Privacy Policy

The data controller for all personal data processed through CallSheet is:

We collect the following categories of personal data:

• Account data — name and e-mail address, provided via Kinde authentication (our identity provider).
• Company profile — company name, address, phone number, e-mail, website, VAT number, fiscal/tax code, and company logo (optional).
• Crew data — names, roles, e-mail addresses, and phone numbers of crew members you add to your productions.
• Production data — project names, shooting schedules, call sheet content (including location addresses and emergency hospital information).
• Usage preferences — language, theme, and notification preferences.
• Technical data — session tokens and authentication cookies strictly necessary for the service to function.

We share data with the following sub-processors under appropriate Data Processing Agreements:

• Kinde (Kinde Pty Ltd, Australia)— identity and authentication provider. Stores your e-mail address and authentication logs. Kinde's privacy policy: kinde.com/privacy-policy
• Cloudflare R2 (Cloudflare, Inc., USA)— object storage used exclusively for company logo files you upload. Cloudflare's privacy policy: cloudflare.com/privacypolicy

We do not use Google Analytics, advertising networks, or any other tracking or profiling tools.

CallSheet uses only strictly necessary cookies placed by Kinde to maintain your authenticated session. No consent is required for these cookies as they are essential for the service to operate. We do not use any analytical, advertising, or tracking cookies.

Personal data is retained for as long as your account is active. Upon account deletion (see Section 8), all personal data stored in CallSheet's database is permanently deleted immediately.

Note: your authentication record in Kinde's systems is not automatically deleted. To request deletion of your Kinde identity record, contact us at privacy@casheet.it.

Company logo files uploaded to Cloudflare R2 are deleted immediately when you remove the logo or delete your account.

Kinde Pty Ltd is headquartered in Australia, a country which the European Commission has not issued an adequacy decision for. Transfers are covered by Standard Contractual Clauses (SCCs) incorporated in Kinde's Data Processing Agreement.

Cloudflare R2 storage is configured to the EU region. No personal data is transferred outside the EEA via Cloudflare under normal operation.

As a data subject under GDPR you have the following rights:

• Right of access (Art. 15) — you can download a complete copy of all personal data we hold on you from Settings → Data & Privacy → Export my data.
• Right to rectification (Art. 16) — you can correct or update your data at any time from the Settings page.
• Right to erasure (Art. 17) — you can permanently delete your account and all associated data from Settings → Data & Privacy → Delete my account.
• Right to data portability (Art. 20) — the Export function provides your data in machine-readable JSON format.
• Right to restriction of processing (Art. 18) — contact us to request restriction.
• Right to object (Art. 21) — contact us to object to processing based on legitimate interests.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any right not automated above, contact us at privacy@casheet.it. We will respond within 30 days.

You have the right to lodge a complaint with the Italian data protection supervisory authority:

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. Continued use of CallSheet after a material change constitutes acceptance of the updated policy.