Privacy Policy for Calypso — Explore Yourself
Last Updated: March 17, 2026
Data Controller: Ionut Gheorghe, operating as Calypso
Contact Email: privacy@getcalypso.co
Physical Address: Ionut Gheorghe, operating as Calypso
Introduction
Calypso is a gamified sexual education app designed for adults (18+). We take your privacy seriously. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights.
This app is for users 18 and older only. We do not knowingly collect data from anyone under 18.
A) Data We Collect and Why
1. Account Data
- Email address: Required to create your account and authenticate via Firebase Auth
- Password: Used only for login, managed by Firebase Auth (hashed, never stored in plaintext by us)
Why: Necessary for account creation, login security, and account recovery.
2. Profile Data
- Gender identity: Used to personalize lesson recommendations and quiz variants
- Relationship context: Whether you're exploring solo or as a couple (affects lesson content and challenges)
- Sexual curiosities: Topics you're interested in exploring (education customization)
- Experience level: Beginner, intermediate, or advanced (paces lessons appropriately)
- Pace preference: How fast you want to progress through modules
Why: Personalizes your learning experience. Different users need different content. We use these signals to recommend lessons and generate appropriate quiz variants.
3. Usage and Progress Data
- Lesson progress: Which lessons you've started and completed
- Quiz scores: Your answers and performance on the 5 quiz types (recall, scenario, true/false, reflection, apply-it)
- Streak data: Your current streak and historical streak information
- Badges earned: Which achievements you've unlocked
- XP (Experience Points): Points earned from quizzes and challenges
- Sparks (in-app currency): Balance and usage
Why: Tracks your learning progress, powers the gamification system, and enables personalized recommendations.
4. Coach Data
- Messages you send to Coach: When you message the Coach feature, the text of your message is stored in our database
- Coach AI integration (Phase 5+): Your message may be sent to OpenAI's API for personalized responses. See Section C for details.
Why: Enables the Coach feature to respond to your questions and provide personalized guidance.
5. Device Data
- Device type: iPhone, Android, or web (Expo)
- Operating system version: For compatibility troubleshooting only
Why: Ensures the app works properly on your device. We do NOT use this for fingerprinting, tracking, or profiling.
6. Payment Data
- We NEVER see your credit card, debit card, or bank account information
- Payment processing is handled entirely by Apple (in-app purchases), Google Play (in-app purchases), or RevenueCat (subscription management if integrated)
- We only see: subscription status (active/inactive), renewal date, and receipt validation
Why: PCI DSS compliance and security. We intentionally do NOT handle payment data directly.
B) Sensitive Data — Your Special Category Information
Under GDPR Article 9 and similar privacy laws, some data you provide is considered "special category data" (data about sex life or sexual orientation) and receives additional legal protection.
What We Consider Sensitive
- Your gender identity
- Your relationship context (solo or couple)
- Your sexual curiosities and interests
- Your quiz responses about sexual topics
- Messages to Coach about sexual subjects
Our Legal Basis: Explicit Consent
We collect this data only with your explicit consent, given during onboarding when you complete your profile. You are asked clearly what data we collect and why.
Your Rights Over Sensitive Data
- You can revoke consent anytime by deleting your account
- You can request deletion of sensitive data at any time
- We will delete all sensitive data within 30 days of your request
- Revoking consent does not affect the lawfulness of processing before the revocation
We Do NOT
- Sell or share sensitive data with advertisers or marketers
- Use sensitive data to create profiles sold to third parties
- Use sensitive data for discriminatory purposes
- Share sensitive data with anyone except service providers (Firebase, RevenueCat, OpenAI) who are bound by confidentiality agreements
Transparency
We collect sensitive data only to personalize your educational experience — to recommend relevant lessons, generate appropriate quiz variants, and provide better Coach responses. This is not about profiling you as a customer; it's about teaching you effectively.
C) Third Parties We Work With
1. Firebase (Google)
- What we share: Email, password hash, profile data, usage data, Coach messages, device info
- Why: Firebase provides our authentication, database, and hosting infrastructure
- Their role: Data processor (they process data on our behalf, per our instructions)
- Your data: Each user can only access their own data via Firestore security rules
- Privacy policy: https://firebase.google.com/support/privacy
- Data location: USA or EU based on Google's infrastructure (you can request confirmation)
2. RevenueCat (Phase 5 — Subscription Management)
- What we share: Subscription status, renewal dates, receipt validation tokens (NOT credit card data)
- Why: Manages subscriptions, validates receipts, and prevents fraud
- Their role: Data processor
- Privacy policy: https://www.revenuecat.com/privacy
- Note: RevenueCat uses your device's App Store receipt, which Apple generates. We never handle the receipt content directly.
3. Google AdMob (Phase 5 — Ads in Free Tier)
- What we share: Device type, OS version, approximate location (from IP)
- Why: Displays ads to free users, helps monetize the app
- Their role: Data processor and independent controller (they use data for their own advertising purposes too)
- Privacy policy: https://policies.google.com/privacy
- Advertising ID: AdMob may use Apple's IDFA (iOS) or Google Advertising ID (Android). See Section D for your control options.
- Note: If you refuse App Tracking Transparency (ATT) on iOS, we do NOT pass your advertising ID to AdMob.
4. OpenAI (Phase 5+ — Coach AI)
- What we share: ONLY the text of messages you send to Coach (no profile data, no quiz scores, no email)
- Why: Generates personalized, context-aware responses to your Coach questions
- Their role: Data processor (API provider)
- Data handling by OpenAI:
  - OpenAI does NOT use API data for model training (per their default API data usage policy)
  - OpenAI retains API data for 30 days for security and abuse prevention, then deletes it
  - Message content is encrypted in transit (HTTPS)
- Privacy policy: https://openai.com/privacy
- Your control: You can choose NOT to use Coach AI. If you disable it, your messages are not sent to OpenAI (stored locally in our system only).
Note on Data Processors: All third parties above are bound by written Data Processing Agreements (or are subject to their own privacy policies if a DPA is not required). We do not share data with these parties for their own marketing purposes.
D) Apple App Tracking Transparency (ATT)
If you use Calypso on iOS and we have AdMob (Phase 5), Apple requires us to show you a popup asking for permission to track your activity for advertising purposes.
What This Means
- If you allow tracking: Your Apple advertising identifier (IDFA) may be shared with AdMob for personalized ads
- If you refuse tracking: Your IDFA is NOT shared. AdMob will show you generic, non-personalized ads. We still function normally; ads are just less targeted.
- Your right to change your mind: You can change your ATT choice anytime in iOS Settings → Privacy → Tracking
We Respect Your Choice
Regardless of your ATT choice, Calypso works fully. You are not restricted, punished, or disadvantaged for refusing tracking.
E) Your Rights
If You Are in the European Union (GDPR)
You have the following rights:
- Right of Access (Article 15): Request a copy of all your personal data we hold
- Right to Rectification (Article 16): Correct inaccurate data (e.g., update your profile)
- Right to Erasure ("Right to Be Forgotten") (Article 17): Request deletion of your data
- Right to Data Portability (Article 20): Request your data in a machine-readable format (JSON, CSV)
- Right to Object (Article 21): Object to certain types of processing
- Right to Withdraw Consent: Revoke consent for sensitive data processing at any time
- Right to Lodge a Complaint: File a complaint with your local data protection authority (e.g., CNIL in France, ICO in UK)
If You Are in California, USA (CCPA)
You have the following rights:
- Right to Know: Request what personal information we collect and how we use it
- Right to Delete: Request deletion of your personal data (subject to certain exceptions)
- Right to Opt-Out: Opt out of any "sale" or "sharing" of personal data for targeted advertising
  - Note: We do NOT currently sell or share your data for cross-context behavioral advertising, so this right does not apply in practice
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
If You Are Anywhere Else
Many privacy laws worldwide provide similar rights. Feel free to contact us, and we will do our best to honor your request.
How to Exercise Your Rights
Email: privacy@getcalypso.co
Subject line: "Privacy Request — [Your Name] — [Type of Request]"
Include in your email:
- Your full name
- Your account email address
- What right you're exercising (access, deletion, portability, etc.)
- Any relevant details
We will respond within:
- GDPR (EU): 30 days
- CCPA (California): 45 days
- Other jurisdictions: 30 days (best effort)
Deleting Your Account In-App
You can also delete your account directly from the app:
- Go to Settings → Account → Delete My Account
- Confirm the deletion
- All your data will be scheduled for deletion within 30 days
F) Security
Data in Transit
- All communication between Calypso and our servers uses HTTPS encryption
- No unencrypted data is sent over the network
Data at Rest (Firebase)
- Your data is stored in Google's Firestore database with encryption at rest
- Each user has unique Firestore security rules: only you can read/write your own data
- An admin cannot view another user's data without your account credentials
Passwords
- Your password is hashed by Firebase Auth using industry-standard hashing (bcrypt or better)
- We never see or store your plaintext password
- Firebase Auth enforces password complexity rules and enables optional 2FA
Payment Data
- We intentionally do NOT handle credit card, debit card, or bank account information
- Payments are processed entirely by Apple, Google, or RevenueCat — we only see subscription status
Limitations
- While we use industry-standard security, no system is 100% secure
- A severe breach could expose your data despite our precautions
- In the event of a breach, we will notify affected users within 72 hours (GDPR) or as required by law
G) Data Retention
While Your Account is Active
- We maintain all your data while your account is active
- You can delete individual items (e.g., clear your progress) from the app at any time
- The Coach message history can be viewed and deleted from within the app
After You Delete Your Account
- All data associated with your account is deleted within 30 days
- This includes: profile, quiz scores, lessons, badges, XP, Coach messages, device data
- Firebase Auth account is deleted immediately; Firestore data is deleted within 30 days
Backups
- Firebase maintains automatic backups for disaster recovery
- These backups may persist for up to 30 days after deletion
- We cannot manually delete backups, but they expire automatically
Anonymous Aggregated Data
- We may retain statistical summaries that are not identifiable to you (e.g., "47% of users completed Module 1")
- This data cannot identify you and may be retained indefinitely for analytics and product improvement
- This is not considered "personal data" under GDPR and CCPA
Legal Holds
- If we receive a legal request (subpoena, court order), we may be required to retain data longer than stated above
- We will notify you of such requests unless legally prohibited from doing so
H) Children and Minors
Age Requirement
Calypso is for adults 18 and older only. A welcome screen checks your age before you can proceed.
If You Are Under 18
- Please do not create an account
- If you are a parent or guardian and believe a minor created an account, contact us immediately
Our Commitment
- We do not knowingly collect data from anyone under 18
- If we discover a user is under 18, we will delete that account and all associated data immediately
- We comply with COPPA (Children's Online Privacy Protection Act) by not collecting data from users under 13; our threshold is even higher (18+)
Reporting a Minor
If you are a parent/guardian or a minor who has created an account by mistake, email us:
Email: privacy@getcalypso.co
We will respond within 24 hours.
I) Cookies and Tracking
Native App (No Cookies)
Calypso is a native mobile app (React Native + Expo). We do not use HTTP cookies, as the app does not communicate via the web (no browser).
No Fingerprinting
We do not build or use device fingerprints (combining multiple signals to identify a user secretly). We only use:
- Your account email and password (which you provide explicitly)
- Your device type (optional, for troubleshooting)
No Behavioral Tracking
We do not track you across other apps or websites. We do not monitor your web browsing, app usage outside Calypso, or other behavioral signals.
AdMob Tracking (Phase 5)
- If AdMob is integrated, they may use your advertising ID (IDFA on iOS, Advertising ID on Android) for ad personalization
- This is controlled by the App Tracking Transparency popup (iOS) or your device's ad preferences (Android)
- You can reset your advertising ID or opt out of personalized ads in your device settings
J) Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements.
How We Notify You
- Email notification: We will send you an email at the address associated with your account
- In-app notification: A banner will appear when you open the app
- Website update: This policy will be posted with an updated "Last Updated" date
Your Rights if We Change the Policy
- Substantial changes: If we make material changes (e.g., new types of data collection, new third parties), we will notify you at least 30 days in advance
- Your choice: If you do not agree with changes, you may delete your account
- No silent changes: We will never make surprise changes without notifying you
K) Contact Us
Questions About Your Privacy
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices:
Email: privacy@getcalypso.co
Mailing Address:
Ionut Gheorghe, operating as Calypso
Response Time: We aim to respond within 30 days.
Data Protection Authority
If you are in the EU or certain other jurisdictions, you also have the right to file a complaint with your local data protection authority:
- EU: Contact your national data protection authority (e.g., CNIL in France, ICO in UK)
- California: Contact the California Attorney General's office
Summary
In Plain English:
- We collect data needed to run the app and personalize your experience
- We treat sensitive data (your interests, experiences, identity) with special care and only use it to help you learn
- We never sell your data or use it to manipulate you
- We use trusted third parties (Google, Apple, RevenueCat, OpenAI) who are legally bound to protect your data
- You control your data: you can request access, updates, or deletion anytime
- Your data is encrypted and secure
- If we change our practices, we'll tell you first
Your privacy matters. You're not a product; you're a person learning.