Kalmoa Privacy Statement

 

1.    Who we are (Data Controller)

We are Kalmoa B.V., located at 3e Binnenvestgracht 23G, 2312 NR Leiden, The Netherlands, registered in the Dutch Chamber of Commerce under number 96089393 (“Kalmoa”, “we”, “us”, or “our”). This privacy statement applies to you if you use our services or interact with us, including the use of our website, mobile application, wellbeing scans, customer support channels and payment flows. In this privacy statement we explain what personal data we collect, how we use it, who we share it with, and how we keep it secure.

Kalmoa is the entity that determines the purpose and means of the processing of “personal data”: any information relating to an identified or identifiable natural person (also referred to as “data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In this context, Kalmoa acts as the data controller.

We are committed to protecting your personal data and ensuring transparency about how we process such personal data. Personal data will only be collected for valid purposes which will be explained to you. The personal data will not be used in any manner incompatible with those specified purposes. 

If you have questions about this privacy statement, please contact us at privacy@kalmoa.com.

 

2.    Personal data and purpose of processing

We process the following categories of personal data, depending on how you interact with us, and process such personal data for the purposes set out below:

 

App- and website data 

·            IP address;

·            Device type and model;

·            Operating system;

·            Browser type;

·            Session timestamps;

·            Usage and interaction data; and

·            Cookie preferences.

We process this personal data to ensure the proper functioning, security, and improvement of our website, mobile application, products and services, to maintain network security, and to prevent fraud.

Legal basis: performance of a contract (article 6(1)(b) GDPR). In addition, insofar as we process personal data to enhance our site and app functionalities, such processing is based on legitimate interest (article 6(1)(f) GDPR). These legitimate interests include improving user experience, ensuring IT security, addressing technical issues, and developing our digital services in line with user needs.

 

Account and contact information 

·            Name;

·            Email address;

·            Password or login credentials; and

·            Communication preferences.

We process this personal data to create and manage your Kalmoa account and your relationship with us, to enter into contracts (orders for products and services) with us, and to notify you about changes to our products and services, general terms and conditions or privacy statement. We may also process this personal data to maintain network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise.

Legal basis: performance of a contract (article 6(1)(b) GDPR).

 

Payment information

·            Name;

·            Payment details; and

·            Billing information.

We process this personal data to process payments for products and services, and to collect and recover money owed to us. We may also process this personal data to prevent fraud and in the context of a business reorganization or group restructuring exercise. 

Legal basis: performance of a contract (article 6(1)(b) GDPR).

 

Scan initiation information

·            Name;

·            Date of birth; and

·            Gender.

We process this personal data to confirm that, when a scan is initiated, the scan is associated with the correct person (user).

Legal basis: performance of a contract (article 6(1)(b) GDPR). 

 

Scan data

·            Identifier;

·            Date of birth;

·            Psychophysiological signals;

·            Derived wellbeing indicators; and

·            Interpretation values generated by our analysis engine.

We process this personal data to create and deliver wellbeing insights and present results to the user in the Kalmoa app. We may also use this data in aggregated and (pseudo)anonymized form as set out below. 

Legal basis: performance of a contract (article 6(1)(b) GDPR). We only process personal data that qualifies as special category data based on your explicit consent (Article 9(2)(1) GDPR).

 

Customer support information

·            Name;

·            Email address;

·            Phone number (optional);

·            Support ticket content (including problem description and system information); and 

·            Communication history. 

We process this personal data to provide customer support, and ensure the resolution of any (technical) issues with products or services.

Legal basis: performance of a contract (article 6(1)(b) GDPR).

Aggregated data 

We use aggregated data to provide users with a comparison between scans, for example to set out how a user’s scores relate to those of other men/women in their age category.

We furthermore use aggregated data, where possible in (pseudo)anonymized form, to improve our services and to run statistical analyses on the scan findings. 

Legal basis: the comparison is based on performance of a contract (article 6(1)(b) GDPR), and the additional use is based on our legitimate interest, namely to improve performance, reliability, and usability of our services (Article 6(1)(f) GDPR).

 

3.    How do we obtain your personal data? 

In most cases we collect personal data about you directly from you, for example when you provide your account and contact information, payment information, customer support information or scan initiation information. Additionally, we may collect psychophysiological signals measured by sensors in the headset you wear during the use of our scan app. We may also collect personal data directly through our app or website, for example the personal data collected through our cookies.

 

4.    Automated systems and AI tools

We use automated systems, including large language models (“LLMs”), solely to help create the narrative text of your scan results. The substantive analysis of scan data is performed exclusively by Kalmoa’s own algorithms, using our internal reference database. LLMs are only used to enhance readability and ensure user-friendly and consistent phrasing. 

The LLM does not conduct any analysis, interpretation, diagnosis or automated decision making. It only receives fully pseudonymized input, such as:

·            Age (or date of birth without identifiers);

·            Gender; and

·            Analysis descriptors.

The LLM never receives names, email addresses, account identifiers or raw scan signals.

 

5.    Automated decision making

We do not take decisions about you based solely on automated processing and do not engage in profiling.

 

6.    Who we share your personal data with?

To the extent necessary for any of the aforementioned purposes of processing, we share your personal data with third parties ("recipients"). The following categories of recipients may have access to your personal data:

·            Any of our subsidiaries and affiliates that support our processing of personal data under this privacy statement;

·            Service providers under contract with us to support our business operations and assist us in providing the products and services to you. Our current (sub)processors are: Google Cloud, Mollie and AWS Frankfurt; 

·            Our auditors, legal advisors and other professional service providers engaged by us for compliance reasons;

·            Government agencies, courts, supervisory authorities, law enforcement or intelligence agencies, if we have a legal obligation to provide personal data to them; 

·            Third parties for the purposes of fraud protection and credit risk reduction and to prevent cybercrime; and

·            Third parties buying or interested in buying (a stake in) Kalmoa, or in the context of a business reorganization or group restructuring exercise, and any professional service providers involved in such activities.

Under no circumstances will Kalmoa sell your personal data to any third party. All sharing of personal data with (sub)processors or other recipients as specified in this article occurs strictly without any form of sale, trade, or exchange for monetary value. 

 

7.    International data transfers

All personal data processed by us and our processors stays within the European Economic Area (“EEA”), or is only transferred to countries for which the European Commission has adopted an adequacy decision. If it becomes necessary to transfer personal data to countries outside the EEA that do not have such an adequacy decision, we will ensure that appropriate safeguards are implemented as required under the GDPR. These safeguards may include use of Standard Contractual Clauses approved by the European Commission or other permitted mechanisms.

 

8.    Data retention

In principle, your personal data will not be kept longer than necessary for the purpose for which your personal data was collected, unless a legal obligation obliges us to keep the personal data for a longer period, such as the seven-year fiscal retention period. 

You may request deletion of your personal data at any time.

 


 

 

9.    Security

Kalmoa is committed to securing the processing of your personal data by maintaining adequate administrative, technical and physical controls which are designed to protect your personal data against loss or theft, as well as against any unauthorized access, risk of loss, disclosure, copying, misuse or modification. Therefore, we have implemented security measures where appropriate and applicable, such as, but not limited to:

·            Encryption of personal data in transit;

·            Strict access controls;

·            Multi-factor authentication;

·            Logging and monitoring;

·            Secure storage in a dedicated cloud environment;

·            Strong (sub)processor oversight; and

·            Regular vulnerability assessments.

 

10.  Your rights under applicable data protection law

 

·            Right of access – You have the right to request access to the personal data we process about you, more specifically about the purposes, the categories of personal data concerned, the (categories of) recipients, the retention periods or the criteria for establishing them, the source of the personal data and the appropriate safeguards in case of transfer of the personal data outside the EEA.

 

·            Right to rectification of personal data and restriction of processing – You have the right to have incorrect personal data that we process about you rectified, and to have incomplete personal data completed by us. Furthermore, you have the right, at your request, to restrict personal data processing in the following cases:

o     If you dispute the accuracy of the personal data, you may ask us to restrict the personal data processing for the period during which we verify the accuracy of the personal data;

o     If the processing is unlawful and you request us, instead of deleting the personal data, to restrict the use of the personal data; 

o     In case we no longer need your personal data for the processing purposes, but you still need them for the establishment, exercise or substantiation of a legal claim;

o     If you have objected to the processing of your personal data, and you are awaiting our response as to whether our legitimate interests outweigh your interests.

 

·            Right to object  –  You have the right to object to the processing of personal data because of your specific situation, but only insofar as this processing is carried out on the basis of one of our legitimate interests. We will then cease processing your personal data unless our interest in processing your personal data outweighs your interests or when our interest is related to the establishment, exercise or enforcement of a legal claim.  

 

·            Right to the deletion of personal data – In the following cases, you may have the right to have personal data deleted by us at your request:

o     If we no longer need the personal data for the purposes for which it was collected or obtained;

o     If you have withdrawn your consent, insofar as your personal data are processed on the basis of consent, and we also have no other legal basis for processing your personal data;

o     If you have objected to the processing of your personal data and we have no overriding interest, or if you have objected to the processing of your personal data for direct marketing purposes;

o     If we need to delete personal data in order to comply with a statutory obligation.

Please note that the above does not apply in all cases. We do not have to delete your personal data if we need it for, as an example, the establishment, exercise or substantiation of a legal claim. 

 

·            Right to personal data portability – If we process your personal data pursuant to your consent or in execution of an agreement with you and the processing is automated, you have the right to obtain your personal data from us or have us transfer it to a third party in a commonly used file format.

 

·            Right to withdraw consent – If your personal data is processed on the basis of consent, you have the right to withdraw your consent at any time. Please note that withdrawing consent does not affect personal data processing that took place before you withdrew your consent. 

 

You can exercise all of the aforementioned rights by sending an e-mail to privacy@kalmoa.com clearly describing your request. Please note that we need to establish your identity before we can respond to your request. How we do this depends on your specific situation. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 

·            Right to file a complaint – If you disagree with the way we process your personal data, you have the right to file a complaint with the competent Data Protection Authority.

 

11. Changes to this privacy statement

We may update this privacy statement to reflect changes in our services or legal requirements. The latest version is always available on our website and can be accessed here.

 

12. Special information for California residents

The California Privacy Rights Act (the “CPRA”) provides specific rights to California consumers regarding their personal information. The following provisions apply only to California consumers. To the extent that the following provisions are different from the general provisions above, the following provisions prevail.

Right to Know:

You have the right to send us a request, not more than twice in a 12-month period, for any of the following information.

  • The categories of personal information we collect, use, share, sell and disclose about you;
  • The categories of sources of the personal information that we collect about you;
  • Our business or commercial purposes for such collection or disclosure of personal information;
  • The categories of third parties with whom we disclose, share, or sell that personal information, and categories of personal information that each recipient received; and
  • The specific personal information that we collect about you.

Right to Deletion:

You have the right to request that we delete any of your personal information that we have collected from you and retained, subject to certain exceptions.

For example, we may deny your deletion request if retaining the information is necessary for us to complete the transaction or service that you requested, detect security incidents, or enable internal uses that are reasonably aligned with your expectations.

How to exercise your California privacy rights:

Mechanisms to submit Requests to Know and to Delete:

To exercise the right to know and the right to delete, please submit a verifiable consumer request to us by sending us an email at: privacy@kalmoa.com
Please describe your request with sufficient detail that allows us to properly understand, verify, evaluate, and respond to it.

Process:

Once the initial identification and verification process is complete, we will send you an acknowledgement of receipt within 10 days from receiving your request and a reference number. Any request that you submit to us is subject to an identification process to verify your identity or authority to make the request.

Note, we cannot respond to your request if we cannot verify your identity or authority to make the request and confirm with a level of confidence appropriate to the sensitivity of the information that the personal information we have collected and retained in our systems and databases relates to you.

Time period:

We will endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you.

Designating an authorized agent:

To exercise any of these privacy rights you can also designate another person to act on your behalf. In this case, we will need this person to provide us with a legally-enforceable written authorization (such as a power of attorney, or proof that the agent is registered with the Secretary of State to act on your behalf).

Fees:

We will typically not charge a fee to fully respond to your requests. However, if we determine that the request warrants a fee according to the CPRA, we will tell you why and give you a cost estimate before completing your request.

To obtain this information in an alternative format:

If you require this notice to be provided in a different format, please contact us at privacy@kalmoa.com.

Right to Opt-out of the Sale or Sharing of Personal Information:

California consumers also have the right to opt out of the “sale” or “sharing” of their personal data, as such terms are defined under the CPRA.

Under the CPRA, the term “sell” means exchanging your personal information by us with a third party for money or anything else of value.  The term “share” means disclosing your personal information by us to a third party for cross-context behavioral advertising, in exchange for money or anything else of value. Thus, when we use the term “share” under this section, we are using it in the narrow meaning of how it is defined under California law.

Currently, we do not “sell” and/or “share” Personal Information in order to participate in digital advertising networks to deliver advertising that is tailored to your interests. 

Right to Opt-out of Profiling:

California consumers—subject to certain exceptions—may have a right to opt out of forms of automated processing performed on personal information to evaluate, analyze, or predict personal aspects related to your economic situation, health, personal preferences, interests, reliability, behavior, location or movements (“Profiling”).

We engage in cookie-based or digital advertising-based Profiling. To opt out of this practice, please follow the instructions detailed above regarding opting out of the sale or sharing of your personal information. 

We do not otherwise engage in Profiling. 

 

Right to Limit Disclosure of Sensitive Personal Information:

California Consumers may have a right to limit the processing of their Sensitive Personal Information (as defined by the CPRA). We do not collect or process Sensitive Personal Information for inferring characteristics or use or disclose Sensitive Personal Information for purposes other than those permitted by law. 

Financial Incentives:

We may offer various financial incentives permitted by the CPRA that can result in different prices, rates, or quality levels. Any permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.

 

Nevada residents

Nevada residents have the right to opt-out of the sale of certain covered information collected by website operators. While we do not sell your personal information as defined under Nevada law, if you are a Nevada resident, you may still submit an opt-out request to privacy@kalmoa.com.

 

Other state residents

If you reside in Virginia, Colorado, Connecticut, Utah, or another state with a comprehensive privacy law, you may have additional rights as described in Section 9 above. Please contact us at privacy@kalmoa.com to exercise these rights.

 

 

Last updated: March 4, 2026