Privacy Policy

Last updated: April 12, 2026

1. Introduction

Kloq is a product of Analog Mutations Ltd ("we", "our", "us"). Kloq is a privacy-first scheduling application. This Privacy Policy explains how we collect, use, and protect your information when you use our mobile application and services.

2. Privacy Architecture

Kloq uses two different privacy models depending on the type of event:

2.1 One-on-one meetings (zero-knowledge)

• Your identity is hashed. We store only a SHA3-256 hash of your username — we cannot reverse it to learn who you are.
• Booking details are end-to-end encrypted. Names, emails, and messages from bookers are encrypted on their device before reaching our server. We cannot read them.
• Private keys stay on your device. Your encryption keys are stored in your device's secure enclave (iOS Keychain / Android Keystore) and are never transmitted to our servers.

2.2 Group events and webinars (host-authenticated)

Group events and webinars involve multiple attendees sharing a meeting link and receiving confirmation emails from a consistent sender. To enable this, attendee names and email addresses are stored on our servers in a form our systems can read. This allows us to:

• Send instant confirmation emails with calendar attachments.
• Send cancellation notifications when the host cancels an event.
• Provide an attendee management view on the web dashboard.

We process this data only to operate the booking system. We do not use it for advertising, analytics beyond operational metrics, or share it with third parties except AWS SES for email delivery.

3. Information We Collect

3.1 Information you provide

• Hashed user ID: A one-way cryptographic hash of your chosen username.
• Booking page details: Page title, duration, timezone, and availability time slots (these are unencrypted as they must be publicly visible for scheduling).
• Encrypted booking data (1:1 meetings): Booker-submitted information (name, email, notes) encrypted with your public key — we cannot decrypt this.
• Group event and webinar attendee data: Attendee names, email addresses, and any notes or custom question responses. This data is stored on our servers and is necessary for sending confirmation emails, enforcing event capacity, and displaying attendee lists to hosts on the web dashboard and mobile app. We protect this data using standard security practices and restrict access to authorized personnel. Unlike 1:1 meeting data, it is not end-to-end encrypted — Kloq's servers can read it to operate the booking system (see Section 2.2).

3.2 Calendar data

When you connect a calendar (Google, Microsoft, or iOS), we access your calendar events only on your device to calculate availability. Calendar data is processed locally and is never sent to our servers. Only the resulting free/busy time slots are synced.

3.3 Device information

• Push notification token: To deliver real-time booking notifications.
• Platform identifier: (iOS/Android) to route notifications correctly.

4. How We Use Your Information

• To operate the scheduling service and display your availability to bookers.
• To deliver push notifications when new bookings are made.
• To relay encrypted booking data from bookers to you.

We do not use your data for advertising, profiling, analytics, or any purpose beyond operating the scheduling service.

5. Data Sharing

We do not sell, rent, or share your personal data with third parties. The only external services we use are:

• Firebase Cloud Messaging: For push notification delivery (Google's privacy policy applies to notification routing).
• OAuth providers (Google, Microsoft): For calendar access authorization — we receive only the access tokens you explicitly grant.
• Amazon Web Services (SES): For sending confirmation and cancellation emails to group event and webinar attendees. Attendee email addresses are transmitted to AWS for delivery purposes only.

6. Data Retention

• Sessions: Expire after 30 days.
• Booking data (1:1): 1:1 booking pages and their associated data are retained until you delete them or after 90 days of inactivity, whichever comes first.
• Attendee data (group events and webinars): Group event and webinar pages, including attendee names and email addresses, are retained until the host explicitly deletes the event, removes the host email from their Kloq account, or deletes their Kloq account. Hosts can delete cancelled or past events at any time from the Past tab in the app or web dashboard. Deletion is permanent and immediately removes all attendee data for that event.
• Account data: Deleted immediately upon account deletion request, including all booking pages and group/webinar attendee data across all connected emails.

7. Data Security

We protect your data using:

• End-to-end encryption (X25519 + AES-256-GCM) for all booking details.
• Ed25519 digital signatures for critical operations.
• TLS 1.3 for all network communication.
• Secure credential storage (iOS Keychain, Android EncryptedSharedPreferences).

8. Your Rights

As a host, you have the right to:

• Access your data — all your data is accessible within the app.
• Delete your account and all associated data at any time from Settings.
• Disconnect calendar accounts at any time.

As a group event or webinar attendee, you have the right to:

• Cancel your registration at any time using the manage link in your confirmation email.
• Request deletion of your attendee data by contacting the event host or emailing privacy@analogmutations.com. When a host deletes an event, removes their host email, or deletes their Kloq account, all attendee data for events they owned is removed.

9. Children's Privacy

Kloq is not directed at children under 13. We do not knowingly collect information from children under 13.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app.

11. Contact Us

If you have questions about this Privacy Policy, contact us at privacy@analogmutations.com or write to Analog Mutations Ltd.