Who we are
Verge is a product of CalmHQ Studio, a sole-trader studio based in the United Kingdom building tools for the human at the screen. For the purposes of UK GDPR, CalmHQ Studio is the Data Controller — we decide what data is collected and why.
You can reach us at hello@calmhqstudio.com for any data-related question. We aim to respond within 5 business days; legally mandated requests (subject access, deletion) are answered within 30 days, as required.
What we collect
The exact data set depends on which surface you use. We've broken it down by area:
The Verge website (this page and others)
- Pages you visit and how you got here (referrer), via standard server logs that auto-expire after 30 days.
- Your IP address and user-agent, captured for security and abuse prevention.
- Cookie preference (stored locally on your device, see Cookies Policy).
Beta waitlist signup
- Email address.
- Your self-described trader role (active / funded / swing / curious).
- The wearable you'll use (Apple Watch / Garmin / Whoop / Oura / Polar / Fitbit / Other / None).
- Optional: free-text "anything else useful" and how you found us.
- Captured server-side: IP address, browser language, user-agent (for fraud prevention).
- A verification token sent to your email; deleted after you confirm.
The Verge iOS app (when it launches)
- HealthKit data you authorise: heart rate, heart-rate variability, sleep stages, movement, and similar physiological signals.
- Your trading session data you choose to log: timestamps, instrument, P&L (manually entered), psychological tags.
- Settings and preferences (notification choices, thresholds, etc.).
- Diagnostic crash reports and anonymised performance metrics (if you opt in).
We do not collect your trading-platform credentials, your bank details, your contacts, your photos, or your location unless you explicitly enable a feature that requires one (e.g., GPS-tracked recovery walks).
Why we collect it
For each category, we use the data only for these purposes:
- Website data — operate the site, prevent abuse, learn what's useful.
- Beta signup — invite you to the beta, send build updates, run the feedback prize draw, prevent bots from flooding the form.
- App data — give you the personalised biometric insights the app is designed to provide: compute your contextual baseline, surface deviations, and generate session reports.
- Crash / performance reports — find and fix bugs.
We do not use your data for advertising, sell it to data brokers, share it with insurers or employers, or train machine-learning models on individually-identifiable health data. Aggregated, fully-anonymised statistics may be used to improve algorithms — for example, learning typical heart-rate ranges by age band — but never in a way that can be traced back to you.
Legal basis (UK GDPR)
Under UK GDPR, we need a lawful basis for processing personal data. Ours are:
- Consent — you actively sign up for the beta waitlist; you authorise HealthKit access in the app; you opt into cloud sync. You can withdraw consent at any time.
- Contract — once you become a paying customer, we process your data to provide the service you've paid for.
- Legitimate interest — operating the website, preventing abuse, maintaining security. This is balanced against your rights and freedoms, and you can object at any time.
- Legal obligation — retaining transactional records for tax purposes (when paid plans launch).
Biometric and health data
UK GDPR treats biometric and health data as a "special category" requiring stronger protections. We follow this model with three commitments:
- On-device by default. Your physiological data — heart rate, HRV, sleep, motion — is stored on your iPhone in the Verge app's local store. It does not leave your device unless you explicitly enable cloud sync.
- End-to-end encrypted when synced. If you enable cloud sync, data is encrypted with a key derived from your account before leaving the device. We hold the encrypted bytes; we cannot read the plaintext.
- Explicit consent at every step. The iOS app requests HealthKit permission for each data type individually. You can revoke at any time in iOS Settings → Privacy → Health → Verge.
International data transfers
We're based in the UK. Most of our processors are too, or operate UK/EU data centres that we use exclusively. Where data is transferred outside the UK / EEA, we rely on:
- The UK's adequacy decisions (currently in place for the EU/EEA).
- Standard Contractual Clauses approved by the UK ICO.
- The UK Addendum to the EU SCCs where required.
Specifically: Stripe and Vercel may process data in the US under these mechanisms. Firebase is configurable; we use UK / EU regions where supported.
How long we keep it
- Beta waitlist signups — until 90 days after public launch, or until you ask us to delete it.
- Server logs — 30 days, then auto-purged.
- App data (your account) — for as long as your account is active. Deleted within 30 days of account deletion.
- App data (locally on device) — stays on your device until you delete the app or its data, regardless of what we hold.
- Transactional records (paid plans, invoices) — 6 years, as required by UK tax law.
Your rights
Under UK GDPR you have the right to:
- Access a copy of the personal data we hold about you.
- Rectify data that's inaccurate or out of date.
- Erase your data ("right to be forgotten"), subject to limited exceptions (e.g. legal retention obligations).
- Restrict processing while disputed.
- Object to processing based on legitimate interest.
- Data portability — receive a machine-readable export of your data.
- Withdraw consent at any time.
- Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/concerns.
To exercise any of these, email hello@calmhqstudio.com from the address linked to your account. We'll respond within 30 days.
How we protect it
- HTTPS / TLS everywhere — no data is ever transmitted unencrypted.
- On-device storage uses iOS Keychain and secure file APIs where appropriate.
- Cloud-synced biometric data is end-to-end encrypted before transit.
- Server-side keys (Firebase Admin, Stripe, Resend) are stored only in encrypted environment-variable stores, never in code.
- Two-factor authentication is enforced on all founder accounts.
- CAPTCHA and per-IP rate limiting protect public endpoints from abuse.
No system is unbreachable. If a breach affecting your personal data occurs, we'll notify you within 72 hours of becoming aware, as required by UK GDPR.
Children
Verge is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us with data, please email us and we'll delete it.
Changes to this policy
We'll update this policy as the product evolves. Material changes will be communicated by email to active users and announced on the website. The "Last updated" stamp at the top of this page reflects the most recent revision.
Contact
Questions, requests, or complaints — email hello@calmhqstudio.com.
You also have the right to complain directly to the UK ICO without contacting us first: ico.org.uk/concerns.