Kalum Privacy Policy
NeuEra Apps ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Kalum mobile application and related services (collectively, the "Service").
Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
1. Who We Are
Data Controller: NeuEra Apps, operated by Parham Modirniya, United States of America.
Privacy contact: privacy@kalum.app
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, NeuEra Apps acts as the data controller for the personal information collected through Kalum.
2. Information We Collect
2.1 Personal Information You Provide
- Phone Number: Required for account creation and verification through Firebase Authentication (Google).
- Email Address: Optional. You may provide an email for account recovery and customer-support correspondence.
- Country of Residence: Selected during registration to determine the legal market and the currency for purchases.
2.2 Information Collected Automatically
- Call Metadata: Destination phone numbers you dial, call duration, call status (completed, failed, busy, no answer, canceled), call start/end timestamps, and the country code of each destination.
- Transaction Data: Credit purchases, amounts in your local currency and in USD, payment method type (card, Apple Pay, Google Pay), and transaction timestamps. Card numbers themselves are processed by Stripe and are never received or stored by us.
- Device and App Information: Operating system and version, app version, model information, and language preference, used to deliver correct app behavior and to investigate bugs.
- Device Attestation Tokens: Firebase App Check (Play Integrity on Android, DeviceCheck on iOS) generates a token confirming that requests come from a genuine, unmodified Kalum app. The token is verified by Firebase and does not identify you personally.
- Crash Diagnostics: If the app crashes, Firebase Crashlytics captures a stack trace, the device model, the OS version, and the app state at the moment of the crash. Crashlytics installation IDs are pseudonymous and not linked to your phone number by us.
- Network Address: Your IP address is observed transiently when you connect, and is used for rate limiting and abuse prevention. We do not build a long-term profile from your IP.
2.3 Information Stored on Your Device
The following data lives only on your device. It does not leave the device unless you explicitly send it (for example, in a customer-support email):
- Authentication Tokens: Encrypted and stored in your device's secure storage — iOS Keychain (hardware-backed where available) or Android EncryptedSharedPreferences (AES-256).
- Saved Contacts: A list of contacts you have manually added inside Kalum (name, phone number, country code). Kalum does not read or import your device's address book.
- Recent Numbers: A short list of the most recently dialed phone numbers, kept for quick redial.
- Cached Account Metadata: Your phone number, account identifier, and balance, kept locally so the app can show your account state quickly when you return.
2.4 Information We Do Not Collect
- The audio of your voice calls — voice flows directly between your device and Twilio and is not routed through our servers.
- Location data — Kalum does not request, use, or store your geographic location.
- Your device's address book, photos, microphone audio outside of an active call, calendar, browsing history, or files.
- Advertising identifiers — the Android AD_ID permission is explicitly removed from the app.
- Biometric data, government identifiers, or financial account credentials.
3. How We Use Your Information
We use the information we collect for the following purposes. For users in the EEA, the United Kingdom, and Switzerland, the legal basis under the GDPR is shown in the third column.
| Purpose | Data Used | GDPR Lawful Basis |
|---|---|---|
| Create and verify your account | Phone number, Firebase UID, country | Performance of a contract |
| Place voice calls | Destination phone number, account identifier | Performance of a contract |
| Bill calls and process credit purchases | Call metadata, transaction data | Performance of a contract |
| Show your call history and balance | Call metadata, transaction data | Performance of a contract |
| Customer support | Account information, call history, contents of your support messages | Legitimate interest |
| Detect and prevent fraud and abuse | Usage patterns, device attestation, IP address, rate-limiting counters | Legitimate interest; legal obligation in some jurisdictions |
| Diagnose and fix crashes and bugs | Crash diagnostics, device and app information | Legitimate interest |
| Comply with legal obligations | Any of the above as required by law | Legal obligation |
| Service improvement | Aggregated, de-identified usage statistics | Legitimate interest |
We do not use your information for:
- Advertising, marketing to third parties, or building advertising profiles.
- Selling, renting, or sharing personal information for cross-context behavioral advertising.
- Profiling that produces legal or similarly significant effects on you.
4. Information Sharing and Disclosure
We share your information only in the following circumstances.
4.1 Service Providers (Sub-processors)
Kalum relies on the following providers to operate the Service. Each provider acts as our processor and may only use your information for the purposes described below.
| Provider | Purpose | Categories of Data Shared |
|---|---|---|
| Firebase Authentication (Google LLC) | Phone number verification and identity tokens | Phone number, verification codes, Firebase UID |
| Firebase App Check (Google LLC) | Device attestation to block bots and modified clients | Device attestation tokens (Play Integrity / DeviceCheck) |
| Firebase Crashlytics (Google LLC) | Crash and stability diagnostics | Anonymous installation ID, device and OS version, stack traces, app state at crash |
| Twilio Inc. | Voice call routing over the public telephone network | Account identifier, destination phone number, call control signaling, call audio (in transit only) |
| Stripe, Inc. | Payment processing, including Apple Pay and Google Pay | Account identifier (in payment metadata), purchase amount, payment method type. Card numbers are sent directly from your device to Stripe and are never received by us. |
| Fly.io, Inc. | Cloud hosting for our backend and database | All data described above, processed and stored on infrastructure operated by Fly.io |
We have data-processing agreements in place with these providers and rely on appropriate safeguards (including the European Commission's Standard Contractual Clauses where applicable) for international transfers.
Important:
- Voice call audio flows directly between your device and Twilio's servers using encrypted media streams. Our servers never receive, decode, or store call audio.
- Payment card details (PAN, CVV, expiry) are submitted from your device directly to Stripe via Stripe's mobile SDK. We never receive, process, or store card numbers.
- We do not integrate any analytics, telemetry, or advertising SDKs (no Sentry, Mixpanel, Amplitude, AppsFlyer, Adjust, Facebook SDK, or similar).
4.2 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or enforceable governmental request — for example, in response to a court order, subpoena, or lawful request from a public authority. We will challenge requests we believe are unlawful, overbroad, or improper.
4.3 Business Transfers
If NeuEra Apps is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice in the app and on this Privacy Policy page before your information becomes subject to a different privacy policy.
4.4 With Your Consent
We may share your information for other purposes only with your explicit consent.
5. Third-Party Privacy Notices
The providers listed above maintain their own privacy policies:
- Firebase / Google: https://firebase.google.com/support/privacy and https://policies.google.com/privacy
- Twilio: https://www.twilio.com/legal/privacy
- Stripe: https://stripe.com/privacy
- Fly.io: https://fly.io/legal/privacy-policy
We are not responsible for the privacy practices of these providers; we are responsible for the categories of data we share with them and the purposes of that sharing as described in this Privacy Policy.
6. Permissions Used by the App
Kalum requests only the permissions it needs to function as a calling app.
6.1 iOS
- Microphone — to capture your voice during an active call.
- Background Audio / VoIP — to keep an active call connected when the app is not in the foreground.
6.2 Android
- RECORD_AUDIO, MODIFY_AUDIO_SETTINGS — microphone and audio routing during calls.
- BLUETOOTH, BLUETOOTH_CONNECT — to use Bluetooth headsets and car kits during calls.
- POST_NOTIFICATIONS — to show in-call notifications.
- FOREGROUND_SERVICE, FOREGROUND_SERVICE_MICROPHONE — to keep an active call alive when the app is backgrounded.
- INTERNET — to reach our servers and Twilio's.
Kalum does not request the Android advertising ID (AD_ID), location, contacts-read, camera, or storage permissions.
7. Data Security
7.1 In Transit
- All traffic between your device and our servers uses HTTPS / TLS 1.2+.
- Webhook callbacks from Stripe and Twilio are verified using cryptographic signatures (HMAC-SHA256 / Stripe signature scheme) and replay-window checks.
- Voice media between your device and Twilio uses Twilio's encrypted media transport.
7.2 At Rest
- Authentication tokens are stored in platform-secured storage (iOS Keychain, Android EncryptedSharedPreferences with AES-256).
- Backend databases are hosted on managed PostgreSQL with encryption at rest, and access is restricted to operational staff under the principle of least privilege.
- We do not store passwords — authentication is delegated to Firebase Authentication.
7.3 Application-Level Controls
- JWT-based authentication with RS256 signature verification on every request.
- Per-user and per-IP rate limiting.
- Device attestation via Firebase App Check.
- Optimistic locking on financial records to prevent race conditions on credit balances.
- Webhook idempotency to ensure duplicate charges or duplicate credits cannot be created by replayed events.
While we strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. If we become aware of a breach affecting your personal information, we will notify you without undue delay and within the timeframes required by applicable law.
8. Your Privacy Rights
The rights available to you depend on where you live. To exercise any right, contact privacy@kalum.app. We may verify your identity using the phone number associated with your account and one or more details about recent activity.
We will respond within the timeframes required by applicable law (typically 30 days under GDPR/UK GDPR; up to 45 days under the CCPA, with one extension permitted).
8.1 Rights Available to All Users
- Access: Ask us what personal information we hold about you.
- Correction: Ask us to correct inaccurate personal information.
- Deletion: Ask us to delete your account and personal information, subject to limited legal exceptions (such as records we are required to keep for tax or anti-fraud purposes).
- Portability: Request a copy of your account information and call/transaction history in a portable format.
- Objection / Restriction: Object to or restrict certain processing.
8.2 EEA, UK, and Swiss Residents (GDPR / UK GDPR)
You also have the right to:
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data protection authority. EEA authorities are listed at edpb.europa.eu; UK residents may complain to the ICO at ico.org.uk.
8.3 California Residents (CCPA / CPRA)
If you are a California resident, you have the rights listed in 8.1, plus:
- Right to know the categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purposes, and the categories of third parties with whom we share it.
- Right to non-discrimination for exercising your CCPA rights.
- Right to limit use of sensitive personal information — the only category of "sensitive personal information" Kalum collects is your phone number, used to log you in and to bill calls.
We do not sell your personal information and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA. We have not done so in the preceding twelve months.
8.4 Authorized Agents
You may authorize an agent to make a request on your behalf. We will require written authorization from you and proof of the agent's identity.
9. Data Retention
We keep your information for as long as your account is active and for the periods listed below after account closure.
| Data Category | Retention After Account Deletion |
|---|---|
| Account profile (phone number, email, country) | Deleted within 30 days of a verified deletion request |
| Authentication tokens | Revoked on sign-out; expire automatically |
| Call detail records | Up to 7 years (financial records, tax, and anti-fraud), then deleted or de-identified |
| Transaction records (credit purchases, refunds) | Up to 7 years (financial records, tax, and anti-fraud), then deleted or de-identified |
| Crash logs (Firebase Crashlytics) | Per Firebase Crashlytics defaults (typically 90 days) |
| De-identified aggregate analytics | Indefinitely |
After the retention periods expire, we either delete the data or de-identify it so it can no longer be linked to you.
10. Children's Privacy
Kalum is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child under 18 has provided us with personal information, please contact privacy@kalum.app and we will take steps to delete that information.
11. International Data Transfers
We are based in the United States, and our service providers operate primarily in the United States and the European Union. Your information may be transferred to, processed in, and stored in countries other than your country of residence.
For transfers from the EEA, the United Kingdom, or Switzerland to countries that are not the subject of an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) put in place by our service providers, together with supplementary technical measures such as encryption in transit and at rest.
By using the Service, you understand that your information will be transferred to the United States and other countries where our service providers operate.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Post the updated policy at legal.neuera.app/kalum/privacy/.
- Update the "Last Updated" date and the version number.
- Maintain the previous version in our public archive at /kalum/privacy/archive.html.
- For material changes, give you advance notice in the app and, where you have provided one, by email.
You are encouraged to review this Privacy Policy periodically. Continued use of the Service after a non-material change takes effect signifies your acceptance of the updated policy.
13. Contact
For privacy questions or to exercise your rights:
Email: privacy@kalum.app
Service Operator: NeuEra Apps
Operated by: Parham Modirniya
Country of Operation: United States of America
We will respond to all privacy-related inquiries within the time required by applicable law and, in any case, no later than 45 days from receipt.
14. Summary
| What we collect | Why | Who has access | How long |
|---|---|---|---|
| Phone number | Account verification, billing | NeuEra Apps, Firebase | Account lifetime + retention period |
| Email (optional) | Account recovery, support | NeuEra Apps | Account lifetime + retention period |
| Country | Pricing, market eligibility | NeuEra Apps, Stripe | Account lifetime |
| Call destination numbers | Billing, routing | NeuEra Apps, Twilio | Up to 7 years for financial records |
| Call duration and status | Billing, support | NeuEra Apps, Twilio (during call) | Up to 7 years for financial records |
| Payment amounts and method | Transaction records | NeuEra Apps, Stripe | Up to 7 years for financial records |
| Card details | Process payment | Stripe only — never received by us | Stripe's retention |
| Crash diagnostics | Bug fixing | NeuEra Apps, Firebase | ~90 days |
| Manually added contacts | Quick dialing | Local device only | Until you delete them or uninstall the app |
We never collect or have access to:
- Voice call audio
- Card numbers
- Location data
- Your device's address book or photos
- Browsing history
- Advertising identifiers
- Biometric data
Last Updated:
Version: 2026-05-04
Effective Date: