Kalum Privacy Policy
NeuEra Apps ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Kalum mobile application and related services (collectively, the "Service").
Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
1. Who We Are
Data Controller: NeuEra Apps, operated by Parham Modirniya, United States of America.
Privacy contact: hello@neuera.app
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, NeuEra Apps acts as the data controller for the personal information collected through Kalum.
2. Information We Collect
2.1 Personal Information You Provide
- Phone Number: Required for account creation and verification through Firebase Authentication (Google).
- Email Address: Optional. You may provide an email for account recovery and customer-support correspondence.
- Country of Residence: Selected during registration to determine the legal market and the currency for purchases.
2.2 Information Collected Automatically
- Call Metadata: Destination phone numbers you dial, call duration, call status (completed, failed, busy, no answer, canceled), call start/end timestamps, and the country code of each destination.
- Transaction Data: Credit purchases, amounts in your local currency and in USD, payment method type (Apple in-app purchase, card via Stripe, Google Pay via Stripe), and transaction timestamps. On iOS, purchases are processed by Apple and we receive an Apple transaction identifier, the product identifier, and a signed receipt. On Android and the web, purchases are processed by Stripe and we receive a payment method type but never the card number itself.
- Device and App Information: Operating system and version, app version, model information, and language preference, used to deliver correct app behavior and to investigate bugs.
- Device Attestation Tokens: Firebase App Check (Play Integrity on Android, DeviceCheck on iOS) generates a token confirming that requests come from a genuine, unmodified Kalum app. The token is verified by Firebase and does not identify you personally.
- Crash Diagnostics: If the app crashes, Firebase Crashlytics captures a stack trace, the device model, the OS version, and the app state at the moment of the crash. Crashlytics installation IDs are pseudonymous and not linked to your phone number by us.
- Network Address: Your IP address is observed transiently when you connect, and is used for rate limiting and abuse prevention. We do not build a long-term profile from your IP.
2.3 Information Stored on Your Device
The following data lives only on your device. It does not leave the device unless you explicitly send it (for example, in a customer-support email):
- Authentication Tokens: Encrypted and stored in your device's secure storage — iOS Keychain (hardware-backed where available) or Android EncryptedSharedPreferences (AES-256).
- Saved Contacts: A list of contacts you have added inside Kalum (name, phone number, country code). Contacts may be added manually or imported from your device's address book when you tap "Import from contacts" — see Section 2.5 for details.
- Recent Numbers: A short list of the most recently dialed phone numbers, kept for quick redial.
- Cached Account Metadata: Your phone number, account identifier, and balance, kept locally so the app can show your account state quickly when you return.
2.4 Information We Do Not Collect by Default
We do not collect, transmit to our servers, or share with third parties (except as described in this Privacy Policy):
- The audio of your voice calls — voice flows directly between your device and Twilio and is not routed through our servers.
- The contents of your device's address book — see Section 2.5 for the opt-in contact-import flow.
- Your microphone audio outside of an active call, your calendar, your browsing history, or your files.
- Advertising identifiers — the Android AD_ID permission is explicitly removed from the app.
- Biometric data or government identifiers — Face ID / Touch ID, where used to confirm a payment, are evaluated on-device by the operating system; we receive only a "succeeded" or "failed" result, never your biometric template.
- Your geographic location is not used to track you. The Stripe SDK on iOS declares an optional location permission that is only invoked at the moment you take a card-payment action; we do not receive your coordinates and we do not store location data.
2.5 Optional Permission-Gated Flows
Some features require an operating-system permission and only run when you actively use them. We list these so it is clear what triggers them and what we receive:
- Import from contacts (iOS Contacts / Android READ_CONTACTS). When you tap "Import from contacts" we ask your operating system for access to your address book. We read only the name and phone number of the contact you select and save it as a Kalum saved contact on your device. We do not upload your address book to our servers.
- Scan card during top-up (iOS Camera, optionally Photo Library). If you choose to scan a payment card during checkout, the Stripe mobile SDK opens your camera, recognizes the card number on-device, and sends the resulting card details directly to Stripe. We never see the card number or the image.
- Approximate location during a card payment (iOS Location When-In-Use). The Stripe mobile SDK may briefly request approximate location to satisfy card-network fraud-risk requirements. The location is used by Stripe; we do not receive or store it.
- Authorize a sensitive payment action (iOS Face ID / Touch ID, Android biometric prompt). The operating system evaluates your biometric on-device and returns only "succeeded" or "failed" to the app. We never receive your biometric data.
These permissions are declared in the app so that the operating system can ask you for consent at the moment a feature is used. Declining a prompt does not affect your ability to place calls.
3. How We Use Your Information
We use the information we collect for the following purposes. For users in the EEA, the United Kingdom, and Switzerland, the legal basis under the GDPR is shown in the third column.
| Purpose | Data Used | GDPR Lawful Basis |
|---|---|---|
| Create and verify your account | Phone number, Firebase UID, country | Performance of a contract |
| Place voice calls | Destination phone number, account identifier | Performance of a contract |
| Bill calls and process credit purchases | Call metadata, transaction data | Performance of a contract |
| Show your call history and balance | Call metadata, transaction data | Performance of a contract |
| Customer support | Account information, call history, contents of your support messages | Legitimate interest |
| Detect and prevent fraud and abuse | Usage patterns, device attestation, IP address, rate-limiting counters | Legitimate interest; legal obligation in some jurisdictions |
| Diagnose and fix crashes and bugs | Crash diagnostics, device and app information | Legitimate interest |
| Comply with legal obligations | Any of the above as required by law | Legal obligation |
| Service improvement | Aggregated, de-identified usage statistics | Legitimate interest |
We do not use your information for:
- Advertising, marketing to third parties, or building advertising profiles.
- Selling, renting, or sharing personal information for cross-context behavioral advertising.
- Profiling that produces legal or similarly significant effects on you.
4. Information Sharing and Disclosure
We share your information only in the following circumstances.
4.1 Service Providers (Sub-processors)
Kalum relies on the following providers to operate the Service. Each provider acts as our processor and may only use your information for the purposes described below.
| Provider | Purpose | Categories of Data Shared |
|---|---|---|
| Firebase Authentication (Google LLC) | Phone number verification and identity tokens | Phone number, verification codes, Firebase UID |
| Firebase App Check (Google LLC) | Device attestation to block bots and modified clients | Device attestation tokens (Play Integrity / DeviceCheck) |
| Firebase Crashlytics (Google LLC) | Crash and stability diagnostics | Anonymous installation ID, device and OS version, stack traces, app state at crash |
| Twilio Inc. | Voice call routing over the public telephone network | Account identifier, destination phone number, call control signaling, call audio (in transit only) |
| Apple Inc. | iOS in-app purchase processing (StoreKit / App Store) | Apple transaction identifier, product identifier, signed receipt. We never receive the payment method or card number. |
| Stripe, Inc. | Payment processing on Android and the web (cards, Google Pay) | Account identifier (in payment metadata), purchase amount, payment method type. Card numbers are sent directly from your device to Stripe and are never received by us. |
| Fly.io, Inc. | Cloud hosting for our backend and database | All data described above, processed and stored on infrastructure operated by Fly.io |
We have data-processing agreements in place with these providers and rely on appropriate safeguards (including the European Commission's Standard Contractual Clauses where applicable) for international transfers.
Important:
- Voice call audio flows directly between your device and Twilio's servers using encrypted media streams. Our servers never receive, decode, or store call audio.
- Payment card details (PAN, CVV, expiry) are submitted from your device directly to Apple (iOS) or Stripe (Android, web). We never receive, process, or store card numbers.
- We do not integrate any analytics, telemetry, or advertising SDKs (no Sentry, Mixpanel, Amplitude, AppsFlyer, Adjust, Facebook SDK, or similar).
4.2 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or enforceable governmental request — for example, in response to a court order, subpoena, or lawful request from a public authority. We will challenge requests we believe are unlawful, overbroad, or improper.
4.3 Business Transfers
If NeuEra Apps is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice in the app and on this Privacy Policy page before your information becomes subject to a different privacy policy.
4.4 With Your Consent
We may share your information for other purposes only with your explicit consent.
5. Third-Party Privacy Notices
The providers listed above maintain their own privacy policies:
- Firebase / Google: https://firebase.google.com/support/privacy and https://policies.google.com/privacy
- Twilio: https://www.twilio.com/legal/privacy
- Apple: https://www.apple.com/legal/privacy/
- Stripe: https://stripe.com/privacy
- Fly.io: https://fly.io/legal/privacy-policy
We are not responsible for the privacy practices of these providers; we are responsible for the categories of data we share with them and the purposes of that sharing as described in this Privacy Policy.
6. Permissions Used by the App
Kalum requests only the permissions it needs. Some permissions are required for the calling experience; others are optional and only used by specific features, as described in Section 2.5.
6.1 iOS
Required for calling:
- Microphone — to capture your voice during an active call.
- Background Audio / VoIP — to keep an active call connected when the app is not in the foreground.
Optional, only invoked when you use the corresponding feature:
- Contacts — to import a name and phone number when you tap "Import from contacts".
- Camera — to scan a payment card during credit top-up, if you choose to.
- Photo Library — declared by the Stripe payment SDK; used only if you opt into a flow that requires selecting an image (for example, sharing a screenshot with support).
- Face ID / Touch ID — to authorize a sensitive payment action when you choose biometric confirmation.
- Approximate Location (When-In-Use) — declared by the Stripe payment SDK and only used at the moment of a card payment for card-network fraud-risk checks. Kalum does not track your location.
6.2 Android
Required for calling:
- RECORD_AUDIO, MODIFY_AUDIO_SETTINGS — microphone and audio routing during calls.
- BLUETOOTH, BLUETOOTH_CONNECT — to use Bluetooth headsets and car kits during calls.
- POST_NOTIFICATIONS — to show in-call notifications.
- FOREGROUND_SERVICE, FOREGROUND_SERVICE_MICROPHONE — to keep an active call alive when the app is backgrounded.
- INTERNET — to reach our servers and Twilio's.
Optional, only requested when you use the corresponding feature:
- READ_CONTACTS — to import a name and phone number when you tap "Import from contacts".
Kalum does not request the Android advertising ID (AD_ID), background location, the device camera, photo storage, or unrestricted contacts read.
7. Data Security
7.1 In Transit
- All traffic between your device and our servers uses HTTPS / TLS 1.2+.
- Webhook callbacks from Stripe and Twilio are verified using cryptographic signatures (HMAC-SHA256 / Stripe signature scheme) and replay-window checks.
- App Store server notifications and Apple receipt validations are verified against Apple's signed responses.
- Voice media between your device and Twilio uses Twilio's encrypted media transport.
7.2 At Rest
- Authentication tokens are stored in platform-secured storage (iOS Keychain, Android EncryptedSharedPreferences with AES-256).
- Backend databases are hosted on managed PostgreSQL with encryption at rest and access restricted to operational staff under the principle of least privilege.
- We do not store passwords — authentication is delegated to Firebase Authentication.
7.3 Application-Level Controls
- JWT-based authentication with RS256 signature verification on every request.
- Per-user and per-IP rate limiting.
- Device attestation via Firebase App Check.
- Optimistic locking on financial records to prevent race conditions on credit balances.
- Webhook and receipt idempotency to ensure double-charges and duplicate credits cannot be created by replayed events or replayed App Store receipts.
While we strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. If we become aware of a breach affecting your personal information, we will notify you without undue delay and within the timeframes required by applicable law.
8. Your Privacy Rights
The rights available to you depend on where you live. To exercise any right, contact hello@neuera.app. We may verify your identity using the phone number associated with your account and one or more details about recent activity.
We will respond within the timeframes required by applicable law (typically 30 days under GDPR/UK GDPR; up to 45 days under the CCPA, with one extension permitted).
8.1 Rights Available to All Users
- Access: Ask us what personal information we hold about you.
- Correction: Ask us to correct inaccurate personal information.
- Deletion: Ask us to delete your account and personal information. You may also delete your account at any time from Settings → Delete Account inside the Kalum app. Deletion is subject to limited legal exceptions (such as records we are required to keep for tax or anti-fraud purposes).
- Portability: Request a copy of your account information and call/transaction history in a portable format.
- Objection / Restriction: Object to or restrict certain processing.
8.2 EEA, UK, and Swiss Residents (GDPR / UK GDPR)
You also have the right to:
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data protection authority. EEA authorities are listed at edpb.europa.eu; UK residents may complain to the ICO at ico.org.uk.
8.3 California Residents (CCPA / CPRA)
If you are a California resident, you have the rights listed in 8.1, plus:
- Right to know the categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purposes, and the categories of third parties with whom we share it.
- Right to non-discrimination for exercising your CCPA rights.
- Right to limit use of sensitive personal information — the only category of "sensitive personal information" Kalum collects is your phone number, used to log you in and to bill calls.
We do not sell your personal information and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA. We have not done so in the preceding twelve months.
8.4 Authorized Agents
You may authorize an agent to make a request on your behalf. We will require written authorization from you and proof of the agent's identity.
9. Data Retention
We keep your information for as long as your account is active and for the periods listed below after account closure.
| Data Category | Retention After Account Deletion |
|---|---|
| Account profile (phone number, email, country) | Deleted within 30 days of a verified deletion request |
| Authentication tokens | Revoked on sign-out; expire automatically |
| Call detail records | Up to 7 years (financial records, tax, and anti-fraud), then deleted or de-identified |
| Transaction records (credit purchases, refunds) | Up to 7 years (financial records, tax, and anti-fraud), then deleted or de-identified |
| Crash logs (Firebase Crashlytics) | Per Firebase Crashlytics defaults (typically 90 days) |
| De-identified aggregate analytics | Indefinitely |
After the retention periods expire, we either delete the data or de-identify it so it can no longer be linked to you.
10. Children's Privacy
Kalum is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child under 18 has provided us with personal information, please contact hello@neuera.app and we will take steps to delete that information.
11. International Data Transfers
We are based in the United States, and our service providers operate primarily in the United States and the European Union. Your information may be transferred to, processed in, and stored in countries other than your country of residence.
For transfers from the EEA, the United Kingdom, or Switzerland to countries that are not the subject of an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) put in place by our service providers, together with supplementary technical measures such as encryption in transit and at rest.
By using the Service, you understand that your information will be transferred to the United States and other countries where our service providers operate.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Post the updated policy at legal.neuera.app/kalum/privacy/.
- Update the "Last Updated" date and the version number.
- Maintain the previous version in our public archive at /kalum/privacy/archive.html.
- For material changes, give you advance notice in the app and, where you have provided one, by email.
You are encouraged to review this Privacy Policy periodically. Continued use of the Service after a non-material change takes effect signifies your acceptance of the updated policy.
13. Contact
For privacy questions or to exercise your rights:
Email: hello@neuera.app
Service Operator: NeuEra Apps
Operated by: Parham Modirniya
Country of Operation: United States of America
We will respond to all privacy-related inquiries within the time required by applicable law and, in any case, no later than 45 days from receipt.
14. Summary
| What we collect | Why | Who has access | How long |
|---|---|---|---|
| Phone number | Account verification, billing | NeuEra Apps, Firebase | Account lifetime + retention period |
| Email (optional) | Account recovery, support | NeuEra Apps | Account lifetime + retention period |
| Country | Pricing, market eligibility | NeuEra Apps, Apple / Stripe | Account lifetime |
| Call destination numbers | Billing, routing | NeuEra Apps, Twilio | Up to 7 years for financial records |
| Call duration and status | Billing, support | NeuEra Apps, Twilio (during call) | Up to 7 years for financial records |
| Payment metadata (amount, method type) | Transaction records | NeuEra Apps, Apple (iOS) or Stripe (Android, web) | Up to 7 years for financial records |
| Card details | Process payment | Apple (iOS) or Stripe (Android, web) — never received by us | Apple / Stripe retention |
| Crash diagnostics | Bug fixing | NeuEra Apps, Firebase | ~90 days |
| Saved contacts (manual or opt-in import) | Quick dialing | Local device only | Until you delete them or uninstall the app |
We never collect or have access to:
- Voice call audio
- Card numbers
- Geographic location (Stripe SDK may request it during card payment, but we do not receive it)
- Your full address book (only the contacts you explicitly import)
- Photos beyond what you choose to share with support
- Browsing history
- Advertising identifiers
- Biometric data
Last Updated:
Version: 2026-05-24
Effective Date: