calendly.com privacy policy — score 65/100 (medium risk)
Último análisis
El contenido del informe (resumen, hallazgos, citas) se generó en inglés y no está localizado.
Calendly, LLC · calendly.com
Detalles del informe
medium riesgoCalendly collects a wide range of personal and usage data, shares it with advertising partners, and while it offers standard EU rights and transfer mechanisms, its vague retention periods and silence on AI training for its Notetaker feature are concerning.
The privacy notice clearly distinguishes between Calendly's role as a data controller and processor, and provides robust mechanisms for international data transfers (DPF, SCCs) and user rights. However, it suffers from significant transparency issues regarding the use of highly sensitive data (meeting transcripts/recordings) for potential AI training, overly broad retention periods, and extensive tracking and sharing with third-party advertising networks.
Evaluación por categoría
Desglose de la política en las principales áreas de cumplimiento. Bueno = sólido, regular = mixto, deficiente = preocupante.
Collects standard account and billing data, but also gathers extensive tracking data, third-party lead generation data, and sensitive meeting content which may exceed what is strictly necessary.
Clearly lists data types and sharing partners, but fails to clarify if sensitive meeting transcripts are used for AI training and uses overly vague language for data retention.
Extensive sharing with advertising and analytics partners (Facebook Pixel, Clearbit, MNTN, Google Analytics) and session replay tools, explicitly admitting to 'selling' or 'sharing' data under CCPA definitions.
Explicitly relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, and the UK Addendum, and provides EU/UK representative contact details.
The policy is completely silent on whether meeting transcripts, recordings, and summaries collected via the Notetaker feature are used to train AI models, which is a major transparency gap.
Comprehensively lists GDPR rights (access, deletion, portability, objection), provides a Privacy Center for requests, honors GPC signals, and offers cookie management tools.
Hallazgos clave
Cláusulas destacadas, problemas o buenas prácticas detectadas (críticos primero)
Silence on AI Training with Sensitive Meeting Data
The policy explicitly states that Calendly processes 'virtual meeting recordings, transcripts and summaries' as Customer Data. However, it is entirely silent on whether this highly sensitive data is used to train Calendly's AI models, representing a significant transparency failure under GDPR's purpose limitation and fairness principles.
Vague and Overly Broad Retention Periods
The policy states data is retained 'for so long as is reasonably necessary to fulfill the purposes... and for any applicable statute of limitations periods.' This generic clause fails to provide the specific retention timeframes required by GDPR Article 5(1)(e), leaving users unaware of how long their data persists.
Heavy Third-Party Tracking and Advertising
Calendly shares user identifiers and internet activity with targeted advertising and analytics partners like Facebook Pixel, Clearbit, and MNTN. The policy admits this constitutes a 'sale' or 'share' under CCPA, meaning EU users must rely strictly on cookie consent banners to prevent unauthorized tracking under GDPR.
Controller vs. Processor Blurring via Usage Data
While Calendly claims to be a processor for Customer Data, it also collects 'Usage Data' (e.g., 'how many meetings are scheduled each day', 'whether the meeting was recorded') to 'monitor and improve the Services.' This dual use of customer event data for Calendly's own product development blurs the controller/processor line and may exceed the original collection purpose.
Resumen para el usuario
Your meeting recordings and transcripts are collected, but it's unclear if Calendly uses them to train AI. You are tracked by third-party advertisers like Facebook and Google on their site, and your data is sent to the US, though safeguards are in place.
Postura de cumplimiento
Mixed compliance posture. Strong structural elements (DPF certification, SCC usage, EU/UK representatives) are undermined by vague retention policies, ambiguous AI usage, and heavy third-party tracking that may require strict consent management under GDPR.
Transferencias en la UE
Adequate safeguards stated. Relies on EU-U.S. Data Privacy Framework, UK Extension, Swiss-U.S. DPF, and Standard Contractual Clauses (SCCs) with a UK Addendum. EU and UK representatives are explicitly named.
Señales detectadas
Datos y prácticas específicas identificadas en el texto
Fragmentos de evidencia
Citas directas de la política que respaldan estos hallazgos
When customers use our Services, they may process certain Personal Data, such as... virtual meeting recordings, transcripts and summaries, and other information about you.
We retain the Personal Data we collect for so long as is reasonably necessary to fulfill the purposes for which the data was collected... and for any applicable statute of limitations periods for the purposes of bringing and defending claims.
We may also disclose information or allow third parties to directly collect information using third party cookies and related tracking technologies... such as social media companies, advertising networks... We may sell or share information to the extent our use of Cookies and tracking technologies for targeted advertising or analytics purposes constitutes a “sale” or “share” under the CCPA.
We rely on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses and the UK Addendum to legally transfer Personal Data submitted relating to individuals in the European Economic Area, the United Kingdom, and Switzerland.
Ausente o poco claro
- No explicit mention of whether meeting transcripts or recordings are used for AI model training.
- No specific retention schedules for different categories of personal data.
- No detail on Data Protection Impact Assessments (DPIAs) for the Notetaker feature which processes sensitive meeting content.
- No mention of automated decision-making or profiling with legal effects.
Preguntas que hacer
- Are meeting transcripts and summaries collected via the Notetaker feature used to train Calendly's AI models, and if so, how can users opt out?
- What are the specific retention periods for account data, usage data, and meeting recordings/transcripts?
- How does Calendly ensure that its own usage analytics (processing as a controller) do not infringe on the rights of the data subjects whose data it processes strictly on behalf of customers?
- Does Calendly enforce the same standard contractual clauses and privacy obligations on the third-party advertising partners it shares user data with?
Compartir este análisis
Cualquiera con este enlace puede ver el resultado anterior.
Creado por DentroChat
Chat de IA 100 % europeo para todos
Chatea con la IA, trabaja con archivos, genera imágenes y busca en la web. Los datos permanecen en Europa.