Privacy Policy

Table of Contents

• 1. Controller Identity
• 2. Definitions
• 3. Data We Collect
• 4. How We Use Your Data
• 5. Legal Bases for Processing
• 6. Calendinho's Role in Data Processing
• 7. Third-Party Sharing
• 7.1 Compliance with Google API Services User Data Policy
• 8. International Data Transfers
• 9. Cookies
• 10. Data Retention
• 11. Your Rights as a Data Subject
• 12. Security
• 13. Children's Data
• 14. Changes to This Policy
• 15. Contact

1. Controller Identity

Calendinho is operated by Axiom Technologies ("we", "our"), based in São Paulo, Brazil. We are responsible for the processing of your personal data as described in this Privacy Policy and in accordance with Brazil's General Data Protection Law (LGPD — Law No. 13,709/2018).

Privacy contact: legal@calendinho.com

As a small-scale processing agent under ANPD Resolution CD/ANPD No. 2/2022, Calendinho is exempt from the obligation to appoint a Data Protection Officer (DPO). All requests related to personal data may be directed to the email above.

2. Definitions

• Data Subject: The natural person to whom the personal data relates (you).
• Controller: The person or entity responsible for decisions regarding personal data processing.
• Processor (Operador): The person or entity that processes data on behalf of the controller.
• Personal Data: Information related to an identified or identifiable natural person.
• ANPD: Brazil's National Data Protection Authority, responsible for overseeing LGPD compliance.
• Professional: A registered Calendinho user who creates scheduling pages.
• Guest: A person who books an appointment through a Professional's public page.

3. Data We Collect

3.1 Professional Data (Registered Users)

When you create a Calendinho account, we collect:

• Registration data: name, email address, profile photo, bio, profile slug, timezone
• Authentication data: credentials managed by Clerk (our authentication provider); Google OAuth tokens when you connect your Google account
• Configuration data: event types, availability schedules, schedule overrides, custom booking fields, team settings
• Integration data: Google Calendar ID, access and refresh tokens for calendar sync

3.2 Guest Data (People Who Book)

When a Guest books an appointment, we collect:

• Booking data: name, email address, optional notes
• Custom fields: responses to fields configured by the Professional (may include additional information such as phone number, reason for appointment, etc.)
• Reservation data: appointment date/time, event type, location, meeting link, status, cancellation reason (if applicable)

3.3 Automatically Collected Data

• Technical data: IP address, browser type, operating system, device type
• Cookies: session cookies, language preference, and analytics cookies (when consented). See section 9 for details.

4. How We Use Your Data

5. Legal Bases for Processing

In accordance with Art. 7 of the LGPD, we process your data based on the following legal grounds:

• Contract performance (Art. 7, V): For data necessary to provide the scheduling service — registration, schedule configuration, booking processing, calendar sync, and notifications.
• Consent (Art. 7, I): For analytics cookies (PostHog) and marketing communications. You may revoke your consent at any time.
• Legitimate interest (Art. 7, IX): For platform security, fraud prevention, and service improvement based on aggregated data.

6. Calendinho's Role in Data Processing

Calendinho plays two distinct roles under the LGPD:

• Controller of Professional data: We determine the purposes and means of processing Professionals' registration, authentication, and configuration data.
• Processor of Guest data: When a Guest books an appointment, the Professional is the Controller of that data, and Calendinho acts as a Processor, handling the data solely as instructed by the Professional and to facilitate the booking.

Professionals using Calendinho are responsible for ensuring they have an adequate legal basis for collecting their Guests' data, especially when configuring custom fields that may involve sensitive data (e.g., health information).

7. Third-Party Sharing

We share personal data with the following service providers (processors):

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

7.1 Compliance with Google API Services User Data Policy

Calendinho's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Calendinho:

• Uses Google user data only to provide the user-facing features described in this policy — namely creating events on the user's primary calendar for confirmed bookings, generating Google Meet links via the Calendar API's conferenceData field, reading existing events to prevent double-booking on public booking pages, and displaying the email of the connected Google account so the user can confirm the right account is linked.
• Does not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
• Does not allow humans to read Google user data except (a) with the user's affirmative agreement for specific messages, (b) when necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymized.
• Does not transfer Google user data to third parties except as necessary to provide or improve the user-facing features described in this policy, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.

The Google scopes Calendinho requests are:

• https://www.googleapis.com/auth/calendar.events — to create, read, update, and delete events on the connected calendar
• https://www.googleapis.com/auth/userinfo.email — to display the email of the connected Google account
• openid — to identify the connecting account via the OAuth ID token

8. International Data Transfers

Your personal data may be transferred to and processed in the United States by the service providers listed in section 7. These transfers are carried out based on:

• Standard contractual clauses entered into with each provider
• Appropriate technical and organizational measures for data protection

You may request additional information about the applicable safeguards by contacting us at legal@calendinho.com.

9. Cookies

Essential Cookies (always active)

Analytics Cookies (with consent)

Analytics cookies are only activated after your explicit consent. You can manage your cookie preferences at any time.

10. Data Retention

• Professional account data: Retained while the account is active. After a deletion request, data is removed within 30 days, except where legal retention obligations apply.
• Booking data: Retained as needed for service provision and for up to 6 months after account closure, for audit and legal compliance purposes.
• Technical logs: Retained for up to 12 months for security purposes.
• Analytics data: Aggregated and anonymized — not personal data after aggregation.

11. Your Rights as a Data Subject

Under Art. 18 of the LGPD, you have the right to:

1. Confirmation of the existence of data processing
2. Access to the personal data we hold about you
3. Correction of incomplete, inaccurate, or outdated data
4. Anonymization, blocking, or deletion of unnecessary or excessive data
5. Portability of data to another service provider
6. Deletion of data processed based on consent
7. Information about public and private entities with whom we share your data
8. Information about the possibility of withholding consent and its consequences
9. Revocation of consent at any time

To exercise any of these rights, contact us at legal@calendinho.com. We will respond to your request in simplified form immediately or in detailed form within 15 days.

Guests: If you booked an appointment through Calendinho, your data is controlled by the Professional who set up the booking page. To exercise your rights regarding that data, please contact the Professional directly. If needed, we can also assist you — email legal@calendinho.com.

If you believe that the processing of your data does not comply with the LGPD, you may file a complaint with the ANPD (National Data Protection Authority) at https://www.gov.br/anpd.

Revoking Google access: You can disconnect Calendinho from your Google account at any time from Settings → Integrations in your dashboard. Disconnecting immediately deletes the stored OAuth access and refresh tokens from our servers. You can additionally revoke Calendinho's access from your Google Account at https://myaccount.google.com/permissions.

12. Security

We adopt technical and administrative measures to protect your personal data:

• Encryption in transit (TLS/HTTPS) for all communications
• Encryption at rest for our PostgreSQL database, including OAuth access and refresh tokens
• Role-based access controls for internal data
• Authentication managed by a specialized provider (Clerk)

No system is 100% secure. In the event of a security incident that may pose a relevant risk or harm to data subjects, we will notify the ANPD and affected individuals as required by the LGPD.

13. Children's Data

Calendinho is not directed at individuals under 18 years of age. We do not knowingly collect data from minors. If we become aware that we have collected data from a minor, we will take steps to delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. In the event of material changes:

• We will notify registered Professionals by email at least 30 days in advance
• The "last updated" date at the top of this page will be updated
• Continued use of the service after the changes take effect constitutes acceptance of the updated policy

15. Contact

For questions, requests, or complaints about this Privacy Policy or the processing of your personal data:

Email: legal@calendinho.com

Axiom Technologies São Paulo, SP — Brazil