Privacy Policy

Last updated: May 2026

The short version: We collect the minimum data needed to make scheduling work (your name, email, calendar access). We don't sell it, we don't share it with advertisers, and we don't use it for anything other than Calendo.

What We Collect

When you create a Calendo account, we collect:

Account information: your name, email address, and password (stored as a secure hash). If you sign in with Google, we receive your name, email, and profile picture from Google — we never see your Google password.
Scheduling data: event types, availability preferences, and bookings you create or receive.
Calendar data: if you connect a Google or Microsoft (Outlook) calendar, we read your existing calendar events so we can hide already-busy time slots from invitees, and we create, update, and delete events on your calendar that correspond to Calendo bookings. Details of exactly which Google and Microsoft data we touch, how long we keep it, and how to revoke access are in the next section.

When Others Book With You

When an invitee books a meeting through your booking page, we collect their name and email. This data is stored to facilitate the booking and is visible to you as the host.

How We Use Google Calendar Data

If you connect Google Calendar, Calendo requests two OAuth scopes from Google: https://www.googleapis.com/auth/calendar.readonly and https://www.googleapis.com/auth/calendar.events. We use them only as follows.

Reading events (calendar.readonly): Calendo queries your calendar to find events that overlap with the time windows you've set as available. Overlapping events cause Calendo to mark those time slots as unavailable on your public booking page so invitees cannot double-book you. We may read event start/end times, status (confirmed / tentative / cancelled), and whether the event is marked as "free" or "busy." We do not display, index, or send event titles, descriptions, attendees, or attachments to any third party.
Writing events (calendar.events): When an invitee books, reschedules, or cancels a meeting through Calendo, we create, update, or delete the corresponding event on your Google Calendar. The events we write contain the meeting title, invitee name and email, conference link, and any answers to your custom booking questions. We only modify events that Calendo itself created — we never edit or delete events created by you or any other application.
Storage and retention: Calendo stores your Google OAuth access token and refresh token, encrypted at rest using AES-256-GCM. Calendar event contents fetched for conflict detection are held in memory only for the duration of a single availability query and are never written to durable storage. The events Calendo creates on your calendar are tracked in our database (by Google event ID) so we can later update or cancel them.
No secondary use: Calendar data is not used to train or improve any AI or machine-learning model, to target advertising, to build profiles, or for any purpose unrelated to scheduling. It is not sold, rented, or shared with any party other than the Google APIs themselves.
Revoking access: You can disconnect Google Calendar at any time from Settings → Integrations in Calendo — this deletes the stored tokens immediately. You can also revoke Calendo's access from your Google account at myaccount.google.com/permissions.

Limited Use compliance: Calendo's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

How We Use Microsoft Calendar Data

If you connect a Microsoft (Outlook) calendar, Calendo requests the following Microsoft Graph scopes: offline_access, Calendars.ReadWrite, and (for Teams meeting links) OnlineMeetings.ReadWrite. We use them in parallel to the Google flow above:

Calendars.ReadWrite lets Calendo read your existing Outlook events for conflict detection, and create, update, and cancel the events that correspond to Calendo bookings.
OnlineMeetings.ReadWrite is used only to create a Microsoft Teams meeting link for bookings where you have chosen Teams as the location.
offline_access allows Calendo to refresh the access token without prompting you to re-authenticate.

Storage, retention, and secondary-use restrictions are identical to the Google section above. You can disconnect Microsoft from Settings → Integrations, or revoke Calendo's access in your Microsoft account at account.live.com/consent/Manage (personal) or myapps.microsoft.com (work / school).

How We Use Your Data

To provide scheduling functionality (bookings, availability, reminders).
To send transactional emails (booking confirmations, reminders, cancellations).
To power the AI assistant (your scheduling data is sent to our AI provider to answer your questions and take actions).
To improve the service.

We do not sell your data. We do not show you ads. We do not share your data with third parties except as needed to operate the service (e.g., email delivery, payment processing, AI processing).

Third-Party Services

Cloudflare — hosting, database, and content delivery
Google / Microsoft — calendar sync and OAuth login
Anthropic (Claude) — AI assistant processing
Stripe — payment processing (Pro tier only)

Data Storage and Security

Your data is stored on Cloudflare's global network using Cloudflare D1 (a serverless SQLite database). Data is encrypted in transit over HTTPS. OAuth access and refresh tokens for Google and Microsoft are encrypted at rest using AES-256-GCM with a key held outside the database. Calendar event contents fetched for conflict checking are kept only in memory for the duration of a single request — they are never written to D1 or any persistent log.

Your Rights

You can delete your Calendo account at any time from Settings or by asking the AI assistant. Deletion is permanent — all your data (event types, bookings, availability, stored calendar tokens) is removed immediately. There is no recovery.

To revoke just the calendar connection without deleting your Calendo account, disconnect it from Settings → Integrations, or revoke it directly with the provider: Google at myaccount.google.com/permissions, Microsoft at account.live.com/consent/Manage or myapps.microsoft.com.

Cookies

We use a single session cookie to keep you logged in. It is HTTP-only, secure, and same-site. We do not use tracking cookies, analytics cookies, or any third-party tracking scripts.

Contact

Calendo is built by one developer. For privacy questions, email ravikant0909@gmail.com.