Data Processing & Compliance

Last Updated: August 4, 2025

1. Introduction

This page provides detailed information about how Calpace (operated by Calpace Ltd.) ("we", "us") processes personal data in compliance with data protection regulations, including the General Data Protection Regulation (GDPR). This information is intended to supplement our Privacy Policy and serves as a Data Processing Agreement (DPA) for our customers.

2. Roles Under GDPR

Understanding the roles of "Data Controller" and "Data Processor" is key to understanding our respective responsibilities.

  • You, the Customer (Data Controller): When you use Calpace to schedule meetings with your clients, employees, or other individuals (the "End-Users"), you are the Data Controller. You determine the purposes and means of processing the personal data of your End-Users.
  • Calpace (Data Processor): We are the Data Processor. We process the personal data of your End-Users on your behalf and according to your instructions to provide the Calpace Service.

3. Details of Data Processing

  • Subject Matter: The processing of personal data to facilitate automated scheduling services.
  • Duration: For the duration of your subscription to the Calpace Service, and as described in our Data Retention policy.
  • Nature and Purpose: To enable you and your End-Users to view availability, schedule meetings, send notifications and reminders, and manage appointments.
  • Types of Personal Data Processed: Name, email address, calendar availability, event details (title, time, location), IP addresses, meeting links, payment information (when using payment integrations), contact data from CRM integrations, and any custom information you collect in your booking forms.
  • Categories of Data Subjects: Your End-Users, which may include your clients, customers, colleagues, and prospects.

4. Third-Party Integration Data Processing

When you connect third-party integrations, additional data processing activities occur:

Calendar Service Integrations

  • Google Calendar, Microsoft Outlook, iCloud: We process calendar events, availability windows, attendee information, and event metadata to provide scheduling services.
  • Legal Basis: Legitimate interest and your explicit consent when connecting these services.

Video Conferencing Integrations

  • Zoom, Google Meet, Microsoft Teams: We generate and store meeting URLs and may access basic meeting information for scheduling purposes.

CRM and Business Tool Integrations

  • Salesforce, HubSpot, Pipedrive: We synchronize contact information, lead data, and meeting activities between systems.
  • Slack: We send notifications containing booking information to designated channels.

Payment Processing Integrations

  • Stripe, PayPal: Payment data is processed directly by these services as data processors on your behalf. We receive confirmation data but do not store sensitive payment information.

Marketing and Analytics Integrations

  • Mailchimp: Contact information may be synchronized to your mailing lists.
  • Google Analytics: Anonymized usage data may be shared for performance tracking.

Automation Integrations

  • Zapier, Custom Webhooks: Booking and event data may be transmitted to automation platforms or custom endpoints you specify.

Data Controller Relationships: For most integrations, you remain the data controller and Calpace acts as your data processor. Third-party services may act as sub-processors under their own data processing agreements with you.

5. Sub-processors

To provide our Service, we use third-party service providers ("Sub-processors") for functions like cloud infrastructure and payment processing. We maintain a list of our Sub-processors and conduct due diligence to ensure they have adequate security and privacy safeguards in place. We remain responsible for the data processing activities of our Sub-processors.

Core Sub-processors

  • Cloud hosting and infrastructure providers
  • Payment processing services (Stripe, PayPal)
  • Email delivery services
  • Analytics and monitoring tools

Integration-Specific Sub-processors

When you connect third-party integrations, those services become sub-processors for the specific data shared through the integration:

  • Google (Calendar, Meet, Analytics)
  • Microsoft (Outlook, Teams)
  • Apple (iCloud Calendar)
  • Zoom Video Communications
  • Salesforce, HubSpot, Pipedrive
  • Slack Technologies
  • Mailchimp (Intuit)
  • Zapier

You can review and manage your connected integrations at any time through your account settings.

6. Security Measures

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

  • Encryption of data in transit (using TLS) and at rest.
  • Strict access controls to limit access to personal data to authorized personnel only.
  • Regular security assessments and vulnerability scanning.
  • A formal incident response plan to address any potential data breaches.
  • Secure authentication protocols for third-party integrations (OAuth 2.0, API keys with limited scope).
  • Regular security audits of integration endpoints and data transmission processes.

7. Data Subject Rights

As the Data Controller, you are responsible for responding to requests from your End-Users regarding their data subject rights (e.g., access, rectification, erasure). Calpace will provide you with the tools and support necessary to help you fulfill these requests. If we receive a request directly from one of your End-Users, we will notify you without undue delay.

Integration-Related Rights: When processing data subject rights requests that involve integrated third-party services, you may need to coordinate with those services directly. We will assist in identifying which integrations may contain the requested data.

8. International Data Transfers

Personal data may be processed in countries outside of the European Economic Area (EEA). Where this occurs, we ensure that such transfers are lawful and that the data is adequately protected by relying on mechanisms such as the European Commission's Standard Contractual Clauses (SCCs).

Third-Party Integration Transfers: When you connect integrations with services that operate globally (such as Google, Microsoft, Zoom, Salesforce), data may be transferred to and processed in various countries. These transfers are covered by the respective companies' international data transfer safeguards and their own adequacy decisions or appropriate safeguards.

9. Contact Information

For any questions related to data protection, compliance, or this DPA, please contact our privacy team or our designated Data Protection Officer (DPO):

  • By email: privacy@calpace.app
  • By mail: Attn: Data Protection Officer, 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom