Last updated: May 6, 2026
Privacy Policy
This Privacy Policy describes how Amorati BV, a company registered in Belgium, doing business as Calmo ("Calmo," "we," "us," or "our"), handles personal information when you use our website and software at calmo.ai (the "Service"). Calmo helps record labels and music organizations collect demos, manage submissions and deliverables, organize catalog assets, and handle contract signing workflows.
Who is responsible for your data
Calmo generally acts as a controller of personal data we need to run the platform and your user account—for example authentication, billing (through our payment and subscription partners), security, product analytics, and communications with you.
If you use the Service as part of a label or other organization ("Organization"), that Organization is often the controller (or decides the purposes) for business data it enters about third parties—for example artists who submit demos or deliverables through a portal, notes, or custom forms. For that category of data, Calmo typically acts as a processor on the Organization's instructions, except where we also rely on our own purposes (such as securing the Service or understanding how the product is used in aggregate).
Information we collect
- Account and profile data. When someone at an Organization registers or uses the Service, we collect information such as name, email address, passwords for accounts that use email/password sign-in (stored using industry-standard hashing), and organization membership and settings. If you sign in with a third party (for example Google), we receive profile details from that provider according to your choices and their privacy policy. We do not collect phone numbers, government IDs, or postal addresses for label accounts themselves (separate from what Organizations collect about artists in forms).
- Content you submit. We store demos, audio files, artwork, metadata, messages, notes, and other materials Organizations and their contacts upload or enter—including through customizable deliverable forms defined by an Organization.
- Integrations (URLs). Where the product lets users link Spotify, SoundCloud, or similar services, we store the URLs or identifiers you provide so we can display or fetch public metadata as part of the workflow. We do not use those integrations to log listening or playback history.
- API use. Organizations may use our HTTP API with an API key. API requests may include or attach personal data (for example creating or updating records about artists). That processing is generally under the Organization's instructions when the data relates to their business, while Calmo still processes account and technical data as described here.
- Custom domains. An Organization may configure a custom hostname for a public portal. Visitors see the Organization's branding and domain in the browser; traffic is served over HTTPS and routed to Calmo's infrastructure so we can provide the Service (including security and abuse prevention).
- Usage and diagnostics. We collect technical data such as IP address, device and browser type, general log data, and in-product analytics to operate, secure, and improve the Service. We use essential cookies and similar technologies for sign-in and sessions; where you give consent, we use analytics cookies and tools as described in our Subprocessors list.
- Billing. If an Organization subscribes to paid plans, our billing and payment partners process payment-related information. We receive the metadata needed to manage the account.
- Communications. If you contact us (for example by email or Discord), we keep the content of those messages and related contact details.
How we use information
We use personal information to:
- Provide, maintain, and improve the Service;
- Authenticate users, enforce permissions within Organizations, and prevent abuse;
- Send transactional emails (such as verification, security notices, and workflow notifications);
- Send marketing emails only where you have opted in (for example through a consent checkbox or a dedicated signup), and honor unsubscribe links on those messages;
- Analyze usage in aggregate to improve performance and user experience;
- Meet legal obligations and respond to lawful requests.
Legal bases (EEA, UK, and similar regions)
Where applicable privacy laws require a legal basis, we rely on performance of a contract with you or your Organization, our legitimate interests (such as securing the Service and understanding product usage in a privacy-respecting way), your consent (including for marketing email and non-essential cookies or analytics where we ask for it), and compliance with legal obligations.
How we share information
We do not sell your personal information. We share data with service providers ("subprocessors") that help us run the Service. A current list of material subprocessors and their roles is on our Subprocessors page, which we update when we add or replace vendors in a material way.
We also share information with professional advisers where required by law or to protect our rights.
Organizations control their portals and deliverable workflows. Information artists or other third parties submit to an Organization through the Service is available to that Organization's authorized users in accordance with the Organization's own practices.
Support access
Our staff may access account or Organization data when strictly necessary to respond to a support request you initiated, to fix a technical problem, or to investigate security or abuse. We apply internal access controls and aim to limit access to what is needed for that purpose.
Retention
We keep information for as long as your account is active or as needed to provide the Service, comply with law, resolve disputes, and enforce our agreements. Retention periods can vary depending on the type of data and your Organization's use of the product.
Security
We use administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is completely secure; we encourage strong passwords (where you use email/password sign-in) and safeguarding your login credentials.
International transfers
Calmo is established in Belgium (European Economic Area). We primarily process data through infrastructure and subprocessors described on our Subprocessors page. Some providers may process data in other countries; where required, we use appropriate safeguards (such as standard contractual clauses approved by the European Commission) for transfers outside the EEA.
Your rights and choices
Depending on where you live, you may have rights to access, correct, delete, or export personal information, or to object to or restrict certain processing. You may also have the right to lodge a complaint with a data protection authority. To exercise rights, contact us at the email below. Where applicable, we will respond within a reasonable period consistent with local law.
Where the law requires us to provide it, you may request a copy or structured export of personal information we hold about you in connection with your account.
Children
The Service is designed for music businesses and professionals (for example record labels). It is not directed at children under 18. We do not knowingly collect personal information from anyone under 18 outside legitimate flows where a label invites an artist or contributor and local law allows it (for example a teen artist submitting a demo with appropriate involvement of a parent, guardian, or the label). If you believe we have collected information from a child improperly, contact us and we will take appropriate steps.
Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. Material changes may be communicated through the Service or by email where appropriate.
Contact
Questions about this policy or privacy requests: contact@calmo.ai
This page is provided for transparency. It is not legal advice; please consult qualified counsel for compliance with your obligations.