Last update: October 18, 2022
We are Readdle Limited ("we") and we provide you services under these Terms of Service. In the Calendars Application ("App" or "Calendars") you can manage your schedule together with events and tasks.
We understand that you care about your privacy and we appreciate the trust you place in us. To justify your trust, we embed the latest data security standards, improve our awareness of privacy matters, and comply with the General Data Protection Regulation and other privacy laws.
This Privacy Notice describes which of your personal data the App collects, how it stores and processes it, and what happens when you use Calendars. Such treatment may include without limitation the following:
We do not collect, track or store any personal data over what we need to provide and improve our product and services, perform our marketing campaigns as described in this policy, and comply with our legal obligations. Please note that we:
The users of the App are divided into two categories depending on their subscription plan:
You own and control the personal data we collect about you. We do not collect and process personal data about you without being transparent about it in this Privacy Notice.
You can choose not to provide certain information or disable and prevent us from collecting, storing, and processing it by changing your App settings on your device (e.g., by revoking consent or opt-out checkboxes), by sending a data subject request to our email address dpo@readdle.com or by any means of communication available for you, Please be aware that you may not be able to enjoy some of the Calendars’ features in such a case.
When processing your personal data Calendars acts as a data controller under the GDPR. We are the controller of the personal data for Free Users and Pro Users from the moment of the User’s consent to the Terms of Service. This means that we determine the amount, purpose, and means of personal data processing when you use the App, and all this information is contained in this Privacy Notice.
For more details about our role as a controller of personal data, please contact us at dpo@readdle.com.
This Privacy Notice applies to the App compatible with macOS and iOS, accessible through Mac App Store and AppStore. You can download the App on our Website <https://readdle.com/calendars>, too (click the “Free download” button).
We collect and process your personal data in accordance with the provisions of the GDPR, the CCPA and other data protection laws applicable to us. We are serious in our commitment to adhere to the data protection laws and regulations, as we value your trust and comfort.
We process two categories of data: technical and personal data you provide to us. Some of it can be seen on the client-side (interface), and some of it is processed on the backend:
We may collect personal data either directly from you (for example, via the registration page or exchange of technical information between your device and our server), or from third parties on your behalf (for example, when you log in to the third party service and give us permissions to use the credentials of your third-party service account) or by assigning you identifiers or creating tokens that enable you to obtain access to and use Calendars’s features. Certain data is transmitted by your mobile device (such as your IP address, the periods of time in which you use the App and the type of device you use (e.g. iPhone, iPad), as well as events within the App). We may transfer such data to third parties such as Amplitude for analytical purposes. Please refer to the Amplitude’s Privacy Notice for the additional information.
Under the GDPR, we may process your personal data only where and to the extent required by the purposes for which we collect your data and the applicable legal basis of processing. The GDPR provides an exclusive list of lawful bases allowing us to process your personal data. During personal data processing we usually rely only on four of them, namely:
Examples of consent:
"Calendars" Would Like to Send You Notifications
Notifications may include alerts, sounds and icon badges. These can be configured in Settings.
Don’t Allow / Allow
Example of legitimate interest:
When we collect the history of your requests made on the App in order to customize services we propose to you. Sometimes, we will write emails to our registered users to inform them of our new features and products.
This section explains our approach and practices for processing personal data. We process your personal data for purely business purposes: to enable you to use our services, to notify you of our new products and features, to invite you to participate in our special programs and offers, and to use parts of your data (usually pseudonymized) to monitor the trends and develop our product and business.
Email address. We may ask you for your email address in order to:
Depending on the particular situation, we may rely on your consent to receive further communications in case of marketing communications, our contractual obligation to notify you of any changes to the App, this Privacy Notice, the Terms of Service and legal obligation imposed by law when we receive a law enforcement request or court order or our legitimate interest to keep the personal data and App safe and secure.
Your email is safe and we do not use it for profiling or targeting. We will not use your email longer than necessary to achieve the particular purpose unless we need to store it for a longer period due to the security policies or legal obligation imposed by applicable law.
OAuth login or server credentials. Calendars require your credentials to log into your email service provider’s calendar in order to plan calendar events, share the invitation to them with other persons, receive and respond to other event participation requests, and set notifications. Without such access, Calendars will not be able to provide you with the ability to manage the events in your email service provider’s calendar. We request your permission to access your Gmail, Outlook, or iCloud account, and you are free to revoke the access rights at any time by either changing the settings of the App on your device or the email account provided by Gmail, Outlook or iCloud. Please read the Google User Data section of this policy to learn more about the permissions we may ask for.
Event information. When you plan an event, we may store and process the event name, attendee’s data (name, email address, profile picture), location data, video call data, notes, to-do lists, recurring events, smart reminders data, invites and other data necessary to plan the event. We only process this information based on your consent (when you use these data to create an event, instruct us to sync the calendars you have and ask us to notify you about this event by push notifications) and store them based on our contractual duty to provide you with the service. We do not have any data on our servers because our App exchanges the data directly with the chosen calendar. You may store the calendar events on your device. Given that you have to accept a calendar event, to create one or otherwise make a recording in your calendar, we rely on your consent. Consent can be withdrawn by deleting the event and/or disabling the specific Calendar. Your event information is stored on your device for offline access and performance purposes. By deleting the App from your device you delete all related data. To learn more about the retention periods applied by your calendars’ providers, please refer to their privacy notices: Google Calendar, Outlook, iCloud, etc.
IP address and technical information. The core functionality of Calendars is based on a connection to the Internet. That is why our App won’t properly function without an Internet connection. For example, we may process particular technical information:
APNS device token (Apple Push Notification Service): Push notifications allow you to get immediate updates about new or planned events or changes in the events you’ve already saved. You’re free to enable or disable them during the initial App setup or later using your device’s system preferences.
Billing data and Subscription management. You may need to subscribe to the Pro subscription plan in order to use certain premium functionalities, and in this case we will need to process your payment data. We also use an in-house developed data aggregation tool to get the record of the subscription transaction and to store the non-sensitive payment data, such as pseudonymized user ID in our system, subscription plan type and expiration date. We process this data to perform the contract you’ve entered into with us (Terms of Service), and some of this data can be processed by us to comply with the applicable law or to pursue our legitimate interests (such as the App security protection and monitoring of the invoicing procedures). We keep this data as long as you have the active App on your device.
App Store: We need to read the AppStore receipt data to get the purchase date (install date in this case) for the analytics purpose. We will pass the receipt data to the backend to get purchase details to build personal billing. In case the payment has been made through the AppStore, the payment data is processed by Apple, we only read it on the subscription payment date. The AppStore in-app purchase rules and policies will also apply.
Important: the App does not have access to your sensitive payment data, such as credit card info and does not store it. Your credit card is passed directly to our payment processor (Apple) and does not ever go through our servers.
Logs. Some information about your use of the App services can be stored either by us or by your device:
Customer Support communication. We may process a record of communication including your name, email address, device type, message and attachments and information you voluntarily decide to share with us for troubleshooting purposes whenever you communicate with our support team. We process this information for the investigation and troubleshooting, and we may use the de-identified information from the communication and attachments to further analyze and enhance the App.
Analytics and statistics. In order to better understand general app usage patterns, improve the App and its user experience, the App may collect general statistical information about the usage of the Website. Collecting such data helps us optimize the Website and App in future updates and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts. We may collect information about your device (such as model, series, manufacturer, OS update, screen parameters, Internet connection data), App version, iOS version information, non-precise location data (such as country), cookies and other web tracking technologies so we may understand which (web)pages are most useful for you and which ones should be added or deleted. Such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts: we work with pseudonymized or anonymized data, including in the aggregated form. We do not use these data to reverse identify a particular user. We usually process such data in a pseudonymized or anonymized form where possible, and our processing is based on either your consent, legal obligation, or our legitimate interest. More information about analytics and statistics subcontractors we engage is available in the “Analytics Tools We Use” section of this notice.
Apps and websites may use cookies and other tracking technologies for a variety of purposes: for analytics, marketing activities, remembering your preferences, and other purposes such as security of data. Such use may involve the transmission of information from us to you and from you to a third-party website or us.
A website or app may use cookies to the following extent:
We do not use cookies in our App. As to the Website, you may find the information about the cookies that we use in our cookies policy. Cookies are small text files that are stored on your hard disk of the computer with which you visit a website and which are allocated to your browser and through which certain information is submitted to the cookies user that sets the cookie (in this case us). To delete them, you may clear the cache of your browser; to find out how you can delete the cookies, please visit the Help Center or Settings of your browser.
Calendars' use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. We may receive information about notifications, creation of new events from Google APIs, as well as in the process of event syncing with Google. Information about events and tasks, together with the information related to features with access to company's emails is stored on your device. This section may be helpful for you if you use Calendars in conjunction with your Gmail / Google Calendar account.
Permissions. When seeking access to your Google user data, all permission requests are being sent by the Calendars’ app. Your authorized client credentials to access your Gmail account provided to us will be kept confidential. We request access only to the information we need (namely, about the events in the calendar); we will prompt you to refresh the access permissions if we implement new features. Where possible, we will use incremental auth.
Revocation of access and Deletion of Google User Data. You may revoke the App’s access to your Gmail account by going to Google Account > Security > Third parties. You can also revoke such access in App settings. However, Google may keep the record of granting such access, and you may need to log in to your Gmail account to remove it. If you decide to do so, we will lose access to your Google account and will no longer be able to provide you with event syncing and creation, tasks syncing and creation, rooms, organization directory, push notifications, event creating features. Upon your request, we will delete all data collected from your Google account (such as events stored in your Google Calendar); however, in such a case, we may not be able to provide you with the ability to use the App’s features to work with your Google Calendar events. Please note that the data collected before your revocation of access will remain, but you still can delete the App from your device. Therefore, by deleting the App you delete your data.
Types of data requested. We will list the types of data being requested on the webpage of the permission request. If we need more (or less) permissions to run our Service, we will prompt a new permission request for you to review and consent (or reject). Not all Google User Data may contain personal data. Some statistical data will be anonymized.
Request purpose. The purpose for which the App requests your user data is to enable you to use Calendar’s features when you are working with your Google Calendar. Without access to the Google Calendar, we cannot provide you with the features that include viewing, creating, changing, deleting, storing, sharing, filtering, whitelisting and other manipulations with the events that are performed on your behalf (in other words, pursuant to your instructions issued by manipulating the App’s interface). We do not use your Google User Data for any other purposes but to provide you with access and ability to use the App.
Disclaimer. We do not use Google User Data to display, sell, or otherwise distribute this data to a third party conducting surveillance. The App does not have hidden features, services or actions that are not mentioned in this Privacy Notice or Terms of Service. We take reasonable and appropriate steps to protect all applications or systems that make use of Google User Data against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure.
With regard to the access to Google User Data as specified above, we will:
In order to better understand general app usage patterns, improve the App and its user experience, we collect general statistical information about the usage of our App. Collecting such data helps us optimize the App in future updates and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts.
We use the Amplitude service to gather statistics on the App usage. As a User, you will not see how this service operates. The Amplitude projects (statistics per specific User after being combined into general groups via several criteria) are fully anonymized. This process does not involve personal data that we can access. Amplitude sends us an anonymized report, it collects team names and domains only.
Please read Amplitude’s Privacy Policy to learn more about their processing of personal data.
Please pay attention. We knowingly do not process the data from Users below 16 years of age without a legal representative’s consent. If you are such a User or the user’s legal representative, please inform us by email at dpo@readdle.com.
The App is designed to store as little data as possible. Events and calendar dates are either stored on your third-party calendar service (Gmail, Outlook, iCloud Calendar) or your device calendar. You may keep a copy of your calendar accounts to access them while you are offline, but once the device is connected to the Internet, your events and dates will be synchronized with your calendars. We store your personal data until you delete the App.
In short, we use the following retention periods:
Unless no shorter storage period is indicated in this Privacy Notice, we, in general, store personal data as long (i) as required for the provision of the Services to you, and/or (ii) as it is necessary with regard to the contractual relationship with you, thereafter only if and to the extent that we are obliged to do so by mandatory statutory retention obligations. If we no longer require the respective personal data for the purposes described above, such personal data will only be stored during the respective legal retention period and not processed for other purposes.
Consent. We process the data based on your consent during the general term unless you withdraw it. After you withdraw your consent, it will take us up to 30 calendar days to erase your data after the completion of our information security procedures.
Deletion. Where possible, we will delete the data we process as a controller under GDPR within 1 (one) month following the request. In case the request is complex or we have received a number of requests from the same individual, we may extend the time to respond to it by a further 2 (two) months. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
Backup of the database on the App Store Receipts is conducted once a day.
We use Google Cloud SQL service for backup purposes. You can learn more about the procedure in their guide here.
We use your personal data based on the performance of the contract to provide services and communicate with the Users.
We share your personal data with our contractors in the scope we need to provide services, technical and customer support. In addition, we can share your data on the following grounds: consent, compliance with the law (or legal obligation), and legitimate interest. Also, we have implemented organizational and technical measures to ensure the security of personal data during data transfer to third-party.
Consent. We share your personal data based on your explicit consent.
Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:
Legitimate interest or performance of the contract. We may share your personal data with third parties based on a public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your personal data to our related parties subject to conducting legitimate interest assessment. We may transfer your personal data to certain companies, consultants, and contractors hired to provide certain services on our behalf.
Subcontractors. We partly use service providers who process personal data on behalf of us to operate the technical platform for the Services. These service providers process the data exclusively according to our instructions. The legal basis for the data processing described in this section is our contractual duty and processors’ obligations imposed by Article 28 GDPR (order processing) and our contractual agreement with them (service agreement, confidentiality agreement, data processing agreement, etc.).
We will ask for your consent unless data transfer is part of the contract performance. Here is the list of the 3rd parties we may engage in the processing of personal data:
We may share your personal data with other subcontractors, such as auditors, lawyers, accountants, software engineers and other specialists and experts that we may engage on a contractual basis.
The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also share some data with our service providers in Ukraine. International transfers are subject to strict data protection safeguards, including technical and organizational measures and contractual relationships.
There is no adequacy decision by the European Commission regarding neither the USA nor Ukraine. Therefore, we have prepared a data processing agreement based on the standards of the Standard Contractual Clauses and carried out the legislation assessments for data protection during transfer and storage which takes place in third countries under the GDPR, such as the USA and Ukraine.
You can read detailed information on measures we take to protect your personal data in the “Security measures” section below.
We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.
To be more specific, to protect your personal data we use HTTPS and encryption, divided group and individual access (where appropriate), alarm system, corporate VPN, written approved internal policies (like password policy and physical access policy).
Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.
Here you can find information about the steps we mentioned above:
Our team is competent in the matter of the protection of your personal data. Company regularly performs training in order to ensure that every member of the team has enough knowledge to keep your data safe and protect it in accordance with the best practices prescribed by European and U.S. laws on data protection.
We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.
We currently use Hetzner and Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure the safety of your data with them.
App Center. You can read more on the security measures via the link.
Google. You can read more on the security measures via the link.
1. Physical access control: group access and alarm system
We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.
An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.
2. System access control: individual access and password policy
Each employee has access to the systems/services only via his/her employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.
Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.
We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.
Passwords must meet specific requirements. It must be at least:
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.
3. Data access control: monitoring and physical access policy.
All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.
Due to the proximity of the employees, a visual inspection is possible at any time.
Locking and/or logging off when leaving work is prescribed and practiced.
4. Transfer control: contractual obligations and corporate VPN
Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable).
Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.
Access to the systems outside the company network is possible only via secure VPN access.
5. Input control: general restriction
Our employees do not work directly at the database level, but instead, use applications to access the data.
IT employees access the system via individual access and use a common login.
6. Availability control: backups and division
We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.
Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.
Our workstations are also protected with the usual measures. For example, virus scanners are installed and laptops are encrypted.
We would like to specify that we use MDM-solution to protect employee devices with security settings.
7. Separation control: limited access.
We use logically separate databases to prevent unauthorized persons from accidentally reading data to separate data.
Access to the data is also restricted because employees use services (applications) that control access.
You, as subjects of personal data, have the following rights:
| Right | Description |
|---|---|
| Right to access | You can request an explanation of the processing of your personal data. |
| Right to rectification | You can change the information if it is inaccurate or incomplete. |
| Right to erasure | You can send us a request to delete your personal data from our systems. |
| Right to data portability | You can request all the data that you provided to us, as well as request to transfer data to another controller. |
| Right to object | You can object to the processing of your data. |
| Right to restriction | You may partially or wholly prohibit us from processing your personal data. |
| Right to withdraw consent | You can withdraw your consent at any time. |
| Right to lodge a complaint | If your request was not satisfied, you can file a complaint to the regulatory body. |
To exercise your rights, write us an email at dpo@readdle.com
Also, you have a right to file a complaint to the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland or using webforms. Please note that you can contact your local supervisory authority. Your local authority will then contact the Irish supervisory authority to communicate your complaint or request.
As the owner of personal data, you have specific privacy rights. To exercise them, please write us an email at dpo@readdle.com
Your rights vary depending on the laws that apply to you but may include:
Please see more detailed information about some state-specific laws in a separate section; you can find it in the navigation on the right of the page.
| The Virginia’s Consumer Data Protection Act | The Consumer Privacy Act and California Privacy Rights Act | The Colorado Privacy Act | The Nevada Privacy Law | The Delaware Online Privacy and Protection Act |
|---|---|---|---|---|
| Right to Know whether the controller is processing a customer’s personal data. | Right to Know what personal information is collected and Right to Access personal information. | Right of Access. | Right to Know whether the controller is processing the customer’s personal data. | Right of Access. |
| Right to Access personal data processed by the controller. | Right to Know if Personal Information is Sold. | The right to confirm the processing of personal data. | Right to Opt-Out of Sale. | Right to withdraw consent. |
|
Right to Correct. Right to Delete. Right to Data Portability. Right to Opt-Out of targeted advertising, the sale of personal data, or profiling. |
Right to Delete. Subject to certain exceptions. Right to Data Portability. Right to Correct. Right to Opt-Out of Sale. Right to Limit Use and Disclosure of Sensitive Personal Information. |
Right to Access. Right to Correction. Right to Deletion. Right to Data Portability. Right to Opt-Out of targeted advertising, the sale of personal data, or profiling via a universal Opt-Out mechanism. |
Right to Correct. |
Right to Correction. Right for "do not track" request Right to Opt-Out of Sale. |
What do these rights mean?
Depending on the state and legislative requirements, we have from 30 to 60 days to exercise your request with the right to postpone it for 30 days more.
The GDPR regulates this Privacy Notice and the relationships falling under its effect. Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Notice on our website.
If we make significant material changes that affect your privacy and confidentiality, we will notify you by email or display information in the App and ask you to read it.
Here you can find the definitions of the terms used throughout the Privacy Notice.
“Calendars”, “App”, “we”, “our”, “us”: Readdle Limited, an Ireland-based technology company that maintains and operates Calendars (“App”).
“Controller”, “data controller”: the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed.
“Data protection officer”, “DPO”: an employee or a contractor who is designated by Readdle Limited to help it comply with the GDPR and other data protection laws and who is assigned to help you protect your personal data rights. You may contact DPO at dpo@readdle.com.
“Data subject”: a natural person about whom the App holds personal data (an identified or identifiable natural person).
“GDPR”: European Union’s General Data Protection Regulation.
“Personal data”: any information relating to you and helping identify you (directly or indirectly) such as your name, last name, email, location data, etc.
“Processing”: any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor”, “data processor”: the natural or legal person who processes personal data on behalf of the data controller.
“Services”, “Features” (either capitalized or not): the Calendars’ features are available through the use of the App, either Free or Pro, together or separately.
“Subprocessor”: anyone other than us who we have appointed to process personal data of our clients. Subprocessors can see no more data than we can see (unless you supply them with your personal data outside the App). Examples include our data hosting providers and payment processors.
“Supervisory authority”: a local regulator under the GDPR which has the job of seeing that we protect your data properly.