Legal

Privacy Policy

Your privacy matters to us. This policy explains how Calenxo collects, uses, and protects your personal data in compliance with GDPR and the POPI Act.

Last updated: March 2026

1

Information We Collect

We collect information in several ways depending on how you interact with Calenxo:

Account Information

When you sign up, we collect your name, email address, phone number, and password. Business owners also provide business name, address, operating hours, and service details.

Customer Data

On behalf of our business clients, we store end-customer names, contact details, booking history, and service preferences. Business clients are the data controllers for this information.

Communication Data

Messages processed through our WhatsApp integration, including booking requests, confirmations, and reminders. We do not read or use message content for purposes other than providing the service.

Usage & Technical Data

We automatically collect device information, IP addresses, browser type, pages visited, and feature usage patterns to improve our service. This data is anonymized where possible.

Payment Information

Payment processing is handled by Stripe. We do not store your full credit card details. We retain only the last four digits and expiry date for reference purposes.

2

How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery: Processing bookings, sending confirmations and reminders, and managing schedules
  • Account management: Authenticating users, managing subscriptions, and providing customer support
  • Platform improvement: Analyzing usage patterns to improve features, fix bugs, and optimize performance
  • Communication: Sending service-related notifications, product updates, and marketing communications (with your consent)
  • Security: Detecting and preventing fraud, abuse, and unauthorized access
  • Legal compliance: Meeting our obligations under applicable laws and regulations

We process your data based on one or more of the following legal bases: your consent, performance of a contract, our legitimate interests, or compliance with a legal obligation.

3

Data Sharing & Third Parties

We do not sell your personal data. We share data only in the following limited circumstances:

  • Service providers: We work with trusted third parties who assist in operating our platform, including cloud hosting (Vercel, Neon), payment processing (Stripe), email delivery, and messaging services (WhatsApp Business API).
  • Business clients: End-customer data is accessible to the business that the customer booked with. Each business can only access their own customers' data.
  • Legal requirements: We may disclose information when required by law, court order, or governmental authority.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

All third-party service providers are bound by data processing agreements and are required to handle your data in accordance with this policy and applicable data protection laws.

4

Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this policy:

Data TypeRetention Period
Account dataDuration of account + 30 days
Booking recordsAs configured by business (default: 2 years)
WhatsApp messages90 days
Usage analytics12 months (anonymized)
Payment records7 years (legal requirement)

When data is no longer needed, it is securely deleted or anonymized. Business administrators can configure custom retention periods for customer data within the platform.

5

Your Rights

Under GDPR, the POPI Act, and other applicable data protection laws, you have the following rights:

Access

Request a copy of the personal data we hold about you

Rectification

Request correction of inaccurate or incomplete data

Erasure

Request deletion of your personal data ("right to be forgotten")

Restriction

Request that we limit how we process your data

Portability

Receive your data in a structured, machine-readable format

Objection

Object to processing based on legitimate interests or direct marketing

To exercise any of these rights, contact us at privacy@calenxo.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

6

Cookies & Tracking

We use cookies and similar technologies for the following purposes:

  • Essential cookies: Required for the platform to function, such as authentication tokens and session management. These cannot be disabled.
  • Analytics cookies: Help us understand how visitors use our site so we can improve the experience. These are only set with your consent.
  • Preference cookies: Remember your settings and preferences, such as language and timezone.

You can manage your cookie preferences at any time using the cookie consent banner or through your browser settings. Disabling non-essential cookies will not affect core platform functionality.

7

Data Security

We take the security of your data seriously and implement industry-standard measures to protect it:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls ensure users can only access data relevant to their role
  • Multi-tenant data isolation prevents cross-tenant data access
  • Regular security audits and vulnerability assessments
  • Automated monitoring for suspicious activity and unauthorized access attempts
  • Secure backup procedures with encrypted offsite storage

While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to security@calenxo.com.

8

International Data Transfers

Calenxo operates globally, and your data may be processed in countries other than your own. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all service providers
  • Compliance with POPI Act requirements for cross-border transfers
9

Children's Privacy

Calenxo is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will take steps to delete it.

10

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable laws. When we make material changes:

  • We will notify registered users by email at least 30 days before changes take effect
  • We will update the "Last updated" date at the top of this page
  • For significant changes, we may display a prominent notice on our platform

Continued use of Calenxo after changes take effect constitutes acceptance of the updated policy.

11

Contact Us

If you have questions about this privacy policy or how we handle your data, we're here to help:

Response time: We aim to respond to all privacy inquiries within 5 business days.
Data Protection Authority: If you are not satisfied with our response, you have the right to complain to your local data protection authority. In South Africa, this is the Information Regulator (inforegulator.org.za).