Privacy Policy

Effective date · 2026-05-12 · Version 0.1 (draft)

Who we are

Calbarry (“Calbarry”, “we”, “us”) operates a software-as-a-service platform for EU Pay Transparency Directive (2023/970) compliance. The legal entity operating the service is identified in the signed agreement with each customer.

For questions about this policy, the processing of your personal data, or to exercise your rights, contact us at /contact.

What this policy covers

This policy describes how we handle personal data we collect directly — in particular, data about visitors to our website, prospects who contact us, and the authorised users of customer organisations.

When we process personal data on behalf of a customer organisation — for example, the salary and employee records uploaded to compute a pay-equity report — we act as a processor. That processing is governed by the Data Processing Agreement (DPA) signed between Calbarry and the customer, not by this policy.

Personal data we collect

From website visitors

  • Standard request metadata: IP address, user agent, request timestamp, referrer. Used for security monitoring and to generate aggregate, non-identifying traffic statistics.
  • A request-id stamped on every server-side log line. Not derived from personal data; used only for correlating logs during debugging.

From people who contact us

  • Name, work email address, company name.
  • The free-text message you submit and the headcount bucket you select.
  • Submissions are forwarded to a founder inbox and are not retained in our application database. We keep the reply thread in our email provider only for as long as needed to reply and to serve as a contractual record.

From authorised users of customer organisations

  • Email address and display name (used for sign-in and audit).
  • Authentication factors you choose to enrol: a time-based one-time-password (TOTP) secret stored encrypted, and / or one or more passkey credentials (public key only — the private key never leaves your device).
  • Session identifiers and timestamps, IP address of each session, and a record of security-relevant events (sign-in, MFA enrolment, password reset, recovery-code use).

Legal bases (GDPR Article 6)

  • Performance of a contract (Art. 6(1)(b)) — providing the service to authenticated users of customer organisations.
  • Legitimate interests (Art. 6(1)(f)) — responding to inbound enquiries, securing the service against abuse, keeping immutable audit logs to meet our customers’ compliance obligations. Our legitimate interests are balanced against your fundamental rights; the assessment is documented internally and available on request.
  • Legal obligation (Art. 6(1)(c)) — record-keeping requirements applicable to us as a data processor and as an employer / contractor of our own personnel.

We do not rely on consent for any of the processing described above. We do not engage in profiling or automated decision-making with legal effects on individuals.

How we use the data

  • To provide, secure, and improve the service.
  • To respond to enquiries and provide customer support.
  • To maintain an append-only audit trail of security and administrative events, available to authorised admins of the relevant organisation under Article 7 of the EU Directive 2023/970.
  • To detect and prevent abuse, fraud, and security incidents.
  • To comply with applicable law and respond to lawful requests.

We do not sell personal data. We do not use personal data for behavioural advertising, third-party analytics, or marketing enrichment.

Data residency and transfers

Production data is stored and processed exclusively within the European Union. We do not transfer personal data outside the EEA for production processing. Limited operational metadata (such as aggregated, non-identifying error reports) may be processed by security and observability tooling located in the EU; the full sub-processor list is provided as an appendix to the DPA.

If we ever need to engage a non-EEA sub-processor in the future, we will rely on the EU Commission’s Standard Contractual Clauses (Decision 2021/914) and notify affected customers in advance with a right to object.

Retention

  • Account and authentication data — kept while the user account is active and for up to 90 days after deactivation, after which it is deleted or anonymised.
  • Audit events — retained for seven (7) years in line with the long-tail evidentiary needs of compliance customers. Audit events are append-only and cannot be modified by us or the customer.
  • Contact-form submissions — retained in the recipient inbox only as long as needed to handle the enquiry and serve as a contractual record, then deleted.
  • Backups — encrypted, EU-resident, and rotated on a documented schedule. Personal data deleted from the primary store is removed from backups within the next backup cycle.

Your rights (GDPR Articles 15–22)

You may, free of charge, exercise the following rights:

  • Access — request a copy of your personal data.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data, subject to the legal grounds we may have for retaining it (e.g. audit log, contractual records).
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Lodge a complaint with your local Data Protection Authority. A list is maintained by the European Data Protection Board at edpb.europa.eu.

Where you are an authorised user of a customer organisation, requests under these rights should generally be directed to your employer (the controller) first. We will support our customers in responding within statutory timelines.

Security

We implement technical and organisational measures appropriate to the risk, including encryption of sensitive fields at rest, multi-factor authentication for all roles, role-based access control, an append-only audit trail, and EU-only data residency. A more detailed description of our security controls is on the Security page.

Cookies and similar technologies

The application uses strictly necessary cookies only — primarily a session cookie set by our authentication system. We do not set marketing, advertising, or third-party analytics cookies.

Children

The service is intended for use by business customers and their authorised personnel. We do not knowingly collect personal data from children.

Changes to this policy

We may update this policy as our practices evolve, the law changes, or to clarify wording. Material changes will be communicated to active customers via email at least thirty (30) days before they take effect.

Contact

For any privacy-related question or to exercise the rights described above, contact us at /contact.