Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent
Free plan · 10-min setup
Calendly is a US-based scheduling platform that allows individuals and teams to share availability and let others book meetings. When embedded on a website or shared via link, Calendly collects invitee names, email addresses, meeting details, and answers to intake questions. This data is processed on US infrastructure requiring SCCs. Calendly provides a GDPR-compliant DPA. The core scheduling function can be lawfully based on contract performance without consent.
Calendly is the most widely used scheduling SaaS, operated by Calendly LLC (Atlanta, Georgia). It exposes a public booking page (calendly.com/your-name) or an embedded widget that lets invitees pick a slot from the host calendar. Calendly integrates with Google Workspace, Microsoft 365, iCloud, Zoom, Google Meet, Microsoft Teams, Stripe and Salesforce.
When the publisher embeds the Calendly widget, the iframe loads from calendly.com which sets the following cookies on its domain: __calendly_session (session, 30 days), _GRECAPTCHA (Google reCAPTCHA token for bot detection), ajs_anonymous_id (Segment analytics, 1 year), ajs_user_id (logged in identifier) and _gid plus _ga from the embedded Google Analytics 4 if not blocked. The publisher domain does not receive Calendly cookies because the iframe runs on the calendly.com origin.
Once the invitee confirms a slot, the legal basis is performance of contract or pre contract (GDPR art. 6(1)(b)). However, the loading of the Calendly iframe writes third party cookies and sends the visitor IP, user agent and page URL to Calendly before any contractual relationship exists; consent under ePrivacy art. 5(3) and GDPR art. 6(1)(a) is therefore required for the widget itself. The CJEU Fashion ID case (2019) confirms that the embedding website is joint controller for the data exchanged with the embedded iframe.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Calendly LLC is certified under the EU US Data Privacy Framework since 11 October 2023. Customer data is hosted on AWS US East and US West by default. Calendly launched an EU region option (AWS Ireland) for Enterprise customers in 2023, available on request. The Calendly DPA incorporates the EU Standard Contractual Clauses (module 2) and lists Segment, Google Analytics, Stripe, Google reCAPTCHA, Sentry and Datadog as sub processors.
Gate the Calendly embed behind the productivity or marketing category of your CMP. Replace the iframe with a static button that loads the embed only after consent. Sign the Calendly DPA and activate the EU region if available on your plan. Disable the embedded Google Analytics 4 tracker in the Calendly settings. Document Calendly LLC and its sub processors in your records of processing (GDPR art. 30) and in the privacy notice. For paid consultations (right of withdrawal), comply with the EU consumer rights directive.
Privacy first European alternatives include Cal.com (open source, US headquartered with EU hosting option), Doodle (Switzerland), TidyCal (US), HubSpot Meetings (US, EU residency add on), Microsoft Bookings (Microsoft 365 EU Data Boundary), Mixmax and Chili Piper for sales teams.
Websites using Calendly must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for healthcare, recruitment or coaching contexts where Calendly may process sensitive metadata. Document the data flow to the US and the legal basis.
Sample consent text
We use Calendly, a US scheduling platform operated by Calendly LLC, to let you book a meeting with us. The Calendly widget is loaded only after you accept the productivity category in our cookie preferences; it then drops the cookies __calendly_session and _GRECAPTCHA on calendly.com. When you confirm a slot, your name, email, calendar choice and any custom answers are processed by Calendly in the United States under the EU US Data Privacy Framework and the EU Standard Contractual Clauses. You can withdraw your consent at any time.
Third-party domains contacted
calendly.comcalendly.comassets.calendly.comassets.calendly.comapi.calendly.comapi.calendly.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __calendly_session | Third party (calendly.com) | Session | Maintains the booking session on calendly.com while the invitee is choosing a slot. |
| __calendly_session | session | Session | Calendly functional session cookie required for scheduling widget operation |
| __cf_bm | Third party (calendly.com) | 30 minutes | Cloudflare bot management cookie used by Calendly to filter malicious traffic. |
| _ga_calendly | persistent | 2 years | Calendly analytics cookie tracking widget usage — requires consent |
| _ga | Third party (calendly.com) | 2 years | Google Analytics visitor identifier used by Calendly for product analytics. |
| _gid | Third party (calendly.com) | 24 hours | Google Analytics session identifier used by Calendly. |
| AWSALB | Third party (calendly.com) | 7 days | AWS Application Load Balancer sticky cookie used to route the invitee to the same backend. |
Calendly uses cookies for user preferences — inform visitors with a consent banner.
Calendly provides a GDPR DPA and SCCs for EU customers. The core scheduling function is compliant when used with a signed DPA, disclosed in your privacy policy, and with US transfer mechanisms in place. Analytics cookies on the widget require consent.
Calendly collects invitee name, email address, timezone, IP address, and any answers to intake form questions. If connected to video conferencing tools, it also creates meeting links. All this data is stored on Calendly's US infrastructure.
Contract performance (Art. 6(1)(b)) for scheduling meetings as part of a service or pre-contractual relationship. Legitimate interest (Art. 6(1)(f)) for internal scheduling. Consent required for any marketing use of collected email addresses.
Yes. All Calendly data is processed in the US. SCCs are required for EU personal data. Download and sign the Calendly DPA (which includes SCCs) from the Calendly Trust Centre at calendly.com/legal.
Yes. The embedded Calendly widget sets analytics and functional cookies. Analytics cookies track usage of the scheduling widget and require consent. Strictly necessary cookies for the scheduling session functionality may be exempt.
Only with separate consent. The legal basis for collecting the invitee's email via scheduling is contract performance or legitimate interest for the meeting. Using that email for marketing requires a separate consent, not implied from the booking.
Calendly provides tools in the admin portal to delete invitee data. Search for the invitee by email, then delete their booking records. Note that some data may be retained in Calendly automated email logs. Document the deletion for compliance records.
EU-hosted scheduling alternatives include Doodle (Switzerland), YouCanBook.me (EU option), and Cal.com (self-hostable, open source). These provide similar scheduling functionality with EU data residency options, eliminating the US transfer complexity.
Third party cookies on calendly.com: __calendly_session (session), __cf_bm (Cloudflare bot management, 30 minutes), _ga and _gid (Google Analytics), AWSALB (AWS load balancer routing, 7 days).
Yes. The embed sets non essential analytics, bot management and session cookies and loads scripts from calendly.com. Prior consent under Art. 5(3) ePrivacy is required before loading.
Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) for the embed cookies. Contract performance (Art. 6(1)(b)) for the booking data once the invitee selects a slot.
Yes. Default storage is on AWS US East. Enterprise customers can request EU residency in Frankfurt. Transfers covered by EU SCCs and the EU US Data Privacy Framework (Calendly LLC is certified).
A DPIA is recommended in healthcare, recruitment or coaching where Calendly may process sensitive metadata, or for high volume B2C bookings.
Sign the Calendly DPA, request EU data residency on Enterprise, list Calendly as a US processor in your Article 30 record, block the embed behind your CMP, minimise custom questions, disable default analytics integrations.
EU alternatives: Cal.com (open source, Switzerland), Skej (Estonia), Doodle (Switzerland), Microsoft Bookings (US/EU), TidyCal (US), SimplyBook.me (Estonia), Vyte (France), Youcanbook.me (UK), Acuity Scheduling (US, Squarespace).
List each Calendly cookie with name, purpose, retention and legal basis (consent). Mention calendly.com as the third party domain and the US transfer with the EU US Data Privacy Framework reference.