CalmBP Privacy Policy
This Privacy Policy explains how Double Door Media LLC ("CalmBP," "we," "us," or "our") collects, uses, shares, and protects information when you use the CalmBP iOS application (the "App") and the website at https://calmbp.com (the "Site"). It also explains the choices you have about that information.
Please read it carefully. If you do not agree with this Policy, please do not use the App or the Site.
CalmBP is designed for adults 18 and older in the United States. We do not knowingly direct the App or the Site to anyone under 18.
If you are a resident of Washington, Nevada, Connecticut, or any other state with a separate consumer-health-data law, please also review our Consumer Health Data Privacy Policy, which contains the disclosures and rights required by those laws.
1. Who We Are and How to Reach Us
Double Door Media LLC
Oregon, USA
Email: [email protected]
Support: [email protected]
If you have questions about this Privacy Policy or wish to exercise any of the rights described below, email [email protected]. We respond to verifiable rights requests within forty-five (45) days, as required by applicable law.
2. Scope
This Privacy Policy applies to information collected through the App and the Site. It does not apply to:
- Information collected by Apple about your device, your Apple ID, or your App Store purchases. Apple's privacy practices are governed by Apple's privacy policy.
- Information collected by Google when you sign in with a Google account. Google's privacy practices are governed by Google's privacy policy.
- Information collected by any third-party service that you may access through the App (for example, your device's calendar provider).
When you sign in with Apple or Google, the App receives only the limited account information that Apple or Google authorizes, typically a stable identifier and, if you choose, an email address.
3. Information We Collect
The categories below use the labels used in the California Consumer Privacy Act (Cal. Civ. Code §1798.140) and similar US state privacy laws.
3.1 Information You Provide Directly
- Account information. Your email address (from Apple Sign In or Google Sign In).
- Health and wellness data. Blood pressure readings (systolic, diastolic, pulse), the time at which each reading was taken, any notes or context tags you add, your medications and dosing schedule, whether you have taken each dose, walks and other exercise (duration, type, mood), sleep records (duration, quality), weight, sodium/alcohol/caffeine intake, resting heart rate, and your stated mood for the day.
- Nicotine and substance-use data. If you choose, your current nicotine status (never, former, current) and your nicotine or substance use, plus per-day usage counts and the timestamp of your most recent use. This information is used to time-contextualize your readings relative to recent use. You can decline to provide this at any time, change your status, or delete prior logs.
- Tracked profiles. If you track other people from your account ("tracked profiles", for example a parent, spouse, or other adult whose blood pressure you are helping manage), you may provide a display name, relationship label, and avatar emoji for each tracked person, along with the health data you record on their behalf. Tracked profiles are for other adults (18 and older) whose data you have authority to record. You are responsible for having that person's permission, or appropriate legal authority, to record and store their data in the App. See Section 3.5.
- Care Circle invitations. If you enable Care Circle (Plus Care feature), you provide the email address of each person you invite, whether a caregiver you ask to view your readings or a loved one you ask to follow. We use that email to deliver the invitation, to link the two accounts if it is accepted, and to deliver any Care Circle alerts you have configured. We do not use it for marketing.
- Voice entry (on-device only). When you use the voice-entry feature to log a reading, transcription happens entirely on your device. Your microphone is activated only while you are interacting with the voice-entry button, and the audio is processed locally to extract the spoken numbers. The audio recording never leaves your device. It is not sent to our backend or to any third party. We receive only the parsed blood pressure numbers from the on-device transcription.
- Photographs (transient). When you use the camera to scan your blood pressure cuff's display, the image is sent through our backend to our AI provider to read the numbers shown. The image is sent as captured (not de-identified) so the numbers can be read. The image is held only in memory long enough to receive the response and is never written to our database or to disk.
- Preferences. Your notification preferences (off, passive, normal) for each kind of reminder; your preferred walk window; your step goal; your selected app theme.
3.2 Information from Other Apps and Devices (with your permission)
- Apple HealthKit / Health Connect. With your explicit per-category permission, the App reads blood pressure readings, sleep, weight, walks, step counts, and resting heart rate from Apple Health (iOS) or Health Connect (Android). With your explicit permission, the App also writes blood pressure readings and weight back to Apple Health.
- Calendar. With your explicit permission, the App reads only the free/busy times in your device's calendar(s) so that it can suggest walks during gaps in your schedule. We never read meeting titles, attendees, locations, or content.
3.3 Information Collected Automatically
- Device and session information. The App collects information needed to operate, including your device's timezone, your operating system version, the App version, and a third-party push notification token used to deliver notifications. Your IP address is used for rate-limiting and abuse prevention, and we retain it only as long as needed for that security purpose. Our hosting provider's platform request logs also retain request metadata (including IP) per the provider's default log retention.
- Subscription state. Our subscription-management provider reports purchase and renewal events to us. We store your subscription status, expiration date, product identifier, and trial start date (for users who start a trial).
- Consent records. When you agree to our Terms of Service, Privacy Policy, or Medical Disclaimer (either by signing in, by tapping the acknowledgment on the first-launch disclaimer screen, or by re-accepting an updated policy), we record the version you agreed to and the timestamp. This is the only way we can answer "what did this user agree to and when" if a regulator or a dispute requires it.
- Diagnostic data. Our error-monitoring provider applies best-effort redaction that replaces health-data fields and blood-pressure-pattern numbers with placeholder tokens. Some of this scrubbing happens on your device and some happens on our provider's servers. The redaction is heuristic, so we cannot guarantee that no health information ever appears in a crash report.
- Doctor share link snapshots. When you mint a "Share via link" doctor share from the Show Doctor screen, we store the rendered report (HTML or PDF) so it can be retrieved at the public URL you share. The link is unauthenticated: no login is required to view it, so anyone you forward the link to can open the report until it expires (by default within about a day) or you revoke it from within the App.
3.4 Information We Do Not Collect
We do not collect:
- Location data (we don't request location permission)
- Contact lists or photo libraries
- Microphone audio outside of explicit voice-entry sessions
- Camera images outside of explicit cuff-scan sessions
- Web-browsing history or activity in other apps
- Persistent device advertising identifiers (IDFA)
- Behavioral or interest profiles for advertising
3.5 Information About Other People You Track or Share With
- Other people you track. Any tracked person must also be an adult (18 and older). If you use tracked profiles to log readings, medications, or other data for another adult, you represent that you have that person's permission, or appropriate legal authority, to record and store their data in the App. We treat data about a tracked person the same way we treat data about you under this Policy: the same use, retention, security, and sharing rules apply. If you export or share a tracked person's clinical report, you attest that you have that person's consent.
- Care Circle links. When you set up a Care Circle link, by inviting a caregiver or by accepting a caregiver's invitation to share your readings, we store the relevant email address so we can send the invitation and, if you authorize alerts, deliver Care Circle notifications. When the link is accepted, we associate the caregiver's CalmBP account with your Care Circle so the App can grant them read-only access to your account's wellness data, including the data of every other person you track under the account (tracked profiles). Caregivers cannot edit or delete records. Either member can revoke the link at any time from Settings → Care Circle, which immediately ends the caregiver's access.
4. How We Use Information
We use the categories above for the following business and operational purposes only:
- Provide and operate the App. Store, organize, and display your readings, medications, walks, sleep, weight, and other data; surface trends, averages, and patterns; generate reminders and nudges; sync your data across every device on which you sign in to the App.
- Generate insights. Compute correlations within your own data (for example, comparing your readings on walking days versus non-walking days). Generate the plain-language description of each insight using our AI provider, sending a de-identified summary (never your name, your email, or any identifier that links to you outside our systems). When you type your own question in Insights Chat, the words you type are also sent to our AI provider to answer it from that de-identified summary, as described in Section 13.
- Communicate with you. Send push notifications you have opted in to; respond when you contact support; send transactional emails for the small set of account events that require a response delivered to your inbox (email verification, Care Circle invitations to caregivers you choose, confirmation when you delete your account, and security incident notices required by law). For other notices, including changes to this Policy, we use in-App messaging. We do not use your information for marketing email.
- Process subscriptions and prevent fraud or abuse. Receive subscription events from our subscription-management provider; enforce per-user rate limits on the cuff-display photo-scan feature; detect and limit automated/bot-like usage patterns.
- Improve reliability. Investigate crashes and errors via our error-monitoring provider; fix defects.
- Comply with law. Respond to legal process, protect our legal rights, and meet our regulatory obligations.
We do not use your information to:
- Show you advertising
- Build a profile of you for advertising
- Train any third party's general-purpose AI model
5. How We Share Information
We share information only with the limited set of service providers and only for the purposes listed below. Each provider acts as our service provider/processor under written terms and may not use the data for its own purposes.
| Category of recipient | What they receive | Why |
|---|---|---|
| Apple, Inc. | Limited account info for Sign in with Apple; In-App Purchase events; HealthKit reads/writes (on-device) | Authentication, subscription billing, on-device health data access |
| Our AI provider | Cuff images during the cuff-display scan, sent as captured (not de-identified) so the numbers can be read; for the AI Insights path, a de-identified window of your recent health metrics, from which we remove direct identifiers such as your name and email. The AI sees that you take medications and your adherence, but not the medication names. Processed on the provider's paid tier (under our agreement with the provider, data submitted on this tier is not used to train its models). | Image-to-data, insight-text generation, and AI Insights Suite (Daily Briefing, Insights Chat, Weekly Recap). Content is processed in-memory and not persisted by us. Voice audio is never sent to the AI provider. Voice transcription is fully on-device. |
| Sign-in providers (Apple, Google) | Limited account info to verify your identity | Authentication |
| Our cloud hosting provider (US) | All data your App sends to our backend, in transit | Hosting our backend service |
| Our cloud database and authentication provider (US) | All data your App stores in our database (all tiers) | Encrypted database storage and authentication |
| Our subscription management provider | Your user identifier, App Store/Play subscription events, your subscription state | Subscription management; cross-device entitlement |
| Our push-notification delivery provider | A device push token and push notification payloads. Most payloads contain only non-clinical reminder text. A Care Circle alert (Plus Care), sent to a caregiver's own device, also includes the private label the caregiver chose for the person they support and the fact that a reading crossed the caregiver's alert threshold or that the person has not logged recently. The reading values themselves are not included; they stay in the app. | Push delivery to Apple/Google notification services |
| Our error-monitoring provider | Crash reports, stack traces, basic device context, with best-effort redaction of health-data fields | Error monitoring |
| Our transactional email provider | Recipient email address and message content. Invitation and verification emails contain no health data. A clinical report you choose to export may be delivered to your own email as an attachment via this provider. | Delivering transactional account email (including Care Circle invitations) and any report you choose to email yourself. Not used for marketing email. |
| Caregivers linked to your account | Read-only access to your account's wellness data in all categories, including the data of every other person you track under the account (tracked profiles). Caregivers cannot edit or delete records. Access continues until either member revokes it. | Allowing the person you chose to support you to view your wellness data |
| Recipients of a doctor share link | Whatever appears in the BP report you generate (readings, dates, medications you've logged, context tag categories). The link is unauthenticated, so anyone you forward it to can open the report until it expires or you revoke it. | Letting you show a clinician (or anyone else you choose) a recent snapshot of your blood pressure history without giving them App access |
On written request to [email protected], we'll share the current named list of subprocessors that fit each category above. The law in the regimes that apply to us requires categories, not names, so we list categories here and provide the specific names on request.
Care Circle sharing. If you enable Care Circle, a caregiver gets read-only access to your account's wellness data in all categories, including the data of every other person you track under the account (tracked profiles). A Care Circle link can start from either side: you can invite a caregiver to view your data, or you can accept an invitation from someone who asked to follow your readings. Either way, the access exists only because you authorized it by inviting or accepting, it stays read-only (caregivers cannot edit or delete your records), and you can revoke it at any time from Settings → Care Circle, which immediately ends their access. Members of an active circle also see your first name, to identify you.
Doctor share links. A doctor share link is an unauthenticated public URL. No login is required to view it, so anyone who has the URL can open the report until it expires (by default within about a day) or you revoke it. Treat the link like the report itself. You are responsible for who you send it to. We do not verify the recipient, do not confirm they are a clinician, and do not control what they do with the report once viewed.
We do not share information with any other party, except:
- With your consent (for example, if you tell us to share your data with a future integration you've authorized).
- In connection with a corporate transaction. If we sell or transfer any part of our business, your information may be one of the transferred assets. We will provide notice as required by law and your rights under this Policy will continue.
- As required by law. When compelled by valid legal process and after we have evaluated whether the process is valid, narrow, and legally enforceable.
We never share data sourced from Apple HealthKit for advertising, marketing, data mining, or any other purpose besides the core wellness functionality you asked us to provide. Apple's HealthKit terms require this and we adhere to it.
6. Where We Store Information
CalmBP is operated from the United States. All of our service providers store data in the United States. If you access the App from outside the United States, you understand that your information will be transferred to, processed in, and stored in the United States.
7. How Long We Keep Information
| Category | Retention |
|---|---|
| Account record and core health data (BP readings, medications and adherence, walks, sleep, weight, intake, mood, resting heart rate, nicotine logs) | While your account is active. Deleted promptly on an account-deletion request, and within thirty (30) days. Residual copies in server backups are overwritten on the standard backup-rotation cycle. |
| Operational and security records (diagnostics, abuse-prevention counters, notification logs) | While your account is active, and deleted with it. |
| Calendar free/busy windows | Up to seven (7) days in the past, fourteen (14) days in the future |
| Care Circle invitations and caregiver link records | While the invitation is pending or the caregiver link is active. Revoked, expired, or accepted-then-removed records are purged promptly. |
| Doctor share link snapshots (rendered HTML or PDF) | Until the link expires (by default within about a day) or you revoke it, then deleted. |
| Tracked profile records | Same retention as the account that owns them. Deleted when you archive the profile or delete your account. |
| Subscription state | For the life of the account, then deleted with the account |
| Consent acknowledgment records (policy versions, ack timestamps, arbitration opt-out flag) | For the life of the account. On deletion, retained for seven (7) years as a pseudonymous record to satisfy our legal-defense exception under GDPR Article 17(3)(e) and equivalent state-law provisions. No name, email, or health data is retained. |
| Aggregated, de-identified analytics | Indefinitely (cannot be used to identify you) |
You can request deletion at any time using the in-App "Delete account and all data" control, or by emailing [email protected].
8. How We Protect Information
We use industry-standard measures to protect your information:
- Encryption. We protect your information with encryption in transit and at rest, both on our servers and in the local database on your device. The on-device key is held in the platform's hardware-backed secure storage (the device keychain).
- Authentication. Session tokens are stored in the platform's hardware-backed secure storage so they are not captured by device backups.
- Access control. We apply access controls so the App returns only your data. Row-level database policies are in place as a secondary safeguard.
- Least-privilege practices. API keys are scoped and rotated; service-role credentials never leave our backend.
- Diagnostic data. Our error-monitoring service applies best-effort redaction so that blood pressure values, medication names, and other sensitive fields are scrubbed from crash reports. Some of this scrubbing happens on our provider's servers, so we cannot guarantee that no health information ever appears.
- Health data. We do not use HealthKit data for any purpose other than the App's wellness features.
No security system is perfect. If we ever experience a breach affecting your unsecured personal health information, we will notify you as required by law.
9. Your Choices and Rights
You have the rights below regardless of where you live, subject to the conditions and exceptions in applicable law. State-specific additional rights are described in Section 10.
- Access. Request a copy of the personal information we hold about you. Use Settings → Privacy & Data → Download all my data or email [email protected].
- Correct. Ask us to correct inaccurate information. Most fields are editable in-App; for anything else email [email protected].
- Delete. Ask us to delete your account and all associated data. Use Settings → Privacy & Data → Delete account and all data, or email [email protected].
- Portability. Receive your data in a portable, machine-readable format (JSON). Use Settings → Privacy & Data → Download all my data. The export covers the personal data you have provided or that we have derived from it. Operational records that are not personal data are excluded from the export but are still wiped if you delete your account.
- Withdraw consent. Revoke any in-App permission (HealthKit, calendar, notifications) at any time via iOS Settings. Revocation does not affect data already processed under that consent.
- Opt out of profiling for legal-effect decisions. We do not make legal-effect decisions about you using automated processing. The correlation engine produces wellness observations and does not affect your legal rights, your access to services, or any benefit.
- Non-discrimination. We will not deny you service, charge you a different price, or provide a different quality of service for exercising any right under this Policy.
To exercise any right, contact [email protected]. We will verify your request by asking you to send the request from the email address associated with your account, and we may ask for additional information solely to verify your identity. We respond within forty-five (45) days, with one extension permitted under applicable law.
10. State-Specific Notices
10.1 California Residents (CCPA / CPRA)
If you live in California, you have additional rights under the California Consumer Privacy Act, as amended:
- Right to know the categories of personal information we have collected about you, the categories of sources, the business and commercial purposes for collection, the categories of personal information disclosed for a business purpose, and the categories of third parties with whom we share information.
- Right to delete the personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information.
- Right to limit the use of sensitive personal information. Your health data is sensitive personal information under California law. We use it only to provide the App's features, to communicate with you, and as otherwise described in Section 4. We do not use it to infer characteristics about you. You may limit our use further by emailing [email protected].
- Right to non-discrimination for exercising any of these rights.
If you wish to designate an authorized agent to make a request on your behalf, the agent must provide written authorization signed by you and must be able to verify their identity directly with us.
10.2 Washington Residents (My Health My Data Act)
If you live in Washington, you have additional rights under the My Health My Data Act (RCW Ch. 19.373). Those rights, our consumer-health-data practices, and the categories of consumer health data we process are described in our separate Consumer Health Data Privacy Policy, which is linked from the homepage of calmbp.com.
10.3 Nevada Residents (SB 370)
If you live in Nevada, you have additional rights under SB 370. Those rights and our consumer-health-data practices are also described in our Consumer Health Data Privacy Policy. We do not sell consumer health data.
10.4 Connecticut Residents (CTDPA + Health Data Amendments)
If you live in Connecticut, you have additional rights under the Connecticut Data Privacy Act, including the right to access, correct, delete, port, and opt out of certain processing, and additional protections for consumer health data. Use the contacts in Section 9 to exercise these rights, or see our Consumer Health Data Privacy Policy.
10.5 Texas Residents (TDPSA)
If you live in Texas, you have rights under the Texas Data Privacy and Security Act. NOTICE: We do not sell sensitive personal data. Use the contacts in Section 9 to exercise your access, correction, deletion, portability, and opt-out rights.
10.6 Other US States
Residents of Colorado, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Rhode Island, Minnesota, Maryland, and other states with comprehensive privacy laws have the rights conferred by those laws, including, at minimum, the rights to access, correct, delete, port, and opt out of certain processing. Use the contacts in Section 9.
11. Children
CalmBP is intended for users 18 and older and is not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe someone under 18 has provided us with personal information, please contact [email protected] and we will delete it.
12. HealthKit-Specific Disclosure
When you grant the App access to Apple HealthKit, we will:
- Read only the categories of data you explicitly authorize (currently: blood pressure, sleep, weight, steps, walks, and resting heart rate).
- Use HealthKit data only to provide the App's health and wellness features (display readings, generate trends, compute correlations, set walk/medication reminders).
- Never use HealthKit data for advertising, marketing, data mining, profiling, sale, or any purpose other than the App's health features.
- Never disclose HealthKit data to any third party for advertising or marketing purposes.
This is required by Apple's HealthKit terms and we adhere to it.
13. AI Insights Suite (Plus subscribers, opt-in)
The AI Insights Suite (Daily Briefing, Insights Chat, Weekly Recap) is a Plus-only feature that is off by default. You enable it explicitly via an in-App consent screen separate from these Terms and from your HealthKit permission. You can revoke at any time in Settings → AI Features.
When enabled, here is what happens on each AI request:
- We assemble a de-identified payload from your data: blood-pressure values, the date/time of each reading, context tag categories you chose (e.g., "caffeine," "stressed"), Apple Health sleep / step / walking-workout totals, and that you take medications and your adherence. We remove direct identifiers. Your name, email, account identifier, device identifier, IP address, your medication names, and any free-text notes you've entered on readings are not included. When you type your own question in Insights Chat, the words you type are also sent to our AI provider to answer your question from that de-identified payload; that typed text is not stored and is not added to the de-identified payload.
- The payload is sent to our AI provider on its paid tier. Under our agreement with the provider, data submitted on this tier is not used to train its models.
- The provider returns a text response, to which we append our standard medical disclaimer.
- We do not store your prompts. A response may be briefly cached on our server and then deleted, so a repeated request does not trigger a duplicate AI call. We otherwise log technical metadata only, such as timing and whether a response was returned.
Chat history. Chat conversations are not saved as a history on our backend or on your device. Revoking AI consent in Settings → AI Features stops all further AI calls.
AI outputs are informational only and are not medical advice, diagnosis, or treatment. Do not delay seeking care from a licensed clinician based on AI output. In an emergency, call 911.
14. Cookies and Similar Technologies
The App is a native iOS application and does not use cookies in the App itself. The Site (calmbp.com) is a static information page that does not set cookies or run analytics scripts.
15. Changes to This Policy
If we materially change this Policy, we will notify you by displaying an acknowledgment-required notice in the App when you next open it. For material changes, we will give you at least thirty (30) days' advance notice in this way before the change takes effect. The "Effective Date" at the top of this Policy reflects the most recent version.
You can review previous versions by emailing [email protected].
16. Contact
Privacy questions, rights requests, and complaints:
[email protected]
General support:
[email protected]
Postal:
Double Door Media LLC
Oregon, USA
(For our postal address, request it via email; we provide it on request to comply with state-law disclosure obligations.)
© 2026 Double Door Media LLC. All rights reserved.