Calm

Calm

Review date: June 17, 2022

|
|

Mozilla says

|
People voted: Super creepy

"Take a deep breath" Those are the first words you see when you open this meditation app. Then you hear the soothing sounds of rain in the forest or waves at beach. Ahh...feeling calmer already. Calm is a popular app to meditate, relax, and help you fall asleep. Your stressed out privacy researcher here at *Privacy Not Included has actually relied on it for a number of years to help keep the anxiety of reading all these privacy policies at bay. Unfortunately, this researcher didn't actually read their privacy policy until doing our research for these mental health apps.

Dang it! Calm's privacy policy now has us all stressed out. Seems not only do they collect a pretty good amount of personal information, they also gather data from outside sources, and use lots of tracking and data collect to target ads and share information with a number of third parties for things like marketing and research. That's rather stressful. This privacy researcher is gonna go take a few more deep breaths...on my own, with no app collecting my data.

UPDATE: Here's a thing Calm did to help calm this stressed out privacy researcher's frazzled nerves a little. After we launch our review, we had some productive conversations with them that resulted in them updating their privacy policy. On June 16, 2022, Calm change their privacy policy to clearly grant all users -- not only those in the EU and California living under stricter privacy laws -- the same rights to access and delete their data. This is progress. Thanks Calm.

What could happen if something goes wrong?

Uhg...Calm, why oh why must you ruin our zen meditation vibe with stressful privacy practices? You know what's rather stressful? When a company says, "Calm uses your data to personalize your online experience and the advertisements you see on other platforms based on your preferences, interests, and browsing behavior." OK, so, there are certainly more stressful things in life. But still, what if we just want to meditate in peace without all our data being used to find ways to sell us more stuff or keep us on the app longer? Pardon us as we go take another deep breath.

Calm says they don't sell your personal information (yay!). Sadly, they say they can use it -- and other things like your actions, preferences, interests. machine learning, and browsing behavior -- to target you with ads and personalizations and the like. They also say they "may obtain information about you from publicly available sources, marketing and advertising partners, consumer research platforms, and/or business contact databases." Potentially gathering even more data on you from data brokers and advertising companies, nope, these are not calming privacy practices at all. Then there's this (unfortunately) common practice where they say they "also share aggregated or other information not subject to obligations under the data protection laws of your jurisdiction with third parties." Here's where we have to remind you that it's been found to be relatively easy to de-anonymize such data, data they say they can share without restriction.

What's the worst that could happen? Well, could Calm get to know all about your meditation practices, your mood, your gender, your location, and more. Then use or share that information to target you with ads about things, like a wine company thinking you're ripe for targeting with wine ads when you're using the app a lot because that might mean you're stressed out. But you're a recovering alcoholic and the wine ads add to your stress. It's just one potential scenario of how targeted ads based on on your behavior and identifiers on the app could go wrong. Not something any of us need when we just want to meditate in peace, dang it!

Tips to protect yourself

  • Do NOT use your Facebook account to login.
  • Chose a strong password.
  • mobile

Can it snoop on me? information

Camera

Device: N/A

App: No

Microphone

Device: N/A

App: No

Tracks location

Device: N/A

App: No

What can be used to sign up?

Facebook and Google registration is available

What data does the company collect?

How does the company use this data?

Calm does not "sell" the personal information they collect (and will not sell it in the future without providing a right to opt out)." They do allow their advertising partners to collect certain device identifiers and electronic network activity via the Services to show ads that are targeted to your interests on other platforms.

Calm uses your data to personalize your online experience and the advertisements you see on other platforms based on your preferences, interests, and browsing behavior.

Calm "may obtain information about you from publicly available sources, marketing and advertising partners, consumer research platforms, and/or business contact databases."

Calm may also "share data with your consent or at your direction. For instance, you may choose to share actions you take on our Services with third-party social media services via the integrated tools we provide via our Services."

Calm allow others to "provide analytics services and serve advertisements on their behalf across the web and in mobile applications. These entities use cookies, web beacons, device identifiers and other technologies to collect information about your use of the Services and other websites and online services, including your IP address, device identifiers, web browser, mobile network information, pages viewed, time spent on pages or in apps, links clicked, and conversion information. This information may be used by Calm and others to, among other things, analyze and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our Services and other websites and online services, and better understand your online activity."

Calm will also "share aggregated or other information not subject to obligations under the data protection laws of your jurisdiction with third parties. For example, we sometimes share aggregate information with research organizations to help facilitate their research."

How can you control your data?

When we first reviewed Calm in May, 2022, their data retention details, deletion request rights and access request rights were mentioned only for Californian and European residents. On June 16, 2022, after some conversations with Calm, they updated their privacy policy to grant all users rights to access and delete their data. This is good change.

Their privacy policy now states, "Subject to certain limits and conditions provided under law, we honor the exercise of the right of access or deletion for all of our users, regardless of their location. Any Calm user may exercise this right by contacting us at [email protected]"

What is the company’s known track record of protecting users’ data?

Average

No known privacy or security incidents discovered in the last 3 years.

Child Privacy Information

We did not find information about children privacy in their privacy policy.

Can this product be used offline?

Yes

Users can download and save meditations for offline use

User-friendly privacy information?

No

Links to privacy information

Does this product meet our Minimum Security Standards? information

Yes

Encryption

Yes

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

One vulnerability disclosed at openbugbounty still remains unpatched.

Privacy policy

Yes

Does the product use AI? information

Yes

Calm uses AI to increase engagement, personalize user experience, suggest content. "Calm's user data is directly fed into the third-party machine learning system, including all purchase and behavioural data,"

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

How to convert new users, engage existing users, retain the users they have

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

No

*privacy not included

Dive Deeper

Comments

Got a comment? Let us hear it.