Calendly and Data Protection – What Belongs in the Privacy Policy

Concise guide to Calendly: data processed, purposes, legal bases (GDPR), and what website operators need to include in their privacy policy when embedding Calendly inline or as a pop-up.

When a website operator uses Calendly, loading a page with the embedded booking widget triggers processing of web server log data, device data, and browser information; if a visitor actually completes a booking, the entries from the booking form (name, email, optionally phone number, answers to questions, the chosen slot) are processed for the preparation and performance of the appointment. The legal basis for loading the embedded widget is typically a third-party content consent; the booking itself is typically based on pre-contractual measures or contract performance (Art. 6 (1) (b) GDPR), supplemented by legitimate interests (Art. 6 (1) (f) GDPR). This entry page on Calendly privacy sets out which data the service processes and which mandatory information must appear in the website's privacy policy.

A. Purpose and Functionality of Calendly

Calendly is an online appointment scheduling service that allows website visitors to view a provider's available time slots and book a binding appointment. According to the publicly available information, the provider is Calendly, LLC, headquartered in Atlanta/Buford, Georgia, USA.

Calendly offers several functions: a back-end for calendar management, integrations with Google Calendar, Microsoft 365, Zoom, and other services, and dispatch of invitations and reminders. This page focuses on the integration function that is most relevant to website operators: embedding a Calendly booking widget on the operator's own website. Calendly provides three embed variants:

  • Inline embed – the booking widget is embedded directly as an <iframe> and is visible without user action.
  • Popup widget – a script from assets.calendly.com places a button or trigger; clicking opens the booking form as an overlay.
  • Popup text/popup button – a text or button element that opens the Calendly booking overlay on click.

In all variants, a script from a Calendly domain (assets.calendly.com) and an iframe (calendly.com) are loaded. The visitor's browser thereby establishes a direct connection to Calendly servers. This page does not address Calendly functions that run exclusively in the website operator's back-end (e.g., internal routing rules, reporting), since they do not trigger any data processing in the visitor's browser.

B. Mandatory Information in the Privacy Policy When Using Calendly

In addition to general information about the website operator, data subject rights, and the supervisory authority, the GDPR requires tool-specific mandatory information in privacy policies. This includes the purposes of processing and the legal bases (Art. 13 (1) (c) GDPR), and where reliance is placed on Art. 6 (1) (f) GDPR, the specific legitimate interests pursued (Art. 13 (1) (d) GDPR), the recipients or categories of recipients (Art. 13 (1) (e) GDPR), information about third-country transfers and the safeguards relied upon (Art. 13 (1) (f) GDPR), and the storage period or the criteria for determining it (Art. 13 (2) (a) GDPR). Where data is not collected directly from the data subject, the categories of personal data processed (Art. 14 (1) (d) GDPR) are also required.

These mandatory items are addressed concretely for Calendly in sections C–H below.

In practice, it has become customary to insert a separate, often lawyer-drafted text block for every tool – including Calendly – into the privacy policy. This "boilerplate-per-tool" approach has established itself as a bad habit: it produces long, repetitive policies that are hard to maintain and barely readable for visitors. The transparency principle of Art. 12 (1) GDPR – privacy information must be concise, transparent, intelligible, and easily accessible – is undermined.

A more appropriate approach is topic-oriented: processing activities are described across the board (server operation, third-party content, newsletter, tracking, sales …), while the specific service providers used – such as Calendly – are listed in a recipients appendix. This is precisely the methodology of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Calendly

According to the publicly available information, the contracting party for German website operators is:

  • Calendly, LLC
  • 115 E Main St., Ste A1B, Buford, GA 30518, USA
  • Country of seat: United States of America

Calendly does not publicly identify a separate EU establishment for contracting with European customers; it has named an EU representative under Art. 27 GDPR: DPO Centre Europe, Friedrichstraße 88, 10117 Berlin, Germany (contact: eurep@calendly.com).

Third-country transfer and DPF. According to the listings at dataprivacyframework.gov, Calendly, LLC is certified under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework. An adequacy decision of the European Commission therefore applies to transfers from the EU to the US (Implementing Decision (EU) 2023/1795). Calendly additionally offers Standard Contractual Clauses (SCCs) within its DPA.

Calendly's privacy notice for this service is available at calendly.com/legal/privacy-notice. The Data Processing Addendum is available at calendly.com/legal/data-processing-addendum; the sub-processor list at calendly.com/help/calendly-sub-processors-gdpr-ccpa.

D. Data Processing in Calendly – Step by Step

  • Collection. When a page with an embedded Calendly inline or popup component is loaded, the visitor's browser fetches scripts and an iframe from Calendly domains. Calendly thereby receives web server log data (in particular IP address, date/time, referrer, user agent), device data, browser information, and IP-based coarse location data. If the visitor fills in the booking form and submits it, user content (name, email, optionally phone, answers to mandatory or additional questions, chosen slot) and the conversion event "booking" are added.
  • Storage. According to Calendly, booking and account data is stored in the United States. Sub-processors (e.g., cloud hosters) may process data in further regions; the current sub-processor list is available via Calendly's help pages.
  • Use. Calendly processes the data to provide the booking widget, to perform the appointment booking (confirmation emails, calendar entries, reminders), and – as an independent controller for its own back-end processing – to maintain the service, prevent abuse, and improve the product.
  • Disclosure. According to the sub-processor list, Calendly uses cloud infrastructure and tooling providers. The website operator itself receives the booking data in its Calendly account and, where applicable, via webhook/integration in its own systems (calendar, CRM).
  • Deletion. According to Calendly, personal data is retained for as long as is reasonably necessary to fulfil the purposes and contractual or legal obligations. The website operator can manage and delete booking and event data within its account.

E. Data Collected When Using Calendly

When using Calendly in the typical website embed scenario, the following personal data is processed in particular: IP address, date/time of the request, requested URL and referrer, user agent, language setting, derived coarse location, and – upon actual booking – name, email address, optionally phone number, answers to booking questions, chosen date/time, time zone, and any note to the provider.

This data falls into the following standardised data categories:

  • Web server log data: data the provider's web server receives with each request, in particular IP address, date/time, URL of the requested resource, referrer, browser/operating system/device information, and supplementary technical metadata.
  • Device data: information about the user's device, e.g., device type, operating system, screen resolution, touch support.
  • Browser information: browser name and version, language settings.
  • Coarse location data: rough location derived from the IP address at city or regional level.
  • User content: content entered by the visitor in the booking form, e.g., name, email address, phone number, answers to mandatory and additional questions, free-form notes.
  • Conversion events: user interactions relevant to performance analysis, here in particular the completed appointment booking.

F. Purposes of Use When Using Calendly

The website operator uses Calendly to offer visitors a simple, asynchronous way to book appointments without manual coordination by email or phone. The data is used to display available time slots, complete bookings, send confirmations and reminders, and prepare and follow up on appointments.

The purposes fall into the following standardised purpose categories:

  • Provision of functionality: providing the booking widget, including the display of available slots, rendering of the iframe content, and error handling.
  • Contract performance: preparing, performing, and processing the appointment-based relationship initiated by the booking, including reminders, cancellations, and rescheduling.
  • Security and abuse prevention: detecting and preventing bot and spam bookings, general abuse prevention, authentication of users with the provider.
  • Communication: communicating with the booker in connection with appointment initiation and execution, e.g., confirmation and reminder emails.
  • General product improvement: non-individualised analysis, e.g., to optimise the booking flow and conversion rates based on aggregated metrics.

Tool category. In the website context, Calendly primarily falls into the category third-party content (appointment scheduling): the booking widget is loaded as external content from Calendly, LLC servers.

Legal bases that may apply. For the loading of the embedded widget itself, a third-party content consent (Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TDDDG) is typically a relevant legal basis, as data is transferred to a third-country provider on page load and storage on the end device may be used. For the appointment booking triggered through the form, Art. 6 (1) (b) GDPR (initiation/performance of a contract or contract-like relationship with the booker) may apply. In addition, legitimate interests under Art. 6 (1) (f) GDPR may apply, namely interests in efficiency (efficient appointment channel), security and abuse prevention (bot/spam protection), and business management (capacity planning). For popup and popup-button variants, where the iframe is loaded only after an active user click, it can be argued that the content is requested at the user's initiative.

The applicable legal basis depends on the specific circumstances (embed variant, presence of a consent banner, cookie use) and must be assessed by the website operator on a case-by-case basis.

H. Special Features and Notes on Calendly

  • Third-country transfer / DPF. According to the U.S. Department of Commerce, Calendly, LLC is certified under the EU-U.S. Data Privacy Framework. Transfers to the US can be based on the adequacy decision. Calendly additionally provides Standard Contractual Clauses through its DPA.
  • DPA. Calendly provides a Data Processing Addendum. Where Calendly acts as a processor for the website operator's appointment data, conclusion of a DPA under Art. 28 GDPR is required. The exact role (processor for appointment data, independent controller for its own back-end processing) must be assessed on a case-by-case basis.
  • Sub-processors. Calendly publishes an up-to-date sub-processor list which includes cloud infrastructure providers in particular.
  • Choosing the embed variant. From a data minimisation perspective, a popup button (iframe loaded only after the click) is generally more data-sparing than the inline embed; with the inline embed, the third-party request happens on every page load.
  • Consent banner. Operators using inline embedding should typically tie loading of the widget to a valid third-party content consent in the consent banner and display only a placeholder before consent.
  • Booking form fields. Mandatory fields in the booking form should be limited to what is necessary for the appointment (data minimisation, Art. 5 (1) (c) GDPR). Sensitive data should not be requested through mandatory questions.
  • EU representative. For data subject requests from the EU, the EU representative eurep@calendly.com (DPO Centre Europe, Berlin) is available.
  • Security information. Calendly publishes information on technical and organisational measures, including SOC 2 / ISO 27001, at calendly.com/security.
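
One way to check the consent-banner and embed-variant notes above is to scan a page's served HTML for elements that contact Calendly on page load. This is an added example, not code from Calendly or from the original page; the `text/plain` script type and the `data-src` attribute are assumed consent-manager conventions, and the sample markup and booking URL are constructed.

```javascript
// Added example: static audit for Calendly requests that fire on page load.
// Hosts are the two named on this page; the blocking markers are assumptions.
const CALENDLY_HOSTS = ["calendly.com", "assets.calendly.com"];

// True if the URL points at a Calendly host or one of its subdomains.
function isCalendlyUrl(raw) {
  let host;
  try {
    // A base lets relative and protocol-relative URLs parse as well.
    host = new URL(raw, "https://page.invalid/").hostname.toLowerCase();
  } catch {
    return false;
  }
  return CALENDLY_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Read one quoted attribute value from a tag's source text.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(["'])(.*?)\\1`, "i").exec(tag);
  return m ? m[2] : null;
}

// List the elements that make the browser contact Calendly without consent.
function findPreConsentLoads(html) {
  const findings = [];
  for (const [tag, rawName] of html.matchAll(/<(script|iframe|link)\b[^>]*>/gi)) {
    const element = rawName.toLowerCase();
    const url = attr(tag, element === "link" ? "href" : "src");
    // data-src alone triggers no request, so only src/href count.
    if (!url || !isCalendlyUrl(url)) continue;
    // Browsers neither fetch nor run a script whose type is not JavaScript.
    const type = (attr(tag, "type") || "").toLowerCase();
    if (element === "script" && type === "text/plain") continue;
    findings.push({ element, url });
  }
  return findings;
}

// Constructed sample pages; the booking URL is a placeholder.
const INLINE_PAGE = `
<div class="calendly-inline-widget" data-url="https://calendly.com/example/30min"></div>
<script src="https://assets.calendly.com/assets/external/widget.js" async></script>`;

const GATED_PAGE = `
<div class="consent-placeholder">Load the booking calendar?</div>
<script type="text/plain" src="https://assets.calendly.com/assets/external/widget.js"></script>
<iframe data-src="https://calendly.com/example/30min"></iframe>`;

console.log(findPreConsentLoads(INLINE_PAGE));
console.log(findPreConsentLoads(GATED_PAGE));
```

A static scan only sees markup present before scripts run; requests injected later by a tag manager need a browser network log to confirm.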

This information is based on publicly accessible statements by the provider (privacy notice, DPA, help pages, DPF entry) and generally researchable sources. It does not replace a case-by-case assessment by the website operator.

I. FAQ on Calendly and Data Protection

J. Conclusion on Calendly and Recommendation

Calendly is a widely used appointment scheduling service, typically embedded as a widget or popup on the website. Both when the embedding page is loaded and when a booking takes place, personal data is transferred to Calendly, LLC in the USA; the provider is certified under the EU-U.S. Data Privacy Framework and provides a DPA and a sub-processor list. The privacy policy must transparently address purpose, legal basis, recipients, third-country transfer, and storage period.

It is generally not advisable for a website operator to insert a long, separate boilerplate solely for Calendly into the privacy policy. A privacy policy that contains a separate, fully lawyer-drafted block for every tool – hosting, CDN, newsletter system, tracking, Calendly, payment provider – inevitably becomes long, repetitive, and barely readable for visitors. This conflicts with the transparency principle of Art. 12 (1) GDPR.

A structured, topic-oriented approach is more appropriate: processing activities are described across topic blocks (server operation, third-party content, appointment scheduling, newsletter, tracking, sales …); the recipients appendix then names Calendly specifically as a service provider. The matterius generator implements precisely this methodology.

This article provides general information on Calendly and does not replace legal advice in individual cases. As of: 7 May 2026.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt from 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
