Your privacy is important to us. It is Koalendar’s policy to respect your privacy regarding any information we may collect from you across our website, https://koalendar.com, and other sites we own and operate.
Koalendar strictly applies GDPR principles to the processing of personal data and is designed to support customers subject to the GDPR and similar privacy laws.
For a high-level overview of how Koalendar supports GDPR-related requirements, see our GDPR page. For additional background, see our help article: What’s Koalendar EU GDPR compliance status?.
We only ask for personal information when we truly need it to provide a service to you. We collect it by fair and lawful means, with your knowledge and consent. We also let you know why we’re collecting it and how it will be used.
We only retain collected information for as long as necessary to provide you with your requested service. What data we store, we’ll protect within commercially acceptable means to prevent loss and theft, as well as unauthorised access, disclosure, copying, use or modification.
We don’t share any personally identifying information publicly. We may share personal data with trusted service providers and subprocessors who process data on our behalf to operate and improve the Service, or when required to by law. If you are a customer using Koalendar as a processor, our Data Processing Addendum provides more details.
Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and practices of these sites, and cannot accept responsibility or liability for their respective privacy policies.
You are free to refuse our request for your personal information, with the understanding that we may be unable to provide you with some of your desired services.
Your continued use of our website will be regarded as acceptance of our practices around privacy and personal information. If you have any questions about how we handle user data and personal information, feel free to contact us.
Google User Data Access and Usage
Our application accesses Google user data only with your explicit consent through OAuth scopes, and only for the purposes necessary to provide our scheduling services. We comply with the Google API Services User Data Policy, including its Limited Use requirements.
What Google User Data We Access
We request access to the following Google user data via these optional services and scopes:
- Gmail: Access to send emails (scope: https://www.googleapis.com/auth/gmail.send). This does not include reading your inbox or message contents.
- Google Calendar: Access to calendar availability and events (scopes: https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/calendar.events). This includes free/busy information and event details for bookings made via Koalendar.
- Google Drive: Access to files in a dedicated folder (scope: https://www.googleapis.com/auth/drive.file). This includes file IDs and metadata for storing form uploads or attachments.
- Google Sign-In: Access to basic profile information (scopes: openid, email, profile). This includes your name, email address, and profile picture for authentication.
No other Google user data is accessed, and you can use Koalendar without granting these permissions.
How We Use Google User Data
We use the accessed Google user data solely to enable the following features in our application:
- Gmail: To send booking-related emails (e.g., confirmations, reminders, reschedules, or cancellations) on your behalf.
- Google Calendar: To check availability (free/busy) to prevent double-bookings and to create, update, or delete events booked through Koalendar.
- Google Drive: To store and manage form uploads or attachments in your own Drive folder, ensuring you retain ownership.
- Google Sign-In: To authenticate your account and pre-fill your profile information for a seamless login experience.
We do not use Google user data for any other purposes, such as advertising, analytics, or sharing with third parties (except as required by law). Data is encrypted in transit and at rest, and access can be revoked at any time via your Google Account settings or Koalendar’s integrations page.
Storage & retention
| Data element | Stored? | Retention policy |
|---|---|---|
| Gmail – message bodies | No | n/a |
| Gmail – message ID, recipients, subject | Yes | 30 days (delivery logs) |
| Google Calendar – event IDs & metadata | Yes | Until the event or your account is deleted |
| Google Drive – file IDs & metadata | Yes | Until you delete the file or your account |
| OAuth refresh tokens (all services) | Encrypted at rest | Deleted instantly when you disconnect or close your account |
| Google Sign-In – basic profile (name, email, picture) | Yes | Until you delete your Koalendar account |
Your controls
- Disconnect / revoke at any time → Google Account ▸ Security ▸ “Third-party apps” or Koalendar ▸ Integrations ▸ My Apps
- Delete all data → Koalendar ▸ Settings ▸ Delete Account
Security Measures
- All data in transit is encrypted with TLS 1.2+.
- Customer data stored in Koalendar databases is encrypted at rest.
- OAuth tokens, event metadata and file IDs are encrypted at rest using AES‑256.
- Access to production systems is protected by enforced multi‑factor authentication and is role‑based.
Other Third‑Party Integrations
Koalendar also lets you connect to non‑Google services (e.g. Microsoft Outlook, Apple Calendar, Zoom, Microsoft Teams). Each integration is optional and governed by the same principles: minimal access, purpose limitation, encryption and user‑controlled revocation. Details for each integration are available in their respective subsections in our full privacy policy.
FERPA for Education Customers
For education customers that use Koalendar to process student scheduling data, see our FERPA / COPPA Privacy Notice for additional information about student invitees, school responsibilities, and Koalendar’s role as a service provider to educational institutions.
Customers remain responsible for determining whether FERPA applies to their use of the Service, configuring user access appropriately, and obtaining any notices or consents required under applicable law.
California Privacy Rights (CCPA)
This section applies to California residents and supplements our privacy policy with disclosures required under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
We do not sell or share your personal information. Koalendar does not sell personal information to third parties and does not share personal information for cross-context behavioral advertising.
Categories of personal information we collect
We collect the following categories of personal information, as described in this policy and our GDPR article:
- Identifiers: Name, email address, phone number, IP address
- Account and profile data: Sign-in credentials, profile picture, job role, preferences
- Commercial information: Booking history, payment and billing information
- Internet or network activity: Usage data, session information, device and browser metadata
- Geolocation data: Approximate location (e.g. from IP) where applicable
- Professional or employment-related information: Job role, workspace membership (where provided)
Purposes of collection
We collect personal information to provide and operate the scheduling service, process bookings, send notifications, provide customer support, prevent fraud and abuse, improve our service, and comply with legal obligations.
Categories of third parties we disclose data to
We disclose personal information to service providers and subprocessors who process data on our behalf, including: hosting and infrastructure (Google Cloud Platform, Amazon Web Services), email and SMS delivery (Twilio, AWS SES), analytics (Mixpanel, Microsoft Clarity), customer support (Help Scout), sales and contact management (HubSpot), payments (Stripe), and other vendors necessary to operate the service. We do not sell or share this data for advertising purposes.
Your California privacy rights
If you are a California resident, you have the right to:
- Right to Know: Request access to the personal information we have collected about you in the preceding 12 months. Contact us to submit a request.
- Right to Delete: Request deletion of your personal information. You can delete your account at any time via Koalendar ▸ Settings ▸ Delete Account.
- Right to Correct: Request correction of inaccurate personal information. You can update your profile and account details in Settings.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise your Right to Know or to submit other privacy requests, contact us at dpo@koalendar.com or through our contact form. We will verify your identity and respond within 45 days as required by law.
Data retention
We retain personal information only as long as necessary to provide the service, as described in the Storage & retention section above and in our full privacy policy.
