Privacy Policy
Last updated: March 12, 2026
1. Introduction
Calemio ("we", "our", "us") is operated by Mio Bilgi Teknolojileri A.Ş., a company registered in Sivas, Turkey. This Privacy Policy ("Policy") explains how we collect, use, store, protect, and share your personal data when you use our mobile application and related services (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read and understood this Policy and agree to the collection and processing of your data as described herein. This Policy is incorporated into and forms part of our Terms of Service. The organization is committed to protecting privacy in compliance with the Turkish Personal Data Protection Law No. 6698 (KVKK), the EU General Data Protection Regulation (GDPR), and other applicable data protection and privacy legislation worldwide.
2. Data Controller
The data controller responsible for your personal data is: Mio Bilgi Teknolojileri A.Ş. — Address: Sivas Teknokent, Sivas, Turkey — Email: info@miox.io. For GDPR-related inquiries, you may also contact our EU representative at legal@miox.io. For KVKK-related inquiries and data subject requests, you may contact us using the same email address. We have appointed an internal data protection coordinator to oversee compliance with applicable data protection laws.
3. Data We Collect
3.1 Account Information
When you create an account, we collect your name, email address, phone number, and optional profile photo. For business accounts, we additionally collect business name, business address, industry/sector, working hours, service descriptions and pricing, staff information (names, roles, working schedules), and branch/location details. You are responsible for ensuring the accuracy and currency of all information you provide.
3.2 Appointment Data
To provide core scheduling functionality, we store appointment details including date, time, duration, service type, assigned staff member, room or resource allocation, client information, user-added notes, appointment status (confirmed, cancelled, completed, no-show), rescheduling history, and recurring appointment patterns.
3.3 Client Information
Client names, phone numbers, email addresses (when provided), appointment history, service preferences, notes, and communication preferences are stored. Users bear full responsibility as data controllers for obtaining appropriate, informed consent from their clients before entering their personal data into the Service. Users must maintain records of such consent in accordance with applicable data protection laws.
3.4 AI Assistant Interactions
The AI assistant (Mio) processes voice commands, text queries, scheduling requests, and contextual conversation data to provide scheduling suggestions, business insights, and operational support. Conversations may be retained for up to 12 months to improve service quality and AI model accuracy. For more information on AI data processing, please refer to our AI Disclosure.
3.5 Payment Information
Subscription payments are processed exclusively through the Apple App Store and Google Play Store. We do not directly collect, process, or store your credit card numbers, bank account details, or other financial payment instruments. All payment processing is subject to the privacy policies and terms of Apple and Google, respectively. We may receive transaction confirmation details (such as subscription status, plan type, and renewal dates) from these platforms for account management purposes.
3.6 Device and Usage Data
We automatically collect certain information when you access the Service, including device type and model, operating system type and version, app version, unique device identifiers, IP address (anonymized for analytics), language and locale preferences, push notification tokens, time zone settings, crash logs and diagnostic data, and general usage statistics (e.g., feature usage frequency, session duration).
3.7 Cookies and Tracking Technologies
Our website and web-based services may use cookies and similar tracking technologies to enhance your browsing experience, analyze traffic patterns, and personalize content. We use session cookies (necessary for service operation), preference cookies (to remember your settings), and analytics cookies (for understanding usage patterns). You can configure your browser to refuse cookies, though this may limit certain functionality. Our mobile application does not use browser cookies but may use similar technologies for analytics and functionality purposes.
4. How We Use Your Data
We use the data we collect for the following purposes:
- Providing, operating, and maintaining the appointment management Service, including all core features and functionality
- Sending appointment reminders, confirmations, cancellation notices, and follow-up notifications to you and, where applicable, to your clients on your behalf
- Powering AI-assisted scheduling suggestions, business insights, analytics, and the Mio AI assistant functionality
- Processing and managing subscriptions, billing, and account administration
- Improving, personalizing, and optimizing the Service, including app performance, user interface, and user experience
- Communicating with you about service updates, new features, maintenance schedules, and important changes to our policies
- Providing customer support, responding to your inquiries, and resolving technical issues
- Detecting, preventing, and addressing fraud, security threats, technical issues, and abuse of the Service
- Conducting anonymized and aggregated data analysis for research, statistical purposes, and service improvement
- Complying with applicable legal obligations, regulatory requirements, and responding to lawful governmental requests
5. Legal Basis for Processing
We process your personal data based on one or more of the following legal grounds:
- Contract performance: Processing that is necessary for the performance of our contract with you, including providing the Service, managing your account, and processing subscriptions
- Legitimate interest: Processing for our legitimate business interests, such as improving and securing the Service, analytics, fraud prevention, and direct marketing (where you have not opted out), balanced against your rights and freedoms
- Consent: Where we process data based on your explicit consent, such as for marketing communications, optional AI features, and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
- Legal obligation: Processing that is necessary for compliance with a legal obligation to which we are subject, including tax reporting, financial record-keeping, and responding to lawful requests from public authorities
6. Data Storage, Security, and Transfers
6.1 Security Measures
We implement and maintain appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data at rest using AES-256 encryption and in transit using TLS 1.3
- Database-level encryption for sensitive fields using PostgreSQL pgcrypto
- Strict access controls with role-based permissions and the principle of least privilege for all personnel
6.2 Data Location
Data is primarily stored on secure servers within the European Economic Area (EEA). If data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms in accordance with GDPR Article 46 requirements.
6.3 Security Limitations
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data. In the event of a data breach, we will notify affected users and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR, and as required under KVKK).
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as described in this Policy. Specifically:
- Active account data is retained for the duration of your account's existence
- Upon account deletion, personal data is removed within 30 days, except where longer retention is required by applicable law
- Financial and transaction records may be retained for up to 10 years as required by Turkish commercial and tax law
- AI conversation logs are retained for up to 12 months, unless you request earlier deletion
- Anonymized and aggregated data (which cannot identify you) may be retained indefinitely for research and statistical purposes
- Backup copies of data may persist in our secure backup systems for up to 90 days after deletion from primary systems, after which they are permanently removed
8. Data Transfers
Your information, including personal data, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. If you are located outside the Republic of Turkey and choose to provide information to us, please note that we transfer the data to Turkey and process it there. For transfers outside the EEA, we implement appropriate safeguards as described in Section 6.2. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to such transfers.
9. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We may share your data with the following categories of recipients, and only to the extent necessary:
- Cloud infrastructure and content delivery providers: BunnyCDN (content delivery network) provides content distribution and caching services on our behalf, subject to strict data processing agreements
- Error tracking services: Sentry processes anonymous error reports and device information to detect and resolve application errors and performance issues. This data is used solely for improving service quality
- Push notification services: Firebase Cloud Messaging (FCM) is used to send appointment reminders, calendar updates, and important account notifications. Use of FCM is subject to Google's data processing terms
- Payment and subscription management: Apple and Google process subscription payments on our behalf. RevenueCat is used as an intermediary to manage subscription status and provide analytics. We share only the data necessary for transaction processing and subscription management
- AI service providers: OpenAI processes data server-side solely for delivering Calemio's AI assistant (Mio) features, bound by data processing agreements. User data is not sent directly to OpenAI; all requests are routed through Calemio servers
- Map and location services: Google Maps is used to display business locations on the map and provide location-based services. Use of Google Maps is subject to Google's privacy policy
- Weather services: Open-Meteo is used to provide weather-based scheduling recommendations for businesses. Only location data (coordinates) is shared with this service; no personal data is transmitted
- App distribution infrastructure: Expo is used for distributing and managing app updates. Only device information and app version data is shared with Expo
- Legal authorities: We may disclose your data when required by law, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or respond to a lawful government request
10. Your Rights
Under KVKK (Turkey)
In accordance with Turkish Personal Data Protection Law No. 6698, you have the following rights:
- Right to learn whether your personal data is being processed
- Right to request information about the processing of your personal data
- Right to learn the purpose of processing and whether data is used in accordance with its purpose
- Right to know the third parties to whom your personal data has been transferred, domestically or abroad
- Right to request rectification of incomplete or inaccurate personal data
- Right to request deletion or destruction of your personal data under the conditions set forth in Article 7 of KVKK
- Right to object to automated processing that produces results exclusively against you
- Right to claim compensation for damages arising from the unlawful processing of your personal data
Under GDPR (EU/EEA)
If you are located in the European Union or European Economic Area, you additionally have the following rights:
- Right to receive your personal data in a structured, commonly used, and machine-readable format (data portability)
- Right to restrict the processing of your personal data under certain circumstances
- Right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing
- Right to lodge a complaint with your local data protection supervisory authority
- Right to object to processing based on legitimate interests, including profiling
11. Push Notifications
We use push notifications to send appointment reminders, schedule updates, service notifications, and important account alerts. Push notifications are essential for the core functionality of the appointment management Service. You can disable push notifications at any time through your device settings, though this may affect your ability to receive timely appointment reminders and important service communications. We do not use push notifications for third-party advertising.
12. Children's Privacy
The Service is not directed to, and not intended for use by, individuals under the age of 18. We do not knowingly collect personal data from children under 18 years of age. If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete such data from our systems. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at info@miox.io so we can take appropriate action.
13. Do Not Track Signals
We honor Do Not Track (DNT) signals sent by your browser. When a Do Not Track browser mechanism is in place, we do not track your activity, plant cookies for advertising purposes, or use advertising technologies. Please note that this applies to our website and web services; our mobile application uses its own analytics infrastructure as described in this Policy.
14. Third-Party Links
The Service may contain links to third-party websites, applications, or services that are not operated or controlled by us. This Privacy Policy does not apply to any third-party sites or services. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. We strongly encourage you to review the privacy policy and terms of any third-party site you visit.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational purposes. Material changes will be communicated to you through the app, by email, or via prominent notice on our website at least 30 days before taking effect. The "Last updated" date at the top of this Policy indicates when the latest revisions were made. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy. We encourage you to review this Policy periodically. If you do not agree with a revised Policy, you should stop using the Service and delete your account.
16. Contact Us
If you have any questions, concerns, requests, or complaints about this Privacy Policy, your personal data, or our data protection practices, please contact us at: Mio Bilgi Teknolojileri A.Ş. — Email: info@miox.io — Address: Sivas Teknokent, Sivas, Turkey. We aim to respond to all data protection inquiries within 30 days (or within the shorter timeframes required by applicable law). If you are not satisfied with our response, you have the right to lodge a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — www.kvkk.gov.tr) or, if applicable, your local EU/EEA data protection supervisory authority.
© 2026 Calemio by Mio Bilgi Teknolojileri A.Ş. All rights reserved.