kalendia

Privacy policy

Effective date: June 4, 2026

1. Who we are and how to contact us

Kalendia is a calendar-sync and scheduling service. This Privacy Policy explains what personal data Kalendia collects, why, how it is used, who it is shared with, and the rights you have over it.

The data controller responsible for your personal data is Enlion Services LLC, a limited liability company organized under the laws of the State of Delaware, USA, with registered address 131 Continental Dr, Suite 305, Newark, DE 19713, USA. In this policy, "Kalendia", "we", "us", and "our" refer to Enlion Services LLC.

Enlion Services LLC is established in the United States. If you are in the EU, the EEA, or the UK, you can contact us on any matter relating to the processing of your personal data at privacy@kalendia.io.

For any privacy question, or to exercise any of the rights described below, contact us at privacy@kalendia.io. For general support, contact support@kalendia.io.

2. Scope of this policy

This policy applies to personal data we process when you create a Kalendia account, connect your calendar or video-conferencing accounts, use cross-calendar sync, publish or use scheduling pages, book a time through someone's scheduling page, or pay for a subscription. It covers both account holders and people who book a meeting through a Kalendia scheduling page.

3. The personal data we collect

Account and identity data. When you sign up, our authentication provider (Clerk) processes your email address and basic profile information so we can create and secure your account.

Connected-account credentials. When you connect a calendar or video-conferencing account, we store the credentials needed to keep that connection working: the OAuth access and refresh tokens issued by Google, Microsoft, or Zoom, or, for Apple iCloud, the app-specific password you generate. These credentials are encrypted at rest.

Calendar event data. To provide sync and to compute your availability, we process event data from the calendars you connect: event start and end times, and event titles and details only to the level of visibility you choose for each source (busy-only, title-only, or full-details). For events you own, we also process the attendees of those events. For an ICS feed you supply, we process the contents of that read-only feed.

Scheduling and booking data. We store the configuration of your scheduling pages. When someone books a time through one of your scheduling pages, we store that invitee's name, email address, and chosen time.

Billing data. For paid plans, we store the Stripe customer and subscription identifiers associated with your account. Payment card numbers are handled entirely by Stripe and are never stored by Kalendia.

Operational data. We keep an audit log of security-relevant and account-relevant actions, and we process the technical data needed to operate and secure the service.

4. Google user data and the Restricted calendar scope

When you connect a Google account, Kalendia requests the following OAuth scopes:

  • openid and https://www.googleapis.com/auth/userinfo.email, to identify you and read the email address of the connected Google account;
  • https://www.googleapis.com/auth/calendar, a Restricted scope that lets Kalendia read and write the calendars in your Google account.

How we access it: we access your Google Calendar data only through these scopes, only after you grant consent, and only for as long as the connection is active.

How we use it: we use Google Calendar data solely to provide the user-facing features you ask for, namely cross-calendar sync and the availability calculations behind your scheduling pages, and, where you enable it, to create calendar events with auto-attached Google Meet links.

How we store it: Google Calendar data and the associated OAuth tokens are stored on our EU-based infrastructure, encrypted at rest, and retained as described in the Retention section.

How we share it: we do not sell Google user data. We share it only with the infrastructure sub-processors listed below that host and operate the service on our behalf, and only as needed to deliver the features above.

Limited Use affirmation. Kalendia's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: Google calendar data is used solely to provide the user-facing sync and scheduling features; it is not sold; it is not used for advertising; it is not used to train generalized or non-personalized artificial-intelligence or machine-learning models; and it is not accessed by humans except in the narrow cases the policy permits, namely with your explicit consent, where necessary for security or to investigate abuse, where required to comply with applicable law, or in aggregated and anonymized form for internal operations.

5. Other connected accounts and the data we access

Microsoft 365 / Outlook. When you connect Microsoft, we request the scopes openid, profile, email, offline_access, User.Read, and Calendars.ReadWrite. These let us identify you, keep the connection refreshed, read your basic profile, and read and write your Outlook calendars to provide sync, availability, and (where enabled) Microsoft Teams meeting links.

Apple iCloud. iCloud calendars are connected over CalDAV using an app-specific password that you generate at appleid.apple.com. There is no OAuth flow. We use the app-specific password to read and write your iCloud calendars for sync and availability. You can revoke the app-specific password at any time at appleid.apple.com.

ICS feeds. You may add a read-only ICS calendar feed URL that you supply. We read that feed to reflect its events in your availability.

Zoom (where available). When you connect Zoom, we request the scopes user:read:user and meeting:write:meeting. Zoom is a video-conferencing connection used to create meetings for auto-attached video links; it is not a calendar connection, and we do not read your Zoom calendar. Zoom may not be available at launch.

6. Why we process your data, and the legal bases

For users in the EU, EEA, and UK, we rely on the following legal bases under the GDPR and the UK GDPR:

Performance of a contract (Article 6(1)(b)). Creating and securing your account, synchronizing your connected calendars, computing availability, operating your scheduling pages, recording bookings, and providing paid plans and billing are all necessary to provide the service you sign up for.

Consent (Article 6(1)(a)). Connecting each individual third-party calendar or conferencing account (Google, Microsoft, Apple, Zoom, or an ICS feed) and granting Kalendia access to that account's data relies on your consent. You can withdraw that consent at any time by disconnecting the source, which revokes the connection's access and removes the synced copies of that source's data. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

Legitimate interests (Article 6(1)(f)). We rely on our legitimate interests in keeping the service available, secure, and free from abuse for the following: maintaining the audit log to detect and investigate security and account events; preventing fraud and abuse; ensuring sync and scheduling continue to function correctly; and protecting our users and our business. Where we rely on legitimate interests, we have assessed that these interests are not overridden by your interests or fundamental rights, and you may object as described in the Rights section.

For invitees who book through a scheduling page, we process the name, email, and chosen time on the basis of our legitimate interest, and that of the account holder, in operating the requested booking and confirming it.

7. Data we receive about people other than the account holder

Some of the data we process is not provided directly by the person it concerns. This includes the attendees of events you own on your connected calendars, the contents of any ICS feed you add, and the details of an invitee who books a time through your scheduling page. We obtain this data because an account holder has connected the relevant source or operated a scheduling page, and we use it only to provide sync, availability, and booking. If you are an attendee or invitee and have a question about your data, contact us at privacy@kalendia.io.

8. Who we share data with (sub-processors)

We do not sell your personal data. We share it only with the service providers (sub-processors) that host and operate Kalendia on our behalf, under contracts that require them to protect it and to process it only on our instructions. Our sub-processors are:

  • Railway, for application hosting, the PostgreSQL database, and Redis (EU region);
  • Vercel, for frontend hosting and content delivery;
  • Cloudflare, for DNS, TLS, and content delivery;
  • Clerk, for authentication and identity;
  • Stripe, for payment processing;
  • Postmark, for transactional email delivery.

The calendar and video-conferencing providers you choose to connect (Google, Microsoft, Apple, Zoom) are third parties that you authorize directly. They are not Kalendia sub-processors; your use of those accounts is governed by their own terms and privacy policies.

We may also disclose personal data where required to comply with applicable law, legal process, or an enforceable governmental request, or to protect the rights, safety, or security of our users, the public, or Kalendia.

9. Where your data is processed and international transfers

Our production systems run in the European Union (Frankfurt / EU-West region) on Railway. However, several of our sub-processors (including Railway, Vercel, Cloudflare, Clerk, Stripe, and Postmark) are organized in the United States, and Enlion Services LLC is established in the United States. As a result, your personal data may be transferred to, or accessed from, the United States and other countries outside the EEA and the UK.

Where we transfer personal data outside the EEA or the UK to a country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) as the safeguard under Article 46 GDPR, and on the EU-US Data Privacy Framework where the recipient is certified under it. You may request more information about the safeguard applied to a specific transfer by contacting privacy@kalendia.io.

10. How long we keep your data (retention)

We keep personal data only as long as we need it for the purposes described in this policy. Our retention practice is:

  • Connected-calendar mirror data (the synced copies of your events used for sync and availability): retained for about 13 months.
  • Audit logs: retained for about 24 months.
  • Booking personal data (an invitee's name, email, and chosen time): retained for about 24 months, then anonymized.
  • Connection credentials (OAuth tokens or the iCloud app-specific password): retained until you disconnect the source or delete your account.

When you use the in-app Delete account function, we purge your data and revoke the Google and Zoom OAuth grants Kalendia holds. iCloud app-specific passwords must be revoked by you at appleid.apple.com. When you disconnect a single calendar, we revoke that provider's token and remove the synced copies of that source.

11. Security

We take appropriate technical and organizational measures to protect your personal data. Data is encrypted in transit using TLS. Connection credentials (OAuth tokens and iCloud app-specific passwords) are encrypted at rest. Payment card data is handled by Stripe and is never stored by Kalendia. Access to production data is limited to what is needed to operate and secure the service.

12. Is providing your data necessary?

To use Kalendia you must provide an account email, and you must connect at least one calendar so that we can synchronize it and compute availability. Without this data we cannot provide the service. Connecting a video-conferencing account (such as Zoom) and providing additional calendar sources are optional and enable additional features. If you do not provide the required data, you will not be able to use Kalendia.

13. Automated decision-making

Kalendia does not make decisions about you based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.

14. Your rights

You can connect or disconnect any calendar at any time, and you can delete your account at any time using the in-app Delete account function.

If you are in the EU, EEA, or UK, you have the following rights under the GDPR and the UK GDPR in relation to your personal data:

  • the right of access to your personal data;
  • the right to rectification of inaccurate or incomplete data;
  • the right to erasure of your data;
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object to processing based on our legitimate interests;
  • the right to withdraw consent at any time, where processing is based on consent, without affecting processing carried out before withdrawal;
  • the right to lodge a complaint with a data protection supervisory authority in your country of residence, place of work, or the place of the alleged infringement.

To exercise any of these rights, contact us at privacy@kalendia.io. We will respond within the time limits required by applicable law.

15. Children

Kalendia is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, contact us at privacy@kalendia.io and we will delete it.

16. Changes to this policy

We may update this policy from time to time, for example to reflect changes to the service, our sub-processors, or legal requirements. When we make material changes, we will update the effective date above and, where appropriate, notify you. The current version is always available within the service. Your continued use of Kalendia after an update takes effect means you accept the updated policy.

17. Contact

For privacy questions or to exercise your rights, contact privacy@kalendia.io. For general support, contact support@kalendia.io. You can also write to Enlion Services LLC at 131 Continental Dr, Suite 305, Newark, DE 19713, USA.