Privacy Policy

Effective 25 May 2026

1. Who we are

Caly · clo (the “Service”) is operated by 2DSOFT d.o.o., a company registered in Slovenia, with its seat at Brodišče 25, 1236 Trzin, Slovenia (“we”, “us”). For the purposes of the EU General Data Protection Regulation (“GDPR”), 2DSOFT d.o.o. is the data controller of personal data processed through the Service.

You can reach us about anything in this Policy at info@2dsoft.eu.

2. What the Service does

Caly · clo is a free scheduling tool. A host connects one or more Google Calendars; the Service reads availability, displays a personal booking page, accepts bookings from invitees, writes the resulting events back to the host’s calendar, and can send confirmation emails and WhatsApp reminders.

3. Data we collect

From hosts (the people who connect Google)

  • Google account identity: your Google email, display name and profile picture, returned by the openid, email and profile OAuth scopes when you sign in.
  • Google Calendar data: the list of your calendars, and the events on calendars you choose to connect (titles, start/end times, attendees, location, description). We use these only to compute your free/busy windows and to create, update or delete the booking events you authorise. Access is via the https://www.googleapis.com/auth/calendar scope.
  • OAuth tokens: a Google refresh token and short-lived access tokens, stored encrypted at rest.
  • Account preferences: your host slug, event types, working hours, date overrides, time zone, and similar configuration you enter into the Service.

From bookers (the people who book a slot)

  • Booking details: the name and email you submit, optionally your phone number (if you opt in to WhatsApp reminders), the slot you chose, and any answers to questions the host has configured.

Automatic

  • Session cookies strictly necessary to keep you signed in, and minimal server logs (IP, user agent, request path) kept for security and abuse prevention.

4. Why we process it (lawful bases)

  • Performance of a contract (GDPR Art. 6(1)(b)) — to provide the Service you signed up for: syncing your calendars, displaying availability, recording bookings, delivering confirmations and reminders.
  • Legitimate interests (GDPR Art. 6(1)(f)) — to keep the Service secure, prevent abuse, debug problems, and improve reliability. We balance this against your rights and freedoms.
  • Consent (GDPR Art. 6(1)(a)) — for WhatsApp reminders to a phone number you provide. You can withdraw consent at any time.

5. Google API user data — Limited Use

Caly · clo’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide the user-facing scheduling features described in section 2.
  • We do not transfer Google user data to third parties except as strictly necessary to provide the Service (see section 7), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data for serving advertisements, including remarketing or personalised ads.
  • We do not allow humans to read Google user data, except: (i) with the user’s explicit consent for specific messages, (ii) when strictly necessary for security purposes (such as investigating abuse), (iii) to comply with applicable law, or (iv) where the data is aggregated and used for internal operations in compliance with the Limited Use requirements.
  • We do not use Google user data to develop, improve, or train generalised AI or machine-learning models.

6. How long we keep it

  • Active accounts: as long as your account is open. You can delete your account from the dashboard, which revokes our Google tokens and deletes your data within 30 days.
  • Bookings: kept while the corresponding event exists on the host’s calendar, plus up to 12 months for the host’s own records, then deleted.
  • Server logs: up to 30 days.
  • Backups: overwritten on a rolling 30-day cycle.

7. Who we share it with (subprocessors)

We rely on a small number of providers to run the Service:

  • Google LLC — Calendar API and OAuth (your connected account).
  • Vercel Inc. — application hosting (United States; processes data under EU SCCs).
  • Neon Inc. — managed PostgreSQL database (EU region).
  • Intuit Mailchimp (Mandrill / Transactional Email) — sending booking confirmation emails.
  • Twilio Inc. — WhatsApp reminders, only when a booker provides a phone number and opts in.

We do not sell personal data. Where a provider is outside the EEA we rely on the EU Standard Contractual Clauses and equivalent safeguards.

8. Security

We transport data over TLS, encrypt OAuth refresh tokens at rest, and restrict production database access to a small number of authorised maintainers. No service is perfectly secure; if you spot a problem, please email info@2dsoft.eu.

9. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased (“right to be forgotten”);
  • restrict or object to processing;
  • receive your data in a portable format;
  • withdraw consent where processing is based on consent (without affecting prior processing);
  • lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec) or another supervisory authority.

To exercise any of these rights, email info@2dsoft.eu. You can also revoke our access to your Google account at any time from myaccount.google.com/permissions.

10. Children

The Service is not directed to children under 16 and we do not knowingly collect their data.

11. Changes

We may update this Policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect. The current version is always at calyclo.com/privacy.

12. Contact

2DSOFT d.o.o.
Brodišče 25, 1236 Trzin, Slovenia
info@2dsoft.eu