Privacy Policy

1. Overview & who we are

Calenza is a product of Red Zen Cloud LLC, a limited liability company organized under the laws of the State of Delaware, United States. We provide software that lets service businesses (each, a “Shop”) manage appointments and walk-ins, run a staff calendar, track staff commissions and pay, take payment at checkout, and keep books that reconcile.

This policy applies to the calenza.app marketing website, the app.calenza.app web application, and the Calenza mobile applications for iOS and Android (together, the “Services”). It does not apply to third-party services we link to or integrate with, which are governed by their own privacy policies.

2. Our role: data controller vs. data processor

Our responsibilities depend on whose data is involved. This distinction matters for your rights and ours, so we state it plainly:

• We are a controller for the personal data of the people who hold accounts and use the Services — Shop owners, managers, and staff who sign in. We decide how and why that account data is processed.
• We are a processorfor the data a Shop enters about its own clients (for example, a client’s name, phone number, appointment history, and notes). The Shop is the controller of that data: it decides what to collect and why, and it is responsible for having a lawful basis and for informing its clients. We process that data only to provide the Services to the Shop and on the Shop’s instructions. See Notice for shops’ clients.

3. Personal data we collect

3.1 Account & identity data (you, as a user)

• Account credentials and profile: email address, and authentication data used to sign you in. We do not store your password in readable form.
• Shop & membership: Shop name, your role (owner, manager, or staff), and team invitations (the email address invited and the role granted).

3.2 Business & operational data (entered by the Shop)

• Clients: client name, phone number (normalized), and free-text notes a Shop chooses to keep. (We do not require or collect client email addresses.)
• Staff: staff names and pay configuration (commission rate, salary, targets) the Shop sets.
• Catalog & operations: services, products, prices, stock, bookings, walk-ins, sales, tickets, discounts, commissions, payouts, and the reports and cash-drawer figures derived from them.
• Settings: currency, timezone, tax rate, open hours, and locations.

3.3 Technical & usage data

• Device & log data: IP address, browser/device type, operating system, and timestamps generated when you use the Services, used for security, debugging, and abuse prevention.
• Push tokens (mobile): if you enable notifications, a device push token so we can deliver operational alerts.
• Integration tokens: if a Shop connects Google Calendar, the associated Google account email and OAuth tokens (stored securely; see Google Calendar integration).

We do not use third-party advertising trackers, and we do not sell personal data.

4. How we use personal data

• To provide, operate, and maintain the Services and your account.
• To process bookings, checkout, commissions, payouts, and reporting.
• To send operational messages (e.g., team invitations, push notifications you enable, and service or security notices).
• To secure the Services, prevent fraud and abuse, and enforce our Terms.
• To provide support and respond to your requests.
• To comply with legal obligations and to establish, exercise, or defend legal claims.
• To improve reliability and develop new features, using aggregated or de-identified data where practical.

We do not use the contents of a Shop’s business data for advertising, and we do not use Google user data for any purpose other than providing the calendar feature you connect (see Section 6).

5. Legal bases for processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Contract — to provide the Services you or your Shop signed up for.
• Legitimate interests — to secure, maintain, and improve the Services and prevent abuse, balanced against your rights.
• Consent — for optional features you switch on (e.g., push notifications, connecting Google Calendar). You may withdraw consent at any time.
• Legal obligation — to meet our legal and regulatory duties.

6. Google Calendar integration & Limited Use

Connecting Google Calendar is optional and is initiated by a Shop owner. When connected, we request the Google Calendar scope (https://www.googleapis.com/auth/calendar) so that scheduled appointments can be pushed to the connected calendar and changes made in Google Calendar can flow back to your schedule. We also read the Google account email to identify the connected account.

Calenza’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google Calendar data only to provide and improve the calendar-sync feature you enabled.
• We do not transfer this data to others except as needed to provide that feature, for security, or to comply with law.
• We do not use this data for advertising.
• We do not allow humans to read this data unless you give explicit consent, it is necessary for security or to comply with law, or the data is aggregated and anonymized for internal operations.

You can disconnect Google Calendar at any time in Settings, which revokes our access and deletes the stored connection. You can also revoke access from your Google Account permissions.

7. Payments & subscriptions

Calenza may offer paid subscription plans. When billing is enabled, payments are processed by Stripe, Inc. as our payment processor. Your card and payment details are collected and processed directly by Stripe under Stripe’s Privacy Policy; we do not store full card numbers on our systems. We retain limited billing records — such as a Stripe customer/subscription identifier, plan, status, and invoices — to manage your subscription, provide receipts, and meet tax and accounting obligations.

Where mobile in-app purchases are used, the Apple App Store or Google Play processes the transaction under its own terms and privacy policy, and we receive only the purchase/subscription status needed to grant access.

8. Mobile apps & app stores

The Calenza apps are distributed through the Apple App Store and Google Play. Those platforms may collect install, device, crash, and store-account information under their own policies. Within the apps:

• Push notifications are optional; declining them does not affect core functionality. We store a device push token only if you enable them.
• Over-the-air updates are delivered through Expo Application Services to ship fixes and improvements; this involves app-version and update metadata, not your business data.
• We follow Apple’s and Google’s data-handling and disclosure requirements, including the App Store privacy “nutrition label” and Google Play Data safety disclosures.

9. How we share data

We share personal data only as described here:

• Within your Shop: account and business data is visible to authorized members of the same Shop according to their role. Data is strictly isolated between Shops.
• Service providers (sub-processors): vetted vendors who process data on our behalf to run the Services (see Section 10).
• Legal & safety: when required by law, legal process, or to protect the rights, property, or safety of users, the public, or us.
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.

We do not sell personal data, and we do not share it for cross-context behavioral advertising.

10. Sub-processors

We use the following sub-processors to provide the Services. Each is bound by contractual data-protection obligations.

11. International data transfers

We and our sub-processors may process data in the United States and other countries whose data-protection laws may differ from yours. Where we transfer personal data from the EEA, the UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum), together with supplementary measures where needed. You may request more information using the contact details below.

12. Data retention & deletion

We retain personal data for as long as your account is active and as needed to provide the Services. Because Calenza keeps financial records (sales, commissions, payouts), some data is retained while it is needed for the integrity of the books and to meet tax, accounting, and legal obligations.

• Account deletion: a Shop owner can delete their account from within the app. This permanently and atomically deletes the owner’s account and the entire Shop’s data, including clients, staff, bookings, sales, commissions, and payouts.
• Disconnecting Google Calendar deletes the stored Google connection and tokens.
• Backups & logs: residual copies may persist in encrypted backups or security logs for a limited period before being overwritten on our standard cycle.

If you are a member of a Shop you do not own and want your personal data removed, contact your Shop owner (the controller) or us, and we will assist as a processor.

13. Security

We use technical and organizational measures appropriate to the risk, including: encryption in transit (TLS); data hosted on managed, access-controlled infrastructure; strict per-Shop isolation enforced at the database layer (row-level security); role-based access control; a server-side, write-protected commission ledger; and least- privilege access for our team. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.

14. Your privacy rights

Subject to applicable law, you may have the right to access, correct, delete, export (port), or restrict processing of your personal data, and to object to certain processing. You can exercise many of these directly in the app (editing your profile, exporting data to CSV, disconnecting integrations, or deleting your account). For anything else, contact us at privacy@redzen.cloud. We will not discriminate against you for exercising your rights, and we will respond within the time required by applicable law.

15. Additional rights — EU/EEA & UK (GDPR)

If you are in the EEA or the UK, you have the rights to:

• access your personal data and obtain a copy;
• rectify inaccurate or incomplete data;
• erase your data (“right to be forgotten”) where applicable;
• restrict or object to processing, including processing based on legitimate interests;
• data portability; and
• withdraw consent at any time, without affecting prior lawful processing.

You also have the right to lodge a complaint with your local supervisory authority. If you act as a controller (for example, a Shop processing client data) and require a Data Processing Addendum, contact legal@redzen.cloud.

16. Additional rights — California (CCPA/CPRA)

If you are a California resident, you have the rights to know what personal information we collect and how we use and disclose it; to access and delete it; to correct inaccurate information; and to be free from discrimination for exercising your rights.

We do not sell personal information and do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. The categories of personal information we collect, our purposes, and our disclosures to sub-processors are described in Sections 3, 4, 9, and 10. To exercise your rights, email privacy@redzen.cloud; you may use an authorized agent, and we will verify requests as required.

17. Additional rights — MENA (PDPL)

If you are located in a jurisdiction in the Middle East and North Africa with a Personal Data Protection Law (for example, Lebanon, Saudi Arabia, the UAE, or Qatar), you may have rights to access, correct, delete, and object to the processing of your personal data, and to be informed about how it is handled. We honor these rights in line with applicable local law. Contact privacy@redzen.cloud to make a request.

18. Children’s privacy

The Services are intended for businesses and their staff and are not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.

19. Notice for shops’ clients

20. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date and, where appropriate, notify you through the Services or by email. Your continued use of the Services after an update means you accept the revised policy.

21. Contact us

For privacy questions or to exercise your rights, contact:

• Privacy: privacy@redzen.cloud
• Legal: legal@redzen.cloud
• Red Zen Cloud LLC, [REGISTERED ADDRESS — to be confirmed before launch]