Privacy Policy

Last updated: June 12, 2026

1. Controller

The data controller for CalMesh (calmesh.xyz) is:

Berliner Softwareschmiede UG (haftungsbeschränkt)
In der Gasse 6
14550 Groß Kreutz, Germany
E-Mail: hello@calmesh.xyz

We have not appointed a Data Protection Officer as we do not meet the thresholds under Art. 37 GDPR. For data protection inquiries, contact us at the email address above.

2. What We Collect

Data | Purpose | Legal Basis (GDPR)
Email address, name | Account creation, authentication | Art. 6(1)(b) — contract performance
OAuth tokens (Google, Microsoft, and other connected providers) | Calendar sync, authentication | Art. 6(1)(b) — contract performance
Calendar free/busy data (event start/end times, busy/free status) | Availability computation, scheduling | Art. 6(1)(b) — contract performance
Billing information (via Mollie) | Payment processing | Art. 6(1)(b) — contract performance
Email address for newsletter | Product updates and marketing | Art. 6(1)(a) — consent
Contact form submissions (email, subject, message) | Responding to your inquiry | Art. 6(1)(b) — pre-contractual measures / Art. 6(1)(f) — legitimate interest
IP address, user agent | Security, abuse prevention, error logging | Art. 6(1)(f) — legitimate interest
Anonymized usage statistics (page views, aggregated events — no cookies, no persistent identifiers) | Understanding how the product is used | Art. 6(1)(f) — legitimate interest

Providing your email address and name is a contractual requirement for using CalMesh. If you do not provide this data, we cannot create an account for you. Newsletter subscription is entirely voluntary.

3. Legitimate Interest

Where we process data based on legitimate interest (Art. 6(1)(f)), our interest is in maintaining the security, integrity, and availability of our service. We log IP addresses and user agents to detect and prevent abuse, investigate security incidents, and diagnose technical errors. We have assessed that this interest does not override your fundamental rights, given that this data is processed only for security purposes, is not shared with third parties for other purposes, and is automatically purged after 90 days.

We also have a legitimate interest in understanding how our product is used. For this we use Pirsch Analytics, a cookieless, EU-hosted analytics service that does not store IP addresses or any persistent identifiers and does not track you across sites. Only aggregated, anonymized statistics are produced; no profile of you is created.

4. Cookies & Browser Storage

CalMesh does not use tracking cookies, analytics cookies, advertising cookies, or third-party cookies of any kind. Our web analytics (Pirsch) works entirely without cookies and without storing personal data in your browser.

We set the following strictly necessary cookies for authentication:

Cookie | Purpose | Duration
authjs.session-token | JWT session — keeps you signed in | 30 days
authjs.csrf-token | CSRF protection for form submissions | Session
authjs.callback-url | Redirect target after sign-in | Session

These cookies are exempt from consent requirements under Art. 5(3) of the ePrivacy Directive because they are strictly necessary for the service to function. No cookie consent banner is required.

5. Calendar Data

When you connect a calendar provider, we store only what is needed to compute your availability: event start/end times and busy/free/tentative status. We do not store event titles, descriptions, locations, attendees, attachments, or any other event content on our servers. Attendee information is never read from your calendar.

If you actively use the iCal feed or data export features, event titles, descriptions, and locations are read from your calendar provider at the moment of your request and passed through to you directly. They are not stored by us.

OAuth tokens for calendar providers are encrypted at rest using AES-256-GCM. We do not store calendar provider passwords.

6. Newsletter

If you subscribe to our newsletter via the website, we collect your email address based on your consent (Art. 6(1)(a) GDPR). We use a double opt-in process: after submitting your email, you will receive a confirmation email and your subscription is only activated once you click the confirmation link.

You may withdraw your consent and unsubscribe at any time by clicking the unsubscribe link in any newsletter email or by contacting us at hello@calmesh.xyz. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

7. Sub-Processors

Processor | Purpose | Location
Vercel Inc. | Hosting, edge functions | US provider (DPF certified); compute pinned to EU regions
Neon Inc. | PostgreSQL database | EU (aws-eu-central-1)
Mollie B.V. | Payment processing | Netherlands (EU)
Resend Inc. | Transactional email | USA (SCCs)
Sentry (Functional Software Inc.) | Error monitoring | USA (DPF certified)
Pirsch Analytics GmbH | Cookieless web analytics | Germany (EU)

Where sub-processors are located outside the EU/EEA, transfers rely on the EU–US Data Privacy Framework (where the processor is certified) or Standard Contractual Clauses (SCCs) as indicated above. You may request copies of the applicable SCCs by contacting us.

8. Data Retention

  • Account data: retained for the duration of your account plus 30 days after deletion
  • Calendar data: cached only as long as needed for sync; deleted immediately upon disconnecting a calendar or deleting your account
  • Billing records: retained for 10 years as required by German tax law (§ 147 AO)
  • Server logs: automatically purged after 90 days
  • Contact form messages: forwarded to our inbox and not stored separately; retained per our email provider's retention policy
  • Newsletter email: retained until you unsubscribe

9. Your Rights (GDPR)

Under the GDPR you have the right to:

  • Access (Art. 15) — request a copy of all personal data we hold about you
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure (Art. 17) — request deletion of your data ("right to be forgotten")
  • Restriction (Art. 18) — restrict processing under certain conditions
  • Data portability (Art. 20) — receive your data in a machine-readable format
  • Objection (Art. 21) — object to processing based on legitimate interest
  • Withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent (e.g. newsletter), without affecting the lawfulness of processing prior to withdrawal

To exercise any of these rights, email hello@calmesh.xyz. We will respond within one month (Art. 12(3) GDPR), extendable by two further months for complex requests.

10. Automated Decision-Making

We do not use automated decision-making or profiling (Art. 22 GDPR) that produces legal effects or similarly significantly affects you.

11. Security

We implement industry-standard security measures including TLS encryption in transit, AES-256-GCM encryption at rest for OAuth credentials, parameterized database queries, rate limiting on public endpoints, and regular dependency audits.

12. Children

CalMesh is not directed at anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

13. Changes

We may update this policy from time to time. Material changes will be communicated via email at least 30 days before taking effect.

14. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for us is:

Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow

15. Contact

For any privacy-related questions, contact hello@calmesh.xyz.