Privacy Policy - Calenya

1. Who we are

Calenya ("we", "us") operates the booking software at calenya.app. We act as a data controller under UK GDPR for data we collect from business owners, and as a data processor for personal data that business owners collect from their clients through our platform.

Contact: hello@calenya.app

2. Data we collect

Business owners (subscribers)

Name and email address (via Clerk authentication)
Business name, address, phone number, and description
Billing information processed by Stripe (we never see raw card details)
Usage data: services created, bookings received, availability settings

End clients (booking customers)

Name, phone number, and (optionally) email address provided at booking
Appointment history with the business they booked
OTP verification records (phone number + timestamp; deleted after 10 minutes)

3. How we use your data

Purpose	Lawful basis
Providing the booking software service	Contract performance
Processing subscription payments via Stripe	Contract performance
Sending booking confirmation email to clients	Contract performance
Sending booking confirmation and reminder SMS to clients	Consent
Sending rebook reminder email after appointment	Legitimate interests
Sending review request email after appointment	Legitimate interests
Account authentication via Clerk	Contract performance
Fraud prevention and security	Legitimate interests
Analysing aggregated usage patterns to improve the service	Legitimate interests

4. Third-party processors

We share data with the following sub-processors to deliver the service:

Provider	Purpose
Supabase (EU region)	Database hosting
Clerk	Authentication and identity management
Stripe	Payment processing and subscription billing
Twilio	SMS delivery (booking confirmations and reminders)
Resend	Transactional email delivery
OpenAI	AI-assisted service import and social media post generation (business owner features only)
Vercel	Application hosting and deployment

5. Data retention

OTP codes: deleted 10 minutes after creation
Booking records: retained for 7 years (UK accounting requirements) then deleted
Business owner account data: retained while account is active, then deleted within 30 days of account closure
Client contact data: retained as long as the business account is active; deleted when the business requests deletion

6. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you
Correct inaccurate data
Request deletion of your data ("right to be forgotten")
Object to processing based on legitimate interests
Data portability
Restrict processing in certain circumstances
Withdraw consent at any time where processing is based on consent
Not be subject to solely automated decision-making that produces legal or similarly significant effects
Lodge a complaint with the ICO at ico.org.uk

To exercise any right, email hello@calenya.app. We will respond within 30 days.

7. International data transfers

Some of our sub-processors (including Clerk, Stripe, Twilio, Resend, OpenAI, and Vercel) are based in the United States. Where your data is transferred outside the UK, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the ICO and, where applicable, the UK-US Data Bridge adequacy decision. By using Calenya you acknowledge that your data may be processed in countries outside the UK under these safeguards.

8. Cookies

Calenya uses only essential session cookies required for authentication. We do not use advertising or tracking cookies. No cookie consent banner is required for essential-only cookies under UK PECR.

9. Changes to this policy

We may update this policy as the service evolves. Material changes will be notified by email to business owners at least 14 days before they take effect.