Privacy Policy
Last Updated: July 4, 2026
At Book Your Calendar ("we," "our," or "us"), we respect your privacy and are committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.
1. Information We Collect
We may collect the following types of information:
- Personal Information (PII): Name, email address, phone number, billing address, timezone, and any other information you provide when signing up or using our services.
- Account Information: Username, profile image, subscription plan, billing cycle, payment history, and account preferences.
- Event & Booking Data: Event details (title, description, duration, location), booking information (attendee name, email, phone, notes), custom questions and answers, and meeting recordings (if enabled).
- Team Data: Team membership, team roles, team events, invitations, and team settings (if you are part of a team).
- Payment Information: Payment transaction records, subscription details, billing addresses. Note: We do not store credit card numbers or payment card data. All payment processing is handled by Razorpay (PCI-DSS Level 1 certified).
- Usage Data: Information about your interactions with our website such as IP address, browser type, device information, pages visited, and features used.
- Cookies and Tracking Technologies: We use cookies and similar tracking technologies to improve user experience, maintain session state, and analyze website traffic. See our Cookie Policy for details.
- Google User Data: If you choose to integrate with Google services (e.g., Google Calendar, Google Drive), we may access your Google account information per your authorization. We only access data necessary for calendar synchronization and meeting management.
- Microsoft/Outlook User Data: If you choose to integrate with Microsoft services (e.g., Outlook Calendar), we may access your Microsoft account information per your authorization. We only access data necessary for calendar synchronization.
- Integration Data: Credentials and tokens for third-party integrations (Zoom, Google Meet, Microsoft Teams, etc.) that you authorize. These are stored securely and encrypted.
- Portfolio Data: If you create a portfolio, we collect your bio, skills, experience, projects, certifications, and testimonials.
2. How We Use Your Information
We use your information for the following purposes:
- Service Delivery: Provide and manage our scheduling services, process bookings, send meeting reminders, and manage your calendar.
- Calendar Integration: Sync with Google Calendar, Microsoft Outlook, and other calendar services if authorized by you.
- Payment Processing: Process subscription payments, manage billing, and handle payment-related communications (processed securely by Razorpay).
- Communication: Send you service updates, feature announcements, support communications, and important account notifications. You can opt-out of marketing emails at any time.
- Account Management: Manage your account, authenticate your identity, enforce security measures (including MFA), and provide customer support.
- Team Collaboration: Enable team features, manage team memberships, and facilitate team-based scheduling (if you are part of a team).
- Analytics & Improvement: Analyze usage patterns, improve platform performance, fix bugs, and develop new features. This data is aggregated and anonymized where possible.
- Security & Compliance: Monitor for security threats, prevent fraud, enforce our terms of service, comply with legal obligations, and maintain audit logs.
- Legal Compliance: Comply with applicable laws, regulations, and legal processes, including tax reporting and financial record-keeping requirements.
Legal Basis for Processing (GDPR): We process your personal data based on:
- Contract: To fulfill our service agreement with you
- Consent: For marketing communications and optional features (you can withdraw consent at any time)
- Legal Obligation: For tax compliance and financial record-keeping
- Legitimate Interest: For security, fraud prevention, and service improvement
3. Sharing Your Information
We do not sell your personal information. However, we may share information with:
- Service Providers (Data Processors): Third-party vendors that help us operate our platform:
- Clerk: Authentication and user management
- Razorpay: Payment processing (PCI-DSS Level 1 certified - handles all payment card data)
- Vercel: Application hosting and CDN
- MongoDB Atlas: Database hosting
- Email Service Providers: Transactional email delivery
- Payment Processors: Book Your Calendar (BYC) is not a payment gateway. All financial transactions, refunds, chargebacks, and disputes are securely handled by Razorpay (PCI-DSS Level 1 certified). BYC only facilitates scheduling-related payment workflows between users. We do not store credit card numbers or payment card data. Razorpay handles all payment processing and card data storage in compliance with PCI-DSS standards.
- Calendar Services: If you authorize integration, we share meeting data with Google Calendar, Microsoft Outlook, or other calendar services you connect. We only share data necessary for calendar synchronization.
- Video Conferencing Services: If you use integrated video conferencing (Zoom, Google Meet, Microsoft Teams), we share meeting details necessary to create video meetings.
- Team Members: If you are part of a team, your team owner and administrators may have access to team-related data, including team events and bookings.
- Legal Authorities: When required by law, court order, or to protect our rights, property, or safety, or that of our users or others. We will notify you of such requests unless prohibited by law.
- Business Transfers: If our business is sold, merged, or acquired, your data may be transferred to the new owner. We will notify you of any such change in ownership.
International Data Transfers: Some of our service providers may process your data outside your country of residence. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) for EU data transfers
- Vendor compliance with GDPR and applicable data protection laws
- Encryption of data in transit and at rest
4. Data Retention and Security
We retain your information only as long as necessary for the purposes outlined in this policy and as required by law. We take appropriate security measures to protect against unauthorized access, alteration, or disclosure.
Data Storage Location: Your data is stored securely using Vercel (hosting, global CDN) and MongoDB Atlas (database, encrypted at rest). All data is encrypted in transit (TLS 1.2+) and at rest.
Data Retention Periods: We retain different types of data for different periods:
- User Account Data: 7 years after account deletion or last activity (for financial record-keeping and tax compliance)
- Payment & Billing Data: 7 years after last transaction (required by tax authorities)
- Booking & Event Data: 2 years after event date or booking cancellation
- Audit Logs: 7 years (for security compliance and incident investigation)
- Communication Data: 3 years after last interaction
- Marketing & Analytics Data: 2 years after last activity
Security Measures: We follow industry-standard security practices including:
- Encryption in transit (TLS 1.2+) and at rest
- Multi-factor authentication (MFA) for sensitive operations
- Role-based access control (RBAC)
- Comprehensive audit logging
- Regular security updates and patches
- Input validation and sanitization
- Rate limiting and DDoS protection
Formal Certifications: We implement enterprise-grade security controls at the application layer. Formal compliance certifications (SOC 2, ISO 27001) are planned and will be pursued based on customer demand.
Data Deletion: After the retention period expires, data is automatically deleted. You can also request immediate deletion via our API or by contacting us. Financial records may be retained longer if required by tax authorities or financial regulations.
5. Your Rights and Choices (GDPR / DPDP)
You have the following rights regarding your data:
- Right to Access (Article 15 - GDPR): Request a complete copy of all your personal data. You can export your data at any time via our API endpoint:
/api/users/export-dataor by contacting us at bookyourcalendar@gmail.com. The export includes all events, bookings, payments, teams, and portfolio data in JSON format. - Right to Rectification: Update your personal information at any time through your account settings or by contacting us.
- Right to Erasure (Right to be Forgotten - Article 17 - GDPR): Request deletion of your account and all associated data. You can delete your account via our API endpoint:
/api/users/deleteor by contacting us. You can choose between anonymization (soft delete) or complete deletion (hard delete). Note: Team owners must transfer ownership before deleting their account. Financial records may be retained for 7 years as required by tax laws. - Right to Data Portability: Export your data in a machine-readable format (JSON) at any time using the data export API.
- Right to Object: Object to processing of your personal data for marketing purposes. You can opt-out of marketing emails at any time.
- Right to Restrict Processing: Request restriction of processing in certain circumstances by contacting us.
- Cookie Preferences: Manage cookie preferences through your browser settings or our cookie policy page.
- Manage Google Permissions: Revoke access to Google user data at any time via your Google account settings.
- Manage Microsoft Permissions: Revoke access to Microsoft/Outlook calendar data at any time via your Microsoft account settings.
How to Exercise Your Rights: To exercise any of these rights, you can:
- Use our self-service APIs:
/api/users/export-data(for data export) or/api/users/delete(for account deletion) - Contact us at bookyourcalendar@gmail.com
- We will respond to your request within 30 days (GDPR requirement)
6. Third-Party Services and Links
Our website may contain links to third-party websites. We are not responsible for their privacy practices and we encourage you to review their policies.
7. Children's Privacy
Our services are not intended for individuals under 13 years old. We do not knowingly collect information from children.
8. Compliance with Google API Services User Data Policy
To comply with Google's API Services User Data Policy, we ensure:
- Limited Use: We access Google user data only for the purposes described in this policy and as authorized by you.
- Clear Data Collection Practices: We disclose the data we collect and why.
- User Consent & Control: Users can manage data collection preferences and revoke access at any time.
- Secure Data Handling: We use industry-standard security practices to protect your Google user data.
- Transparency: We provide a contact method for privacy concerns.
- Prominent Display: This policy is linked on our homepage and accessible within our app interface.
- Updates and Notifications: Users will be notified of any changes in our use of Google user data.
- Verified Hosting: This privacy policy is hosted on a verified domain that we own.
9. Updates to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Users will be notified of any significant changes regarding Google user data usage.
10. Contact Us
If you have any questions, concerns, or wish to exercise your data protection rights, contact us at:
Book Your Calendar
Email: bookyourcalendar@gmail.com
Website: https://bookyourcalendar.com
Data Export API: /api/users/export-data
Account Deletion API: /api/users/delete
Response Time: We will respond to your privacy inquiries and data protection requests within 30 days as required by GDPR. For urgent matters, please mark your email as "URGENT" in the subject line.
Supervisory Authority: If you are located in the EU and believe we have not addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
