Privacy Policy

Last updated: March 27, 2026

1. Data Controller

Caliu is operated by Marc Torrelles, an individual based in Spain. For any privacy-related inquiries, you can reach us at hola@caliuapp.com.

2. What Data We Collect

We collect only the data necessary to provide and improve the service:

  • Account information: email address, name, and password (hashed with bcrypt). If you sign in with Google, we receive your name, email, and profile picture from Google.
  • Notes and content: the notes, tags, attachments, and reminders you create within Caliu.
  • Device information: Web Push subscription tokens if you enable notifications.
  • Usage data: anonymized analytics events (page views, feature usage) collected via PostHog, hosted in the EU. Session recordings mask all form inputs.
  • Error reports: technical error data (stack traces, browser info) collected via Sentry to diagnose and fix bugs. Your user ID and email may be attached for troubleshooting.

3. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance: processing your account data, notes, and sync data is necessary to provide the service you signed up for.
  • Legitimate interest: error monitoring (Sentry) and analytics (PostHog) help us maintain and improve the service. We balance this against your privacy by anonymizing data where possible and masking sensitive inputs.
  • Consent: push notifications require your explicit opt-in. You can revoke this at any time in your browser settings.

4. How We Use Your Data

  • To provide, maintain, and sync your notes across devices.
  • To authenticate your identity and secure your account.
  • To send transactional emails (email verification, password resets).
  • To deliver push notifications for reminders you set.
  • To monitor errors and improve the reliability of the service.
  • To understand how the service is used so we can improve it.

5. Third-Party Services

We use the following third-party services to operate Caliu. Each processes data on our behalf under appropriate data processing agreements:

  • Cloudflare (USA/global) — hosting, database (D1), file storage (R2), caching, and CDN. Cloudflare is our primary infrastructure provider.
  • PostHog (EU) — product analytics. Data is hosted in the EU. Session recordings mask all form inputs.
  • Sentry (USA) — error monitoring and performance tracking.
  • Maileroo — transactional email delivery (verification, password resets).
  • Google — OAuth authentication (only if you choose to sign in with Google).

6. International Data Transfers

Some of our service providers (Cloudflare, Sentry) may process data outside the European Economic Area (EEA). Where this occurs, we rely on EU-approved mechanisms such as Standard Contractual Clauses (SCCs) or adequacy decisions to ensure your data is protected in accordance with GDPR requirements.

7. Cookies

Caliu uses a single essential cookie (caliu_session) to keep you logged in. This cookie is strictly necessary for the service to function and does not require consent under the ePrivacy Directive. We do not use advertising or third-party tracking cookies.

8. Data Retention

  • Account data: retained for as long as your account is active.
  • Deleted notes: soft-deleted items are permanently purged after 30 days.
  • Sessions: expire after 30 days and are cleaned up automatically.

9. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”).
  • Restrict processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time (e.g., push notifications).

To exercise any of these rights, email us at hola@caliuapp.com. We will respond within 30 days.

10. Data Security

We take reasonable technical and organizational measures to protect your data, including the following: passwords are hashed with bcrypt, API keys are stored as SHA-256 hashes, all connections use HTTPS/TLS, session cookies are httpOnly and Secure, and rate limiting is applied to authentication endpoints.

11. Children's Privacy

Caliu is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) at www.aepd.es, or with your local supervisory authority if you are based in another EU/EEA country.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the app. The “Last updated” date at the top reflects the most recent revision.