Calibre Privacy Policy
Effective date: 3 July 2026
Last updated: 3 July 2026
1. Who we are
Data controller: Calmela (trading as Calibre)
App: Calibre — watch catalogue for iOS
Website: calibrewatches.app
Contact: info@calibrewatches.app
This policy explains how we collect, use, store, and share personal data when you use the Calibre mobile app, our website, and related services. We have not appointed a Data Protection Officer because we are not legally required to; privacy questions go to the contact above.
2. What data we collect
| Category | Examples | Purpose |
|---|---|---|
| Account | Email address; sign-in provider (Google, Apple, or email/password); profile name and avatar provided by that provider | Authentication, account management, support |
| Vault / collection | Watches you add; purchase date and price; optional condition, maintenance notes, and document details | Core product — your personal collection |
| Concierge | Messages you send to the in-app assistant and any photos or files you attach | AI-assisted discovery (processed on our servers — see §4) |
| Usage | How you interact with features, and a random per-install identifier, session identifier, and app/OS version | Product improvement and recommendations (see §3) |
| Device & technical | App/OS version, device model, approximate region inferred from your IP address, and crash and diagnostic logs | Reliability, security, debugging |
| Support | Emails and messages you send us | Responding to and recording your requests |
We do not collect special-category data (such as health data) and ask that you do not submit it. Biometric unlock (Face ID / Touch ID) is performed entirely by iOS on your device — we never receive or store biometric data. We do not collect payment-card data and are not a payment processor.
Please do not put sensitive personal data, or other people's personal data, into free-text fields, Vault notes, or Concierge messages and attachments. Photos you attach may contain embedded metadata (e.g. location, timestamps); remove it first if you do not wish to share it.
3. Usage analytics
When analytics is enabled, we collect limited, privacy-friendly usage data through our analytics provider (PostHog) to understand how features are used and to improve the app. This includes events such as which screens and watches you view, searches and filters you apply, actions on recommendations, and interactions with the Concierge — together with a random per-install identifier, a session identifier, and your app and OS version.
These identifiers are random values we generate; they are not Apple's advertising identifier (IDFA). We do not track you across other companies' apps or websites and do not use your data for cross-context behavioural advertising, so Calibre does not show an App Tracking Transparency prompt. You can turn analytics off at any time in Account.
4. AI features (Concierge, recommendations, imagery)
- You are interacting with AI. The Concierge is an automated assistant powered by a third-party large language model (Google Gemini), processed on our servers. Your prompts and any attachments are sent to the model solely to generate a response to you.
- We do not train AI on your data. We do not use your prompts, attachments, Vault, or account data to train AI models, and our provider is engaged under terms that do not permit training on content we send.
- Outputs may be wrong. AI output can be inaccurate or incomplete and is not professional advice (financial, legal, authentication, or valuation). See our Terms of Service.
- Limited profiling, no significant automated decisions. Recommendations use limited profiling (e.g. watches you viewed or favourited) to personalise suggestions. This does not produce legal or similarly significant effects within the meaning of Article 22 GDPR. You may object to this profiling (see §12).
- Catalogue imagery may be AI-generated and is illustrative — see the Terms of Service.
5. Legal bases (GDPR)
We process personal data on the following bases:
| Processing | Legal basis |
|---|---|
| Account and vault features | Contract — necessary to provide the service you request |
| Concierge | Contract — processing your prompt is necessary to provide the feature you invoke |
| Recommendations and personalisation | Legitimate interests — improving and personalising the app, with proportionate impact. You may object at any time (Article 21 GDPR) |
| Usage analytics | Consent — you can enable or disable analytics in Account, and withdraw at any time |
| Marketing emails (if any) | Consent — opt-in, withdrawable at any time |
| Security, fraud prevention, legal compliance | Legal obligation and/or legitimate interests |
| Account deletion | Legal obligation / Contract — honouring your right to erasure |
6. How we use data
- Operate sign-in, sync your vault and favourites, and power recommendations.
- Run the Concierge assistant (your prompts are sent to our AI provider to generate a response).
- Understand feature adoption and fix issues through analytics.
- Send service and, with your consent, optional product communications (see §14).
- Comply with law, prevent abuse, and enforce our Terms of Service.
We do not sell your personal data, and we do not share it for cross-context behavioural advertising.
7. Sharing and subprocessors
We share personal data only with the processors below, who act on our instructions under data-processing agreements:
| Provider | Role | Location / notes |
|---|---|---|
| Supabase, Inc. | Hosting, database, authentication, and storage | Provisioned in an EU region, under Supabase's Data Processing Addendum. |
| Google LLC | Large language model for the Concierge (Gemini) | Under Google's data-processing terms. Some processing may occur outside the EEA (see §8). |
| PostHog, Inc. | Product analytics (see §3) | Hosted in PostHog's EU region; analytics data stays in the European Union. |
| Apple Inc. | Push-notification delivery and, if you choose it, Sign in with Apple | Standard Apple platform terms. |
| Website hosting provider | Serving calibrewatches.app, including this policy | Under its standard data-processing terms. |
When you sign in with Google or Apple, that provider acts as an independent identity provider under its own privacy policy. We may also disclose data where required by law, to enforce our Terms, or in connection with a merger, acquisition, or asset sale (with notice where required). We will update this policy when we add or replace a sub-processor that handles your personal data, and notify you where required to do so.
8. International transfers
Some subprocessors (notably Google / Gemini) may process data outside the European Economic Area, including in the United States. Where they do, we rely on Standard Contractual Clauses approved by the European Commission and, where applicable, the EU–U.S. Data Privacy Framework, with additional safeguards. Copies of the relevant safeguards are available on request to the contact in §1.
9. Retention
| Data | Retention |
|---|---|
| Account, vault, and favourites | Until you delete your account (Account → Delete Account) or ask us to delete it |
| Analytics and session data | Up to 12 months, then deleted or aggregated; also deleted when you delete your account |
| Backups | Retained for a limited period (up to around 30 days) and then aged out |
10. Security
We use industry-standard measures, including encryption in transit, access controls on user data, and server-side handling of privileged operations such as account deletion.
Your collection and its estimated value can reveal information about your personal wealth. We treat it accordingly, restrict access to it, and you remain in control of what you add and of any export or share you create. If you believe your account has been compromised, contact us immediately at the address in §1.
11. Personal-data breaches
If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required, and inform affected users without undue delay where the risk is high.
12. Your rights (GDPR)
Under the GDPR you may have the right to:
- Access and receive a copy of your data
- Rectify inaccurate data (e.g. update your display name in Account)
- Erase your data — use Delete Account in the app (permanent)
- Restrict or object to certain processing, including profiling for recommendations
- Portability — request a machine-readable export of your account and vault data
- Withdraw consent where processing is consent-based (e.g. analytics, marketing)
- Complain to a supervisory authority
To exercise any of these rights, email info@calibrewatches.app. We respond within one month where required, and we will not discriminate against you for exercising your rights.
Spanish DPA: Agencia Española de Protección de Datos (AEPD) — https://www.aepd.es. EU users may also complain to their local authority.
13. US state privacy rights
If you are a resident of a US state with a privacy law (e.g. California, Virginia, Colorado, Connecticut), you may have the right to know, access, correct, delete, and obtain a portable copy of your personal information, and to opt out of its "sale" or "sharing." We do not sell or share your personal information and do not use it for cross-context behavioural or targeted advertising. To exercise your rights, email info@calibrewatches.app; you may use an authorised agent.
14. Communications and notifications
Push notifications (such as price alerts and the optional weekly picks digest) are delivered only with the operating-system permission you grant and can be turned off in Account or iPhone Settings at any time. We send account and service messages where necessary to operate the App. We send optional marketing or product emails only with your consent, and every such email includes an unsubscribe link.
15. Children
Calibre is not directed at children under 16 years of age, and we do not knowingly collect their personal data. We rely on your self-declared eligibility at sign-up. If you believe a child has provided us personal data, contact us and we will delete it.
16. Cookies and the website
The mobile app does not use cookies. Our website uses strictly-necessary cookies only — for example, to keep a signed-in session active. Public pages, including this policy and the Terms of Service, set no advertising or cross-site tracking cookies.
17. Changes
We may update this policy. The latest version is always shown in-app under Account → Privacy Policy, and the effective date above is updated when changes are made. Material changes will be notified in-app or by email to the address associated with your account where appropriate.