We collect the minimum. We sell none of it.

circleit is a booking widget. To do that job we need to know who you are (your email and name), when you're free (Google Calendar free/busy), and who's trying to book you (the attendee's email and name). That's the whole list. We don't sell, share, or trade any of it. We don't show your data to advertisers. We don't load tracking pixels on our site.

From you (the organizer)

• Email address (signup)
• Name (optional, shown on your public booking page)
• Username slug (yourname → circleit.app/u/yourname)
• Timezone (auto-detected from browser; you can override)
• Google OAuth tokens (encrypted at rest with a key separate from your session key; we use these only to read free/busy and write circleit-created events to your calendar)
• Your availability rules and event types (e.g., "Mon-Fri 9-5, 30-min intros")

From attendees (people who book you)

• Name
• Email
• Optional notes they type into the booking form
• Booking start and end timestamps (UTC)
• The chosen time slot and timezone

We don't ask for credit cards, phone numbers, addresses, or any other personal information. We don't collect IP addresses for analytics; we keep them briefly only for spam protection (Cloudflare Turnstile + per-IP rate limiting).

When you connect Google Calendar, circleit requests exactly two OAuth scopes:

• https://www.googleapis.com/auth/calendar.events.owned — lets circleit create, update, and delete the calendar events circleit itself creates on your calendar. circleit cannot see or modify events created by you or anyone else.
• https://www.googleapis.com/auth/calendar.freebusy — lets circleit see when you are busy (start time + end time only) so the booking widget hides slots that would conflict. circleit cannot see event titles, descriptions, attendees, or locations.

We do not request access to your contacts, files, photos, Gmail, Drive, or anything else in your Google account. We also don't track attendee browsing history or behavior on your site.

The minimum service providers required to run the product:

• Vercel — hosts the application. Sees standard HTTP request data.
• Neon — hosts the database. Encrypted at rest.
• Resend — sends confirmation, reminder, and password-reset emails on our behalf.
• Google — for the Calendar integration only.
• Cloudflare — DNS, CDN, and bot/spam protection (Turnstile).

No data is shared with advertisers, marketing networks, data brokers, or other third parties. We do not transfer attendee data to anyone for marketing.

We use one cookie: the session cookie that keeps you logged in. It's HTTP-only, SameSite=Strict, and prefixed with __Host-. There is no third-party analytics, no Facebook pixel, no Google Analytics, no advertising network. The privacy stance is the marketing.

You can:

• Download a copy of all your data from your dashboard settings.
• Delete your account from dashboard settings; bookings are retained 90 days for audit, then hard-deleted.
• Email privacy@circleit.app with any GDPR/CCPA request. We respond within 30 days.

Attendees who want their booking data deleted can email privacy@circleit.app — we'll verify the request via the attendee's email of record and delete within 30 days.

Servers are in the United States. By using circleit you consent to data transfer to and storage in the US. We honor GDPR data-subject-access and erasure requests for EU users.

If we update this policy, we'll email every organizer 7 days before the change takes effect. Older versions are kept on file; email privacy@circleit.app for a copy.