Calendars Privacy Notice

Last update: October 18, 2022

We are Readdle Limited ("we") and we provide you services under these Terms of Service. In the Calendars Application ("App" or "Calendars") you can manage your schedule together with events and tasks.

We understand that you care about your privacy and we appreciate the trust you place in us. To justify your trust, we embed the latest data security standards, improve our awareness of privacy matters, and comply with the General Data Protection Regulation and other privacy laws.

This Privacy Notice describes which of your personal data the App collects, how it stores and processes it, and what happens when you use Calendars. Such treatment may include without limitation the following:

  • collection;
  • recording;
  • organization;
  • storage;
  • structuring;
  • alteration;
  • retrieval;
  • consultation;
  • use;
  • disclosure by transmission;
  • restriction; and
  • erasure or destruction.

We do not collect, track or store any personal data over what we need to provide and improve our product and services, perform our marketing campaigns as described in this policy, and comply with our legal obligations. Please note that we:

  • DO NOT sell your data;
  • DO NOT use automated decision-making and profiling which produces legal effects concerning Calendars users or creates similarly significant effects that affect Calendars Users.

Context

  1. Definition of “User”
  2. Controller details
  3. Applicability
  4. Personal Data in Calendars
    1. Before We Start
    2. Personal Data We Process
      1. Email address
      2. OAuth login or server credentials
      3. Event information
      4. Fax
      5. IP address and technical information
      6. APNS device token (Apple Push Notification Service)
      7. Billing data and Subscription management.
      8. Logs
      9. Customer Support communication
      10. Analytics and statistics
    3. Cookies Information
    4. Google User Data
    5. Analytics
    6. Age Limitation
  5. Term of Storage and Retention Periods
  6. Backup storage
  7. Data sharing with 3rd parties
  8. Data transfer outside the European Economic Area
  9. Security measures
  10. Privacy rights
    1. EU privacy rights
    2. The USA citizens’ privacy rights
  11. Privacy Notice Update
  12. Definitions

Definition of "User"

The users of the App are divided into two categories depending on their subscription plan:

  • User Free is a natural person that uses the App free of charge;
  • Pro User is a natural person that upgraded the App to Calendars Pro (and therefore, obtained access to more features of the App).

You own and control the personal data we collect about you. We do not collect and process personal data about you without being transparent about it in this Privacy Notice.

You can choose not to provide certain information or disable and prevent us from collecting, storing, and processing it by changing your App settings on your device (e.g., by revoking consent or opt-out checkboxes), by sending a data subject request to our email address dpo@readdle.com or by any means of communication available for you, Please be aware that you may not be able to enjoy some of the Calendars’ features in such a case.

Controller details

When processing your personal data Calendars acts as a data controller under the GDPR. We are the controller of the personal data for Free Users and Pro Users from the moment of the User’s consent to the Terms of Service. This means that we determine the amount, purpose, and means of personal data processing when you use the App, and all this information is contained in this Privacy Notice.

For more details about our role as a controller of personal data, please contact us at dpo@readdle.com.

Contact details:

  • Company: Readdle Limited
  • Address: 6 Harcourt Terrace, Dublin 2, D02P210, Ireland
  • Email: dpo@readdle.com

Applicability

This Privacy Notice applies to the App compatible with macOS and iOS, accessible through Mac App Store and AppStore. You can download the App on our Website <https://readdle.com/calendars>, too (click the “Free download” button).

Personal Data in Calendars

We collect and process your personal data in accordance with the provisions of the GDPR, the CCPA and other data protection laws applicable to us. We are serious in our commitment to adhere to the data protection laws and regulations, as we value your trust and comfort.

Before We Start

We process two categories of data: technical and personal data you provide to us. Some of it can be seen on the client-side (interface), and some of it is processed on the backend:

  • client side is the part of the App displayed or takes place on the users’ devices;
  • backend is an invisible crucial part of the App where algorithms operate on the variables and data points. In the majority of cases, it is crucial to process such data in order to provide our services to you. For example, we keep backend data taking into account organizational and technical measures to ensure the security of your data.

We may collect personal data either directly from you (for example, via the registration page or exchange of technical information between your device and our server), or from third parties on your behalf (for example, when you log in to the third party service and give us permissions to use the credentials of your third-party service account) or by assigning you identifiers or creating tokens that enable you to obtain access to and use Calendars’s features. Certain data is transmitted by your mobile device (such as your IP address, the periods of time in which you use the App and the type of device you use (e.g. iPhone, iPad), as well as events within the App). We may transfer such data to third parties such as Amplitude for analytical purposes. Please refer to the Amplitude’s Privacy Notice for the additional information.

Under the GDPR, we may process your personal data only where and to the extent required by the purposes for which we collect your data and the applicable legal basis of processing. The GDPR provides an exclusive list of lawful bases allowing us to process your personal data. During personal data processing we usually rely only on four of them, namely:

  • performance of the contract: for processing that is strictly necessary for service provision as written in the Terms of Service, such as your ability to use the features provided in your subscription or technical and customer support;
  • legitimate interest: for processing that is reasonable for the user and required for the development of the service (such as processing operations that are required to protect the App from security incidents);
  • consent: for additional processing for specific purposes (for example, marketing communications);
  • legal obligation: for complying with the applicable laws and regulations (such as tax regulations or law enforcement requests).

Examples of consent:
"Calendars" Would Like to Send You Notifications
Notifications may include alerts, sounds and icon badges. These can be configured in Settings.
Don’t Allow / Allow


Example of legitimate interest:
When we collect the history of your requests made on the App in order to customize services we propose to you. Sometimes, we will write emails to our registered users to inform them of our new features and products.

Personal Data We Process

This section explains our approach and practices for processing personal data. We process your personal data for purely business purposes: to enable you to use our services, to notify you of our new products and features, to invite you to participate in our special programs and offers, and to use parts of your data (usually pseudonymized) to monitor the trends and develop our product and business.

Email address. We may ask you for your email address in order to:

  • obtain access to the calendar of events provided by your Gmail, iCloud or Outlook account (synchronization is based on your choice and consent);
  • communicate with you in case you need our advice or assistance, have a suggestion or inquiry, or we need to contact you pursuant to the Terms of Service, applicable law, law enforcement request or court order, etc.;,
  • begin your free trial period (App Store will store and process your email as described in App Store’s privacy policy);
  • respond to your data subject requests filed at dpo@readdle.com (as required by the data protection laws applicable to us), and
  • send you notifications and newsletters (to tell you about our updates, recommendations and your subscription status).

Depending on the particular situation, we may rely on your consent to receive further communications in case of marketing communications, our contractual obligation to notify you of any changes to the App, this Privacy Notice, the Terms of Service and legal obligation imposed by law when we receive a law enforcement request or court order or our legitimate interest to keep the personal data and App safe and secure.

Your email is safe and we do not use it for profiling or targeting. We will not use your email longer than necessary to achieve the particular purpose unless we need to store it for a longer period due to the security policies or legal obligation imposed by applicable law.

OAuth login or server credentials. Calendars require your credentials to log into your email service provider’s calendar in order to plan calendar events, share the invitation to them with other persons, receive and respond to other event participation requests, and set notifications. Without such access, Calendars will not be able to provide you with the ability to manage the events in your email service provider’s calendar. We request your permission to access your Gmail, Outlook, or iCloud account, and you are free to revoke the access rights at any time by either changing the settings of the App on your device or the email account provided by Gmail, Outlook or iCloud. Please read the Google User Data section of this policy to learn more about the permissions we may ask for.

Event information. When you plan an event, we may store and process the event name, attendee’s data (name, email address, profile picture), location data, video call data, notes, to-do lists, recurring events, smart reminders data, invites and other data necessary to plan the event. We only process this information based on your consent (when you use these data to create an event, instruct us to sync the calendars you have and ask us to notify you about this event by push notifications) and store them based on our contractual duty to provide you with the service. We do not have any data on our servers because our App exchanges the data directly with the chosen calendar. You may store the calendar events on your device. Given that you have to accept a calendar event, to create one or otherwise make a recording in your calendar, we rely on your consent. Consent can be withdrawn by deleting the event and/or disabling the specific Calendar. Your event information is stored on your device for offline access and performance purposes. By deleting the App from your device you delete all related data. To learn more about the retention periods applied by your calendars’ providers, please refer to their privacy notices: Google Calendar, Outlook, iCloud, etc.

IP address and technical information. The core functionality of Calendars is based on a connection to the Internet. That is why our App won’t properly function without an Internet connection. For example, we may process particular technical information:

  • your IP address: it is a unique identifier that lets you connect to the Internet and our service will log connections for security and troubleshooting purposes;
  • certain data that is also transmitted by your mobile device: your IP address, the periods of time in which you use the App and the type of device you use (e.g. iPhone, iPad), as well as events within the application recorded with Amplitude analytics in order to give us the possibility to continuously improve the App;
  • App token assigned by us: this token allows us to identify your device in our system and troubleshoot potential issues you might experience, and this data is stored and processed along with the data from the App on your device;
  • calendar identifiers (push tokens): these tokens are initiated by the calendar service provider and help to update the events, create events and provide information about events (Google, Microsoft (Outlook));
  • device, App version, iOS version information: we collect these data on the basis of our contractual duty to ensure that the App functions properly on your specific device.

APNS device token (Apple Push Notification Service): Push notifications allow you to get immediate updates about new or planned events or changes in the events you’ve already saved. You’re free to enable or disable them during the initial App setup or later using your device’s system preferences.

Billing data and Subscription management. You may need to subscribe to the Pro subscription plan in order to use certain premium functionalities, and in this case we will need to process your payment data. ​​We also use an in-house developed data aggregation tool to get the record of the subscription transaction and to store the non-sensitive payment data, such as pseudonymized user ID in our system, subscription plan type and expiration date. We process this data to perform the contract you’ve entered into with us (Terms of Service), and some of this data can be processed by us to comply with the applicable law or to pursue our legitimate interests (such as the App security protection and monitoring of the invoicing procedures). We keep this data as long as you have the active App on your device.

App Store: We need to read the AppStore receipt data to get the purchase date (install date in this case) for the analytics purpose. We will pass the receipt data to the backend to get purchase details to build personal billing. In case the payment has been made through the AppStore, the payment data is processed by Apple, we only read it on the subscription payment date. The AppStore in-app purchase rules and policies will also apply.

Important: the App does not have access to your sensitive payment data, such as credit card info and does not store it. Your credit card is passed directly to our payment processor (Apple) and does not ever go through our servers.

Logs. Some information about your use of the App services can be stored either by us or by your device:

  • We may collect the information necessary to prevent fraud and potential unauthorized access to your personal information, ensuring the technical availability and security of the App. We use App Center Analytics for analytical purposes (please read Microsoft Privacy Statement to learn more). The server that hosts the App may record requests your device makes to the server, the details on the device and browser you use, your IP address, date and time of access, city and country, operating system, browser type, mobile network information. This data is used only for technical purposes – that is, to ensure the proper functioning and security of the App and to investigate possible security incidents. We keep this data for up to 28 days and then either delete or anonymize them.
  • Your own device may store the information about your events and App, such as event’s contents, actions with them, date and time of such actions. Unless you send this information to us, we cannot process it. We will process it only for the investigation of issues you have with using the App and only on the basis of your consent. Storage of these data is based on your device settings and device manufacturer’s policies.

Customer Support communication. We may process a record of communication including your name, email address, device type, message and attachments and information you voluntarily decide to share with us for troubleshooting purposes whenever you communicate with our support team. We process this information for the investigation and troubleshooting, and we may use the de-identified information from the communication and attachments to further analyze and enhance the App.

Analytics and statistics. In order to better understand general app usage patterns, improve the App and its user experience, the App may collect general statistical information about the usage of the Website. Collecting such data helps us optimize the Website and App in future updates and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts. We may collect information about your device (such as model, series, manufacturer, OS update, screen parameters, Internet connection data), App version, iOS version information, non-precise location data (such as country), cookies and other web tracking technologies so we may understand which (web)pages are most useful for you and which ones should be added or deleted. Such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts: we work with pseudonymized or anonymized data, including in the aggregated form. We do not use these data to reverse identify a particular user. We usually process such data in a pseudonymized or anonymized form where possible, and our processing is based on either your consent, legal obligation, or our legitimate interest. More information about analytics and statistics subcontractors we engage is available in the “Analytics Tools We Use” section of this notice.

Cookies Information

Apps and websites may use cookies and other tracking technologies for a variety of purposes: for analytics, marketing activities, remembering your preferences, and other purposes such as security of data. Such use may involve the transmission of information from us to you and from you to a third-party website or us.

A website or app may use cookies to the following extent:

  • Transient / Session cookies (are automatically deleted when you close your browser). This includes in particular the session cookies. These may store a so-called session ID, which identifies user sessions in the browser. Session cookies are deleted when you log out or close your browser.
  • Persistent / Setting cookies (help the Website remember your information and settings when you visit them in the future). They are automatically deleted after a specified period, which may differ depending on the cookie.

We do not use cookies in our App. As to the Website, you may find the information about the cookies that we use in our cookies policy. Cookies are small text files that are stored on your hard disk of the computer with which you visit a website and which are allocated to your browser and through which certain information is submitted to the cookies user that sets the cookie (in this case us). To delete them, you may clear the cache of your browser; to find out how you can delete the cookies, please visit the Help Center or Settings of your browser.

Google User Data

Calendars' use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. We may receive information about notifications, creation of new events from Google APIs, as well as in the process of event syncing with Google. Information about events and tasks, together with the information related to features with access to company's emails is stored on your device. This section may be helpful for you if you use Calendars in conjunction with your Gmail / Google Calendar account.

Permissions. When seeking access to your Google user data, all permission requests are being sent by the Calendars’ app. Your authorized client credentials to access your Gmail account provided to us will be kept confidential. We request access only to the information we need (namely, about the events in the calendar); we will prompt you to refresh the access permissions if we implement new features. Where possible, we will use incremental auth.

Revocation of access and Deletion of Google User Data. You may revoke the App’s access to your Gmail account by going to Google Account > Security > Third parties. You can also revoke such access in App settings. However, Google may keep the record of granting such access, and you may need to log in to your Gmail account to remove it. If you decide to do so, we will lose access to your Google account and will no longer be able to provide you with event syncing and creation, tasks syncing and creation, rooms, organization directory, push notifications, event creating features. Upon your request, we will delete all data collected from your Google account (such as events stored in your Google Calendar); however, in such a case, we may not be able to provide you with the ability to use the App’s features to work with your Google Calendar events. Please note that the data collected before your revocation of access will remain, but you still can delete the App from your device. Therefore, by deleting the App you delete your data.

Types of data requested. We will list the types of data being requested on the webpage of the permission request. If we need more (or less) permissions to run our Service, we will prompt a new permission request for you to review and consent (or reject). Not all Google User Data may contain personal data. Some statistical data will be anonymized.

Request purpose. The purpose for which the App requests your user data is to enable you to use Calendar’s features when you are working with your Google Calendar. Without access to the Google Calendar, we cannot provide you with the features that include viewing, creating, changing, deleting, storing, sharing, filtering, whitelisting and other manipulations with the events that are performed on your behalf (in other words, pursuant to your instructions issued by manipulating the App’s interface). We do not use your Google User Data for any other purposes but to provide you with access and ability to use the App.

Disclaimer. We do not use Google User Data to display, sell, or otherwise distribute this data to a third party conducting surveillance. The App does not have hidden features, services or actions that are not mentioned in this Privacy Notice or Terms of Service. We take reasonable and appropriate steps to protect all applications or systems that make use of Google User Data against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure.

With regard to the access to Google User Data as specified above, we will:

  • only use access to read, write, modify, or control Google Calendar events, metadata, headers, and settings to provide an app client that allows users to compose, send, read, accept, reject and otherwise process events and will not transfer this Google data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets;
  • not use this Google data for serving advertisements, including retargeting, personalized, or interest-based advertising;
  • not allow humans to read this data unless we have your affirmative agreement (consent) to view specific messages, doing so is necessary for security purposes such as investigating a bug or abuse, complying with applicable law, investigating an issue and even then only when the data have been aggregated and anonymized;
  • ensure that your employees, agents, contractors, and successors comply with this Google API Services: User Data Policy.

Analytics

In order to better understand general app usage patterns, improve the App and its user experience, we collect general statistical information about the usage of our App. Collecting such data helps us optimize the App in future updates and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts.

We use the Amplitude service to gather statistics on the App usage. As a User, you will not see how this service operates. The Amplitude projects (statistics per specific User after being combined into general groups via several criteria) are fully anonymized. This process does not involve personal data that we can access. Amplitude sends us an anonymized report, it collects team names and domains only.

Please read Amplitude’s Privacy Policy to learn more about their processing of personal data.

Age Limitation

Please pay attention. We knowingly do not process the data from Users below 16 years of age without a legal representative’s consent. If you are such a User or the user’s legal representative, please inform us by email at dpo@readdle.com.

Term of Storage and Retention Periods

The App is designed to store as little data as possible. Events and calendar dates are either stored on your third-party calendar service (Gmail, Outlook, iCloud Calendar) or your device calendar. You may keep a copy of your calendar accounts to access them while you are offline, but once the device is connected to the Internet, your events and dates will be synchronized with your calendars. We store your personal data until you delete the App.

In short, we use the following retention periods:

  • receipt data: we may keep the App Store receipts data for the period necessary to comply with the applicable law (for example, tax regulations);
  • log data: we may keep some log data collected by us for 28 days before anonymizing or deleting it;
  • customer support data: we may retain the data you’ve sent to us as long as it is necessary to investigate and troubleshoot the issue, and then we destroy the received files or anonymize them.

Unless no shorter storage period is indicated in this Privacy Notice, we, in general, store personal data as long (i) as required for the provision of the Services to you, and/or (ii) as it is necessary with regard to the contractual relationship with you, thereafter only if and to the extent that we are obliged to do so by mandatory statutory retention obligations. If we no longer require the respective personal data for the purposes described above, such personal data will only be stored during the respective legal retention period and not processed for other purposes.

Consent. We process the data based on your consent during the general term unless you withdraw it. After you withdraw your consent, it will take us up to 30 calendar days to erase your data after the completion of our information security procedures.

Deletion. Where possible, we will delete the data we process as a controller under GDPR within 1 (one) month following the request. In case the request is complex or we have received a number of requests from the same individual, we may extend the time to respond to it by a further 2 (two) months. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

Backup storage

Backup of the database on the App Store Receipts is conducted once a day.

We use Google Cloud SQL service for backup purposes. You can learn more about the procedure in their guide here.

Data sharing with 3rd parties

We use your personal data based on the performance of the contract to provide services and communicate with the Users.

We share your personal data with our contractors in the scope we need to provide services, technical and customer support. In addition, we can share your data on the following grounds: consent, compliance with the law (or legal obligation), and legitimate interest. Also, we have implemented organizational and technical measures to ensure the security of personal data during data transfer to third-party.

Consent. We share your personal data based on your explicit consent.

Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:

  • to comply with a government request, court order, or applicable law;
  • to prevent unlawful use of our App or violation of the Terms of Service and our policies;
  • to protect against claims of third parties;
  • to help prevent or investigate fraud.

Legitimate interest or performance of the contract. We may share your personal data with third parties based on a public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your personal data to our related parties subject to conducting legitimate interest assessment. We may transfer your personal data to certain companies, consultants, and contractors hired to provide certain services on our behalf.

Subcontractors. We partly use service providers who process personal data on behalf of us to operate the technical platform for the Services. These service providers process the data exclusively according to our instructions. The legal basis for the data processing described in this section is our contractual duty and processors’ obligations imposed by Article 28 GDPR (order processing) and our contractual agreement with them (service agreement, confidentiality agreement, data processing agreement, etc.).

We will ask for your consent unless data transfer is part of the contract performance. Here is the list of the 3rd parties we may engage in the processing of personal data:

  • Google Cloud (Google LLC, USA). Here we store our databases, push tokens, logs, and backups. Please see more details here.
  • Appsflyer (AppsFlyer Ltd., Israel). provides us with measurement, analytics, fraud protection, and engagement technologies. For more details, please refer to the Subcontractor’s Privacy Policy.
  • Braze (Braze, Inc., USA). This service is used to process your data for sending some marketing communications and analytics. For more details, please refer to the Subcontractor’s Privacy Policy.
  • CampaignMonitor (Campaign Monitor Pty Ltd., USA). We send a list of all accounts there for statistics. To see more details about data processing, please see Privacy Notice.
  • Postmark (Wildbit LLC, USA). This service is used to process your data for sending transactional emails. Transactional emails are emails about transactions, for example, the purchase of pro, about the start or the end of the trial. To see more details about data processing, please see Privacy Notice.
  • Google Analytics (Google LLC, USA). This service is used for analytical purposes.
  • Google (Google LLC, USA). We use your data for the synchronization of accounts. To see more details about data processing, please see Privacy Notice.
  • Apple Inc (Apple Inc, USA). We receive the technical data about the iOS systems and general statistics. To see more details about data processing, please see Privacy Notice.
  • Amplitude (Amplitude, Inc., USA) is an analytics tool we use to understand how users experience our App. Their Privacy Policy can be accessed here.
  • AppCenter (Microsoft-provided tool, USA): we use them to monitor crash logs. You may read about their privacy practices in this article.
  • Appfigures (Appfigures, Inc., USA). This service is used to analyze revenue from app downloads and in-app purchases and subscriptions to see the complete picture and benchmark growth. Their Privacy Policy is accessible here.
  • Apptweak (AppTweak S.A., Belgium). This service is used for analytical purposes, namely to monitor an app or game’s visibility in an app store. You may read their Privacy Policy on their website.
  • Data.ai (DATA.AI INC., USA). This service is used for analytical purposes. You may read their Privacy Policy on their website.
  • MailChimp (The Rocket Science Group LLC d/b/a Mailchimp, USA): This service is used to process your data for sending some of our marketing communications and analytics. For more details, please refer to the Subcontractor’s Privacy Policy.
  • Media Toolkit (Mediatoolkit d.o.o., the Republic of Croatia). For more details, please refer to the Subcontractor’s Privacy Policy.
  • Schedjoules (Schedjoules BV, The Netherlands). For more details, please refer to the Subcontractor’s Privacy Policy.

We may share your personal data with other subcontractors, such as auditors, lawyers, accountants, software engineers and other specialists and experts that we may engage on a contractual basis.

Data transfer outside the European Economic Area

The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also share some data with our service providers in Ukraine. International transfers are subject to strict data protection safeguards, including technical and organizational measures and contractual relationships.

There is no adequacy decision by the European Commission regarding neither the USA nor Ukraine. Therefore, we have prepared a data processing agreement based on the standards of the Standard Contractual Clauses and carried out the legislation assessments for data protection during transfer and storage which takes place in third countries under the GDPR, such as the USA and Ukraine.

You can read detailed information on measures we take to protect your personal data in the “Security measures” section below.

Security measures

We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.

To be more specific, to protect your personal data we use HTTPS and encryption, divided group and individual access (where appropriate), alarm system, corporate VPN, written approved internal policies (like password policy and physical access policy).

Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.

Here you can find information about the steps we mentioned above:

Trained team

Our team is competent in the matter of the protection of your personal data. Company regularly performs training in order to ensure that every member of the team has enough knowledge to keep your data safe and protect it in accordance with the best practices prescribed by European and U.S. laws on data protection.

HTTPS and encryption

We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.

We currently use Hetzner and Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure the safety of your data with them.

App Center. You can read more on the security measures via the link.

Google. You can read more on the security measures via the link.

Security measures (detailed explanation):

1. Physical access control: group access and alarm system

We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.

An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.

2. System access control: individual access and password policy

Each employee has access to the systems/services only via his/her employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.

Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.

We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.

Passwords must meet specific requirements. It must be at least:

  • 12 characters long
  • 1 letter in upper-case
  • 1 letter in lower-case
  • 1 number
  • 1 non-alphanumeric character

Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.

3. Data access control: monitoring and physical access policy.

All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.

Due to the proximity of the employees, a visual inspection is possible at any time.

Locking and/or logging off when leaving work is prescribed and practiced.

4. Transfer control: contractual obligations and corporate VPN

Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable).

Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.

Access to the systems outside the company network is possible only via secure VPN access.

5. Input control: general restriction

Our employees do not work directly at the database level, but instead, use applications to access the data.

IT employees access the system via individual access and use a common login.

6. Availability control: backups and division

We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.

Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.

Our workstations are also protected with the usual measures. For example, virus scanners are installed and laptops are encrypted.

We would like to specify that we use MDM-solution to protect employee devices with security settings.

7. Separation control: limited access.

We use logically separate databases to prevent unauthorized persons from accidentally reading data to separate data.

Access to the data is also restricted because employees use services (applications) that control access.

Privacy rights

EU privacy rights

You, as subjects of personal data, have the following rights:

Right Description
Right to access You can request an explanation of the processing of your personal data.
Right to rectification You can change the information if it is inaccurate or incomplete.
Right to erasure You can send us a request to delete your personal data from our systems.
Right to data portability You can request all the data that you provided to us, as well as request to transfer data to another controller.
Right to object You can object to the processing of your data.
Right to restriction You may partially or wholly prohibit us from processing your personal data.
Right to withdraw consent You can withdraw your consent at any time.
Right to lodge a complaint If your request was not satisfied, you can file a complaint to the regulatory body.

To exercise your rights, write us an email at dpo@readdle.com

Also, you have a right to file a complaint to the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland or using webforms. Please note that you can contact your local supervisory authority. Your local authority will then contact the Irish supervisory authority to communicate your complaint or request.

The USA citizens’ privacy rights

As the owner of personal data, you have specific privacy rights. To exercise them, please write us an email at dpo@readdle.com

Your rights vary depending on the laws that apply to you but may include:

  • The right to be informed about the personal data we collect and/or process about you;
  • The right to learn the source of personal data about you we process;
  • The right to access, modify, and correct personal data about you;
  • The right to know with whom we have shared your personal data, for what purposes, and what personal data has been shared (including whether personal data was disclosed to third parties for their direct marketing purposes);
  • The right to withdraw your consent, where the processing of personal data is based on your consent; and
  • The right to lodge a complaint with a supervisory authority located in the jurisdiction of your habitual residence, place of work, or where an alleged violation of law occurred.

Please see more detailed information about some state-specific laws in a separate section; you can find it in the navigation on the right of the page.

The Virginia’s Consumer Data Protection Act The Consumer Privacy Act and California Privacy Rights Act The Colorado Privacy Act The Nevada Privacy Law The Delaware Online Privacy and Protection Act
Right to Know whether the controller is processing a customer’s personal data. Right to Know what personal information is collected and Right to Access personal information. Right of Access. Right to Know whether the controller is processing the customer’s personal data. Right of Access.
Right to Access personal data processed by the controller. Right to Know if Personal Information is Sold. The right to confirm the processing of personal data. Right to Opt-Out of Sale. Right to withdraw consent.
Right to Correct.
Right to Delete.
Right to Data Portability.
Right to Opt-Out of targeted advertising, the sale of personal data, or profiling.
Right to Delete. Subject to certain exceptions.
Right to Data Portability.
Right to Correct.
Right to Opt-Out of Sale.
Right to Limit Use and Disclosure of Sensitive Personal Information.
Right to Access.
Right to Correction.
Right to Deletion.
Right to Data Portability.
Right to Opt-Out of targeted advertising, the sale of personal data, or profiling via a universal Opt-Out mechanism.
Right to Correct.
Right to Correction.
Right for "do not track" request
Right to Opt-Out of Sale.

What do these rights mean?

  1. The right to access information. You can request an explanation of the processing of your personal data: what data exactly we process and how.
  2. The right to withdraw consent. After you once give us any consent, you can withdraw it at any time without any consequences for you.
  3. The right to portability. You can request all the data you provided to us and request to transfer data to another controller in a machine-readable format.
  4. The right to file complaints. If your request was not satisfied, you can file a complaint to the regulatory body. But please first contact us, and we will do our best to help you.
  5. Right to delete (Right to Deletion). You can send us a request to delete your personal data from our systems.

Depending on the state and legislative requirements, we have from 30 to 60 days to exercise your request with the right to postpone it for 30 days more.

Privacy Notice Update

The GDPR regulates this Privacy Notice and the relationships falling under its effect. Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Notice on our website.

If we make significant material changes that affect your privacy and confidentiality, we will notify you by email or display information in the App and ask you to read it.

Definitions

Here you can find the definitions of the terms used throughout the Privacy Notice.

“Calendars”, “App”, “we”, “our”, “us”: Readdle Limited, an Ireland-based technology company that maintains and operates Calendars (“App”).

“Controller”, “data controller”: the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed.

“Data protection officer”, “DPO”: an employee or a contractor who is designated by Readdle Limited to help it comply with the GDPR and other data protection laws and who is assigned to help you protect your personal data rights. You may contact DPO at dpo@readdle.com.

“Data subject”: a natural person about whom the App holds personal data (an identified or identifiable natural person).

“GDPR”: European Union’s General Data Protection Regulation.

“Personal data”: any information relating to you and helping identify you (directly or indirectly) such as your name, last name, email, location data, etc.

“Processing”: any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor”, “data processor”: the natural or legal person who processes personal data on behalf of the data controller.

“Services”, “Features” (either capitalized or not): the Calendars’ features are available through the use of the App, either Free or Pro, together or separately.

“Subprocessor”: anyone other than us who we have appointed to process personal data of our clients. Subprocessors can see no more data than we can see (unless you supply them with your personal data outside the App). Examples include our data hosting providers and payment processors.

“Supervisory authority”: a local regulator under the GDPR which has the job of seeing that we protect your data properly.

Back