Calido's privacy policy.
Calido is a video calling app for iPhone and iPad, with Android arriving after the iOS release, operated by Murat Pisat (“we”, “us”). This policy describes every piece of information the app and our backend touch.
The short version. Calls are peer-to-peer and SRTP-encrypted. We do not see, record, or transcode audio or video. We do not use advertising identifiers, analytics SDKs, location, or your device's contact book. We collect what we need to sign you in, ring the other phone, and keep abusive accounts off the service.
1. Information we collect
From you, at sign-up
- Email address, verified through our identity provider (self-hosted Logto). Apple Hide My Email relays are detected and not used for auto-linking.
- Display name you choose for your profile.
- Username (5–32 characters, lowercase) so other people can find you.
From your device, automatically
- Device identifier, generated by the app (not Apple's IDFA or vendor identifier). Used to route calls and correlate diagnostic logs.
- Device model and iOS version, and a capability record (codec support, HDR capture, HDR display).
- VoIP push token issued by Apple, so we can wake the app when someone calls you.
When you use the app
- Call metadata: caller, callee, timestamps, duration, end reason, and negotiated codec. The audio and video content itself is never collected.
- Contact relationships: who you added, blocked, or have a pending request with.
- Moderation reports you submit: category, free-text details (up to 2,000 characters), and an optional reference to the call or contact you are reporting.
- Diagnostic logs emitted by the app (encoder bitrate, FPS, ICE state, error codes). Logs deliberately omit authentication tokens, email addresses, and any text you type.
- Username and email lookups: the plaintext query is never stored. We keep only a one-way hash so we can detect abuse.
2. What we do not collect
- No precise or coarse location. Calido does not request location permission.
- No access to the iOS Contacts app. We never ask for it.
- No advertising identifier (IDFA). App Tracking Transparency is never shown.
- No Photos access. No microphone or camera access outside an active call.
- No health, fitness, financial, sensitive, or biometric data.
- No crash SDK, no Firebase Analytics, no Sentry, no Crashlytics, no Mixpanel, no Amplitude, no Meta Pixel.
- No cookies set by the Calido app or by Calido's own code on the marketing site. Cloudflare, as the edge host, may set a short-lived bot-mitigation cookie (__cf_bm); it is not linked to your account and is never read by us.
- No call audio or video is collected, stored, or reviewed.
3. Privacy Nutrition Label
For the Apple App Store privacy card, Calido declares:
| Category | What we declare |
|---|---|
| Data used to track you | None. |
| Contact Info (linked) | Name, Email Address |
| User Content (linked) | Customer Support (moderation report text only) |
| Identifiers (linked) | User ID, Device ID |
| Usage Data (linked) | Product Interaction (diagnostic events) |
| Diagnostics (linked) | Performance Data, Other Diagnostic Data |
4. How the app uses information
- Making calls ring. Routing call invitations to your devices via Apple Push Notification service (VoIP).
- Signing you in. Logto verifies your credentials; we store the resulting user ID and email on our servers.
- Finding people. Username and email discovery against accounts that exist on Calido, rate-limited to prevent enumeration.
- Keeping the service healthy. Diagnostic logs help debug call failures. They are linked to your user ID and never shown to other users.
- Moderation. Reports are reviewed and may lead to warnings, restrictions, or account termination.
5. Permissions the app requests
| Permission | When it's asked | Usage string |
|---|---|---|
| Camera | First video call or onboarding permission screen | “Calido needs camera access to capture HDR video for calls.” |
| Microphone | First call of any kind | “Calido needs microphone access for audio during calls.” |
| Local Network | Only when you open the Connection Test screen in Settings | “Calido uses local network access for the in-app Connection Test diagnostic.” |
6. Audio and video content
Audio and video stream peer-to-peer using SRTP. When a direct path is impossible, media is relayed through TURN servers we operate. The relay only forwards encrypted packets; it cannot decrypt them. Calido does not retain any TURN media traffic, and no frame or audio is persisted on any server we operate.
7. Who else sees your data
Calido uses these sub-processors. Every one is either self-hosted by us or is a standard Apple/Google service required to deliver calls.
| Party | Role | What they receive |
|---|---|---|
| Hetzner (Germany) | Backend, database, identity host | Account data at rest and in transit (backend, Postgres, Redis, Logto) |
| Apple Push Notification service | Wake push to iPhone | Device VoIP token; call ID, caller name, action |
| Logto (self-hosted) | Sign-in / identity | Email, display name, the password you enter on its pages |
| Apple & Google Sign-In | Federated sign-in (optional) | OAuth assertion forwarded via Logto |
| TURN relays (operated by us) | NAT traversal relay when direct peer-to-peer fails | Encrypted packets that are opaque to the relay and never stored |
| Google STUN | IP discovery for WebRTC | Transient public IP (standard WebRTC behavior) |
| Firebase Cloud Messaging | Android wake push (when Android ships) | FCM token and call payload (identical shape to APNs) |
| Cloudflare Pages | Static hosting and CDN for the marketing website only (not the app backend) | Standard HTTP request metadata (IP, user agent, URL, timestamp); automatic Web Analytics beacon is not injected on /calido/* |
We do not share data with advertising networks, data brokers, or analytics vendors. There are no such SDKs in the app.
8. Where data is processed
Account data, contacts, moderation records, and diagnostic logs are stored and processed on servers in Germany. Sign-in and push delivery go through Apple and Google's global infrastructure. TURN relay servers, used only when a direct peer-to-peer path fails, run in multiple regions so calls connect reliably worldwide. They only see encrypted packets and never store them.
These pages you are reading now are served from Cloudflare's global edge network. Cloudflare sees the standard request information every web host sees (your IP, your browser's user agent, the path you fetched, the time). This is used purely for delivery and bot mitigation; no analytics or tracking beacon runs on Calido pages.
9. How long we keep it
| Data | Retention |
|---|---|
| Account profile (profile, identity, devices) | Until you delete your account |
| Contact relationships (accepted, pending, blocked) | Until you remove the contact, unblock the user, or delete your account |
| Call signaling state (in Redis) | Up to 12 hours, then erased automatically |
| Call history (on your device, as JSON) | Until you delete the entry or uninstall the app |
| Diagnostic logs | Target ≤ 30 days, operator-managed |
| Discovery audit hashes | Target ≤ 30 days, operator-managed |
| Moderation reports | Indefinite, for moderation history |
| Username history | Indefinite, to prevent reclaim abuse |
| VoIP push tokens | Replaced on each app launch; cleared on account deletion |
| Identity session tokens | Refresh token 14 days; revoked on sign-out |
10. Your rights
You can exercise the following rights directly in the app or by writing to calido@murat.run.
- Access & portability: email us and we will export your data.
- Correction: edit your display name and username in Settings → Account.
- Erasure: Settings → Account → Danger Zone → Delete Account. See the account deletion page.
- Restriction & objection: email us.
- Blocking: swipe left on any contact and tap Block. Review or unblock anyone from Settings → Account → Blocked.
- Reporting: long-press a contact or tap Report during a call.
For residents of California: Calido does not sell or share personal information for cross-context behavioral advertising. There are no advertising network integrations.
11. Children
Calido is intended for adults. We do not knowingly collect data from children under 13 (or under 16 where that threshold applies). If we learn a child has an account, we delete it.
12. Security
- TLS on every client–server connection. SRTP end-to-end between peers.
- Identity tokens stored in the iOS Keychain; refresh tokens rotate on every exchange.
- Discovery queries are rate-limited and kept only as hashed prefixes.
- Suspended accounts are rejected at sign-in, device registration, and call setup.
13. Changes
When we update this policy we will change the date at the top and, for material changes affecting what we collect, notify users in-app.
14. Contact
Privacy inquiries: calido@murat.run. Controller of record: Murat Pisat (sole operator).