Privacy Policy

Calentivo is operated by an Estonian company incorporated under Estonian law. Where the Company acts as a data controller, it determines the purposes and means of processing personal data in accordance with Article 4(7) GDPR. The Company contact email for privacy inquiries is privacy@calentivo.com.

Because the Company is established in Estonia, the competent supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), located in Tallinn, Estonia. Data subjects have the right to lodge a complaint with this authority or with the supervisory authority in their country of habitual residence.

The Company role depends on the nature of the data and the context in which it is processed.

When individuals or businesses create and manage Calentivo accounts, enter into subscription agreements, communicate with us, or otherwise interact directly with us as customers, the Company acts as a data controller. In those cases, we determine the purposes and means of processing personal data such as account information, billing details, and communication records.

When a business customer uses Calentivo to manage bookings made by its own clients, the Company acts solely as a data processor for that booking data. The business remains the data controller and determines how and why the data is processed. We process such data only on documented instructions from the business customer and only as needed to provide the Service. End customers should direct booking-data privacy requests primarily to the business they booked with.

For business customers, we typically process identification and contact information such as name, company name, email address, phone number, billing address, VAT number where applicable, and account login credentials. We may also process subscription information, usage data related to platform operation, and communications with support. Legal bases may include contract performance under Article 6(1)(b) GDPR, legal obligations under Article 6(1)(c) GDPR, and legitimate interests under Article 6(1)(f) GDPR such as service improvement and security.

When acting as a processor for business customers, we may process booking data entered into the platform, including end-customer name, email address, phone number, booked service details, appointment date and time, and notes provided with the booking. We do not determine the purpose of this processing beyond providing booking functionality, and we do not use such data for our own independent purposes.

When individuals visit our website or interact with Calentivo online, certain technical data may be collected automatically, including IP address, browser type, device information, operating system, referring URLs, and related log data. This helps us maintain proper functionality, security, and performance of the website and Service.

We do not intentionally collect or process special categories of personal data under Article 9 GDPR unless such data is voluntarily entered into the booking system by a business customer and processed strictly on that customer instructions.

Calentivo is not a payment processor. We do not process, store, or control end-customer payment card details or financial transactions between businesses and their customers. Payments made by end customers to businesses using Calentivo are handled by payment service providers selected by those businesses.

For subscription billing and account top-ups related to Calentivo, we use Stripe as our payment service provider. Stripe processes payment information as an independent data controller under its own privacy policy and regulatory obligations. We do not have access to full payment card numbers and do not store sensitive payment credentials on our systems.

Where business customers integrate their own Stripe accounts or other third-party payment gateways into Calentivo, those integrations are controlled by the customer. We provide technical connectivity only and do not act as a controller of payment data in that context.

To operate Calentivo efficiently and securely, we use selected third-party service providers that process personal data on our behalf under data processing agreements.

We use OpenAI for certain AI-assisted features and automation within the platform. We also use Bird to send SMS and WhatsApp notifications, including appointment reminders, when enabled by our customers. These providers may process limited personal data such as names, phone numbers, or message content solely to deliver requested functionality.

Where personal data is transferred outside the European Economic Area, we apply appropriate safeguards under Articles 44 to 49 GDPR. These safeguards may include Standard Contractual Clauses approved by the European Commission or reliance on an adequacy decision. We take reasonable steps to ensure an essentially equivalent level of protection to that guaranteed within the European Union.

Personal data is retained only as long as necessary for the purposes for which it was collected.

For business customers, personal data is generally retained for the duration of the contractual relationship and then for the period required by accounting, tax, and legal obligations under Estonian law. In certain cases, retention may extend up to ten years.

Booking data processed on behalf of business customers is retained for the duration of the customer account and according to customer instructions. After termination of the contractual relationship, and subject to legal retention obligations, the data will be deleted or anonymized. Technical logs and website-related data are retained in line with operational, security, and legal requirements.

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, alteration, or disclosure. Measures include encrypted connections (TLS/HTTPS), secure hosting environments, access controls, role-based permissions, and internal data handling policies.

Access to personal data is limited to personnel and service providers who need access for legitimate business purposes. We review and update security practices regularly to maintain an appropriate level of protection based on technological developments and the nature of the processed data.

Under GDPR, individuals have the right to access personal data, request rectification of inaccurate data, request erasure in certain circumstances, restrict processing, object to processing based on legitimate interests, and receive data in a structured, commonly used, machine-readable format where applicable.

Where processing is based on consent, individuals may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Requests related to personal data processed by us as controller can be sent to privacy@calentivo.com.

Where we act as a processor on behalf of a business customer, we assist the controller in responding to requests and may redirect the individual to the relevant business. Individuals also have the right to lodge a complaint with the Estonian Data Protection Inspectorate or another competent supervisory authority in the European Union.

Our website uses cookies and similar technologies to ensure functionality, improve user experience, analyze usage patterns, and, where consent is provided, support marketing activities. Essential cookies are used on the basis of legitimate interests in operating a secure and functional website. Non-essential cookies are used only where consent has been obtained.

More details about cookies, including how to manage preferences, are provided in our separate Cookie Policy.

We may update this Privacy Policy from time to time to reflect legal changes, technological developments, or modifications to the Service. The most recent version is always available on our website. Where material changes are made, we will take reasonable steps to inform users in advance.