Privacy Policy

Last Updated: 04/01/2026

Introduction

Kaza ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. This Privacy Policy is part of our Terms of Service.

Information We Collect

We collect information that you provide directly to us, including:

  • Account information (email address, name)
  • Usage data and preferences
  • Payment information (processed securely by our payment providers)
  • Content you create or upload to the Service
  • Client and lead information you enter into the Service (client name, email, phone, session details)
  • Information received from connected third-party services you authorize (such as Google Calendar and Instagram)

Google User Data & Google API Services

Kaza integrates with Google Calendar so photographers can manage bookings directly from the Service. When you connect your Google Account, we request access only to the scopes necessary to provide this functionality. This section describes how we access, use, store, and share Google user data.

Scopes We Request

  • https://www.googleapis.com/auth/calendar.events — to create, read, update, and delete calendar events associated with bookings you confirm in Kaza. This scope is limited to events and does not grant access to other calendar settings or calendars you have not authorized.
  • openid, email, profile — to identify your Google Account and associate it with your Kaza account.

How We Access Google User Data

Google user data is accessed only via Google's official OAuth 2.0 flow. You explicitly grant access during the Google consent screen, and you can revoke access at any time (see below). We do not access Google user data without an active, authorized OAuth grant from you.

How We Use Google User Data

We use Google user data solely to provide user-facing features of Kaza, specifically:

  • Creating calendar events on your primary Google Calendar when you approve or confirm a booking
  • Updating or cancelling those events when the associated booking changes or is cancelled
  • Reading events previously created by Kaza to keep booking records in sync with your calendar
  • Attaching client-provided booking details (name, email, session type) to the calendar event

We do not use Google user data for advertising, we do not sell it, we do not transfer it to data brokers or information resellers, and we do not use it to train generalized or third-party AI/ML models.

How We Store Google User Data

OAuth access and refresh tokens are stored encrypted at rest in our database (Supabase, hosted on infrastructure with industry-standard security). Access is protected by row-level security so only your account can read your tokens. Calendar event IDs and confirmed booking times are stored to allow us to update or cancel events you created through the Service. We do not maintain a general copy of your calendar.

How We Share Google User Data

We do not share Google user data with third parties except in the following limited cases:

  • With infrastructure sub-processors strictly necessary to operate the Service (e.g., Supabase for encrypted storage, Vercel for hosting). These providers are contractually bound to confidentiality and may not use the data for their own purposes.
  • When required to comply with applicable law, legal process, or enforceable governmental request
  • With your explicit consent or at your direction

Human access to Google user data is restricted and occurs only (a) with your explicit consent, (b) for security purposes or to investigate abuse, (c) to comply with applicable law, or (d) in an aggregated and anonymized form used to improve the Service.

Limited Use Disclosure

Kaza's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Retention & Deletion of Google User Data

You may disconnect your Google Account at any time from the Kaza Integrations settings page. Upon disconnection, we immediately revoke your OAuth tokens with Google and delete stored tokens from our database. Calendar event references associated with past bookings may be retained in your booking history for record-keeping, but we will no longer access your Google Calendar. Full deletion of all Google-sourced data occurs within 30 days of disconnection or account deletion.

Revoking Access

You can revoke Kaza's access to your Google data at any time by:

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process payments and manage subscriptions
  • Communicate with you about service updates
  • Ensure security and prevent fraud

We process your information based on your consent and our legitimate business interests in providing and improving the Service.

Analytics

We may use analytics tools to understand how users interact with our Service. This includes tracking page views, feature usage, and general usage patterns to help us improve the experience.

Information Sharing

We do not sell your personal information. We may share your information only in the following circumstances:

  • With service providers who assist in operating our platform
  • To comply with legal obligations or protect our rights
  • With your consent or at your direction

Your information may be transferred to and processed in countries outside your country of residence, including the United States, where data protection laws may differ.

Data Security

We implement appropriate technical and organizational measures to protect your information, including encryption, secure authentication, and regular security audits. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

Data Retention

We retain your account data for as long as your account is active or as needed to provide services. You may request deletion of your account and associated data at any time.

Account & Data Deletion

You may request permanent deletion of your account and all associated data at any time. Upon receiving a valid deletion request, we will process your request within 30 days.

Grace Period: Account deletion includes a 7-day grace period during which you may contact us to undo the deletion. After this period, the deletion becomes permanent and cannot be reversed.

What Gets Deleted: All data stored in our systems, including your account information, content, and usage data, will be permanently removed. Payment processing is handled by a third-party provider; subscription and billing records are managed in accordance with their retention policies and applicable legal requirements.

How to Request Deletion: To delete your account, send an email to support@heykaza.com from the email address associated with your account. Use the subject line "Delete Account" and include your account email address in the message body.

Please note that while we will delete all data within our control, you are responsible for any data you maintain outside of our systems.

Your Rights

You have the right to:

  • Access and review your personal information
  • Correct inaccurate or incomplete data
  • Request a copy of your data in a portable format
  • Delete your account and associated data
  • Opt out of marketing communications

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date.

Contact Us

If you have questions about this Privacy Policy, please contact us at support@heykaza.com