Privacy policy

How we handle what you tell us.

In plain English first, then the legal version. Last updated April 2026.

Your conversations with Calyn are encrypted in transit, access-controlled, and never sold. You can delete them at any time.

The short version

  • Encrypted in transit and at rest. Your messages travel over an encrypted connection (TLS/HTTPS) and are stored encrypted at rest by our hosting provider. There is no end-to-end or on-device encryption — your messages are stored in readable form so Calyn can read and respond to them.
  • Linked to your account, access-controlled. Your conversations are linked to your account, not stored anonymously. Access is restricted with row-level security, so that when you’re signed in you can read only your own data.
  • Never sold. We do not sell, rent, lease, or share your data with advertisers, data brokers, insurers, employers, or any third party for commercial purposes.
  • Not used to train models. We do not use your conversation content to train AI models for any purpose other than operating the service for you.
  • Yours to delete. You can reset your data, or delete your account, at any time. Each takes effect with a single confirmation.

How conversations are processed

Calyn’s replies are generated by a third-party large language model. Our current provider is DeepSeek (model “deepseek-chat”), which operates from China; when you send a voice message, it is transcribed by OpenAI’s Whisper. Your messages travel over an encrypted connection and are stored by our hosting provider so Calyn can read and respond to them. There is no end-to-end or on-device encryption — your messages are held on our servers in readable form.

Access to your conversation content is restricted. Server-side access uses a limited credential, and the AI provider receives your content only as needed to generate a reply. A person on our team accesses your conversation content only where you ask us to (for example, a support request you raise) or where we are required to by a valid legal request.

What we collect

  • Account data: email address (for sign-in only) and billing identifiers if you subscribe.
  • Conversation content: the text and voice you choose to share with Calyn. This is what powers your experience and is the most sensitive data we hold.
  • Device information: operating system version and app version, for compatibility. Nothing else.

What we do not collect

  • We do not collect your name, phone number, address, location, contacts, or photos.
  • We do not use third-party advertising trackers, fingerprinting, or analytics that follow you across the web.
  • We do not share data with insurers, employers, healthcare providers, or government agencies, except where compelled by valid legal process (see “Legal disclosures” below).

How we use your data — and what we will never do with it

We use your data only to provide the service to you: to power your conversations, generate your plan and insights, sync across your devices, and improve product reliability. We will never:

  • Sell, rent, or share your data with advertisers, data brokers, insurers, employers, or any third party for commercial purposes.
  • Use your conversation content to train AI models for any purpose other than operating the service for you.
  • Use your data for behavioral advertising, profiling for marketing, or any cross-site tracking.
  • Share information with a third party (such as a clinician or program sponsor) without your explicit opt-in. You can revoke that consent at any time.

We do not proactively monitor your conversations or report their content to authorities. We comply with valid legal process when required — see “Legal disclosures” below.

Where data is stored

Your account data, conversation content, and the memory Calyn derives are stored by our hosting provider (Supabase) in the European Union (Frankfurt, Germany). Data is encrypted at rest with provider-managed keys and in transit with TLS/HTTPS. Our database uses row-level security so that, when you’re signed in, you can read only your own rows, and server-side access uses a restricted credential.

International transfers. To generate Calyn’s replies and the memory it builds, your conversation content is sent to our AI provider (DeepSeek), which operates from China — a country without an EU adequacy decision. Voice transcription and optional web search use providers based in the United States. These are transfers outside the EU/EEA. Where required by law (including the GDPR for EU/UK users), we rely on EU Standard Contractual Clauses together with supplementary safeguards to protect the data during transfer.

Vulnerability disclosure. If you believe you have found a security vulnerability in Calyn, please write to security@calyn.app. We do not pursue legal action against good-faith researchers who follow responsible disclosure.

While we apply industry-standard security practices, no system connected to the internet can be guaranteed secure. By using Calyn you acknowledge this inherent risk and accept that we cannot, despite our best efforts, eliminate the possibility of unauthorized access caused by infrastructure-provider incidents, zero-day vulnerabilities, or other events outside our reasonable control.

How long we keep it

Conversation content is retained for as long as your account is active, unless you choose to delete individual conversations or your history. When you delete content, it is removed from our active systems within 24 hours and from backups within 30 days. When you close your account, all content is deleted within 30 days.

Legal disclosures

If we receive a valid legal request (subpoena, court order, or equivalent under applicable law), we are required to comply. We will challenge requests that we believe are overbroad, and we will notify the affected user unless prohibited by law.

Legal basis for processing (EU / UK users)

Under the GDPR, we process your personal information on the following legal bases:

  • Contract — to deliver the service you’ve signed up for, in line with our terms.
  • Legitimate interest — to keep the service running, secure, and improving (e.g. fixing bugs, preventing abuse). We balance this against your rights and you can object at any time.
  • Legal obligation — to comply with applicable laws and respond to valid legal process.
  • Consent — for anything optional, including sharing data with a third party such as your therapist. You can withdraw consent at any time.

Your rights

Under the GDPR, CCPA, and similar regulations, you have the right to access, correct, export, and delete your data, to restrict or object to processing, and to lodge a complaint with your local data protection authority (in the UK, the Information Commissioner’s Office). All of the in-app rights can be exercised from inside the app. If you need help, write to privacy@calyn.app.

Children

Calyn is intended for users aged 18 and older. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact us and we will delete it promptly.

Changes to this policy

We will notify you of material changes by email and in-app at least 30 days before they take effect. Continued use of Calyn after the effective date constitutes acceptance.

Contact

Questions about privacy? privacy@calyn.app. Data-protection matters are handled by our management team, reachable at the same address.