Privacy Policy

1. Introduction

Effective date

May 1, 2026 (initial publication)

Reading time

~15 minutes

Celerora LLC ("Celerora," "we," "us," or "our"), a Texas limited liability company, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our booking management platform, including our website and all related services (collectively, the "Service").

What is "personal information"? Personal information (also called personal data) is any information that identifies you or could reasonably be used, alone or combined with other information, to identify you. This includes things like your name, email address, phone number, postal address, payment metadata, IP address, and information about how you use the Service.

This Privacy Policy applies to users worldwide. If you access the Service from outside the United States, your information may be transferred to and processed in the United States and other countries as described below.

Please read this Privacy Policy carefully. By accessing or using Celerora, you acknowledge that you have read and understood this Privacy Policy. The specific legal grounds we rely on to process your personal data — including performance of our contract with you, our legitimate interests, your consent for specific purposes (such as marketing communications), and compliance with legal obligations — are described in Section 12 (Legal Basis for Processing). The Terms of Service govern your contractual agreement to use the Service.

If you do not agree with our privacy practices, please do not use the Service.

2. Information We Collect

Information You Provide

We collect information you voluntarily provide when using the Service:

• Account Information: Name, email address, phone number, password, and business name
• Profile Information: Service descriptions, pricing, availability, business address, photos, and logo
• Payment Information: Credit card details and billing address (processed securely by Stripe; Celerora does not store full card data). We store limited payment metadata for display and account management, such as card brand, last four digits, expiry month/year, and Stripe payment method IDs.
• Booking Information: Appointment details, service preferences, customer notes, and scheduling data
• Communications: Messages sent through the platform, AI chatbot conversations, support inquiries, and reviews
• AI Configuration: Business descriptions, common questions and answers, and AI personality settings

Information Collected Automatically

When you access the Service, we automatically collect:

• Usage Data: Booking activity, account events, and other actions you take within the Service. If we add product analytics or error monitoring tools in the future (see Section 6), this category will expand to include pages visited, features used, and similar interaction data; we will update this policy and notify you of material changes before doing so.
• Device Information: Browser type, operating system, device type, and screen resolution
• Network Information: IP address and general location based on IP (city/region level)
• Log Data: Access times, error logs, and referring URLs

Information from Third Parties

• Google Calendar: Calendar events and availability (with your explicit permission)
• OAuth Providers: when you sign in with Google, we receive your Google account ID, email address, email-verification status, first and last name, profile picture URL, and locale preference (the standard claims in a Google-issued ID token)
• Payment Processors: Transaction confirmations and payment status from Stripe for subscription fees and booking deposits (including any related refunds and chargebacks)
• SMS Providers: Delivery status and responses from Telnyx

Customer Reputation Data

For our No-Show Protection feature, we collect and calculate:

• Booking completion rates, cancellation history, and no-show incidents
• Reputation scores (0-100 scale) based on booking behavior
• Risk levels (low, medium, high) for deposit requirements
• Provider ratings and feedback about customers

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery

• Process bookings, manage appointments, and facilitate scheduling
• Send booking confirmations, reminders, and notifications via email and SMS
• Process subscription payments and deposit transactions
• Sync calendars with Google Calendar when authorized
• Provide customer support and respond to inquiries

AI Features

• Power the AI Lead Responder to answer customer inquiries
• Generate instant quotes based on job descriptions
• Personalize AI responses based on your business configuration

No-Show Protection

• Calculate and maintain customer reputation scores
• Determine deposit requirements based on booking history
• Process deposit payments and forfeitures

Platform Improvement

• Develop new features and services based on user feedback and product decisions
• Monitor and ensure platform security and integrity
• Detect and prevent fraud, abuse, and unauthorized access
• If we add product analytics or error monitoring tools in the future (see Section 6), we may also analyze aggregated usage patterns to improve features and user experience

Communications

• Send service-related announcements and updates
• Send marketing communications (with your consent, and you can opt out anytime)
• Respond to your requests, questions, and feedback

4. AI Features & Data

Celerora uses artificial intelligence to power features like the AI Lead Responder and Instant Quote Generator. Here's how we handle data related to AI features:

AI Conversation Data

• Customer inquiries and AI responses are stored to provide conversation history
• Conversations are accessible to the service provider whose business the AI represents, for quality assurance and follow-up
• Conversations are also accessible, on a limited and as-needed basis, to authorized Celerora personnel for purposes such as platform support, debugging, security review, and abuse investigation
• AI conversations are processed by third-party AI providers (OpenAI and Anthropic)
• These providers process data according to their own privacy policies and data processing agreements

AI Training & Improvement

Current configuration (as of the effective date of this policy). We currently use commercial API tiers from OpenAI and Anthropic. Under the commercial terms those vendors have in effect today, content submitted via API is not used by them to train their general-purpose models by default, and we have not enabled any opt-in feature that would change that behavior. We also do not use your individual conversations to train any model of our own.

Commitment to update. If we change AI providers, switch to a different API tier, enable a vendor feature that would result in your content being used for model training, or build our own model that is trained on user content, we will update this Privacy Policy and notify users in advance, as described in Section 15. Any change that broadens the use of your content for training qualifies as a material change.

Aggregated metrics. We may review aggregated, non-identifying metrics (such as message volume, feature usage, and response latency) to improve service quality and reliability. These metrics do not include the content of individual conversations.

Your AI Data Controls

Available controls depend on your role on the platform. As described in Section 12, AI Lead Responder conversations are typically controlled by the service provider whose business the AI represents.

If you are a service provider using the AI Lead Responder:

• View, reopen, take over, or delete individual conversations through your AI Responder dashboard
• Enable or disable the AI Lead Responder at any time in your settings
• Adjust AI configuration (business personality, common questions, handoff rules, active hours) at any time

If you are a customer whose data appears in an AI conversation:

• Because the AI Responder represents the service provider you contacted, the provider is the primary controller of those conversation records. You may contact the provider directly to request deletion of conversation data they hold about you.
• You may also email privacy@celerora.com to request deletion of personal data we hold about you, including any AI conversation content (subject to the retention exceptions described in Section 9). We will either fulfill the request or coordinate with the provider, as appropriate.
• Closing your Celerora account (see Section 9) results in scrubbing of personal identifiers from any AI conversation records that contain your information, within the timeframes described in that section.

5. Information Sharing

We do not sell your personal information. We may share your information in the following circumstances:

Between Users

Service providers and customers can see each other's relevant booking information (names, contact details, booking specifics). Customer reputation scores are visible only to service providers, not publicly.

Service Providers (Vendors)

We share data with third-party vendors who help us operate the Service. They fall into the following categories:

• Payment processing (e.g., Stripe)
• Communication providers (e.g., Telnyx for SMS, Resend for email)
• AI and machine-learning providers (e.g., OpenAI, Anthropic)
• Calendar and identity providers (e.g., Google for Calendar OAuth)
• Cloud infrastructure and hosting (e.g., Vercel, Neon, Cloudflare R2, Upstash)
• Bot and spam protection (e.g., Cloudflare Turnstile)

For the current named list of all sub-processors, including each vendor's purpose, the categories of data shared, applicable international transfer safeguards, and processing location, see our Sub-processors page. These vendors are contractually obligated under Data Processing Agreements to protect your data and use it only for the specific services they provide to us.

Legal Requirements

We may disclose your information when required by law, such as in response to a subpoena, court order, or government request, or when necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

Business Transfers

If Celerora is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

Third-Party Links

The Service may contain links to third-party websites and services (for example, Stripe payment pages, Google Calendar OAuth, or external service-provider sites). When you follow a link to a third-party site, you leave the Service and this Privacy Policy no longer applies. We are not responsible for the content or privacy practices of third-party sites. We encourage you to review the privacy policy of any site you visit.

6. Cookies and Tracking Technologies

We use a small number of cookies — and similar browser-storage mechanisms — to operate the Service. We do not currently use cookies for advertising, behavioral profiling, or third-party analytics.

Cookies we currently set

The following first-party cookies are set by Celerora itself:

• auth-token— essential authentication cookie. HttpOnly, SameSite=Lax, Secure (in production). Lifetime: 7 days, or 30 days if you choose "Remember me" at sign-in. Used to identify your logged-in session.
• refresh-token— essential authentication cookie used to obtain new session tokens without forcing you to re-enter your password. HttpOnly, SameSite=Lax, Secure (in production). Lifetime: 30 days, or 90 days if you choose "Remember me".

Cookies set by integrated third parties

On certain pages we load third-party widgets that set their own cookies for the specific function they perform:

• Cloudflare Turnstile — set on signup, login, and public booking pages to detect and block bots. These cookies are essential for fraud prevention.
• Stripe— when you reach a Stripe-hosted checkout or Stripe Connect onboarding flow, Stripe sets its own cookies to operate that flow. These cookies are governed by Stripe's privacy policy.

Cookies we do not currently use

We do not currently set product-analytics cookies, error-monitoring cookies, ad pixels, retargeting cookies, or session-replay cookies. If we add such tools in the future (for example, PostHog for product analytics or Sentry for error monitoring), we will update this Section 6, deploy a cookie consent banner where required, and treat the change as a material policy change subject to the 30-day notice described in Section 15.

Cookie Management

You can control cookies through your browser settings. However, disabling certain cookies may affect platform functionality. Options include:

• Block all cookies (may prevent login)
• Block third-party cookies only
• Clear cookies when you close your browser
• Receive alerts before cookies are set

Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. Because there is no industry standard for honoring DNT signals, we do not currently respond to them. We may revisit this practice as web standards evolve.

Cookie Consent for EU/UK Users

If you are located in the European Economic Area (EEA) or the United Kingdom and we introduce non-essential analytics or advertising cookies, we will display a cookie consent banner that allows you to accept, reject, or selectively configure non-essential cookies before they are set, in accordance with the ePrivacy Directive and UK PECR requirements.

7. SMS Communications

When you provide your phone number on Celerora, you may opt in to receive SMS/MMS messages from us. We use separate consent for transactional and promotional SMS — consenting to one does not consent to the other. Pre-checked consent boxes are never used; you must affirmatively opt in. Consent is captured electronically through dedicated, unchecked-by-default checkboxes so we maintain a verifiable record of when and how each user opted in.

Where consent is captured. Two surfaces capture SMS consent — both use the same dual-checkbox pattern:

1. Customersopt in at the point of submitting a booking request or estimate request through a service provider's public booking page.
2. Service providers opt in via their account profile at /profile after signup. The phone field is optional; the consent checkboxes only appear once a phone number has been entered and saved. Provider sign-up itself does not collect SMS consent.

After you have opted out, replying with re-opt-in keywords (described in the SMS Communications Policy) restores transactional SMS only; promotional SMS requires fresh affirmative consent through the relevant consent checkbox.

Phone verification.When a service provider enters a phone number, Celerora may send a one-time 6-digit verification code to confirm the number is real and reachable before honoring SMS consent. This verification SMS is sent only in response to an explicit user action (clicking "Verify phone") and is not subject to opt-out keywords because it is initiated by the user themselves.

Promotional SMS — including rebook reminders, special offers, and marketing campaigns from service providers — requires prior express written consent under the Telephone Consumer Protection Act (TCPA), 47 CFR § 64.1200(f)(9). We collect this consent through a separate, unchecked-by-default checkbox with the required disclosure language at one of the two surfaces above. Service providers cannot mark customers as opted-in on their behalf; only the user can grant promotional consent through that checkbox. For full details on consent capture, opt-out methods, and message types, see our SMS Communications Policy.

Transactional Messages

The exact set of messages depends on whether you are a customer (booking a service) or a service provider (operating an account on the platform):

Customers may receive:

• Booking confirmations
• Appointment reminders
• Deposit and payment requests
• "On my way" arrival notifications
• Quote notifications and updates
• No-show or cancellation alerts

Service providers may receive:

• Account-security messages (password resets, sign-in alerts, phone-verification codes)
• New-booking and booking-change notifications
• Payment and payout notifications
• Customer-care responses to inbound questions

Promotional Messages

Promotional messages are sent only with separate, additional opt-in (see SMS Communications Policy). Categories include:

• Rebook reminders for past services
• Special offers, promotions, or seasonal availability from service providers you have previously booked
• Marketing campaigns from service providers on our platform

Current channel scope. Promotional messages may be delivered by email, SMS, or both, depending on the message type and current platform capabilities. As of the effective date of this policy, ifpromotional content is delivered via SMS, it is limited to rebook reminders for past services. Special offers and marketing campaigns are sent by email today; if and when we extend either to SMS, this section will be updated and we will treat the change as a material change under Section 15. In practice that means: you will receive 30 days' advance notice (by email or in-app banner) and a revised "Last updated" date before the change takes effect, and you may withdraw promotional SMS consent at any time using the opt-out methods described in our SMS Communications Policy.

Frequency & Costs

Message frequency varies based on your booking activity and the providers you engage with. Standard message and data rates may apply. Carriers are not liable for delayed or undelivered messages.

Opt-Out & Help

• Opt out of all SMS: Reply STOP, CANCEL, END, QUIT, or UNSUBSCRIBE to any message. You will receive one final confirmation message.
• Opt out of marketing only: Reply STOP MARKETING to stop promotional messages while continuing to receive transactional messages.
• Help: Reply HELP for assistance.
• Re-Subscribe (transactional only): Reply START, SUBSCRIBE, UNSTOP, RESUME, or YES to any prior message to re-enable transactional SMS (booking confirmations, reminders, etc.). Promotional SMS is not automatically restored — to receive promotional messages again you must give new affirmative consent through the relevant consent checkbox (on a future booking or estimate-request form, or on your account profile if you are a service provider).

Your Mobile Information

8. Data Security

We implement industry-standard security measures to protect your personal data:

• Encryption in Transit: All data transmitted to and from our servers uses TLS/SSL encryption
• Encryption at Rest: Our databases and object storage are encrypted at rest by our cloud providers — Neon for PostgreSQL (AES-256), Cloudflare R2 for files (AES-256), and Upstash for Redis (encryption at rest on paid tier, which we maintain). Passwords are hashed using bcrypt and are never stored or transmitted in plaintext. Full payment card data is never stored on our servers — Stripe handles card data directly under PCI-DSS.
• Access Controls: Direct access to production data is limited to authorized Celerora personnel and is logged through our cloud-provider audit logs.
• Secure Authentication: Passwords are hashed with bcrypt; users may enable optional two-factor authentication (TOTP) on their account.
• Dependency Monitoring: We monitor security advisories for our open-source dependencies and apply security patches in our regular release cadence.
• PCI Compliance: Payment processing is handled by PCI-DSS compliant providers (Stripe).
• Account Protection: Accounts are automatically locked after multiple consecutive failed login attempts to mitigate credential-stuffing attacks.

Notification of Data Breaches

In the event of a personal data breach affecting your information, we will notify the relevant authorities and affected individuals within the timelines required by applicable law.

EU and UK (GDPR / UK GDPR). Where the breach falls within the scope of GDPR Article 33 or UK GDPR, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34), we will also notify affected individuals without undue delay.

United States.Where the breach falls within the scope of an applicable U.S. state breach-notification statute, we will notify the state attorney general (or other designated authority) and affected residents within the time period required by that state's law. Notification timelines, content requirements, and reporting thresholds vary by state and may differ materially from the 72-hour GDPR rule. Examples of states with breach-notification statutes that may apply to our users include California, Texas, Virginia, Colorado, Florida, Delaware, Utah, New York, Illinois, Massachusetts, and Washington, among others.

Other jurisdictions. We will comply with breach-notification obligations under any other applicable law that applies to our processing of your personal information.

In any breach notice, we will provide a description of what happened, the categories of data involved, the likely consequences, and the measures we have taken or propose to take in response. We will also cooperate with any regulator investigating the breach.

9. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy. How deletion and retention interact when you close your account:

1. Immediately — direct identifiers on your account record (name, email, phone, address, business profile, profile photo, password hash) are scrubbed.
2. Within 30 days — non-retention personal data linked to your account is deleted: notifications, AI conversations, account and provider settings, emergency-availability slots, expired authentication tokens, and security events older than 90 days.
3. Up to 7 years — underlying transactional records (bookings, payments, payouts, invoices, public reviews) are retained in pseudonymized form to comply with tax, financial, and dispute-resolution obligations. In these retained records direct identifiers are removed or replaced; the records remain technically linked to an internal account ID for audit purposes but are not used to contact or re-identify you.

Account deletion is not available while you have active bookings (status pending, confirmed, or in-progress). Cancel or complete those bookings first, then return to your settings to delete your account.

• Active Accounts: Data is retained while your account remains active
• Closed Accounts: Account-record identifiers are scrubbed immediately; non-retention personal data is deleted within 30 days; transactional records (bookings, payments, payouts) are retained in pseudonymized form for up to 7 years
• Booking Records: Retained for 7 years for tax, legal, and dispute-resolution purposes
• Payment Records: Transaction records retained for 7 years per financial regulations
• AI Conversations: Retained for as long as needed to provide the service. You can request deletion at any time through your account or by contacting us, subject to our need to retain records related to ongoing disputes, fraud or abuse investigations, security incidents, or actual or threatened legal claims.
• Reputation Data: Customer reputation scores and related no-show history are retained while relevant to the No-Show Protection feature, which functions as a fraud-prevention and risk-scoring mechanism. You can request deletion at any time, subject to our need to maintain records that support fraud and abuse prevention, dispute resolution, and legal claims; in particular, we may retain reputation history where it is being used to investigate or respond to a documented incident, or where deletion would defeat the integrity of the risk-scoring system.
• Marketing Communications Preferences: Retained until you unsubscribe.
• Analytics Data (when applicable): If we add product analytics or error monitoring tools, anonymized or pseudonymized data may be retained for platform improvement purposes. We do not currently operate any product-analytics pipeline; this category will be activated and disclosed in detail when such tools are introduced.

You may request early deletion of your data, subject to our legal obligations to retain certain information.

10. Your Privacy Rights

Regardless of your location, we provide all users with the privacy rights listed below. Some rights can be exercised directly through the Service; others currently require contacting us by email. We are continuing to expand self-serve tooling and will update this section as more rights become available in-product.

Self-serve actions in the Service

• Account deletion: Account → Delete Account. Account closure triggers a deletion process described in Section 9.
• Profile correction: edit your name, email, phone number, address, business details, and other profile fields directly in your account.
• SMS opt-out: reply STOP, CANCEL, END, QUIT, or UNSUBSCRIBE to any message to opt out of all SMS, or STOP MARKETING to opt out of marketing SMS only (see Section 7).
• Email notification preferences (service providers): provider accounts can adjust per-category email preferences (booking notifications, payment alerts, etc.) in account settings.

Rights exercised by emailing us

The following rights currently require contacting us at privacy@celerora.com. We will verify your identity (see Section 11) and respond within the timelines described below.

• Access (Right to Know): request a copy of the personal data we hold about you.
• Portability: request a copy of your personal data in a structured, commonly used, machine-readable format. We currently provide portability exports manually on request; we are building self-serve export tooling for a future release.
• Correction (for fields not editable in your account): request correction of personal data that you cannot edit yourself (for example, information about you submitted by another user, or system-generated records).
• Object: object to processing of your personal data based on legitimate interests, public interest, or for direct marketing purposes.
• Restrict: request restriction of processing in specific circumstances (for example, while we investigate the accuracy of data you have contested).
• Withdraw Consent: withdraw any consent you have previously given (for example, marketing email consent for customer accounts that lack a self-serve preferences page). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Marketing email opt-out (customers): until self-serve preferences are available for customer accounts, you may opt out of marketing emails by clicking the unsubscribe link in any marketing email or by emailing privacy@celerora.com. Service-related transactional emails (booking confirmations, security alerts) are sent regardless of marketing preferences and are required to use the Service.

Response timelines

• General requests: we aim to respond within 30 days of receipt
• GDPR / UK GDPR: within one month, extendable by up to two further months for complex requests (see Section 12)
• CCPA / CPRA: within 45 days, extendable by an additional 45 days with notice (see Section 11)

11. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

Your CCPA / CPRA Rights

• Right to Know: Request disclosure of the categories of personal information we have collected, the categories of sources, the business or commercial purposes for collecting it, the categories of third parties with whom we have shared it, and the specific pieces of personal information we hold about you
• Right to Delete: Request deletion of your personal information, subject to certain exceptions (such as records we must retain for tax, legal, or fraud-prevention reasons)
• Right to Correct: Request correction of inaccurate personal information we hold about you
• Right to Opt-Out of Sale or Sharing: Opt out of the sale or sharing of your personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA
• Right to Limit Use of Sensitive Personal Information: Direct us to limit the use of sensitive personal information. We do not directly collect sensitive personal information ourselves (such as government identifiers like Social Security or tax IDs, biometrics, health information, precise geolocation, or racial/ethnic origin). For service providers, government IDs and tax identifiers required for KYC verification are collected directly by Stripe through Stripe-hosted forms; that information is held by Stripe under its own privacy practices and is not stored on our servers
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights, deny you services, charge different prices, or provide a different level or quality of service
• Right to Use an Authorized Agent:You may designate an authorized agent to make CCPA/CPRA requests on your behalf. We will require written authorization from you and verification of the agent's identity before processing such requests

Categories of Personal Information Collected

• Identifiers: Name, email, phone number, IP address, account/user IDs, session tokens
• Customer Records: Service addresses, billing addresses, tokenized payment card metadata (last 4, brand, expiry — full card data held by Stripe)
• Commercial Information: Booking history, services purchased, subscription status, deposits, invoices
• Internet Activity: Interactions with our platform features and pages
• Geolocation Data: Service addresses you provide and general location based on IP address
• Visual Data: Profile photos, service photos, and other images you upload to the Service
• Professional Information: Business name, services offered, hours of operation (for service providers)
• Inferences: Customer reputation scores, preferences derived from activity, AI-generated quote and message drafts

Categories of Sources

We collect personal information from the following categories of sources:

• Directly from you — when you sign up, create a profile, book a service, send a message, or contact support
• Automatically — through your use of the Service, including server logs, cookies, and device data
• From third-party services you authorize — such as Google (Calendar OAuth) or Stripe (payment processing)
• From service providers acting on our behalf — such as Telnyx (SMS delivery status) or Resend (email delivery status)

Business or Commercial Purposes for Collection

We use the categories of personal information listed above for the following business or commercial purposes:

• Providing, operating, and maintaining the Service (booking, scheduling, payments, communication)
• Authenticating users and securing accounts
• Processing subscription payments and customer deposits
• Sending transactional and (with consent) promotional communications
• Operating the No-Show Protection feature (calculating reputation scores and risk levels)
• Powering AI features (Lead Responder, quote generation)
• Detecting and preventing fraud, abuse, and unauthorized access
• Complying with legal, accounting, and regulatory obligations
• Resolving disputes and enforcing our Terms of Service

Categories of Third Parties Disclosed To

In the preceding 12 months, we have disclosed personal information to the following categories of third parties for business purposes (for the named vendors in each category, see our Sub-processors page):

• Payment processors (e.g., Stripe)
• Communication providers (e.g., Telnyx for SMS, Resend for email)
• AI and machine-learning providers (e.g., OpenAI, Anthropic)
• Cloud infrastructure and hosting providers (e.g., Vercel, Neon, Cloudflare R2, Upstash)
• Identity, authentication, and bot-protection providers (e.g., Google OAuth, Cloudflare Turnstile)
• Other service providers who help us operate the Service under contractual data-protection obligations
• Government authorities, courts, and law enforcement when required by valid legal process
• Successor entities in the event of a merger, acquisition, or sale of assets (with notice as described in Section 5)

"Do Not Sell or Share My Personal Information"

Celerora does not sell or share personal information as those terms are defined under the CCPA/CPRA. We do not exchange your personal data for monetary or other valuable consideration with third parties, and we do not share your personal information with third parties for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months and do not intend to do so.

If we ever change this practice— for example, by introducing advertising pixels, third-party retargeting, session-replay tools that transmit your activity to a vendor, or any other integration that would constitute "sale" or "sharing" under the CCPA/CPRA — we will treat that as a material change under Section 15. This means we will (a) update this Privacy Policy in advance, (b) provide the 30-day advance notice described in Section 15, and (c) implement an appropriate consent or opt-out mechanism (such as a "Do Not Sell or Share" link and cookie consent banner where required) before the change takes effect. The integration will not go live until those steps are complete.

Submitting CCPA / CPRA Requests

To submit a request to exercise any of the rights above, email privacy@celerora.com with "CCPA Request" in the subject line. We will respond within 45 days (with a possible 45-day extension if reasonably necessary, with notice to you).

Verification of Identity

To protect your privacy, we will verify your identity before fulfilling a request. For most requests we will ask you to confirm details we already hold (such as your account email and a recent transaction or booking). For sensitive requests we may require additional verification. If we cannot verify your identity using reasonable means, we may decline the request and will explain why. Authorized agents must provide written authorization signed by you, and we may contact you directly to confirm.

Shine the Light (California Civil Code §1798.83)

California residents whose business relationship with us is primarily for personal, family, or household purposes may request, once per calendar year, a list of the categories of personal information we disclosed to third parties for those third parties' direct marketing purposes during the preceding calendar year, along with the names and addresses of those third parties. To make a request, email privacy@celerora.com with "Shine the Light Request" in the subject line. We do not currently share personal information with third parties for their direct marketing purposes.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights:

Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you requested, including booking management, payments, calendar sync, and AI features (such as the AI Lead Responder and quote generation) that you have chosen to use
• Legitimate Interests: Processing for our legitimate business interests (security, fraud prevention, debugging, and platform reliability), balanced against your rights and freedoms
• Consent: Processing based on your explicit consent for specific purposes — including promotional email and SMS marketing communications. You can withdraw consent at any time without affecting the lawfulness of prior processing
• Legal Obligation: Processing required to comply with applicable tax, accounting, and other legal obligations

Your GDPR Rights

In addition to the rights listed in Section 10, you have the right to:

• Right to Erasure (Article 17): Request that we erase your personal data. This is a qualified right and applies in specific circumstances, including: (a) the data is no longer necessary for the purpose for which it was collected; (b) you withdraw consent and there is no other legal basis; (c) you object to processing and there are no overriding legitimate grounds; (d) the data was unlawfully processed; or (e) erasure is required by law. Some data may be retained where necessary for legal claims, compliance with legal obligations (e.g., tax records), or freedom of expression
• Right to Object to Direct Marketing (Article 21.2): You have an absolute right to object to processing of your personal data for direct marketing purposes at any time, and we will stop such processing immediately
• Object to Other Processing (Article 21.1): Object to processing based on legitimate interests or public interest, in which case we must demonstrate compelling legitimate grounds to continue
• Lodge a Complaint: File a complaint with your local data protection authority
• Withdraw Consent: Withdraw consent at any time (this does not affect lawfulness of prior processing)
• Object to Profiling: Object to automated decision-making, including profiling, that produces legal effects or similarly significantly affects you

Response Timelines

We will respond to GDPR requests without undue delay and in any event within one month of receipt (GDPR Article 12.3). We may extend this period by up to two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receiving the request and explain the reason for the delay.

Data Controller and Processor Roles

Celerora is a B2B platform where service providers (our customers) use our infrastructure to operate their own businesses, including managing their own customer relationships. Our role under GDPR, UK GDPR, and similar laws therefore varies depending on the type of data and the user involved.

When Celerora acts as the Data Controller — we determine the purposes and means of processing — for:

• Account information you provide directly to us (name, email, password, profile fields)
• Authentication, security, and audit-log records
• Subscription billing data for service-provider accounts
• Marketing communications that Celerora itself sends about the Service
• Server-side request logs and operational metrics used for platform reliability, security, and debugging

When a service provider acts as the Data Controller and Celerora acts as the Data Processor — the provider determines the purposes; we process on their behalf — for:

• The provider's customer records, customer notes, and internal CRM data
• Customer lists used for the provider's rebook reminders and marketing campaigns
• AI Lead Responder conversations between the provider's AI assistant and the provider's customers
• Service-related communications the provider sends through the platform

In these scenarios, the service provider — not Celerora — is responsible for the lawfulness of the underlying collection, the legal basis for processing, and fulfilling data-subject rights requests. Celerora provides the technical infrastructure and supports providers in meeting these obligations.

Even where a service provider is the primary controller for their customer data, Celerora may also act as an independent controller of that data for limited purposes — including platform security, fraud and abuse prevention, enforcement of our Terms of Service, and compliance with our own legal obligations. Processing for those purposes is conducted by Celerora on its own behalf, not on behalf of the provider.

Joint controllership. For some data — such as a booking record created when a customer books a service provider directly through our marketplace — Celerora and the service provider may act as joint controllers. Each party maintains the data for related but distinct purposes (Celerora for operating the marketplace and providing the booking experience; the provider for delivering the service to their customer).

Data Processing Agreements (DPAs) for service providers. Service providers who use Celerora and require a written Data Processing Agreement to satisfy their own regulatory obligations (e.g., a provider serving EU customers needing a GDPR Article 28 DPA from their processor) may request our standard DPA by emailing privacy@celerora.com with "DPA Request" in the subject line.

Where to direct your rights requests. If you are unsure which entity to contact:

• For account, authentication, billing, or platform-level data, contact Celerora at privacy@celerora.com.
• For data held by a specific service provider about their relationship with you (their customer notes, the marketing list they uploaded, their AI assistant's conversations with you), contact the service provider directly. They are the data controller for that information.
• If you contact us about provider-controlled data, we will either forward the request to the relevant provider, or assist the provider in responding — whichever is appropriate.

Contact and Data Protection Officer. For GDPR or UK GDPR inquiries addressed to Celerora as the controller, contact us at privacy@celerora.com. We have not appointed a Data Protection Officer as we are not required to do so under GDPR Article 37; all privacy inquiries are handled by our Privacy Team at the address above.

UK GDPR (United Kingdom Residents)

Following the UK's departure from the EU, the United Kingdom maintains its own data protection regime under the UK GDPR and Data Protection Act 2018. The rights described above apply to UK residents in substantially the same form, including the right to make a Data Subject Access Request (DSAR), to which we will respond within one month of receipt (extendable by up to two further months for complex or numerous requests, with notice).

UK residents may lodge a complaint with the Information Commissioner's Office (ICO) at any time at www.ico.org.uk. We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO — please reach out to us at privacy@celerora.com.

Data transferred from the UK to the United States is protected under the UK Extension to the EU-US Data Privacy Framework, or under Standard Contractual Clauses (SCCs) issued by the European Commission with the UK Addendum approved by the ICO, as applicable to each sub-processor.

13. International Data Transfers

Celerora is based in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, which may have different data protection laws than your country.

Transfer Mechanisms

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on the legal safeguards described below:

• EU-US Data Privacy Framework (DPF), including the UK Extension and Swiss-US DPF, where the receiving sub-processor is certified under the Framework
• Standard Contractual Clauses (SCCs) approved by the European Commission, with the UK International Data Transfer Addendum approved by the ICO and the Swiss equivalent for transfers from Switzerland
• Data Processing Agreements (DPAs) with each sub-processor named on our Sub-processors page, incorporating the safeguards above as part of the vendor's standard terms

The specific mechanism varies by sub-processor and may change over time as vendors update their DPF certification status or DPA terms. Where a sub-processor is DPF-certified, we rely on that certification; where it is not, we rely on SCCs (with UK Addendum or Swiss equivalent as applicable) incorporated into the sub-processor's DPA.

How to Obtain Copies of Safeguards

You have the right under GDPR Article 13(1)(f) and UK GDPR to obtain copies of the safeguards we rely on for international transfers. To request a copy, or to ask which specific mechanism applies to a given sub-processor, email privacy@celerora.com with "Transfer Safeguards Request" in the subject line. We will respond within one month.

14. Children's Privacy

Direct registration and booking

Celerora is intended for use by adult business owners and the adult customers of those businesses. We do not knowingly permit anyone under the age of 18 to register an account or book a service directly through Celerora, and we do not knowingly collect personal information from anyone under 18 through those direct registration or booking flows.

U.S. — COPPA (Children's Online Privacy Protection Act):in accordance with COPPA, we do not knowingly collect personal information directly from children under the age of 13 through our account or booking flows. If we learn that we have inadvertently collected such information directly from a child under 13 without verified parental consent, we will delete it promptly. Information about a child that an adult (parent, guardian, or service provider) submits in connection with a booking is governed by the "Information About Minors Submitted by Adults" subsection below.

EU/UK — GDPR / UK GDPR:our 18-year minimum age for direct registration and booking is more conservative than the GDPR Article 8 default age of digital consent (16, or as low as 13 depending on EU member state). We do not knowingly accept direct account registration or bookings from anyone under 18; where we inadvertently do so, we will delete the resulting data promptly upon learning of it. Information about a minor that an adult submits through our booking flows is governed by the "Information About Minors Submitted by Adults" subsection below.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@celerora.com and we will take steps to delete the information promptly.

Information About Minors Submitted by Adults

Some bookings on Celerora involve services delivered to or about minors (for example, tutoring, haircuts, kids' party entertainment, or pediatric services). When an adult — a parent, guardian, or service provider — submits information about a minor through the Service (such as the minor's name, age, special needs, or notes about the booking), the adult represents and confirms that they have the legal authority to share that information.

Information about minors submitted in this way:

• Is used only to deliver the service requested and to maintain the booking record
• Is not used for marketing or promotional communications targeted at the minor
• Is not sold or shared for cross-context behavioral advertising or any third-party marketing purpose
• Is eligible for deletion upon request by the parent or legal guardian. To request deletion of a minor's information, email privacy@celerora.com with sufficient detail to identify the relevant booking record

Service-provider responsibility

Service providers who use Celerora to manage bookings, customers, and communications are independently responsible for compliance with all laws governing services involving minors, including (where applicable) COPPA, FERPA, HIPAA, and state-level child-data protection statutes. Celerora provides infrastructure for booking management; service providers are responsible for the lawfulness of their own collection, retention, and use of minor data on the platform.

Special-category data and HIPAA

If a booking involves health, medical, behavioral, or other sensitive information about a minor, service providers should consider whether HIPAA or analogous state laws apply to their practice and ensure they have appropriate consent and safeguards in place. Celerora is not a HIPAA Business Associate and does not enter into Business Associate Agreements; providers in regulated practices should evaluate platform fit accordingly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of changes by:

• Updating the "Last updated" date at the top of this policy
• Sending you an email notification for significant changes
• Displaying a prominent notice on our platform

Material changes will be announced at least 30 days before taking effect. We consider a change "material" if it:

• Expands the categories of personal information we collect
• Introduces new purposes for using personal information that are incompatible with the original purposes
• Adds new categories of third parties with whom we share personal information
• Reduces the rights or controls available to you
• Changes the legal basis on which we process your data

Non-material changes (such as clarifications, typo corrections, contact updates, or additions to the sub-processor list when a vendor is replaced with another performing the same function) take effect when posted, with the "Last updated" date revised accordingly.

The current version of this Privacy Policy is always available at this URL with the revised "Last updated" date at the top. The version posted at any given time describes how we handle your information from that effective date forward. If you no longer agree with our practices, you can stop using the Service or contact us to manage your preferences and exercise your rights as described in Section 10.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For GDPR-related inquiries, you may also contact your local data protection authority.