CitaCal Legal

Privacy Statement

Effective date: March 11, 2026

1. Overview

This Privacy Statement explains how CitaCal, operated by Vivekananda Bharathi, Chennai, India ("CitaCal", "we", "us", or "our"), collects, uses, stores, and shares personal data when you use our scheduling platform, booking pages, dashboard, and related services.

CitaCal serves users worldwide. We comply with applicable privacy laws including India's Information Technology Act 2000, the Digital Personal Data Protection Act 2023 (DPDP Act), and, where applicable to our users, the EU General Data Protection Regulation (GDPR) and other regional privacy frameworks.

By using CitaCal, you acknowledge this Privacy Statement. If you do not agree, please do not use the service.

2. Who This Applies To

This statement covers two categories of individuals:

  • Users (account holders): People who sign up for CitaCal to create scheduling pages, manage bookings, and access the dashboard. CitaCal is the data controller for user data.
  • Invitees (bookers): People who book meetings through a CitaCal scheduling page created by an account holder. For invitee data, the account holder is the data controller and CitaCal acts as a data processor on their behalf. Invitees should contact the account holder (the person whose booking page they used) with questions about their data.

3. Data We Collect

We may collect the following categories of personal data:

  • Account data: Name, email address, authentication identifiers, and profile settings provided during registration.
  • Booking data: Attendee name, attendee email, optional custom fields, event details, meeting metadata, and booking status.
  • Attribution and analytics data: UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) and advertising click identifiers (including gclid, li_fat_id, fbclid, ttclid, and msclkid when present in booking page URLs), booking conversion events, and referral source information.
  • Integration data: Calendar account connections (Google, Microsoft), selected calendar IDs, OAuth tokens and refresh tokens required to provide calendar sync functionality, and Zoom account credentials where configured.
  • Technical data: IP address, browser and device information, and identifiers stored in cookies or browser local storage used for session management, attribution continuity, and security purposes.

4. How We Use Data

  • Provide, maintain, operate, and secure the CitaCal service.
  • Create and manage bookings and calendar events on behalf of account holders.
  • Preserve and report attribution information associated with bookings.
  • Operate integrations including calendar sync, video conferencing, and webhooks.
  • Send transactional communications related to your account or bookings.
  • Prevent abuse, fraud, spam, and unauthorized access.
  • Comply with legal obligations and enforce our Terms of Service.
  • Improve and develop the service using aggregated and anonymized data.

We do not use your data to serve third-party advertising, and we do not sell personal data to any third party.

5. Legal Bases for Processing

Where required by applicable law (including GDPR for EU/EEA users and the DPDP Act for Indian users), we process personal data on one or more of the following bases:

  • Performance of a contract: Processing necessary to provide the service you have signed up for.
  • Legitimate interests: Processing for security, fraud prevention, product improvement, and service communications, where our interests do not override your rights.
  • Consent: Where you have given explicit consent, such as for optional features or marketing communications.
  • Legal compliance: Processing required to meet our obligations under applicable law.

6. Sharing and Sub-Processors

We do not sell personal data. We share data only with service providers ("sub-processors") who process data on our behalf under appropriate data processing terms. Current sub-processors include:

  • Clerk — identity and authentication
  • Supabase — database and data storage
  • Vercel — application hosting and infrastructure
  • Google — Google Calendar integration and Google OAuth
  • Microsoft — Outlook Calendar integration and Microsoft OAuth
  • Zoom — video meeting creation (where configured)
  • Analytics and ad platforms — configured by the account holder (e.g. Google Analytics, Mixpanel) to receive attribution events

We may also disclose personal data where required by law, court order, or governmental authority.

If you are an EU/EEA business and require a Data Processing Agreement (DPA) to use CitaCal in compliance with GDPR, please contact us at support@citacal.com and we will provide one on request.

7. Cookies and Local Storage

CitaCal uses cookies and browser local storage to operate sessions, preserve attribution data across the booking flow (stored under the key citacal_utm with a 30-day expiry), remember preferences, and support security controls.

You can control cookies through your browser settings. Disabling cookies may affect session management. Disabling local storage may affect attribution features.

8. Data Retention

We retain personal data only as long as necessary to provide the service, meet legal obligations, resolve disputes, and enforce agreements:

  • Account data is retained for the duration of your account and for up to 90 days after deletion.
  • Booking data is retained for as long as your account is active, or as required by law.
  • Attribution data (UTM parameters, click IDs) stored in browser local storage expires after 30 days.
  • OAuth tokens are retained only as long as the integration is active.

9. Security

We use reasonable technical and organizational safeguards to protect personal data, including encrypted data transmission (TLS), access controls, and authentication security. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights, we will notify affected users and, where required, the appropriate supervisory authority within the timeframe required by applicable law.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request erasure of your personal data, subject to legal retention requirements.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at support@citacal.com. We will respond within 30 days of receiving your request. We may need to verify your identity before processing your request.

If you are an EU/EEA resident and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.

11. International Data Transfers

CitaCal is operated from India and uses infrastructure providers (Vercel, Supabase, Clerk) that may process data in the United States or other countries. Where your data is transferred outside your home country, we rely on appropriate safeguards such as standard contractual clauses, adequacy decisions, or our sub-processors' own compliance frameworks to protect your data.

12. Children's Privacy

CitaCal is not directed to children under 18 and we do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor, we will delete it promptly. Please contact us at support@citacal.com if you believe a minor's data has been submitted.

13. Changes to This Statement

We may update this Privacy Statement from time to time. For material changes, we will notify you by email or by posting a prominent notice within the service at least 14 days before the changes take effect. We will revise the effective date at the top of this page.

14. Grievance Officer

In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, the designated Grievance Officer is:

Name: Vivekananda Bharathi
Email: support@citacal.com
Response time: Complaints will be acknowledged within 48 hours and resolved within 30 days of receipt.

15. Contact

Privacy questions can be sent to support@citacal.com.

You may also review our Terms of Service.