Privacy Policy

Banacare, LLC is a limited liability company with its principal place of business at 123 Innovation Drive, Suite 400, San Francisco, CA 94105, United States. We operate Calmo, an AI-powered personal email assistant that connects to Gmail or Outlook via secure OAuth to help users prioritize email, create Daily Digest summaries, draft replies in their own voice, and manage unsubscribe recommendations.

This Privacy Policy applies to users of the Service, visitors to calmo.email, and anyone who contacts us or subscribes to our communications. It covers personal data collected directly from you, from your email provider with authorization, and through automated means such as cookies, logs, and analytics.

Regional Specifics

• United States: Additional California and state privacy disclosures are provided below. We do not sell personal information.
• EEA, United Kingdom, and Switzerland: We act as data controller for account and service data. Data Processing Agreements are available where applicable.
• Other Jurisdictions: We comply with applicable local data protection laws and provide additional information upon request.

Account and Registration Data

When you create an account, we collect your name, email address, hashed password, billing information processed through Stripe or another trusted processor, subscription status, connected email address, and OAuth access or refresh tokens from Google or Microsoft. We never receive, store, or access your email password.

Email Account Data

With your explicit authorization through OAuth 2.0, we access and process:

• Metadata: sender, recipient, subject, date/time, labels, read/unread status, and thread information.
• Content: email body text and attachment metadata. Full attachment content is not processed unless you enable advanced features.
• Interaction History: emails opened, replied to, archived, or deleted, plus approved replies used for your Personal Tone Profile.
• Contacts: basic contact information for reply suggestions and unsubscribe matching.

You can revoke OAuth permissions at any time through your Google Account or Microsoft Account security settings.

AI Processing Data

AI features such as email prioritization, Daily Digest generation, personalized reply suggestions, and unsubscribe recommendations may require sending limited email excerpts and metadata to third-party LLM providers under contracts that prohibit training on your data and require short retention or zero-retention where technically available.

Current LLM providers include Groq, Google Gemini Flash, and Anthropic Claude Haiku. A current subprocessor list is maintained at calmo.email/legal/subprocessors.

Usage, Analytics, Device, and Cookie Data

We collect feature usage, email processing volume, estimated time saved, engagement with recommendations, error logs, performance metrics, IP address, device type, browser, operating system, referring URLs, and crash reports. We use essential cookies for authentication and functional cookies for preferences. We do not use advertising, retargeting, or cross-site tracking cookies.

To Provide and Improve the Core Service

• Connect securely to your email account and maintain OAuth authorization.
• Analyze and categorize incoming emails into priority levels.
• Generate and deliver your personalized Daily Digest.
• Create reply suggestions that match your writing style, tone, vocabulary, and formality.
• Recommend unsubscribes from low-value newsletters and promotional senders.
• Apply labels, archive, or move messages only when you approve or configure rules.
• Provide usage analytics and productivity insights.

To Communicate With You

• Send transactional emails such as Daily Digest delivery, receipts, security alerts, and account notices.
• Respond to support requests, feedback, and bug reports.
• Send product updates or educational content when permitted, with opt-out options.

For Security, Legal, and Business Purposes

• Detect and respond to fraud, spam, abuse, phishing, and unauthorized access attempts.
• Enforce our Terms of Use and comply with legal obligations.
• Conduct aggregated, anonymized research and product improvement.
• Facilitate legitimate business transfers with appropriate contractual safeguards.

For users in the EEA, United Kingdom, and Switzerland, we process personal data under these legal bases:

Contract Performance

Processing necessary to connect your email account, generate Daily Digests, create reply suggestions, provide unsubscribe recommendations, maintain your account, and deliver the Service.

Legitimate Interests

Improving the Service, ensuring security and fraud prevention, conducting aggregated analytics, and marketing similar services with opt-out controls.

Consent

Optional features such as marketing communications, non-essential cookies, or contributing anonymized data to improve the product. You may withdraw consent at any time.

Legal Obligation

Complying with tax, accounting, anti-money-laundering, statutory requirements, or valid legal requests.

Special Categories of Data

We do not intentionally collect special categories of personal data. If such data appears incidentally in email content, it is handled only as necessary for the Service and deleted promptly if irrelevant.

We Do Not Sell Your Personal Data

Calmo does not sell, rent, lease, or trade your personal data or email content for advertising, marketing, or other commercial purposes. We also do not share personal information for cross-context behavioral advertising.

Service Providers and Data Processors

We share limited data with trusted vendors that help operate the Service. Vendors are bound by confidentiality obligations and data processing terms.

• AI / LLM inference providers such as Groq, Google, and Anthropic.
• Cloud infrastructure and storage providers.
• Database and authentication providers such as Supabase or equivalent services.
• Payment processors such as Stripe.
• Privacy-conscious analytics, monitoring, customer support, and transactional email providers.

A current subprocessor list is published at calmo.email/legal/subprocessors.

Legal, Safety, Business Transfers, and Aggregated Data

We may disclose data if required by law or to protect rights, property, safety, or users. In a merger, acquisition, reorganization, or asset sale, personal data may transfer to a successor bound by this Policy or a substantially equivalent policy. We may also share aggregated or de-identified statistics that cannot reasonably identify a person.

Retention Periods

• Account data, OAuth tokens, Personal Tone Profile, and processed metadata are retained while your account remains active.
• Raw email content is processed in real time or near-real time and is not stored long-term unless needed for enabled features.
• Data sent to LLM providers is deleted within short provider retention windows or immediately where zero-retention configurations are available.
• Identifiable usage logs are retained for a limited period for security, debugging, and product improvement.
• Billing and financial records are retained as required for tax, accounting, and audit obligations.
• Security and fraud logs are retained as needed for incident response and compliance.

Your Right to Delete Your Data

You may delete your account and associated personal data through account settings or by emailing privacy@calmo.email. Upon verified request, we delete or anonymize account data, Personal Tone Profile, and metadata within applicable legal timelines, while retaining only information required for legal compliance or abuse prevention.

Data Portability

Upon verified request, we will provide a machine-readable export of applicable personal data, such as account settings, approved replies, categorization history, and usage statistics.

GDPR / UK GDPR Rights

Subject to applicable exceptions and verification, EEA, UK, and Swiss residents may have rights of access, rectification, erasure, restriction, portability, objection, consent withdrawal, and complaint to a supervisory authority.

CCPA / CPRA Rights

California residents may have rights to know, delete, correct, opt out of sale or sharing, limit use of sensitive information, and non-discrimination. We do not sell or share personal information as defined by CCPA/CPRA.

Choices Available to All Users

• Opt out of marketing communications through unsubscribe links or account settings.
• Enable or disable AI features and Personal Tone Profile learning in settings.
• Manage non-essential cookies through our consent controls or browser settings.
• Pause, deactivate, or delete your account.

To exercise privacy rights, email privacy@calmo.email. We may require reasonable identity verification.

We maintain an information security program designed to protect personal data and email content against unauthorized access, alteration, disclosure, or destruction.

Technical Safeguards

• Encryption in transit using modern TLS.
• Encryption at rest for databases, file storage, and backups.
• Secure OAuth 2.0 / OpenID Connect flows with Google and Microsoft.
• Network security controls, segmentation, monitoring, and DDoS protection.
• Secure development practices, dependency scanning, code reviews, and security testing.

Organizational Safeguards

• Least-privilege access controls and multi-factor authentication for production access.
• Audit logging and documented incident response procedures.
• Privacy and security training for employees and contractors.
• Vendor review and security commitments for service providers.

No information system can guarantee absolute security. If a data breach occurs, we will notify affected users and relevant authorities as required by law.

Calmo is headquartered in the United States. Personal data may be transferred to, stored in, and processed in the United States or other jurisdictions where our service providers operate.

Safeguards for EEA / UK / Swiss Users

Where required, we rely on safeguards such as Standard Contractual Clauses, supplementary technical and organizational measures, encryption, access controls, and transfer impact assessments.

Government Requests

We evaluate legal requests for validity and lawfulness, challenge overbroad or unlawful demands where appropriate, and notify affected users where legally permitted. Transparency information may be published at calmo.email/legal/transparency.

The Service is not directed to individuals under 18 years of age or the applicable age of majority in their jurisdiction. We do not knowingly collect personal data from children. If you believe a child provided personal data, contact privacy@calmo.email and we will take appropriate steps to delete it.

California Privacy Rights

In the preceding 12 months, we may have collected identifiers, commercial information, internet or electronic network activity, approximate geolocation derived from IP address, and inferences related to the Service. We do not sell or share personal information for cross-context behavioral advertising.

Other US State Privacy Laws

We comply with applicable privacy laws in states such as Virginia, Colorado, Connecticut, Utah, and other states as they become effective. Residents may exercise available rights by contacting privacy@calmo.email.

We may update this Privacy Policy to reflect changes in data practices, legal requirements, Service features, or industry standards. For material changes, we will provide notice through email, in-app notice, or another appropriate method before the changes take effect where required.

Continued use of the Service after changes take effect constitutes acceptance of the updated Policy. If you do not agree, you may delete your account before the changes apply.

Privacy Team Contact

EU Representative

Data Protection Officer

We have appointed a Data Protection Officer for GDPR/UK GDPR compliance. Contact: dpo@calmo.email.

Complaints to Supervisory Authorities

If you believe we have not adequately addressed your concerns, you may lodge a complaint with your local data protection supervisory authority. For many EEA users, the relevant authority may be the Irish Data Protection Commission at dataprotection.ie.