How CalmSignal collects, uses, stores, retains, and protects your personal data
This Privacy Policy explains how CalmSignal collects and processes personal data in connection with calm-signal.com and the CalmSignal early access programme. It is drafted in compliance with Regulation (EU) 2016/679 (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications and Telemedia Data Protection Act (TTDSG).
CalmSignal is currently operated as an unincorporated joint venture by Sebastian Weber and Lucia Kedrová pending incorporation of a formal legal entity. Both individuals act as joint data controllers within the meaning of Articles 4(7) and 26 GDPR and bear joint and several responsibility for compliance with all data protection obligations set out in this policy. In accordance with Article 26 GDPR, the founders have determined their respective data protection responsibilities as follows: Sebastian Weber holds primary responsibility for technical data security measures, data architecture, and processor relationships; Lucia Kedrová holds primary responsibility for participant-facing communications, consent management, and data rights request handling. Notwithstanding this internal allocation, both controllers remain fully and jointly liable to data subjects. Upon incorporation, the incorporated entity will assume sole data controller status and this policy will be updated accordingly.
Contact for all data protection matters: contact@calm-signal.com.
The CalmSignal early access programme is a personal data collection and baseline modelling activity.
The product collects biometric data from connected health applications and behavioural metadata from keyboard usage across the participant's device, constructs a personal pattern baseline for each participant, and presents visualisations of that data to the user.
The product does not flag, alert, or communicate any inference about mood states, episode onset, or any clinical condition. It is not a medical device. All visualisations are informational representations of personal data only. No clinical function, therapeutic benefit, or diagnostic output is provided or implied.
Users see their own data visualised. They draw their own conclusions. CalmSignal draws none.
The CalmSignal early access programme is designed for adults who have received a diagnosis of Bipolar I disorder from a qualified healthcare professional. CalmSignal acknowledges that participants may be living with a serious psychiatric condition and has designed all aspects of data collection, communication, and consent with the needs and welfare of that population in mind.
A diagnosis of Bipolar I disorder does not affect a person's legal capacity to consent to data collection and processing under German law or EU law. Participation requires and presumes full legal capacity. By participating, each individual confirms they are providing consent freely, voluntarily, with full understanding, and without external pressure, undue influence, or substantially impaired capacity at the time of consent.
CalmSignal strongly recommends that participants discuss their intention to join the early access programme with their treating healthcare professional prior to registration.
CalmSignal collects the following categories of personal data. Health application data, keyboard metadata, and questionnaire responses constitute special category data under Article 9 GDPR and are processed only on the basis of explicit consent as described in Clause 5.
In accordance with Article 13(2)(f) GDPR, CalmSignal discloses that the processing described below involves profiling within the meaning of Article 4(4) GDPR. Specifically, CalmSignal builds a personal behavioural baseline for each participant by analysing biometric and typing pattern data over time. This profiling activity does not produce any automated decision with legal or similarly significant effect and does not engage Article 22 GDPR. Its sole purpose is to generate personal pattern visualisations for the participant's own review.
| Data Category | Specific Data Points | Legal Basis | Retention |
|---|---|---|---|
| Waitlist registration | Email address; date and time of registration | Art. 6(1)(a) GDPR — consent | 12 months or until unsubscribe |
| Questionnaire responses | Diagnosis self-declaration; mood pattern self-report; support service usage; eligibility confirmation | Art. 9(2)(a) GDPR — explicit consent | Retained subject to annual review (see Clause 6) |
| Health app data | Sleep duration and quality; resting heart rate; heart rate variability; step count; activity levels; other biometric data from device health application | Art. 9(2)(a) GDPR — explicit consent via OAuth 2.0 | Retained subject to annual review (see Clause 6) |
| Keyboard metadata | Keystroke timing; typing speed; error rate; autocorrect usage; backspace frequency; special character use across all device applications during active use. MESSAGE CONTENT AND TEXT ARE NEVER COLLECTED. | Art. 9(2)(a) GDPR — explicit consent | Retained subject to annual review (see Clause 6) |
| Technical data | IP address; browser type; device type; pages visited | Art. 6(1)(f) GDPR — legitimate interest | 90 days |
With explicit prior consent, CalmSignal requests read-only access to data stored in the participant's native device health application through a standard OAuth 2.0 authorisation flow. Access is limited to the categories listed above. CalmSignal does not write any data to the health application. OAuth authorisation can be revoked at any time through device settings, immediately ceasing further data collection. Revocation does not delete previously collected data; a separate written deletion request is required.
With explicit prior consent, CalmSignal operates a custom keyboard on the participant's device. This keyboard collects metadata about the mechanics of typing behaviour only, across all applications on the device during active typing sessions. The content of any message, text, search query, or other input typed by the user is never collected, processed, stored, or transmitted under any circumstances whatsoever.
The metadata-only collection restriction is enforced at the technical level within the keyboard software. The keyboard intercepts only timing and behavioural metadata at the point of keystroke event handling, before any character or word is formed or stored in device memory. No character buffer, word buffer, clipboard access, or text rendering pipeline is accessed by the keyboard at any point. This technical restriction cannot be overridden by configuration or user behaviour.
Collection occurs across all applications on the device during active typing sessions in order to generate a representative behavioural baseline. Participants are informed of this cross-application scope as a material characteristic of the data collection activity.
Participants receive graphs and visualisations derived from their collected data. All visualisations are informational representations of personal pattern data only. No clinical inference, risk indicator, alert, flag, or clinical assessment of any kind is embedded in or communicated through any visualisation. Participants do not have access to underlying raw data tables or individual data points.
Data is processed solely for: constructing individual personal baseline models from biometric and behavioural data; improving the accuracy of the product's pattern recognition and baseline modelling algorithms; testing the technical data collection and processing infrastructure; and generating the training dataset required for ongoing product development. Data is not processed for any clinical inference, alerting, monitoring, or diagnostic purpose.
Anonymised and aggregated insights that cannot be attributed to any individual participant may be used by CalmSignal for product development, academic research, and commercial purposes. Participants who do not wish their anonymised data to be used for secondary purposes may opt out of this secondary use at any time by contacting contact@calm-signal.com. Opting out of secondary use does not affect participation in the early access programme or the processing of individually identifiable data for primary purposes.
All processing of special category data under Article 9 GDPR is based exclusively on explicit consent under Article 9(2)(a) GDPR. This consent is obtained through a dedicated standalone consent screen in the onboarding flow, presented after the main terms acceptance and before any data collection begins.
This screen presents the special category data collection in plain language with its own independent checkbox, separate from and in addition to the general Terms acceptance. This consent is freely given, specific, informed, unambiguous, and separately recorded in the consent audit trail with the participant's email address, IP address, date, and timestamp. Consent can be withdrawn at any time without detriment by contacting contact@calm-signal.com. Withdrawal results in the immediate cessation of further data collection. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Data collected through the early access programme is retained for product development purposes for as long as that purpose remains active. CalmSignal commits to conducting an annual review of all retained participant data to assess whether continued retention remains necessary and proportionate. Data that no longer contributes to baseline model development as assessed at each annual review will be deleted or anonymised. Participants will be notified of any material change to the retention period by email at least thirty days before that change takes effect.
Waitlist email addresses are retained for twelve months from collection or until the participant unsubscribes, whichever is earlier. Technical data is retained for ninety days.
You have the right to request deletion of all individually identifiable data associated with your account at any time, regardless of the annual review cycle, by contacting contact@calm-signal.com with the subject line Data Deletion Request.
Deletion will be completed within thirty calendar days of receipt of a valid written request. Anonymised and aggregated data that cannot be re-identified will be retained following deletion. Opting out of secondary anonymised use is a separate right exercisable independently of deletion. See Clause 4.5.
In the event that CalmSignal permanently ceases operations, is dissolved, or sells or transfers substantially all of its assets or data holdings to a third party, participants will be notified by email at least thirty days prior to any such event where reasonably practicable. All individually identifiable participant data will be deleted within sixty days of the cessation of operations. No transfer of individually identifiable participant data to any third party or successor entity will occur without separate explicit consent from each affected participant obtained prior to the transfer. Anonymised and aggregated data that cannot be attributed to any individual may be transferred to a successor entity without further consent.
All personal data is stored on servers located within the European Union, provided by Hetzner Online GmbH, Gunzenhausen, Federal Republic of Germany. Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3 or equivalent. Access to personal data is restricted to named CalmSignal team members on a strict need-to-know basis with access logging maintained.
CalmSignal has executed a Data Processing Agreement with Hetzner Online GmbH in accordance with Article 28 GDPR prior to the commencement of any participant data processing on Hetzner infrastructure. Hetzner's subcontractor list is available at hetzner.com/AV/subunternehmer.pdf.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, CalmSignal will notify the competent German supervisory authority within 72 hours of becoming aware of the breach and will notify affected participants without undue delay, providing details of the nature of the breach, the data affected, the likely consequences, and the remedial measures taken, in accordance with Articles 33 and 34 GDPR.
The following third party processors are engaged under GDPR-compliant Article 28 data processing agreements:
No personal data is transferred outside the European Economic Area. If this changes, Standard Contractual Clauses pursuant to Article 46 GDPR will be implemented and this policy updated before any such transfer occurs.
CalmSignal maintains a documented internal process for responding to data subject rights requests within the statutory timeframes. Upon receipt of a valid Subject Access Request, CalmSignal will produce a complete structured export of all individually identifiable data held about the requesting participant across all systems and deliver it in a commonly used machine-readable format within thirty calendar days.
Participants are encouraged to submit Subject Access Requests to contact@calm-signal.com with the subject line Subject Access Request to facilitate timely processing.
The following rights are available to all participants under GDPR and BDSG, exercisable at any time by contacting contact@calm-signal.com at no charge, with a response provided within one calendar month:
You have the right to lodge a complaint with the competent German data protection supervisory authority if you consider that processing of your personal data infringes GDPR or BDSG. The competent authority is determined by the federal state in which CalmSignal is registered upon incorporation. A full directory of all German supervisory authorities is available at bfdi.bund.de.
This website currently deploys only strictly necessary cookies. No analytics, advertising, tracking, or profiling cookies are set. If non-essential cookies are introduced, a TTDSG and GDPR compliant consent mechanism will be implemented prior to their deployment and this policy will be updated.
This website and the early access programme are not directed at individuals under 18 years of age. No personal data is knowingly collected from any person under 18. Contact contact@calm-signal.com immediately if you believe data has been collected from a minor. Any such data will be deleted promptly upon confirmation.
Material changes will be communicated to registered participants by email at least fourteen days before taking effect. The version number and effective date will be updated on every revision. Continued participation following notification constitutes acceptance of the revised policy.
All data protection queries, rights requests, consent withdrawals, deletion requests, and secondary use opt-outs: contact@calm-signal.com. Please include a descriptive subject line to ensure timely handling.