Last updated: 2026-03-14

Koalendar strictly applies GDPR principles to the processing of personal data and provides contractual, technical, and organisational measures designed to support customers subject to the General Data Protection Regulation (“GDPR”).

GDPR compliance depends on how the Service is configured and used, the types of personal data involved, and each customer’s own legal obligations. This page provides a high-level overview of how Koalendar supports GDPR-related requirements. It does not constitute legal advice.

Depending on the context, Koalendar may act either as a controller or a processor.

Koalendar generally acts as a processor when a customer uses the Service to collect and manage invitee, booking, and scheduling data on the customer’s behalf.

Koalendar may act as an independent controller for limited business purposes such as account administration, billing, security, fraud prevention, legal compliance, and certain direct communications related to the Service.

Koalendar provides the following measures to help customers manage personal data responsibly:

A Data Processing Addendum for processing carried out on behalf of customers
Contractual commitments regarding processing on instructions, confidentiality, security, subprocessor management, and deletion or return of customer personal data
Support for responding to data subject requests where Koalendar processes personal data on a customer’s behalf
Security measures such as encryption in transit, access controls, logging, monitoring, and secure development practices
Information about subprocessors and international transfer mechanisms in our DPA

3. Data subject rights

Where Koalendar processes personal data on behalf of a customer, the customer remains responsible for responding to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.

Koalendar will provide reasonable assistance to customers with such requests to the extent required by applicable law and as described in our Data Processing Addendum.

For privacy requests relating to Koalendar’s own processing activities, contact us at dpo@koalendar.com.

4. Subprocessors and international transfers

Koalendar uses trusted service providers and subprocessors to operate the Service, such as hosting, email delivery, messaging, analytics, customer support, and payments providers.

Our Data Processing Addendum includes:

A list of current subprocessors
A summary of our subprocessor obligations
Information about international data transfers
The transfer mechanisms Koalendar uses where GDPR requires them, such as the EU Standard Contractual Clauses and, where applicable, the UK Addendum

5. Security and data handling

Koalendar maintains technical and organisational measures designed to protect personal data, including:

Encryption in transit
Encryption at rest for customer data stored in Koalendar databases
Access controls for production systems
Role-based permissions and multi-factor authentication for privileged access
Logging, monitoring, and change management practices

We also aim to limit data collection and retention to what is necessary for providing and securing the Service.

6. Customer responsibilities

Customers remain responsible for their own use of Koalendar under the GDPR, including:

Determining their lawful basis for collecting and using personal data
Providing required privacy notices to their end users
Configuring booking forms and workflows appropriately
Avoiding collection of unnecessary or sensitive personal data unless strictly needed and lawfully supported
Entering into the DPA where required for their use case
Responding to data subject requests where the customer is the controller

Whether a customer’s use of Koalendar is GDPR-compliant depends on the customer’s implementation and internal processes in addition to Koalendar’s contractual and technical measures.