Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent
Free plan · 10-min setup
Calendly is a US-based scheduling platform that allows individuals and teams to share availability and let others book meetings. When embedded on a website or shared via link, Calendly collects invitee names, email addresses, meeting details, and answers to intake questions. This data is processed on US infrastructure requiring SCCs. Calendly provides a GDPR-compliant DPA. The core scheduling function can be lawfully based on contract performance without consent.
Calendly is a cloud-based scheduling automation platform that allows individuals, teams, and organisations to share their availability and let others book meetings without back-and-forth email. Users create scheduling links or embed booking widgets on websites. Invitees select available slots and provide their contact information. Calendly is widely used for sales demos, customer support calls, job interviews, consultations, and team coordination.
When an invitee books through Calendly, their name, email address, timezone, IP address, and any answers to intake form questions are collected. Event hosts'' calendar data, availability preferences, and meeting history are also stored. If Calendly is integrated with CRM systems, HubSpot, or Salesforce, booked meeting data flows into those systems, creating additional data flows requiring disclosure.
The primary legal basis for processing invitee data when booking a meeting is contract performance (Art. 6(1)(b)) — the meeting is part of the service relationship. Pre-contractual steps (a sales demo, an intake consultation) may also qualify. Legitimate interest (Art. 6(1)(f)) may apply for internal scheduling and calendar management. Consent is required for any marketing follow-up using the email address collected via Calendly booking.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
All Calendly data is processed in the US. SCCs are required for EU personal data. Calendly provides a GDPR Data Processing Agreement and SCCs at its trust centre. Sign the DPA before embedding Calendly on EU-facing websites or sharing Calendly links with EU contacts. Disclose the US transfer and SCC mechanism in your privacy policy.
Sign the Calendly DPA and SCCs from the Calendly Trust Centre. Add Calendly to your privacy policy with the US transfer disclosure. If using Calendly intake forms, only collect fields that are necessary for the meeting. Do not use booking email addresses for marketing without separate consent. Configure Calendly notification email settings to minimise data included in automated emails. Implement a process for responding to invitee erasure requests via Calendly''s data deletion tools.
Websites using Calendly must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard meeting scheduling use cases. It may become relevant for healthcare or legal contexts where meeting topics reveal sensitive information, or for large-scale recruitment processing using Calendly intake forms.
Sample consent text
This scheduling tool is provided by Calendly (US). When you book a meeting, your name, email address, and any information you provide are sent to and processed by Calendly on US servers under Standard Contractual Clauses. See our privacy policy for full details.
Third-party domains contacted
calendly.comassets.calendly.comapi.calendly.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __calendly_session | session | Session | Calendly functional session cookie required for scheduling widget operation |
| _ga_calendly | persistent | 2 years | Calendly analytics cookie tracking widget usage — requires consent |
Calendly uses cookies for user preferences — inform visitors with a consent banner.
Calendly provides a GDPR DPA and SCCs for EU customers. The core scheduling function is compliant when used with a signed DPA, disclosed in your privacy policy, and with US transfer mechanisms in place. Analytics cookies on the widget require consent.
Calendly collects invitee name, email address, timezone, IP address, and any answers to intake form questions. If connected to video conferencing tools, it also creates meeting links. All this data is stored on Calendly's US infrastructure.
Contract performance (Art. 6(1)(b)) for scheduling meetings as part of a service or pre-contractual relationship. Legitimate interest (Art. 6(1)(f)) for internal scheduling. Consent required for any marketing use of collected email addresses.
Yes. All Calendly data is processed in the US. SCCs are required for EU personal data. Download and sign the Calendly DPA (which includes SCCs) from the Calendly Trust Centre at calendly.com/legal.
Yes. The embedded Calendly widget sets analytics and functional cookies. Analytics cookies track usage of the scheduling widget and require consent. Strictly necessary cookies for the scheduling session functionality may be exempt.
Only with separate consent. The legal basis for collecting the invitee's email via scheduling is contract performance or legitimate interest for the meeting. Using that email for marketing requires a separate consent, not implied from the booking.
Calendly provides tools in the admin portal to delete invitee data. Search for the invitee by email, then delete their booking records. Note that some data may be retained in Calendly automated email logs. Document the deletion for compliance records.
EU-hosted scheduling alternatives include Doodle (Switzerland), YouCanBook.me (EU option), and Cal.com (self-hostable, open source). These provide similar scheduling functionality with EU data residency options, eliminating the US transfer complexity.