Caleta

Privacy Policy

Last updated: March 19, 2026

Caleta, Inc ("Caleta," "Company," "we," "us," or "our") provides a business-to-business (B2B) hotel operations platform that helps hospitality businesses manage guest communications, operational workflows, and service delivery (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you interact with our Service, website (www.caleta.us), and related services.

This policy applies to our direct customers and their authorized users ("Customers"), visitors to our website ("Visitors"), and — to the extent described in this policy — individuals whose personal data is processed through our platform on behalf of our Customers, such as hotel guests ("End Users"). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Interpretation and Definitions

Interpretation

Capitalized terms have the meanings defined below. These definitions apply regardless of whether the terms appear in singular or plural form.

Definitions

For the purposes of this Privacy Policy:

  • Account means a unique account created for You to access our Service or parts of our Service.
  • Affiliate means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for election of directors or other managing authority.
  • Application refers to Caleta, the software platform provided by the Company.
  • CCPA/CPRA refers to the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020.
  • Company (referred to as "the Company," "We," "Us," or "Our" in this Privacy Policy) refers to Caleta, Inc, 1100 Bellevue Way NE 8a-683, Bellevue, WA 98004.
  • Cookies are small files placed on Your device by a website, containing details of Your browsing activity among other uses.
  • Country refers to Washington, United States.
  • Customer means the hotel, hospitality business, or other entity that has contracted with Caleta to use the Service.
  • Customer Data means all data — including Personal Data of End Users — that a Customer or its authorized users upload, submit, or otherwise transmit to the Service in the course of using the platform. Customer Data includes, but is not limited to, guest records, reservation details, guest communications, and operational data.
  • Data Controller, for the purposes of the GDPR, refers to the entity which determines the purposes and means of the processing of Personal Data. With respect to Customer Data, the Customer is the Data Controller. With respect to data we collect directly (e.g., Account information, Website usage), Caleta is the Data Controller.
  • Data Processor, for the purposes of the GDPR, refers to the entity which processes Personal Data on behalf of the Data Controller. Caleta acts as a Data Processor with respect to Customer Data.
  • Device means any device that can access the Service such as a computer, cell phone, or digital tablet.
  • End User means an individual whose Personal Data is contained within Customer Data, such as a hotel guest, prospective guest, or other person whose information a Customer processes through the Service.
  • GDPR refers to the EU General Data Protection Regulation (Regulation (EU) 2016/679) and, where applicable, the UK General Data Protection Regulation.
  • Personal Data (or "Personal Information") is any information that relates to an identified or identifiable individual. For the purposes of the CCPA/CPRA, Personal Data means any information that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. We use "Personal Data" and "Personal Information" interchangeably unless a specific law requires otherwise.
  • Service refers to the Application, the Website, or both.
  • Service Provider (also referred to as a "Sub-processor" under GDPR) means any third-party company or individual engaged by the Company to facilitate the Service, perform services related to the Service, or assist the Company in analyzing how the Service is used.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself.
  • Website refers to Caleta, accessible from https://www.caleta.us.
  • You means the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

2. Our Role: Data Controller and Data Processor

Caleta operates as both a Data Controller and a Data Processor depending on the type of data involved. Understanding this distinction is important for knowing your rights and our obligations.

When Caleta Is the Data Controller

Caleta is the Data Controller for Personal Data we collect directly from Customers, Visitors, and prospective customers. This includes:

  • Account registration and profile information
  • Billing and payment information
  • Website usage and analytics data
  • Communications you send to us (e.g., support requests, contact form submissions)
  • Marketing preferences and interactions

For this data, Caleta determines the purposes and means of processing, and this Privacy Policy describes our practices in full.

When Caleta Is the Data Processor

Caleta acts as a Data Processor (or "Service Provider" under the CCPA/CPRA) when processing Customer Data on behalf of our Customers. This includes all data that Customers and their authorized users input into the platform, such as:

  • Guest records (names, contact information, preferences, loyalty program details)
  • Reservation and booking data
  • Guest communications (messages, requests, feedback)
  • Operational data related to hotel services

When acting as a Data Processor, we process Customer Data solely in accordance with our Customer's instructions and the terms of our Data Processing Agreement ("DPA"). Our Customers — as the Data Controllers — are responsible for ensuring they have the appropriate legal basis (such as consent, contractual necessity, or legitimate interest) for collecting and providing this data to us for processing, including any required notices to or consents from their guests and other End Users.

If you are an End User (e.g., a hotel guest) and wish to exercise your data protection rights regarding information processed through our platform, you should direct your request to the hotel or hospitality business that collected your data, as they are the Data Controller. We will cooperate with our Customers in responding to such requests as required by our DPA and applicable law. If you are unsure which entity controls your data, you may contact us and we will direct your inquiry to the appropriate party.

3. Information We Collect

Information You Provide Directly (Controller Data)

  • Account Information: Name, email address, company name, job title, and authentication credentials when you create an account or are invited as an authorized user.
  • Billing Information: Company billing details, billing address, and payment-related information. Credit/debit card details are processed directly by our payment processor (Stripe) and are not stored on our servers.
  • Contact Information: Name, email, company name, and message content when you submit our contact form, request a demo, or communicate with our sales team.
  • Communications: Feedback, support requests, survey responses, and other messages you send to us.

Information Collected Automatically (Controller Data)

  • Usage Data: Pages visited, features used, actions taken within the platform, session duration, and referral URLs.
  • Device Information: Browser type and version, operating system, device identifiers, screen resolution, and language preferences.
  • Log Data: IP addresses, access times, error logs, and server request data.
  • Cookies and Similar Technologies: As described in Section 7 below and in our Cookie Policy.

Customer Data (Processor Data)

Our Customers input data into the platform in the course of managing their hotel operations. While the specific data varies by Customer and use case, Customer Data may include:

  • Guest Personal Data: Names, email addresses, phone numbers, mailing addresses, nationality, identification document details, and loyalty/rewards program information.
  • Reservation Data: Booking dates, room preferences, rate information, special requests, and group/event details.
  • Guest Communications: Messages exchanged between the hotel and guests (e.g., via SMS, email, or messaging platforms integrated with the Service), guest feedback, surveys, and reviews.
  • Operational Data: Housekeeping assignments, maintenance requests, service tickets, and internal notes.
  • Minor Guest Data: Hotels routinely include children's names, ages, and related details in guest records as part of standard reservation and hospitality operations. See Section 12 (Children's Privacy) for details on how we handle this data.

Caleta processes Customer Data strictly on behalf of and under the instructions of our Customers. We do not access Customer Data except as necessary to provide and maintain the Service, to comply with applicable law, or as otherwise instructed by the Customer.

4. How We Use Your Information

Controller Data (Data We Control)

We use the Personal Data we collect as a Data Controller for the following purposes:

  • Service delivery: To provide, operate, maintain, and improve the Service, including account management, feature development, and technical support.
  • Contract performance: To fulfill our contractual obligations to Customers, including billing, invoicing, and subscription management.
  • Communications: To respond to your inquiries, send service-related notifications (e.g., maintenance windows, product updates, security alerts), and, with your consent or as permitted by law, to send marketing communications about our products and services.
  • Analytics and improvement: To monitor and analyze usage patterns, measure feature adoption, diagnose technical issues, and improve the user experience.
  • Security and fraud prevention: To detect, investigate, and prevent security incidents, unauthorized access, and fraudulent or illegal activity.
  • Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
  • Business transfers: To evaluate or conduct a merger, acquisition, reorganization, or sale of assets.

We do not use Controller Data to deliver targeted advertising to individual users. Any marketing we conduct is limited to promoting Caleta's own products and services to business contacts, and you may opt out at any time.

Customer Data (Data We Process on Behalf of Customers)

We process Customer Data solely for the following purposes:

  • Providing and operating the Service as contracted with the Customer
  • Processing data through AI and machine-learning features as described in Section 5 and as enabled by the Customer
  • Providing technical support and troubleshooting at the Customer's request
  • Maintaining the security, integrity, and availability of the platform
  • Complying with applicable law or responding to valid legal process

We do not use Customer Data for advertising, marketing, profiling for our own benefit, or any purpose unrelated to providing the Service. We do not sell, rent, or otherwise commercialize Customer Data.

5. Artificial Intelligence and Automated Processing

Caleta incorporates artificial intelligence (AI) and machine-learning (ML) capabilities to enhance the Service. We believe in transparency about how these technologies are used and how they interact with your data.

How We Use AI/ML

AI and ML features within the Service may include:

  • Suggested responses: Generating draft replies to guest messages for review and approval by hotel staff before sending.
  • Sentiment analysis: Analyzing guest communications to surface tone indicators (e.g., positive, negative, urgent) that help staff prioritize and respond appropriately.
  • Operational alerts: Identifying patterns in operational data to surface potential issues or opportunities (e.g., recurring maintenance requests, service delays).
  • Summarization and classification: Categorizing and summarizing guest feedback, reviews, and communications to assist with reporting and operational decision-making.

AI Infrastructure and Data Handling

  • AI processing is performed using third-party AI infrastructure providers. These providers process data in accordance with our Data Processing Agreements and applicable data protection law.
  • Your data is not used to train third-party AI models. Data processed through AI features is used solely to generate outputs for the Customer within the Service and is not shared with AI providers for their own model training, improvement, or any other independent purpose.
  • AI-generated outputs (e.g., suggested responses) are presented to authorized hotel staff for human review. The Service does not send AI-generated communications to guests without human approval unless the Customer has explicitly configured an automated workflow to do so.

Automated Decision-Making

Caleta does not use AI or automated processing to make decisions that produce legal effects or similarly significant effects on End Users without human involvement. AI features are designed as decision-support tools for hotel staff, not as autonomous decision-makers. Customers retain full control over whether to act on AI-generated suggestions.

Under the GDPR (Article 22), individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If you believe an automated decision has been made about you through our Service, please contact the hotel or hospitality business that manages your data, or contact us for assistance.

6. Data Sharing and Disclosure

We do not sell Personal Data. We may share information as described below:

Service Providers and Sub-processors

We engage third-party Service Providers (Sub-processors under GDPR) to assist in operating the Service. These providers process data on our behalf and are contractually obligated to protect Personal Data and use it only for the purposes we specify. Categories of Sub-processors include:

  • Cloud infrastructure and hosting: For data storage, computing, and platform operations
  • AI infrastructure: For processing data through AI/ML features (currently AWS Bedrock)
  • Payment processing: For billing and subscription management (Stripe)
  • Authentication services: For secure user login and identity verification
  • Email delivery: For transactional and service-related communications
  • Analytics: For website and platform usage analytics (Google Analytics). On our marketing website, analytics are consent-gated. Within the authenticated platform, analytics are limited to aggregate usage patterns (e.g., page navigation) and are never applied to Customer Data or End User data.
  • Security and monitoring: For application performance monitoring, error tracking, and security

A current list of Sub-processors is available upon request. We will notify Customers of any material changes to our Sub-processor list in accordance with our DPA.

Customer-Directed Integrations

Our Service integrates with third-party systems that Customers choose to connect, such as Property Management Systems (PMS), messaging services (e.g., Twilio), collaboration tools (e.g., Microsoft Teams, Slack), and other hospitality technology providers. Data shared with these third-party services is governed by the Customer's configuration choices and the privacy policies of those services. Caleta acts as a conduit for these integrations at the Customer's direction.

Legal Requirements

We may disclose Personal Data if required to do so by law or in good faith belief that such action is necessary to:

  • Comply with a legal obligation, court order, or governmental request
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing or security incidents in connection with the Service
  • Protect the personal safety of users of the Service or the public
  • Protect against legal liability

Where permitted by law, we will notify the affected Customer before disclosing Customer Data in response to legal process, so the Customer may seek a protective order or other remedy.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, Personal Data may be among the assets transferred. We will provide notice before Personal Data is transferred and becomes subject to a different privacy policy.

Affiliates

We may share Personal Data with our affiliates, in which case we will require them to honor this Privacy Policy.

7. Cookies and Tracking Technologies

We use Cookies and similar tracking technologies on our Website and within the Service. The types and purposes of cookies we use differ between our public marketing website and the authenticated platform.

Marketing Website (www.caleta.us)

On our public website, we use:

  • Essential Cookies (Session)
    Required for site functionality, security, and fraud prevention. These cannot be disabled.
  • Functionality Cookies (Persistent)
    Remember your preferences such as language and region.
  • Analytics Cookies (Persistent, Third Party)
    We use Google Analytics to understand how Visitors interact with our marketing website. These cookies collect information such as pages visited, time on site, and referral sources. This data is used to improve our website and is not linked to Customer Data or End User data. You can opt out by installing the Google Analytics Opt-out Browser Add-on.
  • Cookie Consent Cookies (Persistent)
    Record whether you have accepted or declined non-essential cookies.

Where required by law, non-essential cookies are used only with your consent. You can withdraw or change your consent at any time using our cookie preferences tool or through your browser settings.

Authenticated Platform

Within the authenticated Caleta platform, we use essential cookies necessary for session management, authentication, security, and platform functionality. We also use Google Analytics to collect aggregate usage data (e.g., pages visited within the platform) to improve the product experience. This analytics data is not linked to Customer Data or End User data. We do not use third-party advertising or remarketing cookies within the platform, and we do not track Customer or End User behavior for advertising purposes.

For full details, please visit our Cookie Policy.

Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. There is currently no uniform standard for interpreting DNT signals. We do not currently respond to DNT signals, but we do not engage in cross-site tracking of our platform users.

8. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Where possible, we apply shorter retention periods and reduce identifiability by deleting, aggregating, or anonymizing data. Unless otherwise stated, the periods below are maximums ("up to").

Controller Data

  • Account Information: Retained for the duration of your account relationship plus up to 24 months after account closure to handle post-termination issues or resolve disputes.
  • Customer Support Data: Support tickets, correspondence, and chat transcripts retained up to 24 months from closure to resolve follow-up inquiries, track service quality, and defend against potential legal claims.
  • Website Analytics Data: Cookies, IP addresses, and device identifiers retained up to 24 months from collection.
  • Application Usage Statistics: Up to 24 months to understand feature adoption and improve the Service.
  • Server Logs: IP addresses, access times, and error logs retained up to 24 months for security monitoring and troubleshooting.
  • Financial and Transaction Data: Transaction records (invoice details, purchase history, amounts) retained up to 10 years from the date of transaction to comply with tax laws and financial regulations. Credit/debit card details are not stored on our servers.

Customer Data

We retain Customer Data for the duration of our contractual relationship with the Customer. Upon termination or expiration of a Customer agreement, we will delete or return Customer Data in accordance with our DPA, typically within 90 days, unless retention is required by applicable law. Residual copies in encrypted backups are purged according to our routine backup retention schedule.

After Retention Periods Expire

When retention periods expire, we securely handle Personal Data through one of the following procedures:

  • Deletion: Personal Data is removed from our active systems and is no longer processed.
  • Backup Retention: Residual copies may remain in encrypted backups for a limited period consistent with our backup schedule. Backup data is not restored except where necessary for security, disaster recovery, or legal compliance.
  • Anonymization: In some cases, we convert Personal Data into anonymous statistical data that cannot be linked back to any individual. Anonymized data may be retained indefinitely for analytics and product improvement.

9. Data Security

We implement industry-standard technical and organizational security measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest
  • Credential management: Secrets and credentials stored via AWS Secrets Manager
  • Multi-tenant isolation: Row-level security ensuring Customers can only access their own data
  • Access controls: Role-based access controls (RBAC) for platform users and internal staff
  • Infrastructure security: Hosted on enterprise-grade cloud infrastructure with SOC 2 compliant providers
  • Monitoring: Continuous security monitoring, intrusion detection, and audit logging
  • Incident response: Documented security incident response procedures with Customer notification as required by our DPA and applicable law

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your Personal Data, we cannot guarantee absolute security. We encourage Customers to implement strong access controls on their end, including enforcing strong passwords and limiting account access to authorized personnel.

10. International Data Transfers

Your information, including Personal Data, may be transferred to and processed in countries other than the country in which you are located, including the United States, where our primary infrastructure is hosted. Data protection laws in these countries may differ from those in your jurisdiction.

Where we transfer Personal Data outside the European Economic Area ("EEA") or the United Kingdom ("UK") to a country that has not been recognized as providing an adequate level of data protection, we rely on appropriate safeguards, including:

  • The European Commission's Standard Contractual Clauses ("SCCs") and/or the UK International Data Transfer Agreement ("IDTA") or the UK Addendum to the SCCs, as applicable
  • Supplementary measures where appropriate, such as encryption in transit and at rest, access controls, data minimization, and vendor security assessments

We transfer Personal Data internationally only as needed to provide the Service and to work with our Sub-processors. You may contact us to request further information about the safeguards we use for international transfers, including copies of relevant contractual protections (redacted where necessary).

11. Third-Party Services

Analytics

We use Google Analytics on our marketing website (with your consent) and within the authenticated platform (for aggregate usage patterns) to improve the user experience. Google Analytics data is not combined with Customer Data or End User data. For more information, visit the Google Privacy & Terms page. You can opt out via the Google Analytics Opt-out Browser Add-on.

Payments

We use Stripe for payment processing. Your payment card details are provided directly to Stripe and are not stored on our servers. Stripe adheres to PCI-DSS standards. View Stripe's Privacy Policy at https://stripe.com/us/privacy.

Security Services

We may use Google reCAPTCHA to protect forms on our website from automated abuse. reCAPTCHA may collect device and usage information for security purposes in accordance with Google's Privacy Policy.

12. Children's Privacy

Our Service Is Not Directed at Children

The Caleta platform is a B2B tool designed for use by hotel staff and hospitality professionals. It is not directed at, marketed to, or intended for use by children (individuals under the age of 16, or under the age of 13 in jurisdictions where that threshold applies). Children do not create accounts on, log in to, or directly interact with the Service.

Children's Data in Guest Records

We recognize that hotels routinely include information about minor guests — such as children's names, ages, and special requirements — as part of standard reservation and hospitality operations. This data is entered into the platform by hotel staff acting on behalf of the Customer (the hotel), and Caleta processes it strictly as a Data Processor under the Customer's instructions and our DPA.

Our Customers are responsible, as Data Controllers, for ensuring they have the appropriate legal basis for collecting and processing children's Personal Data, including any consents required from parents or guardians under applicable law (e.g., COPPA in the United States, GDPR Article 8 in the EU).

Safeguards for Children's Data

When processing Customer Data that includes information about minors, Caleta applies the following safeguards:

  • Children's data is processed solely for the operational purposes specified by the Customer (e.g., managing reservations, fulfilling special requests, ensuring safety and compliance)
  • We do not use children's data for marketing, advertising, profiling, or any purpose unrelated to providing the Service
  • Children's data is not processed through AI/ML features for sentiment analysis or behavioral profiling
  • Children's data is subject to the same security measures, access controls, and data retention policies as all Customer Data
  • Upon termination of the Customer relationship, children's data is deleted or returned along with all other Customer Data in accordance with our DPA

Concerns About Children's Data

If you are a parent or guardian and believe that a hotel has provided your child's personal information through our platform inappropriately, please contact the hotel directly, as they are the Data Controller for that information. You may also contact us and we will assist in directing your inquiry to the appropriate Customer or take action as required by applicable law.

COPPA Compliance

Caleta does not knowingly collect Personal Information directly from children under 13. Our platform does not permit children to create accounts or submit data directly to us. The Children's Online Privacy Protection Act (COPPA) applies to operators that collect information directly from children or operate services directed at children; Caleta does neither. However, we cooperate with our Customers to support their compliance with COPPA and other child-protection laws as they apply to the Customer's own collection and use of children's data.

13. Your Rights under the GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have certain rights under the GDPR regarding your Personal Data.

Legal Basis for Processing

We process Personal Data under the following legal bases:

  • Consent: You have given consent for processing for one or more specific purposes (e.g., marketing communications).
  • Contract performance: Processing is necessary for the performance of our agreement with you or pre-contractual steps.
  • Legal obligation: Processing is necessary for compliance with a legal obligation.
  • Legitimate interests: Processing is necessary for the legitimate interests pursued by the Company (e.g., service improvement, security, fraud prevention), provided such interests are not overridden by your rights.

Your Rights

You have the right to:

  • Access the Personal Data we hold about you and obtain a copy
  • Rectification of inaccurate or incomplete Personal Data
  • Erasure ("right to be forgotten") of your Personal Data where there is no compelling reason for continued processing
  • Restriction of processing in certain circumstances (e.g., while we verify accuracy or consider an objection)
  • Data portability — receive your data in a structured, commonly used, machine-readable format
  • Object to processing based on legitimate interests or for direct marketing purposes
  • Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
  • Not be subject to solely automated decision-making that produces legal or similarly significant effects

How to Exercise Your Rights

For Controller Data (your account, website activity, communications with us): Please contact us directly. We will verify your identity and respond within one month, which may be extended by up to two additional months for complex requests in accordance with applicable law.

For Customer Data (guest records, reservation data, communications processed on behalf of a hotel): Please contact the hotel or hospitality business that collected your data. As Data Processor, we will assist our Customers in responding to valid requests as required by our DPA and applicable law.

You have the right to lodge a complaint with your local Data Protection Authority. A list of EU data protection authorities is available at https://edpb.europa.eu.

14. CCPA/CPRA Privacy Notice (California Privacy Rights)

This section supplements the rest of this Privacy Policy and applies to California residents ("Consumers") as defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA").

Our Dual Role under CCPA/CPRA

Caleta acts as a "Business" under the CCPA/CPRA with respect to data we collect directly from Customers, Visitors, and prospective customers (Controller Data). Caleta acts as a "Service Provider" under the CCPA/CPRA with respect to Customer Data, which we process solely on behalf of and under the direction of our Customers.

If you are an End User (e.g., a hotel guest) and a California resident, your CCPA/CPRA rights with respect to data in guest records should be exercised by contacting the hotel directly, as they are the "Business" responsible for that data.

Categories of Personal Information Collected

In the last twelve (12) months, we have collected the following categories of Personal Information in our capacity as a Business (Controller Data):

  • Category A: Identifiers. Name, email address, account name, IP address, and other similar identifiers. Collected: Yes.
  • Category B: California Customer Records categories (Cal. Civ. Code § 1798.80(e)). Name, address, telephone number, financial information (billing details). Collected: Yes.
  • Category D: Commercial information. Products or services purchased, subscription history. Collected: Yes.
  • Category F: Internet or similar network activity. Browsing history on our Website, interaction with our Service. Collected: Yes.
  • Categories C, E, G, H, I, J, K, L: (Protected classifications, biometric data, geolocation, sensory data, professional information, education information, inferences, sensitive personal information.) Collected: No.

Sources of Personal Information

  • Directly from you: Forms, account registration, purchases, communications.
  • Automatically: Cookies, usage data, device information collected during website or platform use.
  • From Service Providers: Analytics providers, payment processors, and other vendors assisting in Service delivery.

Use and Disclosure of Personal Information

We use Personal Information for the business purposes described in Section 4 of this Privacy Policy. We may disclose Categories A, B, D, and F to our Service Providers for business purposes. When we disclose Personal Information for a business purpose, we enter a contract requiring the recipient to keep the information confidential and use it only for the contracted purpose.

Sale and Sharing of Personal Information

We do not sell Personal Information in the traditional sense — we do not disclose Personal Information in direct exchange for monetary compensation.

Our marketing website uses cookies and similar tracking technologies (e.g., Google Analytics) that may constitute "sharing" of Personal Information for "cross-context behavioral advertising" as defined by the CCPA/CPRA. This applies only to Visitor data collected on our marketing website and may involve the following categories:

  • Category A: Identifiers (e.g., online identifiers, IP addresses)
  • Category F: Internet or similar network activity

Customer Data is never sold or shared. We process Customer Data exclusively as a Service Provider under the CCPA/CPRA and do not sell, share, or use it for cross-context behavioral advertising or any purpose other than providing the Service.

You may opt out of the "sharing" of your website data by adjusting your cookie preferences or by enabling Global Privacy Control (GPC) in your browser.

Personal Information of Minors

We do not knowingly collect Personal Information directly from minors under 16 through our website or marketing activities. We do not sell the Personal Information of Consumers we actually know are less than 16 years of age. For information about minors' data processed within Customer Data (guest records), see Section 12.

Your CCPA/CPRA Rights

As a California resident, you have the right to:

  • Know/Access: Request disclosure of the categories and specific pieces of Personal Information we have collected about you.
  • Delete: Request deletion of your Personal Information, subject to certain exceptions.
  • Correct: Request correction of inaccurate Personal Information.
  • Opt-out of sharing: Direct us not to share your Personal Information for cross-context behavioral advertising.
  • Limit use of sensitive Personal Information: We do not collect sensitive Personal Information as defined by the CCPA/CPRA.
  • Non-discrimination: You will not be discriminated against for exercising your rights.

To exercise your rights, please contact us or email support@caleta.us. Only you, or an authorized agent registered with the California Secretary of State, may make a verifiable consumer request. We will verify your identity and respond within the timeframes required by applicable law.

15. Data Processing Agreements

Where required by applicable law (including the GDPR), we enter into Data Processing Agreements (DPAs) with our Customers. Our DPA governs our processing of Customer Data and includes provisions on:

  • The scope, nature, and purpose of processing
  • Obligations regarding data security, confidentiality, and breach notification
  • Sub-processor management and approval procedures
  • Data return and deletion upon contract termination
  • Assistance with data subject rights requests
  • International transfer mechanisms (SCCs/IDTA)

Customers may request a copy of our DPA by contacting us.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date at the top. For material changes that affect how we process Customer Data, we will also notify Customers through the Service or by email. We encourage you to review this policy periodically.

17. Contact Us

If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise your data protection rights, please contact us:

For data protection inquiries related to GDPR, you may also contact us at the address above, marked to the attention of our data protection team. If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local Data Protection Authority.