Privacy Policy
Pre-launch draft. This policy is being finalized before launch and is pending review. Items in [brackets] — our legal entity, registered address, and the relevant jurisdiction — will be completed by ZagCal before going live.
ZagCal is built so that we hold as little of your information as possible. The heart of the product only ever processes your calendars' busy/free status — never your event details.
1. Who we are
ZagCal ("ZagCal", "we", "us") operated by [ZagCal legal entity], [registered address], is the data controller for the personal data described here. Questions? Email privacy@zagcal.com.
2. The data we process
- Account data: your email address, display name, and a securely hashed password.
- Connected-calendar credentials: OAuth tokens (Google, Microsoft) or an app-specific password (Apple), stored encrypted at rest. We request only the access needed for free/busy.
- Availability data: the busy/free time ranges we read to compute your schedule, and the generic "Busy" placeholder events we create. We do not store your event titles, guests, notes, or locations.
- Organization data: the organizations you create or join and your membership/role.
- Booking data: if you publish a booking page, the name, email, and any notes a booker provides when they book time with you.
- Billing data: for paid plans, a Stripe customer identifier and subscription status. Payments are processed by Stripe; we never receive or store your card details.
- Technical data: limited log and request metadata (such as IP address) used for security, rate-limiting, and reliability.
3. How and why we use it (legal bases)
- To provide the service — syncing availability, booking pages, account management (performance of a contract).
- Security and abuse prevention — authentication, rate-limiting, threat mitigation (legitimate interests).
- Billing — managing subscriptions via Stripe (performance of a contract).
- Legal compliance — where we must retain or disclose data by law (legal obligation).
4. Sharing and sub-processors
We do not sell your personal data. We share it only with providers that help us run ZagCal:
- Your calendar providers (Google, Microsoft, Apple) — we access your data there at your direction.
- Stripe — payment processing for paid plans.
- Our hosting/infrastructure provider — to operate the service.
5. Retention
We keep your data for as long as your account is active. When you delete your account we remove your data and tear down the placeholders ZagCal created on your providers; routine backups cycle out thereafter. To export your data or delete your account, contact privacy@zagcal.com and we'll action your request.
6. Your rights
Subject to applicable law (including the GDPR), you have the right to access, rectify, erase, restrict, or object to processing of your personal data, to data portability, and to withdraw consent. To exercise any of these, contact privacy@zagcal.com and we'll action your request. You may also lodge a complaint with your local data-protection supervisory authority.
7. International transfers
Where data is processed outside your region, we rely on appropriate safeguards [transfer mechanism — to be confirmed based on hosting location].
8. Cookies & analytics
We use a single essential cookie to keep you signed in. We do not use third-party advertising or cross-site tracking cookies.
Our website analytics are first-party and cookieless: we measure aggregate traffic (page views, a daily count of unique visitors, and which calls-to-action are clicked) without setting any cookie or storing your IP address or a cross-site identifier. Unique visitors are counted with a salted hash that rotates every day, so a visitor cannot be tracked across days, and we never link an anonymous visitor to a specific account. We honour Do Not Track and Global Privacy Control, and aggregate marketing data is kept for at most 90 days. Because no personal data is stored and nothing is read from or written to your device, this needs no cookie banner.
9. Children
ZagCal is not directed to children and is not intended for anyone under 16.
10. Changes
We'll post any changes here and update the effective date above; material changes will be communicated to account holders.
11. Contact
privacy@zagcal.com · [ZagCal legal entity], [registered address]. Governing law: [jurisdiction — to be confirmed].