When you use Calendly to collect information from people who book time with you, you are legally responsible for that data collection, including getting any required permissions from those individuals.
This analysis describes what Calendly's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Business users who share booking pages publicly are treated as the data controller for all information submitted by meeting invitees, meaning GDPR, CCPA, and other privacy obligations fall on the customer, not Calendly.
Interpretive note: The precise scope of customer controller obligations may vary by jurisdiction and the nature of data collected; GDPR and CCPA apply different standards for lawful basis and notice requirements.
This clause places full legal responsibility on the Calendly customer for any personal information collected from meeting invitees through their booking pages, including the obligation to have a lawful basis for collection and to obtain required consent under applicable privacy law.
How other platforms handle this
If you are in the 'Designated Countries', LinkedIn Ireland Unlimited Company ('LinkedIn Ireland') will be the controller of your personal data provided to, or collected by or for, or processed in connection with our Services. If you are outside of the Designated Countries, LinkedIn Corporation will ...
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
When Glean provides services to an enterprise customer, we process personal data on behalf of that customer. In this context, the enterprise customer is the data controller and Glean acts as a data processor. If you are an employee or authorized user of one of our enterprise customers and have quest...
Monitoring
Calendly has changed this document before.
"Customers may use the Services to collect information from Invitees. Customer is solely responsible for ensuring that any such collection, use, and disclosure of Invitee information complies with all applicable laws and regulations, including obtaining any required consents from Invitees. Calendly processes Invitee information on behalf of the Customer and in accordance with Customer's instructions." — Excerpt from the Calendly Terms of Use
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4, 24, and 28, which define controller and processor roles and obligations. By designating the customer as solely responsible for invitee data, the agreement positions Calendly as a processor and the customer as the controller for this data population. Under GDPR, controllers must establish a lawful basis for processing, provide notice to data subjects, and satisfy data subject rights requests for invitee personal data. CCPA similarly requires businesses acting as controllers to disclose collection practices and honor consumer rights requests. The FTC Act is also relevant where inadequate invitee disclosure constitutes an unfair or deceptive practice.
(2) GOVERNANCE EXPOSURE: High. Customers operating in the EU/EEA or collecting data from EU residents through Calendly booking pages assume controller-level GDPR liability for an often-overlooked data population: external meeting participants who may not have Calendly accounts. Failure to provide adequate notice or establish lawful basis for invitee data collection may constitute a GDPR violation attributable to the customer.
(3) JURISDICTION FLAGS: EU/EEA jurisdictions create the highest exposure given GDPR's extraterritorial scope and the explicit controller designation in these terms. California residents who are invitees may have CCPA rights that the customer must honor. Illinois BIPA may be implicated if scheduling flows collect biometric-adjacent data. Healthcare-adjacent invitee data may raise HIPAA questions independently.
(4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should confirm that their own privacy policies and consent mechanisms cover invitee data collected through Calendly. A Data Processing Addendum with Calendly should be reviewed to confirm it accurately reflects the processor-controller relationship and includes appropriate sub-processor disclosures. B2B contracts that embed Calendly scheduling should allocate responsibility for invitee data compliance clearly.
(5) COMPLIANCE CONSIDERATIONS: Legal teams should conduct a data mapping exercise to identify invitee personal data flows through Calendly and ensure these are reflected in the organization's Record of Processing Activities under GDPR Article 30. Privacy notices should be updated to reference scheduling-related data collection. Organizations should assess whether their booking page workflows include adequate notice to invitees at the point of data collection.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Calendly.