Last updated: 26 March 2026
What is GDPR?
The General Data Protection Regulation (GDPR) 2016/679 is a privacy and security law that applies to organisations collecting or processing the personal data of people within the European Economic Area (EEA). It mandates respect for fundamental privacy rights and accountability from businesses handling personal data. The United Kingdom has adopted its own equivalent regime under the UK GDPR and the Data Protection Act 2018.
At Calibre, we believe data privacy is essential, so we implement strategies beyond GDPR compliance to ensure your data is safe. We believe in collecting the minimum amount of data, not only out of respect for privacy but also to reduce possible risks.
Calibre has been compliant with GDPR since it came into effect on May 25, 2018. Here's what we do:
- We work with GDPR principles in mind, collecting only data necessary to deliver our Services and always respecting consent requirements.
- We have a lawful basis for all processing we carry out.
- We constantly re-evaluate our security practices and make efforts to secure your data further. Where possible, we only store the absolute minimum of data for as short a time as necessary.
- We have a Privacy Lead, execute Data Processing Agreements with our customers, and maintain DPAs with our sub-processors.
- We use the EU Standard Contractual Clauses (2021 SCCs) for international data transfers, supported by supplementary technical and organisational measures.
- We are clear about how your data is collected and used. We make it easy to obtain it and permanently delete it.
Real User Monitoring and data protection
Calibre’s Real User Monitoring (RUM) collects website performance data from real visitor sessions. RUM has been designed from the ground up with privacy as a core principle.
What RUM collects
The RUM JavaScript snippet collects performance metrics (such as Largest Contentful Paint, Cumulative Layout Shift, and Interaction to Next Paint), page paths, page titles, and an ephemeral session identifier stored in sessionStorage. At the network edge, coarse location data (city, country), browser information, and device characteristics are derived from the request.
What RUM does not collect
- No IP addresses are logged or stored. IP addresses are used transiently at the network edge to derive approximate geographic location, then discarded. They are never written to any database or log.
- No cookies are used. The RUM snippet does not set or read any cookies.
- No cross-session tracking. The session identifier is stored in sessionStorage, which is automatically cleared when the visitor closes the browser tab. Visitors cannot be tracked across sessions.
- No directly identifying information. The RUM snippet does not collect names, email addresses, or any other directly identifying personal data.
Privacy controls for customers
Customers deploying RUM have granular control over data collection:
- EEA/EU exclusion: Customers can disable RUM data collection entirely for visitors located in the EEA or EU. When enabled, the RUM snippet returns an empty response and no data is collected.
- Sampling rate: Customers can configure what percentage of sessions are collected (e.g. 15%, 50%, 100%).
- Path masking: Customers can override page paths to prevent sensitive information (such as user IDs or account numbers) from being sent to Calibre.
- Allowed origins: Only domains explicitly authorised by the customer can send RUM data to Calibre.
- Data retention: Customers choose a retention period between 3 and 24 months. Data is automatically deleted after the configured period.
- Element attribution: Customers can control how page elements are identified using custom naming.
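As an added illustration (not Calibre's RUM snippet), the following shows the browser side of three of the controls above: an ephemeral per-tab identifier in sessionStorage instead of a cookie, path masking applied before any beacon is built, and a sampling decision that drops unsampled sessions entirely. The function names, the `rum_sid` key and the default masking rule are assumptions made for this example.

```javascript
// Added example, not Calibre's code. Assumed default masking rule: path
// segments that look like numeric IDs, UUIDs or long hex tokens are replaced
// so account identifiers never leave the browser. A customer-supplied
// override function (the "path masking" control) takes precedence.
const ID_SEGMENT =
  /^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{16,})$/i;

function maskPath(path, override) {
  if (typeof override === "function") return override(path);
  const [pathname] = path.split(/[?#]/, 1); // query strings and fragments are never sent
  return pathname
    .split("/")
    .map((seg) => (ID_SEGMENT.test(seg) ? ":id" : seg))
    .join("/");
}

// sessionStorage is scoped to the tab and cleared when it closes, so the id
// cannot link visits across sessions. `storage` is injected so the logic also
// runs outside a browser (an in-memory stand-in in tests).
function getSessionId(storage, randomHex = defaultRandomHex) {
  let id = storage.getItem("rum_sid"); // assumed key name
  if (!id) {
    id = randomHex();
    storage.setItem("rum_sid", id);
  }
  return id;
}

function defaultRandomHex() {
  const bytes = new Uint8Array(16);
  (globalThis.crypto || require("crypto").webcrypto).getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Returns the beacon payload, or null when this session falls outside the
// configured sample rate (nothing is collected or sent in that case).
function buildBeacon({ path, title, metrics, storage, sampleRate = 1,
                       pathOverride, rand = Math.random, randomHex = defaultRandomHex }) {
  if (rand() >= sampleRate) return null;
  return {
    sid: getSessionId(storage, randomHex),
    path: maskPath(path, pathOverride),
    title,
    metrics, // constructed shape, e.g. { lcp: 1800, cls: 0.05, inp: 120 }
  };
}
```

In a real deployment the customer's override would run before `buildBeacon`, and the `rand` and `randomHex` parameters exist only so the sampling and identifier logic can be exercised deterministically.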
Customer obligations
When deploying RUM, the customer is the controller of the data collected from their website visitors. This means the customer is responsible for:
- Privacy notices: Informing website visitors that performance data is collected, that session identifiers are stored in sessionStorage, and that data is transferred to the United States for processing.
- Consent: Obtaining any consent required under applicable laws. This may include consent under the ePrivacy Directive (or equivalent local laws) for the use of sessionStorage on the visitor's device. The legal analysis may vary by jurisdiction, and customers should seek their own legal advice on this point.
- Data subject requests: Responding to access, deletion, or other requests from their website visitors. Calibre will provide reasonable assistance in responding to such requests in accordance with our Data Processing Agreement.
Data Protection Impact Assessments
Depending on the scale and nature of their deployment, customers using RUM may be required to conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35. Our Data Processing Agreement (Schedule 1) provides detailed documentation of processing activities, data flows, technical measures, and privacy safeguards to support this assessment. Calibre will provide reasonable additional assistance upon request.
Cookie consent
Calibre’s website (calibreapp.com) uses Fathom Analytics for website analytics. Fathom does not use cookies, does not collect personal data, and is fully compliant with GDPR, ePrivacy, and CCPA without requiring visitor consent. As a result, we do not display a cookie consent banner on our website.
The Calibre RUM snippet, which operates on our customers' websites, also does not use cookies. It uses sessionStorage for an ephemeral session identifier that is automatically discarded when the browser tab is closed.
International data transfers
All Calibre data is stored in the United States. For Real User Monitoring, data is initially processed at globally distributed edge locations (provided by AWS Lambda@Edge) nearest to the website visitor, before being securely transferred to our centralised database in the United States.
Transfer mechanisms
For transfers of personal data from the EEA, the UK, or Switzerland, we rely on:
- EU Standard Contractual Clauses (2021 SCCs): Our Data Processing Agreement incorporates the EU Commission's Standard Contractual Clauses (Implementing Decision 2021/914) with a completed annexure.
- UK International Data Transfer Addendum: For transfers from the UK, our DPA includes the UK International Data Transfer Addendum to the EU SCCs, as issued by the Information Commissioner's Office.
Supplementary measures
In accordance with the requirements of Schrems II (CJEU Case C-311/18), we implement supplementary technical and organisational measures to protect transferred data:
- Encryption in transit: TLS 1.3 or higher for platform services.
- Encryption at rest: AES-256 encryption for all stored data.
- Data minimisation: Particularly for RUM, where no IP addresses are stored and session identifiers are ephemeral.
- Customer controls: EEA/EU exclusion, sampling rate, path masking, and configurable data retention give customers granular control over what data is transferred.
- Edge processing: RUM data is processed at the edge location nearest to the visitor, with only processed, de-identified data transferred to the US.
Details of all supplementary measures are documented in Schedule 1, Part F of our Data Processing Agreement.
Our Data Processing Agreement (DPA)
A Data Processing Agreement (DPA) is a crucial component of GDPR compliance. Alongside our Privacy Policy and Terms of Service, it regulates the technical and organisational requirements for processing data (storage, protection, access, and usage).
Our DPA incorporates:
- GDPR Article 28 processor obligations
- The EU 2021 Standard Contractual Clauses with completed annexure
- The UK International Data Transfer Addendum
- Detailed Technical and Organisational Measures (Schedule 1, Part D)
- CCPA Service Provider obligations
- A comprehensive description of processing activities for both Platform Services and RUM Services (Schedule 1, Part B)
Contact us at privacy@calibreapp.com to request an executable copy. As a small team, we cannot make changes to the standard DPA and cannot agree to sign customers' own DPAs.
Data subject rights
If we are the controller
If your request relates to your Calibre account or data we hold about you directly (e.g. account information, billing data, support correspondence), you can contact us directly at privacy@calibreapp.com. We will respond within one month (or two months for complex requests).
You have the right to access, rectify, erase, restrict processing of, or request portability of your personal data. You also have the right to object to processing based on legitimate interests and to lodge a complaint with your local supervisory authority.
If we are the processor
If your request relates to data collected through a customer's use of Calibre (such as Real User Monitoring data collected from a website you visited), you should contact the operator of that website directly. They are the controller of your data.
If you contact us and we determine that we are acting as a processor for a customer, we will direct you to the relevant customer where possible and assist the customer in responding to your request in accordance with our Data Processing Agreement.
List of Sub-processors
We only send your data to trusted third parties when it's essential to provide core Calibre services. Here's a list of sub-processors we currently use:
| Sub-processor | Nature of processing | Location of sub-processor |
|---|---|---|
| Amazon Web Services, Inc. | Infrastructure hosting | USA |
| Honeybadger Industries LLC | Error monitoring | USA |
| Crunchy Data Solutions, Inc. | Database hosting | USA |
| Google Auth SSO | Authentication (SSO) | USA |
| ActiveCampaign | Application email delivery | USA |
| Intercom | Customer support | USA |
| Salesforce, Inc. | Application hosting | USA |
| SolarWinds (Papertrail) | Log management | USA |
| Render, Inc. | Platform hosting and infrastructure | USA |
California Consumer Privacy Act (CCPA)
For California residents, the following additional disclosures apply:
Our role
When we process data on behalf of our customers (including through RUM), we act as a service provider under the CCPA. We process personal information only for the business purposes specified in our Data Processing Agreement and do not sell, share, or retain personal information for any purpose other than performing the services.
Your rights
California residents have the right to know what personal information we collect, to request deletion, to request correction, and to opt out of the sale or sharing of their personal information. We do not sell personal information and do not share personal information for cross-context behavioural advertising.
To exercise your rights, contact us at privacy@calibreapp.com. See our Privacy Policy for full details.
UK GDPR
The United Kingdom has its own data protection regime under the UK GDPR and the Data Protection Act 2018. Calibre’s Data Processing Agreement includes the UK International Data Transfer Addendum to the EU SCCs for transfers of personal data from the UK.
UK residents have the same data protection rights as EEA residents, as set out in the Data subject rights section above. Complaints may be directed to the Information Commissioner's Office (ICO).
We're here for you
If you have any questions regarding data protection compliance at Calibre, we're here to help. Contact us at privacy@calibreapp.com.