The short version.

No pixels, no ad networks, no third-party analytics. We collect what we need to run the product, we don't sell any of it, and we'll delete it the moment you ask. That's the whole policy. The rest is just sentences.

What we collect

• The trial form. Name, email, brokerage, role, and whatever you put in the "anything we should know" box.
• Sign-in events. Your email, a short-lived magic-link token, and a session cookie so we don't ask for your email twice.
• Server access logs. Standard web stuff — IP, path, timestamp — kept for 30 days for security and abuse-blocking. Then they're rotated out.

What we don't collect

• No Google Analytics, no Facebook pixel, no Hotjar, no Segment, no third-party heatmap.
• No cookies on the marketing pages — none at all. Open the inspector if you don't believe us.
• No tracking across other sites. We don't know where you came from and we don't care.

Where it lives

The marketing site is on Hostinger shared hosting (Apache, US-routed). The API and database live on a small Hetzner VPS in Falkenstein, Germany. Backups are encrypted and held in a second EU region. We don't ship your data to sub-processors we haven't named here, and the only one we'd ever add is the transactional email provider when we outgrow Postfix.

Who we share it with

Nobody. Specifically: not advertisers, not data brokers, not "lead enrichment" tools, not other LOs, not anyone who emails us asking for it. The only exception is a lawful court order, in which case we'll tell you unless legally barred from doing so.

SMS communications

Cal sends SMS messages only to platform administrators who have explicitly added their mobile number to the platform's admin settings. SMS is used for operational alerts — new user signup notifications, customer lead capture alerts, automated software quality eval notifications, and system health alerts. No marketing SMS. Ever.

• Frequency. Variable. Most days zero. A typical week might see 5–25 messages, scaling with platform activity. Capped at 20 per minute by the platform itself.
• Mobile numbers are not shared. Your phone number is never sold, rented, shared, or disclosed to any third party for any purpose. Not to affiliates. Not to lenders. Not to advertisers. Period.
• Carrier costs. Message and data rates may apply, depending on your wireless plan. Cal does not charge for SMS.
• Opt out anytime. Reply STOP to any message to opt out (also accepted: UNSUBSCRIBE, CANCEL, END, QUIT). You can also remove your phone number directly in the platform admin settings.
• Help. Reply HELP for assistance, or email [email protected].
• Carriers and providers. SMS is delivered through Twilio (our messaging provider). US carriers (AT&T, Verizon, T-Mobile, and resellers) are not liable for delayed or undelivered messages.

How long we keep it

• Trial requests: kept while we're talking, then archived for 24 months in case you come back. Email us to wipe it sooner.
• Active accounts: kept while you're a customer.
• Closed accounts: 90 days after cancellation, then we run the delete script.

Your rights

California (CCPA/CPRA) and EU (GDPR) folks: you have the right to ask what we have on you, ask for a copy, and ask us to delete it. Email [email protected] with "privacy request" in the subject and Chris will handle it himself — usually within 72 hours, never more than 30 days.

Children

cal is a B2B tool for licensed mortgage professionals. We don't knowingly collect anything from anyone under 18, and you'd have to work hard to find a reason to give us yours.

Changes

If we change this policy in a way that materially affects you, we'll email every account before the change takes effect. Cosmetic edits (spelling, a clearer sentence) we just push.