Calm transfers personal data outside of the EU and other jurisdictions and uses legal mechanisms such as Standard Contractual Clauses to make those transfers lawful; you can request a copy of these agreements by emailing Calm.
This analysis describes what Calm's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
For EU, UK, and Swiss users, the lawfulness of data transfers to the US depends on these mechanisms being properly implemented and maintained.
Interpretive note: The policy does not specify which transfer mechanism applies in which context or confirm the existence of transfer impact assessments, creating some uncertainty about the completeness of compliance with post-Schrems II requirements.
Your personal data may be transferred to and processed in the United States, which may have different data protection standards than your home country; Calm states it uses legal transfer mechanisms including Standard Contractual Clauses to protect these transfers.
How other platforms handle this
Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable...
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.
Monitoring
Calm has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Where required by law, we provide adequate protection for the transfer of personal data in accordance with applicable law, such as by obtaining your consent, relying on the European Commission's adequacy decisions, or executing Standard Contractual Clauses. Where relevant, you may request a copy of these Standard Contractual Clauses by emailing us at support@calm.com.— Excerpt from Calm's Calm Privacy Policy
(1) REGULATORY LANDSCAPE: International data transfers from the EEA and UK to the US are regulated under GDPR Chapter V and the UK GDPR. The policy references European Commission adequacy decisions and Standard Contractual Clauses as transfer mechanisms. Following Schrems II, SCCs must be accompanied by a transfer impact assessment where the destination country's laws may not provide equivalent protection. The EU-US Data Privacy Framework may also be relevant if Calm has certified under it, though the policy does not reference this framework explicitly. (2) GOVERNANCE EXPOSURE: Medium. The policy asserts use of SCCs and adequacy decisions but does not specify which applies in which context, and does not reference transfer impact assessments. For organizations conducting due diligence on Calm as a data processor or sub-processor, the absence of specificity may require additional inquiry. (3) JURISDICTION FLAGS: EEA, UK, and Swiss users face the most direct exposure. The policy names separate representatives for EEA (The DPO Centre Europe Ltd, Dublin) and UK (The DPO Centre, London), which is consistent with post-Brexit requirements. Swiss users should be aware that Swiss data protection law has its own transfer requirements that may differ from the GDPR framework. (4) CONTRACT AND VENDOR IMPLICATIONS: Organizations using Calm as a vendor or employee benefit provider should request and review the applicable SCCs and any transfer impact assessments. The policy's offer to provide SCC copies upon request at support@calm.com is a positive disclosure commitment that should be tested in vendor assessments. (5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm whether Calm has certified under the EU-US Data Privacy Framework and whether UK adequacy or transfer mechanisms are separately documented. Periodic review of transfer documentation should be incorporated into vendor management cycles given the evolving landscape of international transfer regulations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
For EU, UK, and Swiss users, the lawfulness of data transfers to the US depends on these mechanisms being properly implemented and maintained.
Your personal data may be transferred to and processed in the United States, which may have different data protection standards than your home country; Calm states it uses legal transfer mechanisms including Standard Contractual Clauses to protect these transfers.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Calm.