Calry Privacy Policy
calry.app | Version 2.0 — Last updated: 2 July 2026
Calry is a unified API for the vacation-rental and hospitality industry, operated by OnSeason Limited, a company registered in England and Wales (company number 17167619, VAT number GB 520706816) with its registered office at Unit 16 Diss Business Hub, Hopper Way, Diss, England, IP22 4GT (“OnSeason”, “Calry”, “we”, “us” or “our”). We are the data controller for the personal data described in this policy.
This Privacy Policy explains how we collect and use personal data for which we are the controller, and describes your rights under the UK GDPR and the Data Protection Act 2018. We are committed to protecting your privacy and handling your data transparently.
1. Important: What This Policy Covers
This policy covers data we control. It applies to personal data we determine the purposes and means for — namely data about visitors to calry.app, users of the Calry dashboard and service, and people who contact us for sales, support or other enquiries.
It does not cover data we process for our customers. When our customers use the Calry API to connect and synchronise their systems, personal data belonging to their guests and end users passes through and is stored on our infrastructure. For that data we act as a processor on our customers’ documented instructions; the customer is the controller. That processing is governed by our Data Processing Agreement and by each customer’s own privacy policy — not by this policy. If you are a guest or end user of a property manager or business that uses Calry, please contact that business as the controller of your data.
2. Personal Data We Collect
Depending on how you interact with us, we may collect the following categories of personal data as a controller:
| Category | Examples | Source |
|---|---|---|
| Account & dashboard users | Name, business email, company, job title, login credentials, account/API activity and logs | You / your use of the service |
| Website visitors | IP address, device and browser type, pages viewed, referring URLs, and cookie/analytics identifiers | Collected automatically |
| Sales & marketing contacts | Name, business email, company, role, demo requests and communications with us | You / your enquiry |
| Support contacts | Correspondence, support tickets and their contents | You |
| Billing contacts | Name, business email, billing address, VAT number and payment references (card details are handled directly by our payment processor, not stored by us) | You |
3. How and Why We Use Your Data
We use personal data for the purposes below, each with a lawful basis under Article 6 of the UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Provide, operate and maintain the Calry service and dashboard, and manage your account | Performance of a contract |
| Authenticate users, secure our systems and prevent fraud or misuse | Legitimate interests (security of our service) |
| Respond to enquiries, demo requests and provide support | Legitimate interests / steps prior to a contract |
| Issue invoices, collect payment and keep financial records | Performance of a contract / legal obligation |
| Send service and product communications, and marketing about similar services (you may opt out at any time) | Legitimate interests / consent |
| Analyse usage and improve our service, site and communications | Legitimate interests / consent (for non-essential cookies) |
| Comply with legal obligations and respond to lawful requests | Legal obligation |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights. Where we rely on consent (for example, non-essential cookies or certain marketing), you may withdraw it at any time.
4. Cookies & Analytics
4.1 We use essential cookies to operate the site and authenticate users, and analytics/functionality cookies to understand usage and improve the service. Non-essential cookies are set only where permitted through our cookie banner, and you can manage your preferences at any time through your browser or the banner.
4.2 We use Google Analytics 4 (GA4) and PostHog to understand how our site and service are used and to improve them. These tools set analytics cookies and may process usage data (such as IP address, device information and interactions) on our behalf. Further detail on the specific cookies we use is set out in our Cookie Policy, and you can control non-essential cookies through our cookie banner.
5. Who We Share Data With
5.1 We share personal data only where necessary, with:
(a) service providers who process data on our behalf under contract — including cloud hosting and storage, analytics (Google Analytics 4 and PostHog), email/CRM, and payment processing (Stripe);
(b) professional advisers (such as lawyers, accountants and auditors) where reasonably required;
(c) a purchaser or successor entity in connection with a merger, acquisition or reorganisation, subject to this policy; and
(d) public authorities, regulators or law enforcement where we are legally required to do so.
5.2 We do not sell your personal data. Our service providers are bound by contractual obligations to protect it and to use it only to provide services to us.
6. International Transfers
6.1 We and some of our service providers store and process personal data on servers located in both the United Kingdom / European Economic Area (EEA) and the United States. This means personal data may be transferred outside the UK/EEA.
6.2 Where we transfer personal data to a country not covered by UK or EU adequacy regulations (including the United States), we rely on an appropriate safeguard — the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and the EU Standard Contractual Clauses where relevant — or on the recipient’s certification under the EU–US Data Privacy Framework and its UK Extension.
7. How Long We Keep Data
We keep personal data only for as long as necessary for the purposes set out above and to meet our legal, accounting and reporting obligations. Our standard retention periods are:
| Data | Retention period |
|---|---|
| Account & dashboard user data | For the duration of your account, plus 12 months after closure |
| Website usage & analytics data | Up to 14 months in identifiable form (aligned with our analytics tools’ settings) |
| Sales & marketing contacts | Until you opt out, or after 24 months of inactivity, then deleted or suppressed |
| Support correspondence | Up to 24 months after the request is resolved |
| Invoices & financial records | 6 years, as required by UK tax law |
Where data is no longer needed, we securely delete or anonymise it. Some data may be retained longer where required to comply with a legal obligation or to establish, exercise or defend legal claims.
8. Your Rights
8.1 Under the UK GDPR you have the right to: access your personal data; have inaccurate data corrected; have data erased (in certain circumstances); restrict or object to processing; data portability; and, where processing is based on consent, to withdraw that consent at any time. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
8.2 To exercise any of these rights, contact us at privacy@calry.app. We will respond within one month, as required by law.
8.3 If you have a concern, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk. If you are in the EEA, you may also complain to your local supervisory authority. We would appreciate the chance to address your concerns before you approach the regulator.
9. Security
9.1 We maintain an information security management system aligned with ISO/IEC 27001:2022 and appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls and monitoring. We are pursuing ISO/IEC 27001:2022 certification and SOC 2 Type II attestation. No method of transmission or storage is completely secure, but we work to protect your data using appropriate measures.
10. Children
10.1 Calry is a business-to-business service and is not directed to children. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.
11. Third-Party Links
11.1 Our site and service may link to third-party websites we do not operate. We are not responsible for their content or privacy practices, and we encourage you to review their privacy policies.
12. Changes to this Policy
12.1 We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “Last updated” date, and where changes are material we will provide a more prominent notice (for example, by email or an in-service notice) before they take effect.
13. Contact Us
For any privacy question or to exercise your rights, contact:
Data Controller: OnSeason Limited (operating the Calry service)
Registered address: Unit 16 Diss Business Hub, Hopper Way, Diss, England, IP22 4GT, United Kingdom
Company / VAT: Company No. 17167619 · VAT GB 520706816
Privacy contact: privacy@calry.app
ICO registration: Pending