Privacy Policy - Calenya

1. Who we are

Calenya ("we", "us") operates the booking software at calenya.app. We act as a data controller under UK GDPR for data we collect from business owners, and as a data processor for personal data that business owners collect from their clients through our platform.

Contact: privacy@calenya.app

2. Data we collect

Business owners (subscribers)

Name and email address (via Clerk authentication)
Business name, address, phone number, and description
Billing information processed by Stripe (we never see raw card details)
Usage data: services created, bookings received, availability settings

End clients (booking customers)

Name, phone number, and (optionally) email address provided at booking
Appointment history with the business they booked
OTP verification records (phone number + timestamp; deleted after 10 minutes)

3. How we use your data

Purpose	Lawful basis
Providing the booking software service	Contract performance
Processing subscription payments via Stripe	Contract performance
Sending booking confirmation SMS and email to clients	Legitimate interests
Sending 24-hour appointment reminders via SMS	Legitimate interests
Sending rebook reminder SMS after appointment	Legitimate interests
Sending review request SMS after appointment	Legitimate interests
Account authentication via Clerk	Contract performance
Fraud prevention and security	Legitimate interests
Improving the service	Legitimate interests

4. Third-party processors

We share data with the following sub-processors to deliver the service:

Provider	Purpose
Supabase (EU region)	Database hosting
Clerk	Authentication and identity management
Stripe	Payment processing and subscription billing
Plivo	SMS delivery (booking confirmations and reminders)
Resend	Transactional email delivery
OpenAI	AI-assisted service import (business owner feature only)
Vercel	Application hosting and deployment

5. Data retention

OTP codes: deleted 10 minutes after creation
Booking records: retained for 7 years (UK accounting requirements) then deleted
Business owner account data: retained while account is active, then deleted 30 days after account closure on request
Client contact data: retained as long as the business account is active; deleted when the business requests deletion

6. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you
Correct inaccurate data
Request deletion of your data ("right to be forgotten")
Object to processing based on legitimate interests
Data portability
Lodge a complaint with the ICO at ico.org.uk

To exercise any right, email privacy@calenya.app. We will respond within 30 days.

7. Cookies

Calenya uses only essential session cookies required for authentication. We do not use advertising or tracking cookies. No cookie consent banner is required for essential-only cookies under UK PECR.

8. Changes to this policy

We may update this policy as the service evolves. Material changes will be notified by email to business owners at least 14 days before they take effect.