Privacy Policy

1. Who We Are

Calm Analytics is operated by Fabio Souto, a self-employed professional (autónomo) based in Ourense, Galicia, Spain. We are the data controller for the personal data we process.

Contact: hello@calmanalytics.com

2. What Data We Collect

We collect and process the following data:

• Account data: Your name, email address, and profile picture from your Google account when you sign in.
• GA4 access tokens: OAuth tokens to access your Google Analytics 4 data on your behalf. These are stored encrypted in our database.
• Cached analytics data: Aggregated GA4 data temporarily cached to reduce API calls and improve performance. This data is never tied to individual website visitors.
• Subscription data: Billing and subscription information is managed by Paddle (our payment processor) and is not stored on our servers.

3. What We Do NOT Collect

Calm Analytics does not:

• Install tracking scripts on your website
• Collect data directly from your website visitors
• Store individual-level visitor data
• Use cookies for advertising or tracking purposes
• Share or sell your data to third parties

4. How We Use Your Data

We use your data solely to:

• Authenticate you and provide access to the Service
• Fetch and display your GA4 analytics data in your dashboards
• Cache analytics data to improve performance and reduce GA4 API usage
• Send you service-related communications (account, billing, important updates)

5. Legal Basis for Processing (GDPR)

We process your data based on:

• Contract performance: Processing necessary to provide you with the Service (Article 6(1)(b) GDPR).
• Legitimate interest: Caching analytics data to improve performance and reduce API usage (Article 6(1)(f) GDPR).
• Consent: When you authorize access to your GA4 properties via Google OAuth (Article 6(1)(a) GDPR). You can revoke this at any time from your Google account settings.

6. Data Storage and Security

Your data is stored in Supabase (hosted on AWS infrastructure). GA4 access tokens are stored encrypted. We use HTTPS for all data transmission and follow industry-standard security practices.

Cached analytics data is automatically expired and refreshed. When you delete your account, all associated data is removed from our systems.

7. Third-Party Services

We use the following third-party services:

• Google (OAuth & GA4 API): For authentication and fetching your analytics data. Subject to Google's Privacy Policy.
• Supabase: Database and authentication infrastructure. Subject to Supabase's Privacy Policy.
• Vercel: Hosting and deployment. Subject to Vercel's Privacy Policy.
• Paddle: Payment processing (Merchant of Record). Subject to Paddle's Privacy Policy.

8. Google API Services Disclosure

Calm Analytics' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only access the GA4 data necessary to display your dashboards and do not use it for any other purpose.

9. Your Rights (GDPR)

Under the GDPR, you have the right to:

• Access: Request a copy of your personal data.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion of your data ("right to be forgotten").
• Portability: Request your data in a machine-readable format.
• Restriction: Request that we limit processing of your data.
• Objection: Object to processing based on legitimate interest.
• Withdraw consent: Revoke Google OAuth access at any time.

To exercise any of these rights, contact us at hello@calmanalytics.com. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

10. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising, tracking, or analytics cookies on our own website.

11. Data Retention

We retain your account data for as long as your account is active. Cached analytics data is automatically expired based on configured TTL values (typically 24 hours). When you delete your account, all your data is permanently removed within 30 days.

12. International Transfers

Your data may be processed in countries outside the European Economic Area (EEA) through our third-party service providers. Where this occurs, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

13. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.

15. Contact

For any privacy-related questions or requests, contact us at hello@calmanalytics.com.