Last updated: 26 March 2026
Purpose of our policy
Calibre Analytics Pty Ltd ACN 617 601 582 (we, us or our) has adopted this Privacy Policy to ensure that we have standards in place to protect the Personal Information that we collect about individuals that is necessary and incidental to:
- Providing the system and services that we offer; and
- The normal day-to-day operations of our business.
This Privacy Policy follows the standards of:
- The Australian Privacy Principles set by the Australian Government for the handling of Personal Information under the Privacy Act 1988 (Cth) (Privacy Act);
- The regulations and principles set by the European Union's General Data Protection Regulation (EU GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR) for the handling of Personal Data; and
- The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA), for the handling of Personal Information of California residents.
By publishing this Privacy Policy we aim to make it easy for our customers and the public to understand what Personal Information we collect and store, why we do so, how we receive, obtain, store and/or use that information, and the rights of control an individual has with respect to their Personal Information in our possession.
Who and what this policy applies to
Our Privacy Policy deals with how we handle "personal information" and "personal data" as it is defined in the Privacy Act, the EU GDPR, the UK GDPR, and the CCPA respectively (Personal Information).
We handle Personal Information in two distinct capacities:
- As a controller (or "business" under the CCPA): We collect and process Personal Information about our customers, users, website visitors, and prospective customers for our own purposes, such as providing account access, billing, customer support, and marketing.
- As a processor (or "service provider" under the CCPA): We process Personal Information on behalf of our customers in the course of delivering our Services, including data collected through synthetic monitoring and Real User Monitoring. This processing is governed by our Data Processing Agreement (DPA). If you are a visitor to a website that uses Calibre’s Real User Monitoring, the operator of that website (our customer) is the controller of your data, and you should refer to their privacy policy for information about how your data is handled.
Our Privacy Policy does not apply to information we collect about businesses or companies; however, it does apply to information we store about the people in those businesses or companies.
The Privacy Policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hardcopy.
If, at any time, an individual provides Personal Information or other information about someone other than himself or herself, the individual warrants that they have that person's consent to provide such information for the purpose specified.
We consider the protection of privacy of children very important. We do not knowingly collect personal data from children under the age of 16 without obtaining parental consent. If an individual is under 16 years of age, then they should not use or access the service at any time or in any manner. If we learn that Personal Information has been collected on the service from persons under 16 years of age and without verifiable parental consent, then we will take the appropriate steps to delete such information. For data collected through our Services on behalf of customers (including Real User Monitoring), age verification is the responsibility of the customer.
The information we collect
Information we collect as a controller
In the course of business it is necessary for us to collect Personal Information. This information allows us to identify who an individual is for the purposes of our business, contact the individual in the ordinary course of business and transact with the individual. The types of information we may collect include:
- Account Information. We collect personal details such as an individual's name, email address, and organisation when they register for a Calibre account.
- Contact Information. We may collect information such as an individual's email address, third-party usernames, residential, business and postal address and other information that allows us to contact the individual.
- Financial Information. We may collect financial information related to an individual such as any bank or credit card details used to transact with us, processed through our payment provider Stripe. We do not store full credit card numbers on our servers.
- Usage Information. We collect information about how individuals interact with Calibre, including log data, feature usage, and session information, for the purposes of improving our Services and providing support.
- Support Correspondence. We collect any personal correspondence that an individual sends us, including through our customer support platform (Intercom).
- Website Analytics. We use Fathom Analytics to collect anonymous usage data about visitors to calibreapp.com. Fathom does not use cookies and does not collect Personal Information.
Information we process on behalf of customers
When customers use our Services (including synthetic monitoring and Real User Monitoring), we process data on their behalf as a processor. This data may include:
- Synthetic monitoring data: Performance test results, page URLs, and associated metrics for websites the customer has configured for monitoring.
- Real User Monitoring (RUM) data: Performance metrics collected from real visitors to the customer's website, including page paths, Core Web Vitals measurements (LCP, CLS, INP), session identifiers (ephemeral, discarded when the browser tab closes), and derived data such as approximate city and country (derived from IP address at the network edge — the IP address itself is never stored), browser name and version, device vendor and model, and operating system.
This data is processed strictly in accordance with our customers' instructions and the Data Processing Agreement. We do not use this data for our own purposes other than as permitted by the DPA (such as generating anonymised, aggregated benchmarks that cannot identify any individual or customer).
How information is collected
Most information will be collected in association with an individual's use of our Calibre Analytics services (Calibre), an enquiry about Calibre, or generally dealing with us. However, we may also receive Personal Information from sources such as public records and our business partners. In particular, information is likely to be collected as follows:
- Registrations/Subscriptions. When an individual registers or subscribes for a service, account, connection or other process whereby they enter Personal Information details in order to receive or access something, including a transaction.
- Supply. When an individual supplies us with goods or services.
- Contact. When an individual contacts us in any way, including via email, our website, or our customer support platform.
- Access. When an individual accesses us physically we may require them to provide us with details for us to permit them such access. When an individual accesses us through the internet we may collect information using analytics services (see Website Analytics above).
- Real User Monitoring. When a customer installs our RUM JavaScript snippet on their website, the snippet collects performance data from the website's visitors. The snippet uses browser sessionStorage to maintain an ephemeral session identifier during a browsing session. No cookies are used. The session identifier is automatically discarded when the visitor closes their browser tab and is never used for cross-session tracking.
As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of when their Personal Information is being collected.
Where we obtain Personal Information without an individual's knowledge (such as by accidental acquisition from a client) we will either delete/destroy the information, or inform the individual that we hold such information, in accordance with the Australian Privacy Principles and the GDPR.
Lawful bases for processing (GDPR)
We will only process Personal Information when we can identify a lawful basis to do so. The lawful bases we rely upon are:
- Contractual necessity (Article 6(1)(b) GDPR): Where processing is necessary to perform our contract with you, such as providing access to Calibre, managing your account, processing payments, and delivering the Services you have subscribed to.
- Legitimate interests (Article 6(1)(f) GDPR): Where we have an identifiable legitimate interest and the processing is necessary to achieve it, balanced against the individual's interests, rights and freedoms. This includes product improvement, security monitoring, and fraud prevention. We will keep a record of our legitimate interests assessments.
- Consent (Article 6(1)(a) GDPR): Where we rely upon consent, we will only rely upon express, clear and informed consent. Any consent provided may specify and/or restrict the purpose, and can be withdrawn at any time without penalty. This includes consent for marketing communications.
- Legal obligation (Article 6(1)(c) GDPR): Where processing is necessary to comply with a legal obligation to which we are subject, such as tax reporting or responding to lawful requests from authorities.
For data we process on behalf of customers (as a processor), the lawful basis for processing is determined by the customer (as controller).
When personal information is used and disclosed
In general, the primary principle is that we will not use any Personal Information for any purpose other than that for which it was collected, except with the individual's permission.
We will retain Personal Information for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. Specific retention periods are set out in the Data Retention section below.
If it is necessary for us to disclose an individual's Personal Information to third parties in a manner compliant with applicable data protection laws in the course of our business, we will inform you that we intend to do so, or have done so, as soon as practical.
We will not disclose or sell an individual's Personal Information to unrelated third parties under any circumstances, unless the prior written consent of the individual is obtained.
Information is used to enable us to operate our business, especially as it relates to an individual. This may include:
- The provision of goods and services between an individual and us;
- Verifying an individual's identity;
- Communicating with an individual about their relationship with us, our goods and services, and (where the individual has opted in) our marketing and promotions;
- Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; and/or
- As required or permitted by any law (including the Privacy Act).
The individual shall have the right to object at any time to the processing of their Personal Information for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. If we receive such a request, we will stop the processing of Personal Information for direct marketing purposes immediately without charge or penalty.
There are some circumstances in which we must disclose an individual's information:
- Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of;
- As required by any law (including the Privacy Act); and/or
- In order to sell our business (in that we may need to transfer Personal Information to a new owner).
Automated processing
We use automated processing in limited circumstances:
- Bot detection: Our Real User Monitoring service uses automated techniques to identify and filter out bot and automated traffic at the network edge, including analysis of request patterns, user agent strings, and behavioural heuristics. This processing determines whether performance data is collected or discarded.
- Sampling: When customers configure a sampling rate for RUM, the system automatically determines whether to collect data from a particular visitor session.
No decisions with legal or similarly significant effects are made about individuals based on automated processing alone.
Sub-processors and third parties
We use trusted third-party service providers to help us operate our business and deliver our Services. A current list of sub-processors is maintained on our GDPR page.
We require all sub-processors to enter into data processing agreements with us and to implement appropriate technical and organisational measures to protect Personal Information.
International data transfers
Our servers and primary database are located in the United States. For Real User Monitoring, data is initially processed at globally distributed edge locations (provided by AWS Lambda@Edge) nearest to the website visitor, before being securely transferred to our centralised database in the United States.
For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on:
- The EU Standard Contractual Clauses (2021 SCCs), as adopted by the European Commission;
- The UK International Data Transfer Addendum to the EU SCCs; and
- Supplementary measures including encryption in transit (TLS 1.3 for RUM, TLS 1.2 or higher for other services), encryption at rest, data minimisation (particularly for RUM, where no IP addresses are stored), and customer controls (EEA/EU exclusion, sampling, path masking, configurable retention).
Details of these transfer mechanisms and supplementary measures are set out in our Data Processing Agreement (Schedule 1, Parts D and F).
Individuals in the EEA and UK retain all rights under the EU GDPR and UK GDPR respectively, regardless of where their data is processed. The governing law clause in our Terms of Service does not affect these rights.
Data retention
We retain Personal Information for the periods set out below, unless a longer retention period is required by law:
| Data Category | Retention Period |
|---|---|
| Account information | Duration of the account, plus 90 days after termination |
| Billing and payment records | 7 years (tax and accounting obligations) |
| Support correspondence | 3 years from last interaction |
| Marketing consent records | Duration of consent, plus 3 years |
| Synthetic monitoring data | Duration of the customer's subscription |
| RUM performance data | 3–24 months, as configured by the customer, with automatic deletion |
| Website analytics (Fathom) | As determined by Fathom Analytics' retention policy |
Opting "in" or "out"
An individual may opt to not have us collect and/or process their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. They will be aware of this when:
- Opt In. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us (for clarity, consent must involve an unambiguous positive action to opt in); or
- Opt Out. Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us.
If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact us using the details set out in the Contact section below.
The safety and security of personal information
We have appointed a Data Protection Officer to oversee the management of this Privacy Policy and compliance with applicable data protection laws. This officer may have other duties within our business and also be assisted by internal and external professionals and advisors.
We will take all reasonable precautions to protect an individual's Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks. Details of our security practices are available at calibreapp.com/security.
We use TLS encryption (TLS 1.2 or higher for platform services, TLS 1.3 for RUM) to protect data in transit, and AES-256 encryption to protect data at rest. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.
We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual's Personal Information to in accordance with this policy or any applicable laws), unless otherwise required by applicable data protection laws. The collection and use of an individual's information by such third parties may be subject to separate privacy and security policies.
If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.
We are not liable for any loss, damage or claim arising out of another person's use of the Personal Information where we were authorised to provide that person with the Personal Information.
Data breach notification
Where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information, then:
- We will immediately establish the likelihood and severity of the resulting risk to wider rights and freedoms of natural persons;
- If we determine there is a risk from the security breach, then we will notify the relevant supervisory authority and provide all relevant information on the particular breach as soon as reasonably practicable, and by no later than 72 hours after having first become aware of the breach;
- If we determine there is a high risk from the security breach, we will notify the affected individuals and provide all relevant information on the particular breach without undue delay;
- Where we are acting as a processor and become aware of a breach affecting data we process on behalf of a customer, we will notify the customer as soon as reasonably practicable, in accordance with our Data Processing Agreement.
We will document the facts relating to any security breach, its effects and the remedial action taken, and investigate the cause of the breach and how to prevent similar situations in the future.
Your rights
Rights under the GDPR (EEA and UK residents)
Subject to the EU GDPR and UK GDPR, individuals have the following rights:
- Right of access: You may request a copy of the Personal Information we hold about you.
- Right to rectification: You may request that we correct inaccurate or incomplete Personal Information.
- Right to erasure: You may request that we delete your Personal Information in certain circumstances.
- Right to restriction of processing: You may request that we restrict the processing of your Personal Information in certain circumstances.
- Right to data portability: You may request to receive your Personal Information in a structured, commonly used, machine-readable format.
- Right to object: You may object to the processing of your Personal Information based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making: You have rights in relation to automated decision-making and profiling.
We will respond to all requests as soon as practicable, and by no later than one month of receiving the request (or two months where the request is complex). Where we act as a processor, data subjects should direct their requests to the relevant customer (the controller) in the first instance. We will assist customers in responding to such requests in accordance with our Data Processing Agreement.
Rights under the CCPA (California residents)
If you are a California resident, you have the following rights under the CCPA:
- Right to know: You may request that we disclose what categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: You may request that we delete Personal Information we have collected about you, subject to certain exceptions.
- Right to correct: You may request that we correct inaccurate Personal Information.
- Right to opt out of sale or sharing: We do not sell Personal Information and do not share Personal Information for cross-context behavioural advertising purposes. Therefore, there is no need to opt out.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
Where we act as a service provider (processor) under the CCPA, we process Personal Information on behalf of our customers strictly for the business purposes specified in our Data Processing Agreement. We do not sell, share, or use such information for any purpose other than performing the services.
To exercise any of your rights, please contact us using the details set out in the Contact section below. We may need to verify your identity before processing your request.
Rights under the Privacy Act (Australian residents)
Subject to the Australian Privacy Principles, individuals have the right to request access to and correction of their Personal Information. We will respond within 28 days of receiving a written request.
How to access, update and/or remove information
Users of Calibre can update their Personal Information from within their account or profile at any time to ensure it is accurate and complete.
It is an individual's responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any information that is provided to us that is incorrect.
Where a request to access Personal Information is manifestly unfounded, excessive and/or repetitive, we may refuse to respond or charge an individual a reasonable fee for our costs incurred in meeting their request. Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within 28 days.
We may be required to delete or remove all Personal Information we have on an individual upon request in the following circumstances:
- Where the Personal Information is no longer necessary in relation to the purpose for which it was originally collected and/or processed;
- When the individual withdraws consent;
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
- The processing of the Personal Information was otherwise in breach of applicable data protection laws;
- The Personal Information has to be erased in order to comply with a legal obligation; and/or
- The Personal Information is in relation to a child.
We may refuse to delete or remove all Personal Information we have on an individual where the Personal Information was processed for the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- For public health purposes in the public interest;
- Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- The exercise or defence of legal claims.
Complaints and disputes
If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the details below.
If we have a dispute regarding an individual's Personal Information, we both should first attempt to resolve the issue directly between us.
An individual in the EEA shall have the right to lodge a complaint with their local supervisory authority. An individual in the UK may complain to the Information Commissioner's Office (ICO). An individual shall also have the right to seek a judicial remedy where he or she considers that his or her rights under the GDPR have been infringed.
An individual in Australia may complain to the Office of the Australian Information Commissioner (OAIC).
Contacting individuals
From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies. Where such information is materially important to the individual's interaction with us, they may not opt out of receiving these communications.
Contact
All correspondence with regards to privacy should be addressed to:
Privacy Lead
Calibre Analytics Pty Ltd
V119 / 425 Smith Street
Fitzroy, Victoria, 3065
Australia
Email: privacy@calibreapp.com
Additions to this policy
If we decide to change this Privacy Policy, we will post the changes to this page and update the "Last updated" date above. Please refer back to this Privacy Policy to review any amendments.
We may do things in addition to what is stated in this Privacy Policy to comply with applicable data protection laws, and nothing in this Privacy Policy shall deem us to have not complied with such laws.