Privacy Policy

1. Introduction

Calniq ("we", "us", "our") operates the calniq.com website and the Calniq booking platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable.

2. Information We Collect

2.1 Account Information (from you, our Customer)

When you register for Calniq, we collect:

• Name and email address
• Phone number (optional)
• Business name
• Password (stored encrypted, never in plain text)

2.2 Payment Information

Payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or full card details on our servers. We only receive and store:

• Card type (e.g., Visa, Mastercard)
• Last four digits of your card
• Stripe Customer ID (for managing your subscription)

2.3 Booking Data (from your end customers)

When your customers make bookings through your widget, the following data is collected and stored in your Calniq account:

• Customer name, email, and phone number
• Service address
• Booking date, time, and selected services
• Optional: messages, preferred contact times

You, as the business owner, are the data controller for your end customers' booking data. We act as a data processor on your behalf.

2.4 Usage and Analytics Data

We may collect:

• UTM parameters and referral source (for your marketing analytics)
• Google Analytics Client ID (if configured by you)
• Google Ads click identifiers (gclid, gbraid, wbraid) — passed through to your analytics
• Browser type, device information, and IP address (for security and service improvement)

2.5 Google Calendar Data

If you connect Google Calendar, we access:

• Calendar event times (to check availability — we only read busy/free status)
• Calendar names (for display in settings)

We store an encrypted OAuth refresh token to maintain the connection. We do not read, store, or share the content of your calendar events beyond what is necessary for availability checking. You can disconnect Google Calendar at any time from your settings.

3. How We Use Your Information

We use your information to:

• Provide the Service — manage your account, process bookings, sync calendars, send notifications
• Process payments — manage subscriptions, send receipts, handle billing issues
• Communicate with you — send service-related emails (booking confirmations, trial reminders, payment receipts, important updates)
• Improve the Service — analyze usage patterns to fix bugs and develop new features
• Ensure security — detect and prevent fraud, unauthorized access, and abuse

We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising purposes.

We process personal information as necessary to perform our contractual obligations, comply with legal requirements, and pursue our legitimate business interests.

4. Data Sharing

We share your data only with the following service providers, solely for the purpose of operating the Service:

• Stripe — payment processing (Stripe Privacy Policy)
• Resend — email delivery (Resend Privacy Policy)
• Google — calendar integration, only when you explicitly connect it (Google Privacy Policy)

We may also disclose information if required by law or to protect our rights and safety.

5. Webhooks and Third-Party Integrations

When you configure webhooks, booking data is sent to the URLs you specify. You are responsible for ensuring that the receiving systems handle this data in compliance with applicable privacy laws. We send webhook data over HTTPS with HMAC signature verification for security.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

• All data is transmitted over HTTPS/TLS encryption
• Passwords are hashed using bcrypt
• Sensitive tokens (Google Calendar, API keys) are encrypted at rest
• Server access is restricted via SSH key authentication and firewall rules
• Regular security monitoring and file integrity checks
• Single-session enforcement to prevent unauthorized access

While we take security seriously, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.

In the event of a data breach involving personal information, we will notify affected users in accordance with applicable law.

7. Data Retention

Active accounts: We retain your data for as long as your account is active.

Cancelled accounts: After cancellation, we retain your data for 90 days to allow you to resubscribe and restore your setup. After 90 days, your data may be permanently deleted.

Booking data: Booking records are retained for the lifetime of your account. You can export your bookings as CSV at any time from your admin panel.

Payment records: Payment history is managed by Stripe and subject to their retention policies.

8. Your Rights

You have full control over your data through the admin panel:

• Access — view all your data directly in the admin panel
• Export — download your bookings as CSV at any time
• Deletion — delete individual projects or your entire account from Settings
• Correction — edit your business information, services, and booking details directly

For any data requests that cannot be handled through the admin panel, contact us at [email protected]. We will respond within 30 days.

We do not sell personal information as defined under the California Consumer Privacy Act (CCPA).

9. Cookies and Local Storage

Admin panel: We use session cookies to keep you logged in. These are essential cookies required for the Service to function.

Booking widget: The widget uses the browser's localStorage (not cookies) to temporarily store UTM tracking parameters for your marketing analytics. No personal information is stored in localStorage. The stored data includes campaign source, medium, and click identifiers that help you track your advertising effectiveness.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies on our platform.

10. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. International Data Transfers

Your data may be stored and processed on servers located in the United States. If you are located outside the US, your data will be transferred internationally. We rely on our service providers' compliance measures to ensure adequate protection for international data transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: [email protected]
Website: calniq.com