Last updated: March 21, 2026
The data controller for CalMesh (calmesh.xyz) is:
Berliner Softwareschmiede UG (haftungsbeschränkt)
In der Gasse 6
14550 Groß Kreutz, Germany
Email: hello@calmesh.xyz
We have not appointed a Data Protection Officer as we do not meet the thresholds under Art. 37 GDPR. For data protection inquiries, contact us at the email address above.
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email address, name | Account creation, authentication | Art. 6(1)(b) — contract performance |
| OAuth tokens (Google, Microsoft, and other connected providers) | Calendar sync, authentication | Art. 6(1)(b) — contract performance |
| Calendar event metadata (titles, times, attendees) | Availability computation, scheduling | Art. 6(1)(b) — contract performance |
| Billing information (via Mollie) | Payment processing | Art. 6(1)(b) — contract performance |
| Email address for newsletter | Product updates and marketing | Art. 6(1)(a) — consent |
| Contact form submissions (email, subject, message) | Responding to your inquiry | Art. 6(1)(b) — pre-contractual measures / Art. 6(1)(f) — legitimate interest |
| IP address, user agent | Security, abuse prevention, error logging | Art. 6(1)(f) — legitimate interest |
Providing your email address and name is a contractual requirement for using CalMesh. If you do not provide this data, we cannot create an account for you. Newsletter subscription is entirely voluntary.
Where we process data based on legitimate interest (Art. 6(1)(f)), our interest is in maintaining the security, integrity, and availability of our service. We log IP addresses and user agents to detect and prevent abuse, investigate security incidents, and diagnose technical errors. We have assessed that this interest does not override your fundamental rights, given that this data is processed only for security purposes, is not shared with third parties for other purposes, and is automatically purged after 90 days.
CalMesh does not use tracking cookies, analytics cookies, advertising cookies, or third-party cookies of any kind.
We set the following strictly necessary cookies for authentication:
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token | JWT session — keeps you signed in | 30 days |
| authjs.csrf-token | CSRF protection for form submissions | Session |
| authjs.callback-url | Redirect target after sign-in | Session |
These cookies are exempt from consent requirements under Art. 5(3) of the ePrivacy Directive because they are strictly necessary for the service to function. No cookie consent banner is required.
When you connect a calendar provider, we access event metadata (start/end times, titles, attendees, and free/busy status) necessary to compute availability and deliver the service. We do not read event descriptions, attachments, or other content beyond what is required for scheduling.
OAuth tokens for calendar providers are encrypted at rest using AES-256-GCM. We do not store calendar provider passwords.
If you subscribe to our newsletter via the website, we collect your email address based on your consent (Art. 6(1)(a) GDPR). We use a double opt-in process: after submitting your email, you will receive a confirmation email and your subscription is only activated once you click the confirmation link.
You may withdraw your consent and unsubscribe at any time by clicking the unsubscribe link in any newsletter email or by contacting us at hello@calmesh.xyz. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
| Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting, edge functions | USA (DPF certified) |
| Neon Inc. | PostgreSQL database | EU (aws-eu-central-1) |
| Mollie B.V. | Payment processing | Netherlands (EU) |
| Resend Inc. | Transactional email | USA (SCCs) |
| Sentry (Functional Software Inc.) | Error monitoring | USA (DPF certified) |
Where sub-processors are located outside the EU/EEA, transfers rely on the EU–US Data Privacy Framework (where the processor is certified) or Standard Contractual Clauses (SCCs) as indicated above. You may request copies of the applicable SCCs by contacting us.
Under the GDPR you have the right to:
To exercise any of these rights, email hello@calmesh.xyz. We will respond within one month (Art. 12(3) GDPR), extendable by two further months for complex requests.
We do not use automated decision-making or profiling (Art. 22 GDPR) that produces legal effects or similarly significantly affects you.
We implement industry-standard security measures including TLS encryption in transit, AES-256-GCM encryption at rest for OAuth credentials, parameterized database queries, rate limiting on public endpoints, and regular dependency audits.
CalMesh is not directed at anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
We may update this policy from time to time. Material changes will be communicated via email at least 30 days before taking effect.
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for us is:
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow
For any privacy-related questions, contact hello@calmesh.xyz.