calendly.com privacy policy — score 65/100 (medium risk)
Dernière analyse
Le contenu du rapport (résumé, constats, citations) a été généré en anglais et n'est pas localisé.
Calendly, LLC · calendly.com
Détails du rapport
medium risqueCalendly collects a wide range of personal and usage data, shares it with advertising partners, and while it offers standard EU rights and transfer mechanisms, its vague retention periods and silence on AI training for its Notetaker feature are concerning.
The privacy notice clearly distinguishes between Calendly's role as a data controller and processor, and provides robust mechanisms for international data transfers (DPF, SCCs) and user rights. However, it suffers from significant transparency issues regarding the use of highly sensitive data (meeting transcripts/recordings) for potential AI training, overly broad retention periods, and extensive tracking and sharing with third-party advertising networks.
Évaluation par catégorie
Répartition de la politique selon les principaux domaines de conformité. Bon = solide, moyen = mitigé, faible = préoccupant.
Collects standard account and billing data, but also gathers extensive tracking data, third-party lead generation data, and sensitive meeting content which may exceed what is strictly necessary.
Clearly lists data types and sharing partners, but fails to clarify if sensitive meeting transcripts are used for AI training and uses overly vague language for data retention.
Extensive sharing with advertising and analytics partners (Facebook Pixel, Clearbit, MNTN, Google Analytics) and session replay tools, explicitly admitting to 'selling' or 'sharing' data under CCPA definitions.
Explicitly relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, and the UK Addendum, and provides EU/UK representative contact details.
The policy is completely silent on whether meeting transcripts, recordings, and summaries collected via the Notetaker feature are used to train AI models, which is a major transparency gap.
Comprehensively lists GDPR rights (access, deletion, portability, objection), provides a Privacy Center for requests, honors GPC signals, and offers cookie management tools.
Constats clés
Clauses notables, problèmes ou bonnes pratiques identifiées (critiques en premier)
Silence on AI Training with Sensitive Meeting Data
The policy explicitly states that Calendly processes 'virtual meeting recordings, transcripts and summaries' as Customer Data. However, it is entirely silent on whether this highly sensitive data is used to train Calendly's AI models, representing a significant transparency failure under GDPR's purpose limitation and fairness principles.
Vague and Overly Broad Retention Periods
The policy states data is retained 'for so long as is reasonably necessary to fulfill the purposes... and for any applicable statute of limitations periods.' This generic clause fails to provide the specific retention timeframes required by GDPR Article 5(1)(e), leaving users unaware of how long their data persists.
Heavy Third-Party Tracking and Advertising
Calendly shares user identifiers and internet activity with targeted advertising and analytics partners like Facebook Pixel, Clearbit, and MNTN. The policy admits this constitutes a 'sale' or 'share' under CCPA, meaning EU users must rely strictly on cookie consent banners to prevent unauthorized tracking under GDPR.
Controller vs. Processor Blurring via Usage Data
While Calendly claims to be a processor for Customer Data, it also collects 'Usage Data' (e.g., 'how many meetings are scheduled each day', 'whether the meeting was recorded') to 'monitor and improve the Services.' This dual use of customer event data for Calendly's own product development blurs the controller/processor line and may exceed the original collection purpose.
Synthèse pour l'utilisateur
Your meeting recordings and transcripts are collected, but it's unclear if Calendly uses them to train AI. You are tracked by third-party advertisers like Facebook and Google on their site, and your data is sent to the US, though safeguards are in place.
Posture de conformité
Mixed compliance posture. Strong structural elements (DPF certification, SCC usage, EU/UK representatives) are undermined by vague retention policies, ambiguous AI usage, and heavy third-party tracking that may require strict consent management under GDPR.
Transferts UE
Adequate safeguards stated. Relies on EU-U.S. Data Privacy Framework, UK Extension, Swiss-U.S. DPF, and Standard Contractual Clauses (SCCs) with a UK Addendum. EU and UK representatives are explicitly named.
Signaux détectés
Données et pratiques spécifiques identifiées dans le texte
Extraits probants
Citations directes de la politique à l'appui de ces constats
When customers use our Services, they may process certain Personal Data, such as... virtual meeting recordings, transcripts and summaries, and other information about you.
We retain the Personal Data we collect for so long as is reasonably necessary to fulfill the purposes for which the data was collected... and for any applicable statute of limitations periods for the purposes of bringing and defending claims.
We may also disclose information or allow third parties to directly collect information using third party cookies and related tracking technologies... such as social media companies, advertising networks... We may sell or share information to the extent our use of Cookies and tracking technologies for targeted advertising or analytics purposes constitutes a “sale” or “share” under the CCPA.
We rely on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses and the UK Addendum to legally transfer Personal Data submitted relating to individuals in the European Economic Area, the United Kingdom, and Switzerland.
Manquant ou flou
- No explicit mention of whether meeting transcripts or recordings are used for AI model training.
- No specific retention schedules for different categories of personal data.
- No detail on Data Protection Impact Assessments (DPIAs) for the Notetaker feature which processes sensitive meeting content.
- No mention of automated decision-making or profiling with legal effects.
Questions à poser
- Are meeting transcripts and summaries collected via the Notetaker feature used to train Calendly's AI models, and if so, how can users opt out?
- What are the specific retention periods for account data, usage data, and meeting recordings/transcripts?
- How does Calendly ensure that its own usage analytics (processing as a controller) do not infringe on the rights of the data subjects whose data it processes strictly on behalf of customers?
- Does Calendly enforce the same standard contractual clauses and privacy obligations on the third-party advertising partners it shares user data with?
Partager cette analyse
Toute personne disposant de ce lien peut consulter le résultat ci-dessus.
Conçu par DentroChat
Chat IA 100 % européen pour tous
Discutez avec l'IA, travaillez avec des fichiers, générez des images et cherchez sur le web. Les données restent en Europe.