Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
TidyCal is a user preference and personalization service that helps websites deliver customized experiences based on individual visitor settings and choices. It manages preferences for content display, communication channels, and interaction styles. TidyCal integrates with website platforms to remember and apply user choices consistently across sessions. With privacy-compliant preference storage, TidyCal enhances satisfaction by ensuring tailored browsing experiences for every visitor.
TidyCal is a scheduling and appointment booking tool operated by AppSumo, an American software publisher. Site owners embed a TidyCal calendar on their site so visitors can pick a time slot and book a meeting. The integration loads JavaScript, fonts and an iframe from tidycal.com, which means the visitor browser contacts AppSumo servers in the United States as soon as the calendar appears.
By loading the TidyCal embed, the user shares technical metadata with AppSumo: IP address, user agent, referrer, time zone and pages where the calendar appears. If a booking is completed, TidyCal also processes name, email address, the meeting subject, custom answers and the timestamp of the appointment. TidyCal sets first party cookies on tidycal.com for session and analytics, and the booking confirmation email can include tracking pixels.
The TidyCal embed reads and writes information on the visitor terminal and triggers a cross border data transfer, which engages both article 5(3) of the ePrivacy Directive and chapter V of the GDPR. The integration is therefore not strictly necessary and must be loaded behind a consent gate. Loading it by default would be sanctioned by EU data protection authorities, including the CNIL.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The legal basis for displaying the calendar and dropping cookies is article 6(1)(a) GDPR (consent). Once the user actually books, the processing of their name, email and meeting topic relies on article 6(1)(b) GDPR (performance of the meeting contract). The cookie banner should mention TidyCal by name in a marketing or functional category and let users keep using the site without booking.
Because AppSumo is based in the United States, TidyCal usage involves a transfer of personal data to a third country. AppSumo relies on the EU US Data Privacy Framework and Standard Contractual Clauses with supplementary measures. Operators should keep the relevant DPA and transfer documentation on file and include the transfer in the cookie policy and the record of processing activities.
Sign the AppSumo data processing addendum, gate the TidyCal embed behind your CMP, replace the default embed with a click to load placeholder, and offer at least one alternative booking channel (form or email). Document the integration, the cookies, the US transfer and the legal basis in the record of processing and update the cookie policy accordingly.
Websites using TidyCal must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is usually not required for embedding TidyCal on a marketing site, but is recommended when the calendar is used to schedule medical, legal or financial appointments, or when the volume of booker data is significant.
Sample consent text
Our booking calendar is provided by TidyCal (AppSumo, United States). Loading the calendar will share your IP address and booking data with TidyCal. You can accept the integration in our cookie banner or contact us by email instead.
Third-party domains contacted
tidycal.comappsumo.comasset.tidycal.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| tidycal_session | first-party | session | Session cookie set in the TidyCal iframe to keep the booking state and authenticate the user during the booking flow. |
| XSRF-TOKEN | first-party | session | Cross site request forgery token used by TidyCal to validate booking form submissions. |
| _appsumo_session | first-party | 2 weeks | Session cookie of the AppSumo platform that hosts TidyCal, used for authentication and feature flags. |
TidyCal uses cookies for user preferences — inform visitors with a consent banner.
When the calendar is loaded on tidycal.com (in the iframe), TidyCal sets first party session cookies for authentication, CSRF protection and feature flags, plus analytics cookies tied to the AppSumo platform. On the embedding site itself, no TidyCal cookie is dropped until the visitor opens the iframe, so a click to load placeholder gives strong control.
Yes. Loading the TidyCal embed triggers a request to AppSumo in the United States, sets cookies in the iframe and transfers technical metadata. This is not strictly necessary, so article 5(3) of the ePrivacy Directive and article 6(1)(a) GDPR require prior consent from the visitor before the embed loads.
Loading the calendar relies on consent (article 6(1)(a) GDPR). Once a booking is confirmed, the processing of the bookers name, email, meeting topic and answers shifts to article 6(1)(b) GDPR (performance of the appointment contract). Optional analytics and marketing emails sent by TidyCal still require consent.
Yes. TidyCal is operated by AppSumo from the United States, so personal data is transferred to a third country. AppSumo relies on the EU US Data Privacy Framework and Standard Contractual Clauses. Operators should sign the AppSumo DPA, keep the transfer documentation and inform users in the privacy policy.
A DPIA is not generally required for a standard booking calendar embedded on a marketing site. It becomes relevant if TidyCal is used to schedule sensitive appointments (medical, psychological, legal, financial) or if a large volume of bookers is processed, especially with profiling or marketing follow ups.
Replace the default embed with a click to load placeholder behind your CMP, sign the AppSumo DPA, mention TidyCal in the privacy notice and cookie policy with the US transfer mechanism, and offer an alternative booking channel by email or form. Map cookies, retention periods and data flows in the record of processing.
EU based or self hosted alternatives include Cal.com (open source), SimplyBook.me, Calendso self hosted, Easy!Appointments and Crew Meet. Compared to TidyCal these options keep data inside the EEA or on the operator infrastructure and avoid systematic US transfers.
List the TidyCal embed as a functional or marketing integration, mention that the iframe sets first party cookies on tidycal.com, name AppSumo as the data processor, indicate the US transfer with the DPF and SCC mechanism, and link to the AppSumo and TidyCal privacy notices and to your CMP preference centre.