Privacy

This policy covers two different relationships, so it helps to be clear about which one applies to you.

When you sign up for Noeza and we handle your account, your sign-in, and your billing, we decide how that information is used. In privacy law terms we are the controller of your account data, and this policy explains what we do with it.

When you add your own customers to Noeza so they can receive your calendar feed, that information belongs to you and you decide how it is used. You are the controller, and we act as your processor. We handle your customers' data only to provide the service to you, on your instructions, and we do not use it for our own purposes. This processing is governed by our data processing agreement with you.

If you are a subscriber and you have a question about your data, please contact the business that added you to Noeza. They can update or remove your information, and they can ask us to help.

We collect only what we need to run the service. Here is what that means in practice.

Business account holders. When you create an account we collect your email address and a password (handled by our sign-in provider), your business name and the details you choose to add, such as a logo, brand color, time zone, and the wording on your customer onboarding page. We use this to create and secure your account and to provide the service. We also collect billing identifiers so we can manage your subscription.

Website and contact-form visitors. When you send us a message through our contact form we collect your name, email address, an optional company name, and your message. We use this only to read and reply to you. The message is sent straight to our inbox by our email provider, and we do not store contact-form submissions in our database. Your email address is set as the reply-to address so we can write back.

We handle account data because it is necessary to provide the service you signed up for. We handle the messages you send us because it is necessary to answer the request you chose to send. We keep billing records to meet our contractual and legal obligations. Where we rely on your consent for anything, you can withdraw it at any time.

To deliver a business's calendar feed, we handle information about that business's customers. This is the data where the business is the controller and we are the processor.

What this includes. A subscriber's name and email address, an optional reference from the business's own systems, and the calendar events the business chooses to send, such as a title, a date, an optional time, a short description, a link, and reminder settings. To deliver the feed we also create a unique, secret feed link for each subscriber.

Where it comes from. If you are a subscriber, we received your details from the business you have a relationship with, such as your clinic, salon, gym, or other provider, not from you directly. That business decides what to send you and is responsible for having a proper basis to do so, and for telling you about it. To exercise your rights over this data, please contact that business. If you contact us instead, we will pass your request to the business and help them respond.

Sensitive details. A calendar event can sometimes reveal sensitive things, for example that an appointment is with a particular kind of provider. The business that sends the events is responsible for handling any sensitive information lawfully. We ask businesses not to put special categories of personal data into Noeza unless they are allowed to.

Feed access records. When a subscriber's calendar app checks their feed for updates, we record the time of the check and the calendar app's identifier (its user-agent). We use this to keep the service reliable, to detect abuse, and to show the business when a feed was last checked. We do not record subscribers' IP addresses in the application. Our hosting providers may process connection IP addresses at the network level as part of running the service.

Each subscriber's feed is reached through a unique web address that contains a secret token. This link works like a password. Anyone who has it can view that subscriber's upcoming events without signing in. Keep it private, and do not post it publicly or share it where others can see it.

To protect these links we:

• serve every feed only over an encrypted (HTTPS) connection,
• ask search engines not to index feed pages, and
• set the page so the secret link is not passed on to other sites you might open.

No secret-link system can be completely immune to exposure, for example through browser history, forwarding, or someone looking over your shoulder. If a feed link is ever exposed, contact us or the business that issued it so a new link can be created and the old one retired.

• We never sell, rent, or trade your personal information. We never have, and we never will.
• We do not run third-party analytics, and we do not load ad trackers or advertising pixels.
• We do not track people across other websites or apps.
• We protect our contact form with bot protection that runs on our own servers, so no outside company sees or scores your visitors to check they are human.
• We do not use your name or business in marketing without your permission.
• We make money from software subscriptions, not from your data. Selling it is not our business model, so we have no reason to.

We keep this simple. When you sign in to your dashboard, we use a single cookie to keep you signed in. It is strictly necessary to provide the service you asked for, so it does not require a consent banner.

We do not use analytics cookies, advertising cookies, or cross-site trackers. Our bot protection sets no tracking cookies and does no fingerprinting.

We share data only with the service providers we need to run Noeza, and only so they can do work for us. Each is bound by a contract to protect the data and to use it only on our instructions.

We may also disclose data if the law requires it, or to protect our rights, our users, or the public. If Noeza is ever involved in a merger or sale, we will require that this policy continues to protect your data.

Noeza is operated from the United Arab Emirates. The providers that store and process data for us are configured to use servers in the European Union, so your personal data is primarily stored in the EU.

Some access and processing happens from outside the EU, including by our team in the United Arab Emirates. For transfers outside the UAE, the United Kingdom, or the European Economic Area we rely on recognized safeguards such as standard contractual clauses, so that your data keeps a similar level of protection wherever it is handled.

• Account data is kept while your account is active, and for a limited period afterwards. We delete or anonymize it once it is no longer needed, unless we must keep records longer to meet a legal or tax obligation.
• Subscriber data and calendar events are kept while the business keeps them in Noeza. We delete them on the business's instruction, or shortly after the business's account is closed.
• Feed access records are kept for a short period for security and reliability, then deleted or aggregated.
• Contact-form messages are not stored in our database. They live only in our email inbox, where we keep them for as long as we need to handle your request.

Whoever and wherever you are, you can ask us to show you the personal data we hold about you, correct it, export it, delete it, or restrict or stop certain processing. You can object to decisions made only by automated means, and where we rely on your consent you can withdraw it at any time. We aim to respond within 30 days, and we will tell you if a complex request needs a little longer.

Additional rights for the EEA, UK, and Switzerland. Where the GDPR or UK GDPR applies to our processing of your personal data, you also have the rights it grants, including data portability and the right to complain to your local supervisory authority. In the United Kingdom that authority is the Information Commissioner's Office.

Additional rights for California residents. Where the CCPA applies, and as a matter of policy, you can ask us to know what personal information we hold, to delete it, to correct it, and you will not be treated differently for asking. We do not sell or share your personal information, and we have not done so in the past twelve months, so there is nothing to opt out of. We honor recognized opt-out preference signals, such as Global Privacy Control, where they apply.

To make a request, or to ask anything about how we handle your data, use our contact page. To protect your account we may need to confirm your identity before we act. If your data was added by a business, please contact that business, and we will help them respond.

We protect your data with technical and organizational measures. Data is encrypted in transit over HTTPS and protected at rest by our infrastructure providers, access to data is limited to those who need it, and our providers hold recognized security certifications. No service can promise perfect security, but we work to keep your data safe and to respond quickly if something goes wrong. If a data breach affects you and the law requires it, we will notify you and the relevant authority without undue delay.

Noeza is a tool for businesses and is not directed to children. We do not knowingly collect personal data from children through our own service. A business is responsible for having a proper basis for every contact it adds, including any consent required for a minor. If you believe a child's data has been added, contact the business or us, and we will help have it removed.

We update this policy when our practices change or the law requires it. When we make a meaningful change, we will refresh the "last updated" date at the top of this page, and where the change is significant we will give notice before it takes effect.