Privacy Policy

Calius

Last updated: May 25, 2026


1. Who We Are

Calius ("Calius", "we", "us") is operated by CentexSolutions. This Privacy Policy explains what personal data we collect when you use the Calius desktop application, mobile application, and website (collectively, the "Service"), how we use it, with whom we share it, and your rights under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). For data protection inquiries, contact: privacy@calius.io.


2. Scope and Storage Model

Calius is designed as a local-first application. The substantial majority of your operational data, including third-party platform credentials, session tokens, OAuth refresh tokens, and listing drafts, is stored exclusively on your own device, encrypted with AES-256-GCM using a key derived from your hardware machine ID. We do not transmit, copy, or back up this device-local data to our servers under any circumstances.

A limited set of operational metadata is transmitted to and stored on Calius servers, as described in Section 3. We do not sell personal data, we do not use it for advertising, and we do not share it with any third party for marketing purposes.


3. What We Collect and Why

3.1 Account and Licensing

  • Your email address and Discord identifier (when you sign in via Discord).
  • A license key associated with your account.
  • A device hardware identifier (HWID) used to bind a license to your machine.

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Retention: for the duration of your account plus 6 months after deletion for fraud-prevention purposes.

3.2 Inventory and Listing Metadata

  • Item titles, descriptions, prices, photographs you upload, category assignments, and condition data you choose to store via Calius.
  • Per-platform listing identifiers, sale prices, and timestamps for items you list through the Service.

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Retention: for as long as the item exists in your inventory; deletion removes the record within 30 days.

3.3 Telemetry

  • Application version, operating system family (mac/win), session start time, and a heartbeat once per minute while the app is running.
  • A randomly generated per-session UUID and a hashed, non-reversible device token.

We do not collect browsing history, file contents, screen contents, keystrokes, or location. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating, securing, and improving the Service). Retention: 90 days.

3.4 Error and Diagnostics

When a request to a third-party platform fails, we may log the platform name, HTTP status, and a short error excerpt to an internal channel for incident response. We do not log credentials, tokens, request bodies, or response bodies containing personal data of buyers or sellers. Legal basis: Art. 6(1)(f) GDPR. Retention: 30 days.


4. Third-Party Platform Integrations

Calius integrates with third-party marketplaces (currently Vinted, Kleinanzeigen, and eBay) on your explicit instruction. When you connect a third-party account:

  • Credentials and tokens (Vinted, Kleinanzeigen): Stored exclusively on your local device, encrypted as described in Section 2. They never leave your machine and are not transmitted to Calius servers.
  • OAuth tokens (eBay): Stored exclusively on your local device, encrypted as described in Section 2. We do not store eBay user passwords at any time.
  • Operational data exchanged with the platform: When you list, edit, delete, or fetch sales data, your device communicates directly with the third-party platform's API. Calius does not interpose, log, or retain the body of these requests on our servers.

Each integrated platform has its own privacy policy, which applies to data processed by that platform. Calius is an independent service and is not affiliated with, endorsed by, or officially connected to any third-party platform.


5. eBay Marketplace Account Deletion Notifications

As required by eBay's developer program, Calius operates an endpoint that may receive marketplace account-deletion notifications from eBay. Calius does not persist personal data of eBay users on its servers; therefore, no deletion action is required on receipt. Notifications are acknowledged with an HTTP 200 response and are not retained beyond transient request handling.


6. AI Features

When you use AI-assisted features (such as title or description generation), the text and images you submit are forwarded to our AI subprocessor solely for the purpose of generating the requested output. We do not retain these inputs or outputs on our servers beyond the immediate request, and we do not use them to train any model. Legal basis: Art. 6(1)(b) GDPR.


7. Subprocessors

We rely on a small number of carefully selected subprocessors to operate the Service:

  • Supabase (database and object storage; EU region) — for inventory records, photographs, license records, and seller profiles.
  • Hetzner Online GmbH (server hosting; Germany) — for the calius.io API and website.
  • Anthropic, PBC (AI model provider) — only for content actively submitted to AI features.
  • Stripe Payments Europe Ltd. — for license payment processing.
  • Discord Inc. — for authentication when you choose to sign in via Discord.

Where a subprocessor is located outside the EU/EEA, transfers are protected by Standard Contractual Clauses pursuant to Art. 46 GDPR.


8. Security

  • All transport is TLS-encrypted (HTTPS).
  • All sensitive data on your device (passwords, tokens, license key) is encrypted at rest with AES-256-GCM using a key derived from your machine ID.
  • Server-side data is hosted in EU data centers with restricted administrative access.
  • We do not use server-side analytics scripts, advertising trackers, or third-party session-replay tooling on the Calius application surfaces that handle authentication or authorization callbacks.

No method of transmission or storage is perfectly secure. We continuously work to maintain appropriate technical and organizational measures pursuant to Art. 32 GDPR.


9. Your Rights

Under the GDPR, you have the right to:

  • Request access to the personal data we hold about you (Art. 15 GDPR).
  • Request rectification of inaccurate data (Art. 16 GDPR).
  • Request erasure of your data (Art. 17 GDPR), subject to legal retention obligations.
  • Request restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR).
  • Object to processing based on legitimate interests (Art. 21 GDPR).
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR). In Germany, the competent authority depends on the federal state of your residence.

To exercise any of these rights, contact us at privacy@calius.io. We will respond within 30 days.


10. Cookies and Tracking

The calius.io website uses only strictly necessary first-party cookies for authentication and session management. We do not use advertising cookies, third-party analytics that process personal data, or cross-site tracking. The OAuth callback pages (/ebay/oauth/accepted and /ebay/oauth/declined) do not set cookies, execute third-party scripts, or contact any external host.


11. Children

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so that we can remove it.


12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced in the application or by email at least 14 days before they take effect. The "Last updated" date at the top of this page indicates the version in force.


13. Contact

For any privacy-related inquiry, including requests to exercise your rights, contact:
privacy@calius.io