CALLABack

Legal

Privacy Policy

Last updated: May 18, 2026

1. Who We Are

Data Controller:
Calla Ref GmbH
Gumpendorfer Straße 63F, 1060 Vienna
Austria
Email: contact@callaref.com

We operate the CALLA REF platform at app.callaref.com ("the Service"), a curated Reformer Pilates video streaming app. If you have questions about this policy, contact us at contact@callaref.com.

2. What Data We Collect and Why

2.1 Account Registration

When you create an account, we collect:

DataRequiredLegal Basis
Email addressYesContract (Art. 6(1)(b) GDPR)
First and last nameYesContract
Phone numberOptionalContract
Date of birthOptionalContract
Partner / hotel codeIf applicableContract

We use this to create and manage your account, verify your identity, and send transactional emails (account confirmation, password reset).

2.2 Subscription Data

We record your subscription plan (B2C: monthly or annual; B2B: per-seat monthly or annual, or Enterprise), activation date, and renewal date to provide access to content.

Legal basis: Contract (Art. 6(1)(b) GDPR).

2.3 Usage and Progress Data

While you use the Service, we record:

  • Which videos you have watched and how many times
  • Your session completion status per video
  • Your last watched timestamp per video
  • Fitness goals you set (weekly sessions, weekly minutes)
  • Your activity streak (current and longest)
  • Videos you have marked as favourites

Purpose: To power your personal dashboard, progress tracking, and personalised recommendations. B2B / hotel-kiosk accounts do not have an individual dashboard; goals, favourites and streaks are not collected for them (see § 2.5).

Legal basis: Contract (Art. 6(1)(b) GDPR) — this data is core to the service you signed up for.

2.4 Activity Logs

We log the following events with a timestamp, your IP address, and browser/device identifier (User-Agent):

  • Login
  • Logout
  • Session start / session end

Purpose: Security monitoring, abuse prevention, and session integrity.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — to protect the platform and our users from unauthorised access.

Retention: 90 days. Logs older than this are deleted automatically.

2.5 B2B / Hotel Guest Users

If you access the Service via a hotel or partner kiosk, your usage may be tracked under a shared account. The following data is recorded per session:

  • Video watched, seconds watched, completion status
  • Timestamp

This data is shared in aggregated, anonymised form with the hotel/partner for analytics purposes. Individual guest data is not shared with the hotel.

Legal basis: Legitimate interests of the hotel partner to understand service usage.

3. Cookies and Local Storage

We do not use advertising cookies. Essential storage (keeping you signed in) is always active. Analytics and session recording are off by default and only run if you opt in via the consent banner. You can change or withdraw your choice at any time using the "Cookie settings" link in the footer.

StorageNamePurposeNecessary?
Cookie (session)Supabase auth tokenKeeps you logged inYes — required
localStoragecalla-music-volumeRemembers your music volume preferenceFunctional
localStoragecalla_consent_v1Stores your analytics consent choiceYes — required
localStoragecalla_device_tokenIdentifies this device for single-device sign-inFunctional
localStoragecalla_device_locationRemembers which studio location this device belongs to (business accounts)Functional
localStorage / cookiePostHog & Google AnalyticsProduct analytics — set only after you opt inConsent required
sessionStoragecalla-partner-codeRemembers your hotel/partner context for the current sessionFunctional

Auth cookies are set with SameSite=Lax and Secure=true (HTTPS only). Session storage is cleared when you close the browser tab. localStorage volume preference is cleared on inactivity timeout (kiosk mode only).

4. Third-Party Services

We share your data with the following processors. Each has signed a Data Processing Agreement (DPA) with us as required by GDPR Art. 28.

ProcessorPurposeData SharedLocation
Supabase Inc.Database, authentication, file storageAll account and usage dataEU (Frankfurt)
Mux Inc.Video streaming and deliveryVideo playback events, device type, IPUSA (SCCs in place)
Vercel Inc.Application hosting & basic web-vitals analyticsAll HTTP request data including IPUSA (SCCs / DPF)
PostHogProduct analytics & session recording — only with your consentUsage events, pages, device, IP, session replayEU (Frankfurt)
StripePayment processing & invoicingEmail, name, billing address, VAT ID, payment dataUSA (SCCs / DPF)
ResendTransactional & administrative emailEmail address, nameUSA (SCCs)
Google (Analytics 4)Web analytics — only with your consentPages, device, IPUSA (SCCs / DPF)

Mux Analytics: Mux collects basic playback analytics (buffering, quality metrics) via inferred.litix.io. This data is used to ensure video delivery quality. See Mux's Privacy Policy.

HaveIBeenPwned: When you reset your password, a partial hash of your new password is checked against the HaveIBeenPwned service to protect you from using compromised passwords. No identifiable data leaves your device — only a 5-character prefix of the password hash is transmitted.

5. Data Transfers Outside the EU

Your account database (Supabase) and product analytics (PostHog) are hosted in the EU (Frankfurt). Some processors are US-based (Mux, Vercel, Stripe, Resend, Google). Transfers to the USA are safeguarded by EU Standard Contractual Clauses (GDPR Art. 46(2)(c)) and, where the processor is certified, the EU–US Data Privacy Framework. Analytics processors (PostHog, Google) receive nothing from your browser unless you opt in. Independently of that choice, our servers send PostHog a small number of subscription-lifecycle events — checkout started, subscription activated or cancelled, payment failed, and changes an administrator makes to your access — linked to your account ID, so that we can operate and reconcile billing. These are sent to PostHog’s EU servers. This is billing telemetry, not behavioural tracking: your browsing and viewing activity is never sent without your consent.

6. Your Rights

Under GDPR, you have the following rights:

RightWhat it means
Access (Art. 15)Request a copy of all data we hold about you
Rectification (Art. 16)Correct inaccurate personal data
Erasure (Art. 17)Request deletion of your account and associated data
Portability (Art. 20)Receive your data in a machine-readable format
Object (Art. 21)Object to processing based on legitimate interests
Restriction (Art. 18)Request we limit processing while a dispute is resolved

You can exercise the most common rights yourself in the app under Profile → Data & privacy: download a machine-readable export of your data, or permanently delete your account (deletion asks for your password, to confirm it is really you). Business accounts are an exception: they sign in on shared in-studio devices, so these self-service tools are not offered there — email contact@callaref.com and we will handle the request directly. For any other request, email contact@callaref.com; we respond within 30 days. Account deletion removes your profile and usage data from our active systems and cancels any active subscription. Two caveats: (1) billing/invoice records are kept for 7 years where Austrian tax law requires it (§132 BAO, GDPR Art. 17(3)(b)), in a form no longer linked to your profile; (2) data already transmitted to our processors (e.g. Stripe invoices, prior Mux/PostHog events) is removed on our documented request cycle, not instantly.

7. Data Retention

Data CategoryRetention Period
Account profileUntil account deletion
Video progress & favouritesUntil account deletion
Subscription records7 years (tax/accounting purposes)
Activity logs (IP, User-Agent)90 days
Partner login/watch events12 months
Consent & withdrawal-waiver recordsUp to 3 years after account closure (legal-claims defence)
Billing & invoice records7 years (§132 BAO)

8. Children

The Service is intended for users aged 16 and over. We do not knowingly collect data from children under 16. If you believe a child has registered, contact us at contact@callaref.com and we will delete the account promptly.

9. Security

We implement the following technical measures to protect your data:

  • HTTPS encryption in transit (TLS)
  • Row-Level Security on all database tables
  • Signed, time-limited video playback tokens (2-hour expiry)
  • Rate limiting on all API endpoints
  • Timing-safe webhook signature verification
  • Leaked password protection via k-anonymity hash check

10. Health and Fitness Disclaimer

The content provided through the Service — including all Reformer Pilates videos, instructions, and recommendations — is for general informational and educational purposes only. It is not a substitute for professional medical advice, diagnosis, or treatment.

You acknowledge and agree that you exercise entirely at your own risk. Calla Ref GmbH, its instructors, employees, partners, and affiliates shall not be liable for any injury, health issue, physical damage, or loss arising from or in connection with your use of the Service, including but not limited to injuries sustained during or as a result of following any workout content.

Before beginning any exercise programme, you should consult a qualified healthcare professional, particularly if you have pre-existing health conditions, injuries, or are pregnant. You are solely responsible for ensuring that the exercises are appropriate for your individual fitness level and physical condition.

By using the Service, you confirm that you are not pregnant. Reformer Pilates exercises may pose risks during pregnancy, and the Service is not designed for use by pregnant individuals. If you are or become pregnant, you must discontinue use of the Service and consult your healthcare provider before resuming any exercise programme.

By using the Service, you assume full responsibility for any risks, injuries, or damages — known or unknown — that may result from your participation in any activities shown or described on the platform.

11. Changes to This Policy

We will notify you by email and update the "Last updated" date at the top of this page if we make material changes. Continued use of the Service after notification constitutes acceptance.

12. Contact and Supervisory Authority

Questions: contact@callaref.com

You have the right to lodge a complaint with your national data protection authority. In Austria: Datenschutzbehörde. In Germany: BfDI or your state authority.