Security
Calenza keeps takings, commissions and pay for real businesses — so security and accuracy are the point, not an afterthought. Here is what we do, stated plainly and without overclaiming.
- Effective: June 29, 2026
- Last updated: June 29, 2026
Our approach
We build on managed, reputable infrastructure and keep the moving parts small. Where a protection is enforced by the system rather than by policy, we say so — and where a common certification does not yet apply to us, we don’t claim it. We do not hold a SOC 2 or similar certification at this time; this page describes the concrete measures actually in place.
Encryption & hosting
- All connections to Calenza are encrypted in transit using TLS.
- Your data is hosted on managed, access-controlled cloud infrastructure (Supabase), with encryption at rest provided by the platform.
- The database is the single source of truth; the Services require connectivity and do not keep an offline copy of your data on the device.
Tenant isolation
Every business is strictly separated from every other. Isolation is enforced at the database layer with row-level security: each query is scoped to the signed-in user’s authorized shop, so one shop can never read or write another shop’s clients, sales, staff, or books.
Access control
- Accounts are protected by authentication; passwords are never stored in readable form.
- Within a shop, access follows roles (owner, manager, staff) — sensitive actions such as editing pay rates and recording payouts are restricted by role.
- We apply least-privilege access for our own team and limit who can reach production systems.
Money & data integrity
Because Calenza handles money, correctness is a security property:
- Money is stored as integer cents, and revenue counts only completed, paid tickets.
- The staff commission ledger and payouts are write-protected on the server — they cannot be altered from the client, and double-pays or forged paid-status are rejected by the database itself.
- Day-end figures reconcile: expected cash equals collected minus payouts, so the books can be checked against the drawer.
Integrations & payments
- Google Calendar is optional and connected by the owner; access tokens are stored securely and are removed when you disconnect. Our use of Google data follows the Google API Services User Data Policy, including Limited Use (see the Privacy Policy).
- When paid plans are enabled, card payments are processed by Stripe; we do not store full card numbers on our systems.
Your part
Security is shared. Use a strong, unique password, keep your devices and the app up to date, grant shop access only to people who need it, and remove members who leave. You can export your data at any time and permanently delete your account and shop from within the app.
Reporting a vulnerability
If you believe you’ve found a security issue, please tell us before disclosing it publicly, and give us a reasonable chance to investigate and fix it. Email support@redzen.cloud with details and steps to reproduce. We appreciate responsible disclosure and will work with you in good faith.