The short version:
- ✓ We collect only what you give us and what the app needs to function.
- ✓ We do not sell your data. Ever.
- ✓ We do not use tracking pixels, ad networks, or behavioral analytics.
- ✓ Your pay and work data is yours. You can delete it at any time.
- ✓ We use Cloudflare infrastructure — your data stays in the US.
1. Who We Are
Callsheet is an independent app for entertainment industry stagehands to track work calls and pay. It is operated by an individual developer, not a corporation. We are not affiliated with IATSE, any union local, or any employer.
Contact: support@callsheet.challon.io
2. What We Collect
Information you provide directly:
- Account info: Email address, display name, and password (stored as a salted hash — we cannot recover or read your password).
- Work data: Call dates, call types, employers, show names, venues, call times, out times, breaks, pay calculations, and notes that you enter into the app.
Information collected automatically:
- Session tokens: We store a session refresh token in an HttpOnly cookie (not readable by JavaScript). This keeps you logged in for up to 7 days.
- Basic request logs: Cloudflare may log IP addresses and request metadata as part of standard infrastructure operation. We do not control or actively review these logs.
What we do NOT collect:
- We do not run analytics or tracking scripts.
- We do not use cookies for advertising or behavioral profiling.
- We do not collect device fingerprints or location data.
- We do not use third-party SDKs that track you across sites.
3. How We Use Your Data
We use your data exclusively to provide the Service:
- To authenticate you and maintain your session.
- To store, display, and calculate your work call history and pay.
- To respond to support requests you send us.
We do not use your data for any other purpose — not advertising, not analytics, not AI training, not resale.
4. Data Storage and Security
- Database: Cloudflare D1 (SQLite at the edge). Your data is stored in Cloudflare's US infrastructure.
- Passwords: Hashed using PBKDF2-SHA256 with 100,000 iterations and a random per-user salt. We cannot recover your password.
- Sessions: HttpOnly, Secure, SameSite=Strict cookies. Access tokens expire in 15 minutes; refresh tokens in 7 days.
- Transport: All traffic is served over HTTPS via Cloudflare.
While we take reasonable security measures, no system is perfectly secure. During the beta period, we recommend not storing information you would consider highly sensitive. Always keep your own records.
5. Data Sharing
We do not sell, rent, or share your personal data with third parties
with the following limited exceptions:
- Infrastructure providers: Cloudflare processes requests and stores data as our hosting provider. Cloudflare's privacy policy applies to their handling of infrastructure-level data.
- Legal requirements: We may disclose information if required by law, court order, or to protect the safety of users or others.
6. Your Rights and Choices
- Access: You can view all your data through the app at any time.
- Correction: You can edit any of your data in the app.
- Deletion: You can delete individual calls or employers in the app. To delete your entire account and all associated data, contact us at support@callsheet.challon.io. We will process account deletion requests within 30 days.
- Export: Data export (CSV/PDF) is planned for a future release. In the meantime, contact us and we can assist.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will permanently delete all associated personal data within 30 days, except where retention is required by law.
During the beta period, we may need to reset the database. We will provide at least 7 days notice before any such reset and encourage you to keep your own records.
8. Cookies
We use one functional cookie:
refresh_token — HttpOnly session cookie. Contains an encrypted token used to keep you logged in. Expires after 7 days or when you sign out. Required for the Service to function.
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.
9. Children's Privacy
Callsheet is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The "last updated" date at the top of this page will always reflect the most recent version.