
Privacy Policy

Counsel-review draft. Effective date pending. Items flagged [COUNSEL] or [ENTITY TBD] require lawyer review before this policy goes live.

This policy explains what data Foyercal collects, why we collect it, how long we keep it, and the rights you have over it. We wrote it the way we would want a privacy policy written for us: plain language, concrete numbers, no boilerplate where a real sentence will do.

1. Who we are

Foyercal (“Foyercal,” “we,” “us”) is a hosted scheduling product. The legal entity operating Foyercal is [ENTITY TBD — pending counsel confirmation whether Foyercal trades under The Shadow Legacy or a separately formed entity]. Our principal contact for privacy matters is support@foyercal.com. Postal correspondence can be addressed to the entity above and we will provide a current mailing address on request.

For the purposes of the EU and UK General Data Protection Regulation, we are the data controller for the personal data of our account holders. We are a data processor for the personal data of the people who book time through pages our account holders host on Foyercal; in that case the account holder is the controller and we act on their instructions under a data processing agreement that we make available to paying customers on request.

We have not appointed a Data Protection Officer because we do not meet the GDPR threshold that requires one. We have not appointed an EU representative; [COUNSEL: confirm whether Article 27 applies given EU resident traffic and, if so, arrange representation].

2. What we collect

Account information

When you sign up we collect your name, email address, the password hash (only if you sign in with email and password), profile photo if you upload one, time zone, the username you choose for your booking page, and the organization details you add. If you sign in with Google or Microsoft, we receive the identifier and email those providers return; we do not receive your provider password.

On paid plans we also collect billing details: company name, billing email, country, and tax identifier where required. Card numbers are handled by Stripe; we receive only a token, an expiry month, and the last four digits. We never see or store full card numbers.

Calendar metadata

When you connect a Google Calendar, Microsoft Outlook calendar, or other supported provider, we store the OAuth refresh token and the metadata we need to read free and busy time. We do not store the title, location, attendees, or body of personal calendar events. Tokens are encrypted at rest with AES-256-GCM using application-layer envelope encryption with versioned keys (current version: ENCRYPTION_KEY_V1).

Booking data

When someone books time on one of your Foyercal pages we collect the booker’s name, email, time selection, answers to any custom questions you configured, an optional marketing-consent flag, and the booker’s IP address (see retention below). We pass this data to the calendar provider you connected and to our email provider, which sends booking confirmations.

The marketing-consent flag is captured per booking, stored next to the booking record, and surfaced to the host so any follow-up email is only sent to people who opted in. Consent can be withdrawn through the unsubscribe link in every marketing email and through a request to support@foyercal.com.

Security and operational data

For privileged actions inside an organization (invitations, role changes, billing actions, integration changes, calendar connections, booking edits, exports) we record an audit log entry containing the actor, the action, the time, the IP address, and the parameters of the action. We use this data to investigate suspicious activity, enforce rate limits, and support you when something breaks.

Product analytics

We do not run third-party advertising trackers. We do not load Google Analytics, Meta Pixel, or any cross-site profiling cookie. The lightweight usage signal we collect is internal, tied to an account identifier rather than an advertising profile, and is used to understand how the product is used and where it falls short.

Communications

When you write to support, we keep the email thread for as long as the conversation is open and for an additional twelve months afterwards so we can refer to it if you write back. Threads with billing or compliance content are kept under the legal-records retention window described below.

3. Why we collect it

We use personal data to deliver the service, to keep accounts secure, to comply with legal obligations, and to improve the product. The legal bases under GDPR are:

  • Performance of contract — for the data we need to actually run the service for you (account, calendar tokens, billing, bookings).
  • Legitimate interest — for security monitoring, fraud prevention, internal analytics, and the operational data we need to run a stable platform.
  • Consent — for marketing email to bookers who tick the consent box at booking time, and for any optional cookie or tracking technology a future feature might use.
  • Legal obligation — for tax records, compliance with lawful requests, and audit logs required by law.

4. How long we keep it

Concrete retention windows are documented in our Data Retention Policy. In summary:

  • Active accounts: indefinitely, while the account is in use.
  • Soft-deleted accounts: thirty days in a recoverable state, after which a daily cron at 02:00 UTC anonymizes personally-identifying fields and removes the user from primary storage.
  • Booking records: retained on behalf of the host organization until the host deletes them or closes the account; deletable on request.
  • Booker IP addresses: anonymized after the configured retention window (default: twelve months) by a daily cron at 03:00 UTC.
  • Audit logs: retained while the organization is active. [COUNSEL: confirm a maximum retention — we are comfortable shipping with twelve months written here if a cleanup job is added before public launch].
  • Encrypted database backups: provider default (Supabase point-in-time recovery, currently seven days for our plan).
  • Vercel access logs: thirty days, controlled by Vercel.
  • Google Workspace mail delivery logs: thirty days for transit logs, controlled by Google. Message bodies are retained only in the sender mailbox.
  • Billing and tax records: seven years, as required by US and EU tax law.
  • Marketing email logs: thirty-six months, so we can prove consent was given before each send.
  • Support email threads: twelve months after the thread is closed.

You can delete most data yourself from inside the app. The account-level export and delete buttons live at /app/settings/account. For anything you cannot do yourself, email support@foyercal.com and we will respond within thirty days.

5. Your rights under GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

  • Access the personal data we hold about you.
  • Rectify data that is inaccurate or incomplete.
  • Erase your data, subject to legal retention requirements.
  • Port your data in a structured, commonly used, machine-readable format.
  • Object to processing based on legitimate interest, including direct marketing.
  • Restrict processing while a complaint is under review.
  • Withdraw consent at any time for the processing that relies on it.
  • Lodge a complaint with your local supervisory authority. We would prefer to hear from you first, but the right is yours.

Most rights are self-serve from inside the app. There is an export button and a delete button on every account page. The delete flow places the account into a thirty-day soft-delete window during which you can reactivate. After thirty days a daily cron permanently anonymizes the account: name, email, avatar, bio, and password hash are zeroed; bookings owned by the user are reassigned or anonymized in line with Article 17. For anything you cannot do yourself, email support@foyercal.com and we will respond within thirty days.

6. Your rights in California

If you are a California resident, you have rights under the California Consumer Privacy Act and the California Privacy Rights Act, including:

  • The right to know what personal information we collect and the purposes for which we collect it.
  • The right to delete personal information we have collected.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of personal information. We do not sell or share personal information in the way these laws define those terms. There is nothing to opt out of.
  • The right not to be discriminated against for exercising your rights.

Requests can be made through the same channel as GDPR requests, and we use the same thirty-day response window.

7. Sub-processors

We use the following sub-processors to run the service. Each is contractually bound to handle personal data only on our instructions and to maintain confidentiality and security obligations consistent with this policy. Their own privacy policies are linked.

  • Vercel Inc. (United States) — application hosting, edge delivery, scheduled cron jobs. vercel.com/legal/privacy-policy.
  • Supabase Inc. (European Union, region: eu-west-3 / Paris) — managed Postgres database with point-in-time recovery. supabase.com/privacy.
  • Upstash Inc. (United States) — Redis for sessions, rate limits, and short-lived denylists. upstash.com/trust/privacy.
  • Stripe, Inc. (United States; EU entity for EEA payments) — payment processing for paid plans. Card data never reaches our servers. stripe.com/privacy.
  • Google LLC (United States) — OAuth identity, Google Calendar integration, Google Meet links if configured (used only when you connect your Google account), and Google Workspace SMTP for outbound transactional email delivery (always used). policies.google.com/privacy.
  • Microsoft Corporation (United States; EU data centers for European tenants) — OAuth identity, Outlook calendar integration, Teams links if configured. Used only when you connect your Microsoft account. privacy.microsoft.com/privacystatement.
  • Zoom Video Communications, Inc. (United States) — meeting URL generation. Used only when you connect your Zoom account. zoom.us/privacy.

We will give thirty days’ notice on this page before adding a sub-processor that handles personal data, and existing paying customers can object before the addition takes effect.

8. International transfers

Foyercal’s primary database is located in the European Union (Supabase eu-west-3 / Paris). Several sub-processors (Vercel, Upstash, Stripe, Google, Microsoft, Zoom) operate primarily from the United States. When personal data of EEA, UK, or Swiss residents is transferred to the United States or to any other country without an adequacy decision, we rely on the European Commission’s 2021 Standard Contractual Clauses, supplemented where required by additional safeguards (encryption in transit, application-layer encryption for the most sensitive material, access controls, audit logging). UK transfers use the UK Addendum to the SCCs. Copies of the executed SCCs are available on request to support@foyercal.com. [COUNSEL: confirm whether a transfer impact assessment needs to be appended.]

9. Sharing inside your organization

Foyercal is built for teams. When you join an organization, owners and admins of that organization can see your name, email, profile photo, role, the calendars and integrations you have connected for use in the organization, and the bookings you host on behalf of the organization. They cannot see your personal calendar event content, your password, your two-factor secret, or the sessions belonging to your other organizations.

When you leave an organization, your personal account remains yours. Bookings you hosted under that organization stay with the organization, since they belong to it; your private account data does not.

10. Founder support access

A small set of operator accounts (the founder team and named staff configured through environment variables) can impersonate tenants for support purposes. Impersonation is gated behind a per-organization opt-in and a magic-link confirmation; an in-app banner makes the impersonated state visible at all times. Every impersonation event is recorded in the audit log. Hard-deny operations (transfer of ownership, account deletion, billing changes, decryption of OAuth tokens) cannot be performed under impersonation.

11. Cookies and similar technologies

We use a small number of strictly necessary and functional cookies. We do not run advertising trackers, third-party analytics that build cross-site profiles, or any cookie that requires affirmative consent under EU law. The full list, including TTLs, is documented at foyercal.com/cookies.

12. Security

Security controls are described in detail at foyercal.com/security. In short: TLS 1.2 or greater in transit; AES-256-GCM application-layer encryption for OAuth tokens and similar credentials; bcrypt password hashes; optional TOTP two-factor; audit logs on every privileged action; rate-limiting on authentication endpoints; sub-processor backups under their respective retention schedules; a stated commitment to notify affected customers within seventy-two hours of a confirmed personal-data breach.

13. Children

Foyercal is not intended for children under sixteen. We do not knowingly collect personal data from anyone under sixteen. If you believe a child has created an account, write to support@foyercal.com and we will remove it.

14. Lawful requests

We respond to lawful requests from law enforcement and regulators. We require valid legal process (a subpoena, a court order, a search warrant, or the equivalent under the requesting jurisdiction) before producing customer data, and we narrow the response to the specific data the order requires. Where we are legally permitted to do so, we will notify the affected customer before producing data so they have a chance to challenge the request.

15. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about individuals using purely automated means. The product surfaces aggregate analytics to help you run your business; it does not score, profile, or rank the people who book time with you.

16. Changes to this policy

We may update this policy as the product evolves. Material changes are emailed to account holders at least thirty days before the new version takes effect. Older versions are kept on request.

17. Contact

Privacy questions, requests to exercise rights, security disclosures, or anything else covered by this policy can be sent to support@foyercal.com. Mail flagged as legal or security is routed out-of-band to the founder team and acknowledged within one business day.

Effective date: pending counsel review. Draft prepared by the Foyercal team for legal review.

© 2026 Foyercal. A Shadow Legacy production.