Privacy Policy

Last updated: March 2026

1. Data Controller

Calibrate Ltd (Company number: 17109642), a company registered in England and Wales, is the data controller responsible for your personal data. Our registered office is at 128 City Road, London, United Kingdom, EC1V 2NX. For any questions regarding the processing of your data, you can contact us at the addresses indicated in the Contacts section of this policy.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: email address, name, and password (stored in encrypted form) provided during registration.
  • Assessment data: your responses to the Cognitive Diagnostic Index (CDI) assessment and calculated scores (CDI score, drift profile, component breakdown across awareness, action, commitment, and coherence).
  • Behavioral data: exercise responses, daily check-in answers, progress tracking data, and session completion records generated through your use of our programs. This data may include information about your behavioral patterns, habits, and decision-making tendencies, which we classify as sensitive personal information (see Section 12 for US-specific rights).
  • Payment and transaction data: purchase history, program selected, transaction amounts, refund records, and payment method details (processed and stored by Stripe; we do not store full card numbers).
  • Navigation and device data: IP address, browser type and version, operating system, referring pages, pages visited, date and time of access, and approximate geolocation derived from IP address, all collected automatically during browsing.
  • Cookie data: technical, analytical, and marketing cookies as described in our Cookie Policy.
  • Communication data: email address, email engagement data (opens, clicks, bounces), unsubscribe preferences, and content of any communications you send to us.

3. Purposes of Processing

Your personal data is processed for the following purposes:

  • Providing and managing the service: account creation, authentication, access to purchased programs, and delivery of digital content.
  • Processing your CDI assessment results, generating personalised reports, and recommending a suitable program based on your score.
  • Improving the service through aggregate and anonymised analysis of usage data and behavioral patterns.
  • Sending service-related communications including account confirmations, security notices, program updates, and support responses.
  • With your consent, sending email marketing communications (drip campaigns) about our programs and services. You can unsubscribe at any time via the link in each email.
  • With your consent, displaying personalised advertisements through Meta (Facebook/Instagram) using client-side pixel tracking and server-side Conversions API.
  • Processing payments, managing subscriptions, issuing refunds, and maintaining financial records as required by law.
  • Detecting and preventing fraud, abuse, and security incidents, and monitoring the integrity of our systems.
  • Complying with applicable legal obligations, including tax reporting, responding to lawful requests from public authorities, and establishing or defending legal claims.
  • Identifying and resolving technical errors and performance issues through automated error monitoring (Sentry).

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we process your data on the following legal bases:

  • Contract performance (Article 6(1)(b) UK GDPR): processing necessary for providing the service you have purchased or requested, including account management, program delivery, and payment processing.
  • Consent (Article 6(1)(a) UK GDPR): for analytics cookies, marketing cookies, email marketing communications, personalised advertising, and session recording. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legitimate interests (Article 6(1)(f) UK GDPR): for service security, fraud prevention, error monitoring, and improving our services based on aggregated usage data. We have conducted a balancing test to ensure our interests do not override your rights.
  • Legal obligation (Article 6(1)(c) UK GDPR): for tax and accounting obligations under UK law, including HMRC requirements.

5. Data Retention

Your personal data will be retained for the following periods:

  • Account data: for the duration of your account plus 30 days after deletion to allow for account recovery.
  • Assessment and behavioral data: for the duration of your account. Upon account deletion, this data is anonymised or deleted within 30 days.
  • Payment and transaction data: 6 years from the date of the transaction, as required by HMRC for tax and accounting purposes under UK law.
  • Refund records: 6 years from the date of the refund, in line with HMRC requirements and limitation periods for potential claims.
  • Navigation data: 26 months from the date of collection.
  • Email marketing data: until you unsubscribe or delete your account, whichever occurs first. Unsubscribe records are kept indefinitely to honour your preferences.
  • Cookie data: according to the duration specified in our Cookie Policy.
  • Error monitoring logs (Sentry): 90 days from the date of the event.

6. Your Rights (UK GDPR)

Under the UK GDPR (Articles 15-22) and the Data Protection Act 2018, you have the following rights:

  • Right of access (Article 15): obtain confirmation of whether we process your personal data and request a copy of that data.
  • Right to rectification (Article 16): have inaccurate or incomplete personal data corrected.
  • Right to erasure (Article 17): request deletion of your personal data (the "right to be forgotten"), subject to legal retention requirements.
  • Right to data portability (Article 20): receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
  • Right to object (Article 21): object to processing based on legitimate interests, including profiling. We will stop processing unless we demonstrate compelling legitimate grounds.
  • Right to restriction (Article 18): request that we limit the processing of your data in certain circumstances, for example while we verify the accuracy of your data.
  • Right to withdraw consent: at any time, without affecting the lawfulness of processing carried out before withdrawal. You can withdraw consent through your cookie settings, email unsubscribe links, or by contacting us.
  • Rights related to automated decision-making (Article 22): see Section 9 below for details about how we use automated processing.

To exercise any of these rights, contact us at privacy@calibrate-system.com. We will respond within one calendar month. If your request is complex or we receive a large number of requests, we may extend this period by up to two further months, and we will inform you of any such extension.

7. Data Sharing

We share your data with the following categories of recipients, each acting as a data processor under a written data processing agreement:

  • Hosting and infrastructure: Vercel (United States) for website hosting and serverless functions; Supabase (United States) for database hosting, user authentication, and data storage.
  • Analytics: PostHog (European Union) for anonymised website analytics and, with your consent, session recording. PostHog is configured to operate in opt-out-by-default mode and only activates after you provide consent. Session recordings may capture your interactions with the site, including clicks, scrolls, and page navigation. No recordings are made without your prior consent.
  • Advertising: Meta Platforms (United States) for marketing campaigns, only with your consent. This includes client-side tracking via the Meta Pixel and server-side event transmission via the Meta Conversions API (CAPI). Server-side tracking sends event data (such as page views and purchases) directly from our servers to Meta, which may include hashed identifiers.
  • Payment processing: Stripe (United States) for secure transaction processing. Stripe acts as an independent data controller for payment card data under its own privacy policy.
  • Email delivery: Resend (United States) for transactional emails (account confirmations, security notices) and marketing email campaigns (drip sequences). Resend processes email addresses and delivery metadata on our behalf.
  • Error monitoring: Sentry (data ingested via a German endpoint, Functional Software GmbH) for application error tracking and performance monitoring. Sentry may process IP addresses, browser information, and error context data. No behavioral or assessment data is sent to Sentry.

We have entered into data processing agreements with each of these providers in accordance with Article 28 of the UK GDPR, ensuring that your data is processed only on our documented instructions and subject to appropriate security measures.

8. International Data Transfers

As a UK-based company serving an international audience, your personal data may be transferred outside the United Kingdom. We ensure that all international transfers are protected by appropriate safeguards:

  • Transfers to countries with UK adequacy regulations: where the UK Secretary of State has determined that a country provides an adequate level of data protection, we rely on that adequacy decision.
  • International Data Transfer Agreement (IDTA): for transfers to the United States and other countries without an adequacy decision, we use the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office (ICO).
  • UK-US Data Bridge: where applicable, we rely on the UK Extension to the EU-US Data Privacy Framework for transfers to certified US organisations.

Our US-based providers (Vercel, Supabase, Stripe, Resend, Meta) process data subject to these safeguards. Sentry data is ingested via a German endpoint within the European Economic Area. PostHog data is processed within the EU.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@calibrate-system.com.

9. Automated Decision-Making

We use automated processing in the following ways:

  • CDI Score Calculation: when you complete the Cognitive Diagnostic Index assessment, your responses are processed by an automated algorithm that calculates your CDI score across four components (awareness, action, commitment, coherence). This score is used to recommend one of our three programs (AUDIT, RECODE, or IRREVERSIBLE). The recommendation is based solely on your CDI score range.
  • Significance: the CDI-based recommendation is informational only. You are free to choose any program regardless of your recommended tier. The recommendation does not restrict your access to any service, and no program is denied based on your score.
  • Safeguards: you have the right to request human review of any automated recommendation, to express your point of view, and to contest the outcome. To do so, contact us at support@calibrate-system.com.

10. Email Communications

We send the following types of email communications:

  • Transactional emails: account confirmations, password resets, purchase receipts, and security notices. These are sent as necessary for the performance of our contract with you and do not require separate consent.
  • Marketing emails: after you provide your email address (for example, during the CDI assessment), we may send you a series of informational and promotional emails about our programs. These emails are sent only with your consent or, where permitted, on the basis of soft opt-in under the Privacy and Electronic Communications Regulations 2003 (PECR).
  • Unsubscribe: every marketing email contains a clear and functional unsubscribe link. Once you unsubscribe, we will stop sending marketing emails within 10 business days. Transactional emails related to your account and purchases will continue.

For US recipients: in compliance with the CAN-SPAM Act of 2003, all commercial emails clearly identify the sender as Calibrate Ltd, 128 City Road, London, EC1V 2NX, United Kingdom. We do not use deceptive subject lines or false header information. Opt-out requests are honoured within 10 business days. We do not share or sell email addresses to third parties for their own marketing purposes.

11. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encrypted data transmission (HTTPS/TLS) for all communications between your browser and our servers.
  • Encrypted password storage using industry-standard hashing algorithms.
  • Access limited to authorised personnel on a need-to-know basis.
  • Regular security updates and vulnerability assessments.
  • Continuous infrastructure monitoring and automated alerting.
  • Content Security Policy (CSP) headers and CSRF protection on all mutation endpoints.
  • Rate limiting on authentication and sensitive API endpoints.

12. Your Privacy Rights — United States

If you are a resident of California or another US state with comprehensive privacy legislation (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others), you have additional rights under applicable state law.

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Categories of personal information we collect: identifiers (name, email, IP address); commercial information (purchase history, programs purchased); internet or electronic network activity (browsing history, interactions with our service); inferences drawn from the above (CDI score, behavioral profile, program recommendation).

Sensitive personal information: your behavioral assessment data, exercise responses, and CDI component scores may constitute sensitive personal information under the CPRA. We process this data only for the purposes of providing our service to you and do not use it for purposes beyond those disclosed in this policy. We do not sell sensitive personal information.

Your rights under US state privacy laws:

  • Right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your data.
  • Right to delete: you may request that we delete the personal information we have collected about you, subject to certain exceptions (such as legal retention requirements).
  • Right to correct: you may request that we correct inaccurate personal information.
  • Right to opt out of sale or sharing: we do not sell your personal information. We do not share your personal information for cross-context behavioural advertising except with your affirmative consent (via cookie consent for Meta Pixel tracking).
  • Right to non-discrimination: we will not discriminate against you for exercising any of your privacy rights.
  • Right to limit use of sensitive personal information: you may request that we limit our use of sensitive personal information to what is necessary for providing our service.

Do Not Sell or Share: Calibrate does not sell personal information as defined under the CCPA/CPRA. When you consent to marketing cookies, Meta Pixel may collect data that could be considered "sharing" for cross-context behavioural advertising under California law. You may opt out of this sharing by declining marketing cookies via our cookie settings or by enabling the Global Privacy Control (GPC) signal in your browser. We recognise and honour GPC signals as valid opt-out requests.

California "Shine the Light" (Civil Code Section 1798.83): Calibrate does not disclose personal information to third parties for their direct marketing purposes.

To exercise your US privacy rights, contact us at privacy@calibrate-system.com. We will verify your identity before processing your request. You may also designate an authorised agent to submit requests on your behalf. We will respond within 45 days (or 90 days if reasonably necessary, with notice).

If you believe your privacy rights have been violated, you may file a complaint with the Federal Trade Commission (FTC) at www.ftc.gov/complaint or with your state attorney general.

13. Children's Privacy

Our service is not directed to individuals under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If you are a parent or guardian and you believe your child has provided us with personal data, please contact us at privacy@calibrate-system.com and we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. In case of significant changes, we will notify you via email (at the address associated with your account) or through a prominent notice on our website at least 30 days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised. We recommend reviewing this page periodically.

15. Contacts

For any questions about this privacy policy, to exercise your data protection rights, or to make a complaint, you can contact us at:

Data protection enquiries: privacy@calibrate-system.com

General support: support@calibrate-system.com

Legal matters: legal@calibrate-system.com

Registered office: Calibrate Ltd, 128 City Road, London, United Kingdom, EC1V 2NX

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection: ico.org.uk — telephone: 0303 123 1113.

US residents may also file a complaint with the Federal Trade Commission (FTC) at www.ftc.gov/complaint or with their state attorney general.