calendly.com privacy policy — score 65/100 (medium risk)
Sidst analyseret
Rapportindholdet (resumé, fund, citater) er genereret på engelsk og er ikke lokaliseret.
Calendly, LLC · calendly.com
Rapportdetaljer
medium risikoCalendly collects a wide range of personal and usage data, shares it with advertising partners, and while it offers standard EU rights and transfer mechanisms, its vague retention periods and silence on AI training for its Notetaker feature are concerning.
The privacy notice clearly distinguishes between Calendly's role as a data controller and processor, and provides robust mechanisms for international data transfers (DPF, SCCs) and user rights. However, it suffers from significant transparency issues regarding the use of highly sensitive data (meeting transcripts/recordings) for potential AI training, overly broad retention periods, and extensive tracking and sharing with third-party advertising networks.
Vurdering pr. kategori
Opdeling af politikken på vigtige compliance-områder. God = stærk, rimelig = blandet, dårlig = bekymrende.
Collects standard account and billing data, but also gathers extensive tracking data, third-party lead generation data, and sensitive meeting content which may exceed what is strictly necessary.
Clearly lists data types and sharing partners, but fails to clarify if sensitive meeting transcripts are used for AI training and uses overly vague language for data retention.
Extensive sharing with advertising and analytics partners (Facebook Pixel, Clearbit, MNTN, Google Analytics) and session replay tools, explicitly admitting to 'selling' or 'sharing' data under CCPA definitions.
Explicitly relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, and the UK Addendum, and provides EU/UK representative contact details.
The policy is completely silent on whether meeting transcripts, recordings, and summaries collected via the Notetaker feature are used to train AI models, which is a major transparency gap.
Comprehensively lists GDPR rights (access, deletion, portability, objection), provides a Privacy Center for requests, honors GPC signals, and offers cookie management tools.
Vigtige fund
Bemærkelsesværdige klausuler, problemer eller gode praksisser (kritiske først)
Silence on AI Training with Sensitive Meeting Data
The policy explicitly states that Calendly processes 'virtual meeting recordings, transcripts and summaries' as Customer Data. However, it is entirely silent on whether this highly sensitive data is used to train Calendly's AI models, representing a significant transparency failure under GDPR's purpose limitation and fairness principles.
Vague and Overly Broad Retention Periods
The policy states data is retained 'for so long as is reasonably necessary to fulfill the purposes... and for any applicable statute of limitations periods.' This generic clause fails to provide the specific retention timeframes required by GDPR Article 5(1)(e), leaving users unaware of how long their data persists.
Heavy Third-Party Tracking and Advertising
Calendly shares user identifiers and internet activity with targeted advertising and analytics partners like Facebook Pixel, Clearbit, and MNTN. The policy admits this constitutes a 'sale' or 'share' under CCPA, meaning EU users must rely strictly on cookie consent banners to prevent unauthorized tracking under GDPR.
Controller vs. Processor Blurring via Usage Data
While Calendly claims to be a processor for Customer Data, it also collects 'Usage Data' (e.g., 'how many meetings are scheduled each day', 'whether the meeting was recorded') to 'monitor and improve the Services.' This dual use of customer event data for Calendly's own product development blurs the controller/processor line and may exceed the original collection purpose.
Resumé til brugeren
Your meeting recordings and transcripts are collected, but it's unclear if Calendly uses them to train AI. You are tracked by third-party advertisers like Facebook and Google on their site, and your data is sent to the US, though safeguards are in place.
Compliance-stilling
Mixed compliance posture. Strong structural elements (DPF certification, SCC usage, EU/UK representatives) are undermined by vague retention policies, ambiguous AI usage, and heavy third-party tracking that may require strict consent management under GDPR.
EU-overførsler
Adequate safeguards stated. Relies on EU-U.S. Data Privacy Framework, UK Extension, Swiss-U.S. DPF, and Standard Contractual Clauses (SCCs) with a UK Addendum. EU and UK representatives are explicitly named.
Registrerede signaler
Specifikke datapunkter og praksisser identificeret i teksten
Bevisuddrag
Direkte citater fra politikken, der understøtter disse fund
When customers use our Services, they may process certain Personal Data, such as... virtual meeting recordings, transcripts and summaries, and other information about you.
We retain the Personal Data we collect for so long as is reasonably necessary to fulfill the purposes for which the data was collected... and for any applicable statute of limitations periods for the purposes of bringing and defending claims.
We may also disclose information or allow third parties to directly collect information using third party cookies and related tracking technologies... such as social media companies, advertising networks... We may sell or share information to the extent our use of Cookies and tracking technologies for targeted advertising or analytics purposes constitutes a “sale” or “share” under the CCPA.
We rely on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses and the UK Addendum to legally transfer Personal Data submitted relating to individuals in the European Economic Area, the United Kingdom, and Switzerland.
Mangler eller uklart
- No explicit mention of whether meeting transcripts or recordings are used for AI model training.
- No specific retention schedules for different categories of personal data.
- No detail on Data Protection Impact Assessments (DPIAs) for the Notetaker feature which processes sensitive meeting content.
- No mention of automated decision-making or profiling with legal effects.
Spørgsmål at stille
- Are meeting transcripts and summaries collected via the Notetaker feature used to train Calendly's AI models, and if so, how can users opt out?
- What are the specific retention periods for account data, usage data, and meeting recordings/transcripts?
- How does Calendly ensure that its own usage analytics (processing as a controller) do not infringe on the rights of the data subjects whose data it processes strictly on behalf of customers?
- Does Calendly enforce the same standard contractual clauses and privacy obligations on the third-party advertising partners it shares user data with?
Del denne analyse
Alle med dette link kan se resultatet ovenfor.
Bygget af DentroChat
100 % europæisk AI-chat for alle
Chat med AI, arbejd med filer, generer billeder og søg på nettet. Data forbliver i Europa.