Your data, treated carefully.

This Privacy Policy describes how Calendify ("we", "us") collects, uses, shares, and protects personal data when you use our website, mobile apps, and related services (the "Service").

Our practices are aligned with the Moroccan Law 09-08 on the protection of personal data and the EU General Data Protection Regulation (GDPR) where it applies.

The data controller for your personal data is Digital Era Solutions, a company operating in Morocco. When you book with a professional on our platform, that professional is a separate, independent data controller for the clinical and appointment data they collect during your visit. Calendify acts as their processor for that data (we store it on their behalf).

For all data-protection inquiries, our Data Protection Officer is reachable at privacy@calendify.ma.

Account information

• First name, last name, email, phone number.
• A hashed password (we never see or store your password in plain text).
• For professionals: clinic name, address, city, profession, license number, bio, profile photo.
• For patients: optional city and a national identifier (CIN) required only when a professional has to link you to an in-person walk-in record.

Appointment data

• Bookings (date, time, service, status, completion notes).
• Queue positions and wait-time estimates.
• Reviews you post and helpful-counts they receive.

Device & technical data

• Device type, operating system, browser, app version.
• Push-notification tokens, so we can reach you with queue updates and reminders.

• Run the Service. Authenticate you, show your appointments, send reminders, process payments for professionals, and show patients their queue position in real time.
• Communicate with you. Account emails, booking confirmations, changes to our Terms, and — only if you opt in — product updates.
• Improve the Service. Aggregate, anonymized analytics about how features are used help us decide what to build next.
• Keep things safe. Detect fraud, spam, abuse, and unauthorized access.
• Meet legal obligations. Retain billing records, respond to lawful requests, and comply with tax, accounting, and data-protection laws.

Under Law 09-08 and the GDPR, we rely on:

• Performance of a contract — when we need your data to run the Service for you (create bookings, send reminders, process payments).
• Legitimate interest — security, fraud prevention, and product improvement, weighed against your rights and freedoms.
• Consent — for optional marketing communications and, where required, for non-essential analytics. You can withdraw consent at any time.
• Legal obligation — retention of fiscal and billing records, or when authorities make a valid legal request.

We do not sell your data. Ever.

We share data strictly with:

• Your professional. When you book with a professional, they see the information needed to provide the service — your name, contact info, appointment history, and any notes you share.
• Clinic staff. If your professional has granted access to staff members, they can see the same information.
• Service providers. Vetted infrastructure partners who process data on our instructions — currently Supabase (database + authentication), Apple / Google (push notifications), and an email provider for transactional emails. Each is under a written data-processing agreement.
• Authorities. Only when we're legally required (valid subpoena, court order, or regulatory request under Law 09-08 or the CNDP).

Personal data is stored on managed database infrastructure operated by Supabase, in data centers located in the European Union. Transfers outside Morocco or the EU, when necessary (for example push notifications routed through Apple's or Google's global infrastructure), rely on appropriate safeguards such as Standard Contractual Clauses.

• Encryption in transit — all traffic is served over HTTPS (TLS 1.2+).
• Encryption at rest — our database is encrypted at rest using AES-256.
• Row-level security — every table enforces access policies at the database layer, so users can only see rows they're authorized to see. Even if application code has a bug, the database still says no.
• Password hashing — passwords are hashed with bcrypt (via Supabase Auth). We never see the originals.
• IP hashing — we never store raw IP addresses. Only a salted SHA-256 hash, which can't be reversed without the salt.
• Least-privilege access — only a small number of staff can access production data, and only with logged, audited access.

• Account data: as long as your account is active, plus 30 days after closure (so you can reactivate).
• Appointment records: kept while your relationship with the professional is active. After closure, professional obligations may require them to retain clinical records for longer, independently of Calendify.
• Billing & invoices: retained for 10 years as required by Moroccan accounting law.
• Analytics events: retained for up to 24 months in an anonymized form.
• Backups: encrypted snapshots are kept for 30 days for disaster recovery before being rotated out.

Under Law 09-08 and, where applicable, the GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data (most fields are editable directly in your account).
• Erasure — ask us to delete your data, subject to legal retention obligations (billing records, for example).
• Portability — export your data in a machine-readable format.
• Restriction and objection — ask us to pause processing or object to processing based on legitimate interest.
• Withdraw consent — for anything you previously opted into, at any time.
• Lodge a complaint — with the Moroccan CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel), or with your local EU supervisory authority if you're in the EU.

To exercise these rights, email privacy@calendify.ma from the address associated with your account. We'll respond within 30 days.

Calendify is not designed for children under 16. We don't knowingly collect personal data from children without the consent of a parent or legal guardian. Parents who book appointments for their children through their own account are responsible for the information they share on the child's behalf.

Calendify uses a minimal set of cookies and local-storage items:

• Session cookies — keep you logged in.
• Preference storage — remember your language, sidebar collapse state, and similar UI preferences.
• Anonymous session ID — a random identifier stored in your browser's localStorage, used to stitch analytics events from the same session together. It contains no identifying information and never leaves the browser except in analytics payloads.

We do not use third-party advertising cookies. We do not track you across other websites.

Product analytics events are captured in our own analytics_events table (hosted on Supabase in the EU), not sent to third parties like Google Analytics or Facebook. Events contain the event name, a handful of properties (like the button clicked), the anonymous session ID, a coarse geo hint (country), and a hashed IP.

If you'd rather not be included in analytics at all, email privacy@calendify.ma and we'll flag your account for exclusion.

We update this policy when we change how we handle data or when regulations change. Whenever we do, we'll update the "Last updated" date above and, for material changes, notify you by email or in-app. Continuing to use the Service after a change means you accept the updated policy.

Our Data Protection Officer welcomes your questions, concerns, and rights requests:

• Email: privacy@calendify.ma
• Security reports: security@calendify.ma
• General questions: hello@calendify.ma

You can also read our Terms of Service for the rules around using Calendify.