REZZA

Privacy Policy

Last updated: May 31, 2026  ·  Effective date: May 31, 2026

At REZZA, your privacy matters. This policy explains what personal data we collect, why we collect it, and how you can control it.

Contents
1. Who We Are
2. Data We Collect
3. How We Use Data
4. Legal Basis
5. Data Sharing
6. Third-Party Integrations
7. Data Retention
8. Security
9. International Transfers
10. Your Rights
11. Cookies
12. Children
13. Policy Changes
14. Contact & DPO

Short version: We collect only what we need to run REZZA, never sell your data to third parties, store it securely on cloud infrastructure, and give you full rights to access, correct, or delete it. Third-party connections (Stripe, social platforms, Canva, etc.) are governed by their own policies in addition to ours.

1. Who We Are

REZZA ("we," "us," or "our") operates the business management platform available at getrezzanow.com. For purposes of applicable data protection law, REZZA is the data controller for personal data collected through our platform, except where we act as a data processor on behalf of our business customers.

To contact us about privacy matters: privacy@getrezzanow.com

2. Personal Data We Collect

2.1 Account and Identity Data

  • Name, email address, username, and password (hashed)
  • Profile photo (if uploaded)
  • Business name, address, phone number (if provided)
  • Role within the platform (admin, staff, client)

2.2 Transaction and Billing Data

  • Subscription plan and billing history
  • Invoice and payment records (amounts, dates, status)
  • Payment method type and last-four digits (stored by Stripe; we do not store full card numbers)

2.3 Service Usage Data

  • Appointments, schedules, and calendar data
  • Messages exchanged within the platform
  • Social media post content, scheduling, and analytics
  • Tasks, notes, and project data you create
  • Course and learning progress data

2.4 Technical and Log Data

  • IP address, browser type, device identifiers
  • Pages visited, features used, timestamps
  • Error logs and crash reports
  • Session tokens and authentication records

2.5 Third-Party Integration Data

When you connect third-party accounts (social media platforms, Canva, etc.), we receive access tokens and the profile information you authorize. We use this data only to provide the integration features you enable.

2.6 Client Data (Processed on Your Behalf)

If you are an administrator, you may enter personal data about your own clients into REZZA (names, contact details, appointment information, etc.). You are the data controller for that data; REZZA processes it on your behalf as a data processor.

3. How We Use Personal Data

| Purpose | Examples |
|---|---|
| Providing the Service | Creating accounts, processing bookings, sending invoices, syncing social posts |
| Billing and Payments | Charging subscription fees, issuing receipts, managing payment failures |
| Communications | Account confirmations, appointment reminders, billing notifications, security alerts |
| Service Improvement | Analyzing aggregate usage trends to improve features and performance |
| Security & Fraud Prevention | Detecting unauthorized access, preventing abuse, enforcing Terms of Service |
| Legal Compliance | Meeting tax, audit, and regulatory obligations; responding to lawful requests |
| Marketing (opt-in only) | Sending product updates, tips, or promotional emails if you have opted in |

4. Legal Basis for Processing

Where applicable data protection law requires a legal basis for processing personal data, we rely on:

  • Contract performance — to provide the Service you have signed up for
  • Legitimate interests — for security monitoring, fraud prevention, and Service improvement
  • Legal obligation — to comply with applicable laws
  • Consent — for marketing emails and optional cookies (you may withdraw consent at any time)

5. Data Sharing and Disclosure

We do not sell your personal data. We share data only in the following circumstances:

5.1 Service Providers (Sub-processors)

We work with trusted third-party providers who process data on our behalf under strict data processing agreements:

  • Stripe — payment processing
  • Render / AWS — cloud hosting and database infrastructure
  • SendGrid / Mailgun — transactional email delivery
  • Canva — design integration (access token stored; design data accessed only on your request)

5.2 At Your Direction

When you connect social media accounts or other third-party services, data is shared with those platforms as necessary to perform the integration.

5.3 Legal Requirements

We may disclose data if required by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you via email or prominent notice on the Service before your data becomes subject to a different privacy policy.

6. Third-Party Platform Integrations

6.1 Social Media Platforms

When you connect Facebook, Instagram, LinkedIn, Twitter/X, or TikTok, we store OAuth access tokens to publish posts and retrieve analytics on your behalf. We access only the permissions you grant. You can revoke access at any time from your REZZA account or directly in the third-party platform's settings.

6.2 Canva

The optional Canva integration allows you to import your Canva designs as media for social media posts. When you connect Canva, we store an OAuth access token to retrieve your design list and export design images. We access only design metadata (titles, thumbnails) and design content (images) that you explicitly select. We do not read, store, or share your Canva designs beyond what is needed to attach them to your posts. Access tokens are stored encrypted. You can disconnect Canva at any time from your account settings, at which point your Canva token is permanently deleted within 30 days.

6.3 Stripe

Payment details are handled directly by Stripe. REZZA does not store full credit card numbers. Please review Stripe's Privacy Policy.

7. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. After account closure:

  • Account and profile data — deleted within 30 days of account closure
  • Billing records — retained for 7 years to comply with tax and accounting obligations
  • Third-party access tokens (social media, Canva, etc.) — revoked and deleted within 30 days of disconnection or account closure
  • Anonymized usage analytics — retained indefinitely (not linked to individuals)

You may request early deletion of your data by contacting us at privacy@getrezzanow.com, subject to any legal retention obligations.

8. Security

We implement industry-standard measures to protect your data, including:

  • Encryption in transit — all data is transmitted over HTTPS/TLS
  • Encryption at rest — sensitive fields (OAuth tokens, credentials) are encrypted at rest using AES-256
  • Password hashing — passwords are hashed using bcrypt; we never store plaintext passwords
  • WebAuthn / passkey support — for passwordless, phishing-resistant authentication
  • Access controls — role-based access ensures users see only their own data
  • Dependency updates — security patches applied regularly

Despite these measures, no method of transmission over the internet is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@getrezzanow.com.

9. International Data Transfers

REZZA is hosted on cloud infrastructure (Render / AWS) that may be located outside your country of residence. By using the Service, you acknowledge that your data may be transferred to and processed in countries where data protection laws may differ from those in your country. Where required, we ensure adequate safeguards are in place (such as Standard Contractual Clauses for EEA users).

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Ask us to correct inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Portability: Receive your data in a machine-readable format.
  • Right to Restriction: Request that we limit processing of your data in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Withdraw Consent: Withdraw consent for marketing communications at any time.
  • Lodge a Complaint: File a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@getrezzanow.com. We will respond within 30 days.

11. Cookies and Tracking

We use the following types of cookies and similar technologies:

  • Essential cookies — required for authentication, session management, and CSRF protection. These cannot be disabled.
  • Functional cookies — remember your preferences (theme, timezone, language).
  • Analytics cookies — help us understand how the Service is used (aggregate, non-personal). You can opt out.

We do not use advertising or tracking cookies for third-party advertising purposes. You can manage cookie preferences in your browser settings.

12. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, please contact us at privacy@getrezzanow.com and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by prominently posting a notice in the Service at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.

14. Contact and Data Protection Officer

For privacy questions, data subject requests, or security disclosures:

REZZA Privacy Team

Email: privacy@getrezzanow.com

Security: security@getrezzanow.com

We aim to respond to all privacy requests within 30 days.

© 2026 REZZA. All rights reserved.
