Privacy Policy

This privacy policy describes how Calmika — operated by Dávid Kovács, sole trader (Hungary) — handles personal data on the calmika.com website and in the Calmika mobile app.

Data is processed only to operate the app and website, manage subscriptions, provide support, maintain security, and enable therapist/institutional connections separately approved by the parent. We do not sell data to third parties and we do not use targeted advertising systems.

Calmika is built around data minimisation. We only process data needed to operate the app, website, subscriptions, support, therapist applications or a parent-approved therapist connection.

• Email address and message content — only when you provide it for contact, therapist application or support.
• Technical device and website usage data — for security, troubleshooting, essential operation and, after consent, aggregated Google Analytics website analytics.

We do not sell data, do not build advertising profiles for children, and do not use behavioral advertising or third-party tracking on the child-facing interface.

Child profiles, preferences and app usage data primarily operate locally on the device. A therapist/institutional connection does not provide automatic access to raw data.

When a connection is approved, the professional can see only a GDPR-safe, aggregated and purpose-limited summary: for example age band, child nickname or parent-approved label, module usage totals and developmental trends. They cannot see raw event logs, payment data, parent contact details or health diagnoses.

The website uses two categories: necessary technologies and optional analytics.

• Necessary operation — language preference, remembering your cookie/analytics choice, security and technical operation.
• Optional Google Analytics — loaded only if you accept analytics; used with IP anonymisation for aggregated website measurement.
• No advertising or remarketing cookies, no Meta/TikTok/Google Ads pixels, and no child profiling.

We may use the following providers to operate the app, website, subscriptions, email delivery and therapist dashboard:

• Vercel — website hosting, performance and security logs.
• RevenueCat and Google Play Billing — subscription and purchase management; we do not process card details.
• Supabase — authentication, therapist dashboard, invite codes, parent consent, audit logs and aggregated professional summaries.
• Resend — transactional emails such as therapist invite codes and system messages.
• Google Analytics — optional, consent-based aggregated website analytics; we do not use it for advertising targeting or child profiling.

These providers act only in the required technical/processor role and may not use the data for their own advertising purposes.

A therapist or institutional invite code can only be redeemed through the Parent Zone consent flow. The parent sees a preview of the professional/institution, access expiry and the categories of data that may be shared.

The connection becomes active only after explicit approval. We store the consent version, timestamp, displayed text snapshot and data-sharing scope. The parent can revoke the connection in the app at any time; after revocation, the professional receives no further family summaries.

Professional access is audit-logged: we record which authorized professional opened a family/child summary and when. The dashboard does not receive invite-code hashes, raw event logs, payment data or parent contact details.

We keep data only for as long as needed for the relevant purpose or where legal/security reasons justify it. For therapist features, the guiding retention rules are:

• Active therapist-family connection: for the duration of the connection, or until the parent revokes it.
• Revoked connection and access audit records: up to 24 months for dispute, security and compliance purposes.
• Expired or unused invite-code metadata: up to 12 months for abuse prevention and security.
• Legacy plaintext therapist codes are not part of the production flow; public access is disabled and remaining legacy data has been deleted.

In therapist or institutional use, the professional/institution may use only minimal, purpose-limited summaries for families that approved the connection. The data may not be used for profiling, automated decision-making or disclosure to third parties without separate parent approval.

For institutional/B2B use, separate data processing terms (DPA) define roles, access, incident reporting, deletion and subprocessors. Main technical subprocessors may include Supabase, Vercel, Resend, RevenueCat and Google Play.

You may request access, correction, deletion, restriction or object to the personal data we store. You can also revoke a therapist connection inside the app.

For privacy requests, contact us:

info@calmika.com

For privacy questions, deletion requests or parental rights, reach us at:

info@calmika.com

If we materially change this notice, we update the “Last updated” date and, where appropriate, provide a separate notice. The therapist data-sharing text version is stored as a snapshot at the moment of consent.