Kalenda

Privacy Policy

Privacy Policy

This privacy policy explains what personal data we collect at kalenda.cloud-services-ag.com and via the Kalenda booking service, the purposes for which we process it, and what rights you have. The Swiss Data Protection Act (DPA, in force since 1 September 2023) and the EU GDPR apply.

1. Controller

The controller responsible for data processing is cloud services ag, St. Gallen, Switzerland. For questions reach us at kalenda@cloud-services-ag.com.

2. Categories of data

We process inventory data (name, email), communication data (messages, topics, IP addresses for spam protection), usage data (aggregated Plausible statistics without cookies) and contract data (for SaaS customers). During booking we ask for name, email and a brief topic.

3. Purposes and legal bases

Contract performance (bookings, SaaS operation) — Art. 31 (2) (a) DPA / Art. 6 (1) (b) GDPR. Security and spam protection (Altcha, rate limiting) — legitimate interest, Art. 31 (1) DPA / Art. 6 (1) (f) GDPR. Audience measurement via self-hosted Plausible — legitimate interest in aggregated, non-personal evaluation. Plausible uses no cookies and stores no IP addresses in clear text.

4. Third-party services and fonts

We use no third-party fonts (Google Fonts) and no US cloud services. Fonts (Outfit, DM Sans, JetBrains Mono under SIL OFL-1.1) are served from our own infrastructure. Analytics run via our own Plausible instance at plausible.cloud-services-ag.com. No data transfer to the United States takes place.

5. Data location and subprocessors

Data is processed in the Eastern Switzerland Data Centre (RZO Gais, Switzerland). For SaaS customers: no foreign subprocessors. Operational backups remain in Switzerland. For self-hosted deployments you decide where data lives — we do not process personal data of your end visitors.

6. Retention

Booking data is retained for the duration of the contract and afterwards until the statutory retention periods expire (10 years for business records under Swiss Code of Obligations). Spam-protection logs are deleted after 90 days. Plausible statistics are aggregated and contain no personal references.

7. Your rights

You have the right to access, rectification, erasure and data portability, and a right to complain to the Swiss Federal Data Protection and Information Commissioner (FDPIC) in Bern, or to the EU supervisory authority responsible for you. Send requests to kalenda@cloud-services-ag.com.

8. Security

We encrypt transport with TLS 1.3 (HSTS preload), enforce restrictive Content Security Policies, operate the service non-root in K8s containers and use Keeper Secrets Manager for central secrets management. Slot bookings are handled atomically via Valkey locking to rule out race conditions.

9. Changes

We reserve the right to adapt this declaration. The version published on this page is authoritative. Last update: May 2026.