CoaCalm Privacy Policy

Effective date: June 19, 2026
Last updated: June 19, 2026

This Privacy Policy explains how Coacalm("CoaCalm," "we," "us," or "our") collects, uses, shares, and protects your personal data when you use the CoaCalmmobile application (the "App"), a wellness app offering guided EFT ("tapping") audio sessions. It also describes the rights you have over your data and how to exercise them, including how to permanently delete your account and data from within the App.

CoaCalm is a general wellness product, not a medical device. Please also read the "Health, Wellness & Safety Disclaimer" section below.

If you have any questions about this Policy or your data, contact us at coacalm2025@gmail.com.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

Coacalm
United Kingdom
Email: coacalm2025@gmail.com

We have not appointed a Data Protection Officer, as we are not required to do so. Privacy questions can be sent directly to coacalm2025@gmail.com.

2. A Quick Summary

We want you to understand the most important points up front:

  • We do NOT sell your personal data. Ever.
  • We do NOT use advertising, ad networks, the IDFA, or any ad/tracking identifiers. There is no third-party advertising in CoaCalm.
  • We do NOT use any third-party analytics SDK.We do not track your activity across other companies' apps or websites.
  • The front camera is used ONLY as a live on-screen mirror so you can see yourself while tapping. Camera frames are never captured, never stored, never transmitted off your device, and are never processed by us or by any artificial intelligence. (See Section 5.)
  • Your self-reported wellness information is treated as sensitive health-related data and is only used to run the App's features for you. (See Section 6.)
  • You can permanently delete your account and your data at any time from inside the App (Settings → Delete Account). (See Section 11.)

3. What Data We Collect, Why, and Our Legal Basis

We only collect what we need to provide CoaCalm. The table below lists every category of personal data we collect, the purpose, and (for users protected by the GDPR/UK GDPR) the legal basis for processing.

Data categorySpecific dataPurposeLegal basis (GDPR / UK GDPR)
Account & identityEmail address, name, and a unique user ID provided when you sign in with Apple or Google; preferred language; avatar image (avatar_url)Create and secure your account, authenticate you, provide the service, and respond to support requestsPerformance of a contract (Art. 6(1)(b))
Self-reported wellness dataYour onboarding responses: mental-health challenges, stress level, sleep quality, physical symptoms, wellness goals, triggers, and coping mechanisms; and your SUDS intensity ratings (0–10) recorded before and after sessionsPersonalize your experience, recommend relevant sessions, and let you track how you feel over timeExplicit consent (Art. 9(2)(a)) for this special-category (health-related) data, on the basis of a contract (Art. 6(1)(b)) to deliver the feature
Session activity & progressWhich sessions you complete, session duration, timestamps, streaks, totals, and other progress statisticsShow your history and progress, maintain streaks, and power the App's tracking featuresPerformance of a contract (Art. 6(1)(b))
Subscription & purchase dataYour subscription status, plan, trial status, transaction/entitlement information, and a device identifier used by our subscription providerManage your free trial and subscription, unlock paid content, and prevent abusePerformance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in preventing fraud and abuse
Notification preference (local)Your daily-reminder settingSchedule a local daily reminder on your deviceConsent (you turn the reminder on) / legitimate interests (Art. 6(1)(f))

Important notes:

  • We do not integrate Apple HealthKit, the Clinical Health Records API, Motion & Fitness, or any device health API. All wellness data is information you choose to enter yourself; none of it is read from your device's health records.
  • We do not collect the IDFA, advertising identifiers, or any cross-app/cross-site tracking data.
  • We do not use any third-party analytics SDK and do not build advertising profiles about you.
  • The device identifier mentioned above is used solely by our subscription provider (Adapty — see Section 7) to manage your subscription entitlement; it is not used for advertising or tracking.

Where we rely on consent (including the explicit consent required for your wellness data), you can withdraw it at any time — see Section 10. Where we rely on contract, providing the data is necessary to use the relevant feature; if you do not provide it, that feature may not work.

4. How We Collect Data

We collect data:

  • Directly from you — when you sign in, complete onboarding, enter SUDS ratings, set preferences, or contact support.
  • Automatically as you use the App — your session completions, durations, timestamps, and progress are generated by your use of the features.
  • From sign-in and payment providers— Apple and Google provide your email, name, and user ID when you choose Sign in with Apple or Google Sign-In; Apple's StoreKit and our subscription provider provide your purchase and subscription status.

We do not buy personal data about you from data brokers, and we do not receive advertising or tracking data about you from third parties.

5. Camera — Live Mirror Only (Never Captured, Stored, or Transmitted)

This is important, so we state it plainly:

CoaCalm uses your device's front camera for one purpose only: to display a live, on-screen mirror of yourself during a tapping session, so you can position your hands and see yourself as you tap.

  • The camera feed is shown as a live preview on your screen only.
  • No photos, video, or individual frames are ever captured, recorded, saved, or stored — on your device or anywhere else.
  • No camera data is ever transmitted off your device, to us or to anyone.
  • No camera data is ever processed, analyzed, or used by any artificial intelligence, facial-recognition, or biometric system.
  • The mirror runs entirely on your device and disappears as soon as you close it.

You grant camera access through your device's system permission prompt, and you can turn camera access off at any time in your device Settings without losing access to the audio sessions.

6. Sensitive Wellness Data — How We Treat It

Some of the information you enter — your mental-health challenges, stress level, sleep quality, physical symptoms, wellness goals, triggers, coping mechanisms, and your SUDS (Subjective Units of Distress) ratings — describes how you feel. We recognize that this is sensitive information:

  • Under the GDPR/UK GDPR, it is treated as special-category "data concerning health" (Article 9). We process it only with your explicit, specific, informed consent, which is requested separately from any acceptance of general terms, and which you can withdraw at any time.
  • Under California law (CCPA/CPRA), it is treated as "Sensitive Personal Information."
  • We handle it consistently with applicable U.S. health-data rules, including the FTC Health Breach Notification Rule and state consumer-health-data laws (such as Washington's My Health My Data Act).

How we limit its use:

  • We use this data only to operate the App's features for you — personalizing your experience, recommending sessions, and showing your progress and SUDS history.
  • We never use it for advertising, marketing profiling, or "use-based" data mining.
  • We never sell it and never share it with advertising networks or analytics companies. (As noted, we use neither.)
  • We only share it with the limited service providers described in Section 7, who process it strictly on our behalf to host and run the App.

If we ever experienced a security incident affecting this data, we would notify affected users and regulators as required by law.

7. Who We Share Data With (Processors & Third Parties)

We do not sell your personal data and do notshare it for advertising. We share data only with the limited set of service providers ("processors") needed to run CoaCalm. Each is bound by contract to protect your data and to provide a level of protection at least equal to that described in this Policy and required by law, and each may only process your data on our instructions.

ProviderRoleWhat it receives / processes
SupabaseDatabase & authentication backend (our processor)Stores your account and identity data (email, name, preferred language, avatar URL), your self-reported wellness data, your SUDS ratings, your session history, and your progress statistics, on hosted PostgreSQL infrastructure. Authenticates your sign-in.
AdaptySubscription management (our processor)Receives your purchase and subscription data (plan, trial and renewal status, transaction/entitlement information) and a device identifier, to manage your trial and subscription and unlock paid content. Adapty does not receive your wellness data, SUDS ratings, or camera data.
AppleSign in with Apple + App Store / StoreKit paymentsProcesses your Sign in with Apple authentication (providing your email, name, and user ID) and all in-app purchases and subscription billing through your Apple ID. Apple processes payment information directly; we never see or store your full payment-card details.
GoogleGoogle Sign-InProcesses your Google authentication, providing your email, name, and user ID.

We may also disclose data if required by law, court order, or valid legal process, or to protect the rights, safety, and security of our users, the public, or us. If we are ever involved in a merger, acquisition, or sale of assets, we will notify you and ensure any successor honors this Policy.

We do not share your data with any analytics provider, advertising network, data broker, or third-party AI service.

8. International Data Transfers

We operate globally, and your data may be processed in countries other than the one where you live, including the United States. Data residency for our database depends on the region in which our Supabase project is hosted.

When we transfer personal data out of the EEA, the UK, or Switzerland to a country that does not provide an equivalent level of protection, we rely on appropriate safeguards, which may include:

  • the European Commission's Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Agreement / Addendum; and/or
  • a recipient's certification under the EU-US Data Privacy Framework(and the UK-US "Data Bridge") where applicable.

Our processors (including Supabase and Adapty) maintain data processing agreements incorporating these safeguards. You may request a copy of the relevant safeguards by emailing coacalm2025@gmail.com.

9. How Long We Keep Your Data (Retention)

We keep your personal data only for as long as needed for the purposes described in this Policy:

  • Account, identity, wellness data, SUDS ratings, session history, and progress are retained for as long as your account remains active.
  • When you delete your account (Section 11), we permanently delete this data from our live systems promptly, and it is then purged from our routine backups within our standard backup cycle (no longer than 30 days).
  • Subscription and billing records may be retained for longer where we are legally required to keep them — for example, to meet tax, accounting, and audit obligations (typically up to 7 years, depending on jurisdiction). Apple and Google retain their own transaction records under their policies.
  • If any law requires us to retain specific data after your deletion request, we will keep only what the law requires, for only as long as required, and we will tell you if you ask.

10. Your Privacy Rights

Depending on where you live, you have some or all of the following rights. We do not discriminate against you for exercising any of these rights.

10.1 Rights for everyone / EEA & UK (GDPR)

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — delete your data (see in-app account deletion, Section 11).
  • Restriction — limit how we process your data in certain cases.
  • Objection — object to processing based on our legitimate interests.
  • Data portability — receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Withdraw consent — where we rely on consent (including the explicit consent for your wellness data), withdraw it at any time. Withdrawal is as easy as giving consent and does not affect processing already carried out.
  • Lodge a complaint— with your local data protection authority (in the UK, the Information Commissioner's Office; in the EEA, your national supervisory authority).

10.2 California residents (CCPA/CPRA)

In the past 12 months we have collected the following CCPA categories: identifiers (email, name, user ID, device identifier), customer records (account details), commercial information (subscription/purchase data), internet or other activity (session activity within the App), and sensitive personal information (your self-reported health-related wellness data and SUDS ratings). The sources, purposes, and recipients are described in Sections 3, 4, and 7.

As a California resident, you have the right to:

  • Know / Access the personal information we collect, use, and disclose.
  • Delete your personal information.
  • Correct inaccurate personal information.
  • Limit the Use and Disclosure of Sensitive Personal Information — we already use your sensitive information only for the purposes described here and not for inferring characteristics or for advertising.
  • Opt out of the sale or sharing of personal information.
  • Non-discrimination for exercising your rights.

We do not sell your personal information, and we have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months. Because we do not sell or share personal information, we do not offer a "Do Not Sell or Share My Personal Information" link.

10.3 How to exercise your rights

You can exercise your core rights directly in the App:

  • Delete your account and data: Settings → Delete Account (see Section 11).
  • Access, correct, or export your data, or for any other request: email us at coacalm2025@gmail.com.

We will respond within the timeframes required by applicable law (generally within 30 days under the GDPR and 45 days under the CCPA, each extendable where permitted). We may need to verify your identity before acting on a request. You may use an authorized agent where the law allows.

11. Deleting Your Account and Data (In-App)

You can permanently delete your account and your personal data at any time, directly within the App — no email, phone call, or support ticket required.

In the App: Settings → Delete Account.

When you confirm deletion:

  • We permanently erase your account record and associated personal data — including your profile (email, name, preferred language, avatar), your self-reported wellness data, your SUDS ratings, your session history, and your progress statistics — from our live systems, and purge it from backups within our standard backup cycle (Section 9).
  • This is a full deletion, not a temporary deactivation, and it cannot be undone.
  • If any data must be retained because the law requires it (for example, billing records for tax purposes), we will retain only that legally required data and nothing more, as described in Section 9.

About your subscription and billing: Deleting your CoaCalm account does not automatically cancel an active subscription, because your subscription is billed by Apple through your Apple ID. To stop future charges, turn off auto-renewal in your device's Account Settings (App Store) at least 24 hours before your next renewal date. Deleting the App alone does not cancel your subscription. For refunds, see Apple's "Report a Problem" page (reportaproblem.apple.com); Apple processes all App Store refunds.

If you prefer, you may also request deletion by emailing coacalm2025@gmail.com.

12. Security

We use technical and organizational measures to protect your data, including encryption in transit, authentication through Apple and Google, access controls, and reputable hosted infrastructure (Supabase). No method of transmission or storage is 100% secure, but we work to protect your data and to address vulnerabilities. In the event of a data breach affecting your personal data, we will notify you and the relevant authorities where required by law.

13. Children's Privacy

CoaCalm is not directed to or intended for children. The App is age-rated 9+ for general App Store classification purposes, but you must be at least 16 years old (or the minimum age of digital consent in your country, and at least 13) to create an account and use CoaCalm.

We do not knowingly collect personal data from children under these ages. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at coacalm2025@gmail.com and we will delete it. If we learn that we have collected data from a child below the applicable age without proper consent, we will delete that data promptly.

14. Health, Wellness & Safety Disclaimer

CoaCalm is a general wellness and educational product. It is not a medical device and does not provide medical advice, diagnosis, or treatment.

CoaCalm and its EFT/tapping content are provided for general wellness and educational purposes only. They are not intended to diagnose, treat, cure, mitigate, or prevent any disease or medical or mental-health condition, and are not a substitute for professional medical or mental-health care. EFT is a complementary practice; results vary and are not guaranteed. Always consult a qualified healthcare or mental-health professional before making decisions about your health or before starting, stopping, or changing any treatment. Never disregard professional advice or delay seeking it because of something you accessed in the App.

In a crisis, this App cannot help you — please get help now. CoaCalm is a wellness tool and cannot provide crisis support. If you are in emotional distress, thinking about harming yourself, or facing a medical or mental-health emergency:

  • In the US: call or text 988 (Suicide & Crisis Lifeline), or call 911.
  • Outside the US: contact your local emergency number, or find a helpline at findahelpline.com (International Association for Suicide Prevention).

You are not alone, and help is available.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, provide notice within the App or by other appropriate means. We review this Policy at least every 12 months. Your continued use of CoaCalm after an update takes effect means you accept the revised Policy.

16. Contact Us

If you have questions, requests, or complaints regarding this Privacy Policy or your personal data, contact us at:

Coacalm
United Kingdom
Email: coacalm2025@gmail.com

This Privacy Policy is provided for transparency and compliance purposes and does not constitute legal advice. Coacalm should have this Policy reviewed by qualified privacy counsel before publication.