Calendly

calendly.com · facts updated 2 weeks ago

Privacy facts at a glance

Jurisdictions: US · CA · NL · IL · UK
Subprocessors: 24
Retention: Data retention is not explicitly stated in terms of a specific number of days in the excerpted documents.
Breach notification: The DPA defines a 'Security Breach' as a confirmed breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, but no specific notification hour SLA is stated in the excerpts.
Transfer mechanism: EU-US Data Privacy Framework, UK Extension to the EU-US Data Privacy Framework, Swiss-US Data Privacy Framework, and Standard Contractual Clauses (SCCs) with UK Addendum
DPA available: Yes
Certifications: SOC 2 Type 2 · SOC 3 · ISO/IEC 27001 · CSA STAR Level One · PCI Compliant
GDPR addressed: Yes
CCPA addressed: Yes

Named subprocessors

Ada Aiven Amazon Web Services Assembled Cloudflare Datadog E-HAWK Elasticsearch Google Hex Hyperdoc (a.k.a. Recall.ai) Intercom

Tracked documents

https://calendly.com/legal/privacy-notice checked 11 hours ago

https://calendly.com/legal/customer-terms-conditions checked 10 hours ago

Data processing agreement

https://calendly.com/legal/data-processing-addendum checked 10 hours ago

Subprocessor list

https://calendly.com/help/calendly-sub-processors-gdpr-ccpa checked 10 hours ago

Security / trust page

https://calendly.com/security checked 8 hours ago

Recent changes

Subprocessor list 2 weeks ago

Document updated.

moderate Data processing agreement 3 weeks ago

Calendly updated its DPA effective date from December 10, 2025 to June 1, 2026, removed the explicit CCPA definition and enumerated US state privacy law list (replacing with a general 'US State Privacy Laws' term), removed the Notetaker-specific update notice, added a new 'Instructions' definition, and renamed 'Invitee Terms' to 'Participant Terms' in navigation.

minor Terms of service 3 weeks ago

Calendly updated the Customer Terms effective date from December 10, 2025 to June 1, 2026, removed the Notetaker Limited Availability transition notice, changed the incorporated policy reference from 'most recent version of our Acceptable Use Policy' to 'all applicable Policies', and renamed 'Invitee Terms and Conditions' to 'Participant Terms and Conditions' in the navigation.

major Subprocessor list 3 weeks ago

Calendly updated its subprocessor list document title and introductory text for clarity, updated the document date from April 1, 2026 to May 28, 2026, and removed the 'IT Teams' processing activity category from the listed subprocessors.

Data processing agreement 3 weeks ago

Document updated.

minor Data processing agreement 3 weeks ago

Calendly's Data Processing Addendum diff shows only reformatting and structural/navigation changes with no material alterations to definitions, data processing terms, subprocessors, retention periods, or data subject rights.

minor Subprocessor list 1 month ago

Calendly's subprocessor list page shows only navigation/UI text changes with no actual subprocessor additions, removals, or data processing changes.

Public summary; per-account review history visible to subscribers tracking this vendor.

Track Calendly in your workspace.

Get notified when Calendly adds a subprocessor, changes retention, updates their DPA, or quietly amends their privacy posture.

Start tracking — 14-day trial

No card required.