Privacy Policy
Calendra — The Four Stars
Effective Date: May 26, 2026 · Last Updated: June 4, 2026
The Four Stars ("Company," "we," "us," or "our") operates Calendra, an embeddable online booking service for local businesses (the "Service"). Calendra lets a business owner connect a calendar, define services and working hours, embed a booking widget on their own website so visitors can book appointments, and optionally collect payment for those bookings. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Service — whether you are a business owner who manages a venue or a visitor who makes a booking. By using the Service, you consent to the practices described herein.
1. Information We Collect
a) Business Owner Account Information. When you sign up as a business owner, you authenticate with Google Sign-In, and we receive your name, email address, and Google account identifier. We use this to create and secure your account.
b) Venue & Business Information. For each venue you run, we store the details you provide — venue name, address, timezone, currency, contact email, your services (names, durations, prices, buffers), bookable resources (such as staff, tables, or rooms), and your weekly working hours and days off.
c) Google Calendar Data. When you connect a calendar, you grant Calendra access to your Google Calendar through Google's OAuth flow. We read your busy/free times to calculate available slots and prevent double-booking, and we create and update calendar events for bookings made through Calendra. We store the OAuth access and refresh tokens needed to do this, encrypted at rest. We do not read, store, or use the content of unrelated calendar events beyond busy/free availability. See Section 3 for details.
d) Customer Booking Information. When a visitor books through a venue's widget, we collect the information they enter to complete the booking — typically their name, email address, phone number, the selected service and resource, the chosen date and time, and any notes. This information is made available to the business owner who operates that venue.
e) Usage & Technical Data. We automatically collect standard technical data such as IP address, browser type, device and operating system information, and server log data (including timestamps and the pages or endpoints accessed) to operate, secure, and improve the Service and to protect against abuse.
f) Cookies. We use strictly necessary cookies to keep business owners signed in and to maintain session security. The Service does not use advertising or third-party tracking cookies.
g) Payment Information. If a business owner enables payments, bookings can be paid for at the time of booking. Card payments are processed by Stripe through an embedded Stripe payment form: card details are entered directly with Stripe and are never received or stored on Calendra's servers. We store only non-card payment metadata — such as the Stripe payment and account identifiers, the amount, currency, our platform fee, the processing fee, and the payment status and timestamps — to operate and reconcile bookings. A business owner who connects a payment account provides their identity, business, and bank details directly to Stripe during onboarding; we do not receive or store those banking details. See Section 5 for how payments work.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate business owners and manage their accounts and venues
- Read calendar availability and create or update calendar events for bookings
- Calculate open time slots and prevent overlapping or double bookings
- Process bookings made through the embedded widget and booking page
- Where payments are enabled, place a payment hold, capture or refund payment, calculate fees, and reconcile transactions via Stripe
- Send transactional emails — booking confirmations with calendar invites to customers, and new-booking alerts to owners
- Improve, personalize, and expand the Service
- Detect, prevent, and respond to fraud, abuse, or security incidents
- Comply with legal obligations
3. Google Calendar Access & Limited Use
Calendra requests access to your Google Calendar solely to provide the booking features you enable. Specifically, we use this access to read your busy/free times so we can offer accurate availability, and to create, update, or cancel calendar events that correspond to bookings made through Calendra.
Calendra's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer or sell Google user data to third parties, we do not use it for advertising, and we do not use it for any purpose other than providing and improving the booking features described above. Humans do not read your Google calendar data except where required for security, to comply with applicable law, or where you have given explicit consent. You can revoke Calendra's access at any time by disconnecting the calendar in your dashboard or via your Google Account permissions.
4. Data Sharing & Third-Party Services
We do not sell, rent, or trade your personal information. We share data only with the following service providers who help us operate the Service:
- Google (Sign-In & Calendar API): Used to authenticate business owners and to read availability and manage booking events on connected calendars.
- Stripe (Payments): Where enabled, Stripe processes subscription billing and customer booking payments (via Stripe Connect). Card details are handled directly by Stripe; we share with Stripe the information needed to create and manage payments. See Section 5.
- Email Delivery (SMTP): Transactional emails — booking confirmations (with a calendar
.icsinvite) to customers and new-booking alerts to owners — are delivered through a third-party email provider over secure SMTP. - Google Maps Platform: The venue location picker in the owner dashboard loads Google Maps, Places, and Geocoding services, which receive the IP address and map interactions of the owner using that feature.
- Cloud Infrastructure & Storage: Our application, PostgreSQL database, and object storage for uploaded files (such as venue logos) run on managed cloud infrastructure. Data is stored on our own servers, not shared with these providers for their own purposes.
We may also share data when:
- Required by Law: When required by law, court order, or governmental authority.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
5. Payments
Business owners may optionally enable payments so that customers pay when they book. Payments are processed by Stripe — for the owner's own Calendra subscription, and for customer booking payments through Stripe Connect, where funds are collected into the business's own connected Stripe account.
When a customer pays for a booking, their card details are entered directly into a secure payment form hosted by Stripe and are transmitted straight to Stripe. Calendra does not receive, process, or store full card numbers or other sensitive card data. We retain only the payment metadata needed to operate the booking — the Stripe payment and connected-account identifiers, amount, currency, our platform fee, the Stripe processing fee, the net amount, and payment status and timestamps (for example authorized, captured, or refunded).
Calendra charges the business a small per-booking platform fee on paid bookings, deducted via Stripe. The business — not Calendra — is the merchant of record for the underlying service and is responsible for its own pricing, taxes, refunds, chargebacks, and disputes.
Your use of Stripe is also subject to Stripe's Privacy Policy. Owners who connect a payment account also agree to Stripe's Connected Account Agreement and provide their identity and bank details directly to Stripe for verification (KYC); Calendra does not see or store those banking details.
6. Bookings & the Business's Role
When you make a booking through a venue's widget, the business that operates that venue receives and controls your booking details (such as your name, email, phone number, and appointment) in order to provide the service you booked and to manage its calendar. For data-protection purposes that business is the controller of its customers' booking data and Calendra acts as a processor on its behalf to deliver the booking, take payment where enabled, and send confirmations. Business owners subject to the GDPR or similar laws can request a Data Processing Agreement (DPA) from us at [email protected]. If you are a customer with questions about how a particular business uses your data, please contact that business directly.
7. Data Retention
- Account & venue data is retained for as long as your account is active.
- Booking records are retained for as long as the associated venue exists or as needed to provide the Service and meet legal or accounting obligations.
- Payment & transaction records (amounts, fees, and payment status — not card data) are retained for as long as required by applicable tax and accounting laws, which is typically several years even after a booking or account is deleted.
- Calendar OAuth tokens are stored only while a calendar is connected and are deleted when you disconnect it.
- Server logs are retained for a limited period for security and diagnostics, then deleted.
- Account deletion: You may delete your account at any time. Upon deletion, your personal data and venue data are permanently removed from our systems within 30 days, except where retention is required by law.
8. Data Security
We implement industry-standard security measures to protect your data. All traffic is transmitted over encrypted connections (TLS/SSL), calendar OAuth tokens are encrypted at rest, and application-to-database traffic stays on a private internal network that is not exposed to the public internet. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
9. Legal Bases & Your Rights
Where the GDPR or similar laws apply, we process personal data on these legal bases: performance of a contract (to provide the Service, manage accounts, and complete bookings and payments); legitimate interests (to secure, maintain, and improve the Service and prevent fraud and abuse); consent (for example, connecting your calendar, which you can withdraw at any time); and legal obligation (for example, retaining payment records for tax and accounting).
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data and account
- Receive your data in a portable, machine-readable format
- Withdraw consent, including by disconnecting your Google Calendar
- Object to or restrict certain processing activities
- Lodge a complaint with your local data protection supervisory authority
To exercise any of these rights, contact us at [email protected]. If you booked through a business's widget and wish to access or delete your booking data, you may also contact that business directly, as it is the controller of that data.
10. Children's Privacy
The Service is intended for businesses and their adult customers and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such data without appropriate consent, we will take steps to delete it promptly.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including countries where our infrastructure and service providers (such as Google and Stripe) are located. These countries may have different data protection laws. Where we transfer personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or an applicable adequacy decision, so that your data remains protected in accordance with this Privacy Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page or by email. The "Last Updated" date at the top indicates when the latest revisions were made. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
The Four Stars
Email: [email protected]