Legal
Privacy Policy
Last updated: May 18, 2026
1. Who We Are
Data Controller:
Calla Ref GmbH
Gumpendorfer Straße 63F, 1060 Vienna
Austria
Email: contact@callaref.com
We operate the CALLA REF platform at app.callaref.com ("the Service"), a curated Reformer Pilates video streaming app. If you have questions about this policy, contact us at contact@callaref.com.
2. What Data We Collect and Why
2.1 Account Registration
When you create an account, we collect:
| Data | Required | Legal Basis |
|---|---|---|
| Email address | Yes | Contract (Art. 6(1)(b) GDPR) |
| First and last name | Yes | Contract |
| Phone number | Optional | Contract |
| Date of birth | Optional | Contract |
| Partner / hotel code | If applicable | Contract |
We use this to create and manage your account, verify your identity, and send transactional emails (account confirmation, password reset).
2.2 Subscription Data
We record your subscription plan (B2C: monthly or annual; B2B: per-seat monthly or annual, or Enterprise), activation date, and renewal date to provide access to content.
Legal basis: Contract (Art. 6(1)(b) GDPR).
2.3 Usage and Progress Data
While you use the Service, we record:
- Which videos you have watched and how many times
- Your session completion status per video
- Your last watched timestamp per video
- Fitness goals you set (weekly sessions, weekly minutes)
- Your activity streak (current and longest)
- Videos you have marked as favourites
Purpose: To power your personal dashboard, progress tracking, and personalised recommendations. B2B / hotel-kiosk accounts do not have an individual dashboard; goals, favourites and streaks are not collected for them (see § 2.5).
Legal basis: Contract (Art. 6(1)(b) GDPR) — this data is core to the service you signed up for.
2.4 Activity Logs
We log the following events with a timestamp, your IP address, and browser/device identifier (User-Agent):
- Login
- Logout
- Session start / session end
Purpose: Security monitoring, abuse prevention, and session integrity.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — to protect the platform and our users from unauthorised access.
Retention: 90 days. Logs older than this are deleted automatically.
2.5 B2B / Hotel Guest Users
If you access the Service via a hotel or partner kiosk, your usage may be tracked under a shared account. The following data is recorded per session:
- Video watched, seconds watched, completion status
- Timestamp
This data is shared in aggregated, anonymised form with the hotel/partner for analytics purposes. Individual guest data is not shared with the hotel.
Legal basis: Legitimate interests of the hotel partner to understand service usage.
3. Cookies and Local Storage
We do not use advertising cookies. Essential storage (keeping you signed in) is always active. Analytics and session recording are off by default and only run if you opt in via the consent banner. You can change or withdraw your choice at any time using the "Cookie settings" link in the footer.
| Storage | Name | Purpose | Necessary? |
|---|---|---|---|
| Cookie (session) | Supabase auth token | Keeps you logged in | Yes — required |
| localStorage | calla-music-volume | Remembers your music volume preference | Functional |
| localStorage | calla_consent_v1 | Stores your analytics consent choice | Yes — required |
| localStorage | calla_device_token | Identifies this device for single-device sign-in | Functional |
| localStorage | calla_device_location | Remembers which studio location this device belongs to (business accounts) | Functional |
| localStorage / cookie | PostHog & Google Analytics | Product analytics — set only after you opt in | Consent required |
| sessionStorage | calla-partner-code | Remembers your hotel/partner context for the current session | Functional |
Auth cookies are set with SameSite=Lax and Secure=true (HTTPS only). Session storage is cleared when you close the browser tab. localStorage volume preference is cleared on inactivity timeout (kiosk mode only).
4. Third-Party Services
We share your data with the following processors. Each has signed a Data Processing Agreement (DPA) with us as required by GDPR Art. 28.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | All account and usage data | EU (Frankfurt) |
| Mux Inc. | Video streaming and delivery | Video playback events, device type, IP | USA (SCCs in place) |
| Vercel Inc. | Application hosting & basic web-vitals analytics | All HTTP request data including IP | USA (SCCs / DPF) |
| PostHog | Product analytics & session recording — only with your consent | Usage events, pages, device, IP, session replay | EU (Frankfurt) |
| Stripe | Payment processing & invoicing | Email, name, billing address, VAT ID, payment data | USA (SCCs / DPF) |
| Resend | Transactional & administrative email | Email address, name | USA (SCCs) |
| Google (Analytics 4) | Web analytics — only with your consent | Pages, device, IP | USA (SCCs / DPF) |
Mux Analytics: Mux collects basic playback analytics (buffering, quality metrics) via inferred.litix.io. This data is used to ensure video delivery quality. See Mux's Privacy Policy.
HaveIBeenPwned: When you reset your password, a partial hash of your new password is checked against the HaveIBeenPwned service to protect you from using compromised passwords. No identifiable data leaves your device — only a 5-character prefix of the password hash is transmitted.
5. Data Transfers Outside the EU
Your account database (Supabase) and product analytics (PostHog) are hosted in the EU (Frankfurt). Some processors are US-based (Mux, Vercel, Stripe, Resend, Google). Transfers to the USA are safeguarded by EU Standard Contractual Clauses (GDPR Art. 46(2)(c)) and, where the processor is certified, the EU–US Data Privacy Framework. Analytics processors (PostHog, Google) receive nothing from your browser unless you opt in. Independently of that choice, our servers send PostHog a small number of subscription-lifecycle events — checkout started, subscription activated or cancelled, payment failed, and changes an administrator makes to your access — linked to your account ID, so that we can operate and reconcile billing. These are sent to PostHog’s EU servers. This is billing telemetry, not behavioural tracking: your browsing and viewing activity is never sent without your consent.
6. Your Rights
Under GDPR, you have the following rights:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of all data we hold about you |
| Rectification (Art. 16) | Correct inaccurate personal data |
| Erasure (Art. 17) | Request deletion of your account and associated data |
| Portability (Art. 20) | Receive your data in a machine-readable format |
| Object (Art. 21) | Object to processing based on legitimate interests |
| Restriction (Art. 18) | Request we limit processing while a dispute is resolved |
You can exercise the most common rights yourself in the app under Profile → Data & privacy: download a machine-readable export of your data, or permanently delete your account (deletion asks for your password, to confirm it is really you). Business accounts are an exception: they sign in on shared in-studio devices, so these self-service tools are not offered there — email contact@callaref.com and we will handle the request directly. For any other request, email contact@callaref.com; we respond within 30 days. Account deletion removes your profile and usage data from our active systems and cancels any active subscription. Two caveats: (1) billing/invoice records are kept for 7 years where Austrian tax law requires it (§132 BAO, GDPR Art. 17(3)(b)), in a form no longer linked to your profile; (2) data already transmitted to our processors (e.g. Stripe invoices, prior Mux/PostHog events) is removed on our documented request cycle, not instantly.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account profile | Until account deletion |
| Video progress & favourites | Until account deletion |
| Subscription records | 7 years (tax/accounting purposes) |
| Activity logs (IP, User-Agent) | 90 days |
| Partner login/watch events | 12 months |
| Consent & withdrawal-waiver records | Up to 3 years after account closure (legal-claims defence) |
| Billing & invoice records | 7 years (§132 BAO) |
8. Children
The Service is intended for users aged 16 and over. We do not knowingly collect data from children under 16. If you believe a child has registered, contact us at contact@callaref.com and we will delete the account promptly.
9. Security
We implement the following technical measures to protect your data:
- HTTPS encryption in transit (TLS)
- Row-Level Security on all database tables
- Signed, time-limited video playback tokens (2-hour expiry)
- Rate limiting on all API endpoints
- Timing-safe webhook signature verification
- Leaked password protection via k-anonymity hash check
10. Health and Fitness Disclaimer
The content provided through the Service — including all Reformer Pilates videos, instructions, and recommendations — is for general informational and educational purposes only. It is not a substitute for professional medical advice, diagnosis, or treatment.
You acknowledge and agree that you exercise entirely at your own risk. Calla Ref GmbH, its instructors, employees, partners, and affiliates shall not be liable for any injury, health issue, physical damage, or loss arising from or in connection with your use of the Service, including but not limited to injuries sustained during or as a result of following any workout content.
Before beginning any exercise programme, you should consult a qualified healthcare professional, particularly if you have pre-existing health conditions, injuries, or are pregnant. You are solely responsible for ensuring that the exercises are appropriate for your individual fitness level and physical condition.
By using the Service, you confirm that you are not pregnant. Reformer Pilates exercises may pose risks during pregnancy, and the Service is not designed for use by pregnant individuals. If you are or become pregnant, you must discontinue use of the Service and consult your healthcare provider before resuming any exercise programme.
By using the Service, you assume full responsibility for any risks, injuries, or damages — known or unknown — that may result from your participation in any activities shown or described on the platform.
11. Changes to This Policy
We will notify you by email and update the "Last updated" date at the top of this page if we make material changes. Continued use of the Service after notification constitutes acceptance.
12. Contact and Supervisory Authority
Questions: contact@callaref.com
You have the right to lodge a complaint with your national data protection authority. In Austria: Datenschutzbehörde. In Germany: BfDI or your state authority.