Privacy Policy
This Privacy Policy describes what personal data Callday collects, how it is processed, and what rights you have regarding your data. It applies to the callday.io website and the Callday iOS app.
Callday is operated from Germany. Because of that, the EU General Data Protection Regulation (GDPR) is the legal framework for everything we do with your data — even if you live in the US. We've translated the legal references below for an English-speaking audience, but they refer to the same statutes cited in the German version.
1. Data Controller
Controller within the meaning of Article 4(7) GDPR:
Jan Bettermann Bensberger Marktweg 338 51069 Cologne Germany
Email: hello@callday.io
2. What Data We Collect
2.1 When You Visit This Website
When you access this website, your browser automatically transmits information to our hosting provider, which is stored temporarily in server logs:
- IP address (truncated/anonymized)
- Date and time of the request
- Page accessed
- Amount of data transferred
- Browser type and version
- Operating system
- Referrer URL
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a stable, secure website).
2.2 When You Join the Waitlist
If you sign up for the Callday waitlist or early access, we collect:
- Email address
- Time of signup
Purpose: Informing you about the launch and beta access. Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(b) GDPR (pre-contractual measures).
2.3 When You Use the iOS App
The Callday app stores lead data and call outcomes locally on your device first. When you sign in, we sync the following data to our database:
- Account data: name, email address, authentication method (Apple, Google, or email)
- Profile data: daily goal, calling days, industry categorization
- App data: imported lead lists, call outcomes, notes, appointments, calendar and reminder settings
- Optionally, if you connect your Google account: an OAuth refresh token, so Callday can send confirmation emails through your Gmail account. The token is stored encrypted and used only server-side.
Purpose: Providing app functionality, cross-device synchronization, automatic email sending for booked appointments. Legal basis: Art. 6(1)(b) GDPR (contract performance).
2.4 When You Subscribe via the Website (Stripe)
If you subscribe to Callday through our website, payment processing runs through our payment provider Stripe. The following data is processed:
- Email address (transmitted to Stripe for invoicing)
- Billing address (name, street, postal code, country — as required for tax purposes)
- Payment method information (credit card, SEPA direct debit, etc.) — processed exclusively by Stripe and not transmitted to us; we only see the last four digits of the card or the bank name for recognition
- Subscription status (active, cancelled, paused) and billing history
If you subscribe via Apple In-App Purchase, we only receive an Apple transaction ID and the subscription status — no payment method data.
Purpose: Contract performance, invoicing, recurring billing, statutory retention of accounting records. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (statutory bookkeeping obligations under § 147 German Fiscal Code (AO) and § 257 German Commercial Code (HGB)).
3. Recipients and Third-Party Processors
We use carefully selected data processors (Art. 28 GDPR):
- Supabase (Inc., USA / Frankfurt region) — Authentication and database. Data processing takes place in the EU region (Frankfurt). Contractual basis: Data Processing Agreement (DPA) and EU Standard Contractual Clauses, where data flows to the US are necessary.
- Vercel (Inc., USA) — Website hosting. EU Standard Contractual Clauses per GDPR.
- Google LLC (USA) — Optional, if you connect your Gmail account. Callday then sends appointment confirmation emails through your own account; Google processes these emails according to Google's privacy policies.
- Apple Inc. (USA) — For "Sign in with Apple" and for In-App Purchases.
- Stripe Payments Europe, Limited (Ireland) — Payment processing for web subscriptions. Stripe processes payment method data as an independent controller (within the meaning of Art. 4(7) GDPR) and is PCI-DSS Level 1 certified. For processing on our behalf (e.g. subscription management), our DPA with Stripe applies, plus EU Standard Contractual Clauses where data flows to the US are necessary.
- Resend (Inc., USA) — Sending transactional emails (account confirmations, subscription receipts, beta application confirmations). Only the email address and message contents are processed. EU Standard Contractual Clauses per GDPR.
We do not share your data with third parties for advertising purposes and we do not sell it.
4. Google API Services User Data Policy
When you connect your Google account (Gmail) with Callday, we use the
OAuth scope gmail.send to send appointment confirmation emails on your
behalf from your Gmail account. We do not read, store, or process any
incoming emails, contacts, or other Gmail content. The OAuth refresh token
is stored encrypted on the server side and is used exclusively to send the
confirmation emails you trigger.
Callday's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In concrete terms: data received via Google APIs is used solely to provide the feature described above. It is not used for advertising, not used to train AI or machine-learning models, not transferred to third parties, and not read by humans — except with your explicit consent, for security purposes (e.g. abuse detection), for anonymized internal operations, or as required by law.
5. Data Retention
- Server logs: maximum 14 days
- Waitlist emails: until you opt out, or at the latest 24 months after the app launches
- Account and app data: for the duration of your account. When you delete your account, all data is removed from our active systems within 30 days; backups are overwritten with the next backup rotation.
- Invoicing and payment data: 10 years per § 147 AO and § 257 HGB (statutory retention obligation for accounting records under German law). Subscription status and account link are removed when your account is deleted, independent of the retention obligation.
6. Your Rights
You have the right at any time to:
- Access your stored data (Art. 15 GDPR)
- Rectify inaccurate data (Art. 16 GDPR)
- Delete your data (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Withdraw consent with effect for the future (Art. 7(3) GDPR)
You can delete your account, including all data, directly in the app: Settings → Account → Delete account.
For other requests, please contact hello@callday.io.
7. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement.
The authority responsible for our location in Germany is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany.
8. Data Security
We use technical and organizational measures to protect your data — in particular SSL/TLS encryption for every data transmission, encrypted storage of sensitive values (e.g. OAuth tokens), and access restrictions at the database level (Row-Level Security).
9. Changes to This Policy
We update this Privacy Policy when our feature set, legal requirements, or the third-party services we use change. The current version is always available at callday.io/privacy.
Last updated: 2026-06-11