What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This policy directly engages the GDPR (EU and UK), the California Consumer Privacy Act as amended by the CPRA, and potentially the Swiss Federal Act on Data Protection. The policy cites Standard Contractual Clauses and European Commission adequacy decisions as international transfer mechanisms, and names The DPO Centre Europe Ltd (EEA) and The DPO Centre (UK) as designated representatives. The FTC's general consumer protection authority is also relevant given the US-ba…

How does Calm's Calm Privacy Policy affect users?

The policy permits Calm to collect sensitive lifestyle data and share it with advertising partners and analytics providers for targeted advertising purposes. Users in California, the EU, and the UK are granted rights to access, correct, delete, and opt out of targeted advertising and data sharing under applicable law, with similar rights extended to other users subject to local legal requirements. Opt-out procedures are established through calm.com/optout, the Cookie Preferences Manager, and mo…

How often is Calm's Calm Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Calm updates this document?

Yes. Watcher subscribers ($9.99/month) can add Calm to their watchlist and receive same-day email alerts whenever this document or any other Calm document changes.

CA-D-000218

Calm Privacy Policy

Calm

Last change detected April 19, 2026 Privacy policy

SHA-256: 8ed73dc0c7bd8d40dc9… 2 versions captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Calm ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

7 Medium severity

3 Low severity

Summary

This document establishes Calm's data collection, use, and sharing practices for users of its meditation and sleep application. Calm collects personal data including sleep patterns, mood check-ins, meditation history, and health app data, and the policy authorizes use of this data for behavioral advertising on other platforms through advertising partners. The policy establishes opt-out mechanisms available through calm.com/optout, cookie preference settings, and device-level ad tracking controls.

Technical / Legal Breakdown

This document is Calm.com, Inc.'s Privacy Policy (last updated December 12, 2024), governing the collection, use, and disclosure of personal data across Calm's websites, mobile applications, and related services, with stated legal bases including contractual performance, legitimate interests, and consent depending on the processing activity. The policy states that Calm collects a broad range of data including identifiers, health-adjacent data (sleep habits, moods, check-in reflections), device and usage data, inferred characteristics such as gender and age estimates, and third-party health app data (Apple HealthKit, Google Health Connect); the terms authorize disclosure of this data to service providers, advertising partners, analytics providers, and affiliated entities, and permit use for behavioral advertising and cross-platform ad targeting. Notably, the policy discloses that Calm may convert email addresses or phone numbers into advertising identifiers for cross-platform ad targeting, and that it makes educated guesses about user gender or age from derived data; while these practices are disclosed, their interaction with GDPR's requirements around inferred sensitive data and the CCPA's definition of sensitive personal information may require further evaluation depending on jurisdiction. The policy explicitly engages GDPR (citing Standard Contractual Clauses and adequacy decisions for international transfers), the California Consumer Privacy Act as amended (CPRA), and the UK GDPR, with Calm.com, Inc. designated as data controller and named EU and UK DPO representatives identified; California consumers and EU/EEA/UK users receive materially distinct disclosures and rights, and compliance teams should note the policy's reliance on legitimate interests as a legal basis for marketing and analytics processing, which faces heightened scrutiny under GDPR.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

Medium — 7 provisions

Cross-Platform Ad Targeting Using Email or Phone Identifiers Compare →

Calm may share a hashed or converted version of your email address or phone number with advertising partners so they can target you with Calm ads on other websites and apps.

Added May 11, 2026 Standard Seen across 189 platforms
Health App Data Collection (Apple HealthKit and Google Health Connect) Compare →

If you give Calm permission, it can access your sleep data from your phone's health app, and it states it will only use that data for its original purpose without drawing health conclusions from it.

Added May 11, 2026 Standard Seen across 251 platforms
Inferred Characteristics Including Age and Gender Estimates

Calm may estimate your age and gender based on data it collects, even if you have not provided that information directly, and may use these inferences to predict your future behavior.

Added May 11, 2026 Rare
Disclosure of Data in Business Transactions

Calm may transfer your personal data to another company if Calm is acquired, merges, or sells its assets, even if that company has different privacy practices.

Added May 11, 2026 Rare
International Data Transfer Mechanisms Compare →

Calm transfers personal data outside of the EU and other jurisdictions and uses legal mechanisms such as Standard Contractual Clauses to make those transfers lawful; you can request a copy of these agreements by emailing Calm.

Added May 11, 2026 Standard Seen across 246 platforms
Behavioral Advertising and Cookie-Based Tracking Compare →

Calm allows third-party advertising and analytics companies to place tracking technologies on your devices to collect information about your behavior across the web and use it to serve targeted ads.

Added May 11, 2026 Standard Seen across 251 platforms
Mood, Sleep, and Wellness Data Collection Compare →

Calm collects sensitive personal information including your moods, personal reflections, sleep habits, and meditation goals that you enter during check-ins within the app.

Added May 11, 2026 Standard Seen across 251 platforms

Low — 3 provisions

Employer-Provided Subscription Disclosure Compare →

If your employer or a family member pays for your Calm subscription, Calm may tell them that you signed up and are using it.

Added May 11, 2026 Standard Seen across 198 platforms
User Privacy Rights and Global Applicability Compare →

All Calm users, regardless of where they live, have the right to know what data Calm holds about them, access or correct it, delete it, or opt out of data being used for advertising.

Added May 11, 2026 Standard Seen across 262 platforms
California Financial Incentives Notice

Calm may offer rewards like discounts or gifts in exchange for participating in surveys or providing testimonials, and collecting your personal data is part of that exchange; you can opt out of ongoing programs at any time.

Added May 11, 2026 Rare