← Back to home

Privacy Policy

Effective date: May 12, 2026

Calmy ("Calmy", "we", "us") provides a self-service appointment booking tool that integrates with Google Calendar. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

By using Calmy you agree to this policy. If you do not agree, please do not use the service.

1. Who we are

Calmy is a service operated by Highintent ("Highintent", "Calmy", "we", "us"), the data controller for personal data processed through the Calmy service. For any privacy questions, contact us at hello@calmy.life.

1a. Legal basis for processing

For users in the EU/EEA and the UK, we rely on the following legal bases under the GDPR / UK GDPR:

  • Performance of a contract — to create your account, provide the booking service, sync your calendar, and process bookings.
  • Legitimate interests — to secure the service, prevent fraud and abuse, maintain server logs, and improve the product.
  • Consent — when you connect a Google account (which you may revoke at any time) and for any optional marketing communications.
  • Legal obligation — to comply with tax, accounting, and other applicable laws (e.g. retention of billing records by our Merchant of Record).

2. Information we collect

  • Account information. Email address, name, timezone, and your public booking-page settings (slug, title, intro, brand color).
  • Google account information. When you connect a Google Calendar, we receive your Google email address, an OAuth access token, and a refresh token from Google.
  • Google Calendar data. Busy/free intervals from the calendars you connect (used at request time to prevent double-booking) and events we create on your behalf when a guest books a meeting.
  • Booking data. Guest name, guest email, selected time, duration, and notes provided by guests on your booking page.
  • Technical data. Standard server logs (IP, user agent, timestamps) used to operate and secure the service.

3. How we use Google user data

Calmy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • calendar.readonly - to read busy/free time on your connected calendars so guests can only book free slots.
  • calendar.events - to create a single calendar event (with a Google Meet link) on your primary calendar when a guest confirms a booking.

We do not use Google user data to train AI models. We do not sell or share Google user data with third parties for advertising. We do not allow humans to read Google user data except (a) with your explicit consent, (b) for security investigations, or (c) when required by law.

4. How we store and protect data

Data is stored on managed cloud infrastructure (Lovable Cloud, powered by Supabase) with encryption at rest and in transit. Access is restricted using row-level security so you can only access your own account data. OAuth tokens are stored server-side and are never exposed to client browsers.

5. Data sharing

We do not sell your data. We share data only with the categories of recipients listed below:

  • Paddle.com Market Ltd. ("Paddle") — our Merchant of Record for all paid subscriptions. Paddle processes your payment, stores billing details (name, email, billing address, payment method), issues invoices and receipts, handles refunds, and is responsible for sales-tax and VAT compliance. Paddle is an independent data controller for the billing data it collects; see Paddle's privacy policy.
  • Google — to read calendar busy/free times and create events on calendars you have connected.
  • Infrastructure sub-processors — hosting, database, and email-delivery providers required to operate the service.
  • Authorities — where disclosure is required by law.

6. Data retention

Account, booking, and OAuth-token data is retained while your account is active. You can disconnect a Google Calendar at any time, which deletes the associated tokens. You can request deletion of your account and all associated data by emailing us.

7. Your rights

Depending on your location, you may have rights to access, correct, export, or delete your personal data, and to withdraw consent. Contact us at hello@calmy.life to exercise these rights.

You can also revoke Calmy's access to your Google account at any time from your Google Account permissions page.

8. Children

Calmy is not directed to children under 13 (or the equivalent minimum age in your jurisdiction) and we do not knowingly collect their data.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by updating the effective date above and, where appropriate, by email.

10. Contact

Questions? Email hello@calmy.life.