Legal
Privacy Policy
Last updated: May 28, 2026
This Privacy Policy describes how Appointy (“we”, “our”, or “us”) collects, uses, and protects information when you use our scheduling service at appointy.xyz (the “Service”). By using the Service you agree to the practices described here.
1. Information we collect
Information you provide directly
- Account information: name, email address, workspace name, username, password (stored hashed with bcrypt), and timezone.
- Booking information: meeting details, guest name, guest email, guest phone (optional), guest company (optional), purpose, notes, custom form answers, and any files attached to bookings (up to 5 MB).
- Availability: the weekly hours and event types you choose to make bookable.
Information from third-party integrations
- Google account: if you connect Google Meet/Calendar, we receive an email address, OAuth access token, and refresh token. These are stored encrypted at rest and used solely to create calendar events and Meet links for your confirmed bookings.
Automatic information
- Session cookies: a single httpOnly cookie (“appointy_session”) used to keep you signed in. No advertising or tracking cookies are used.
- Server logs: standard request logs (IP, user-agent, timestamp) retained for up to 30 days for security and debugging.
2. How we use your information
- To operate, maintain, and provide the Service.
- To send transactional emails: account verification, password reset, booking confirmations to you and your guests, invite emails, and (when you opt in) reminders.
- To create Google Calendar events and Meet links on your behalf, only when you explicitly grant access through OAuth.
- To detect, prevent, and respond to abuse, fraud, or security incidents.
We do not use your data for advertising, do not sell it, and do not share it with third parties except as strictly required to operate the Service (see “Service providers” below).
3. Service providers (subprocessors)
The Service relies on these third parties to function:
- Vercel — application hosting. Privacy policy.
- Turso (libSQL) — database storage. Privacy policy.
- Resend — transactional email delivery. Privacy policy.
- Google — optional Calendar/Meet integration when you connect a Google account. Privacy policy.
Each processor receives only the data necessary to perform its function (e.g., Resend receives the email address and message body to deliver booking confirmations).
4. Google API Services compliance
Appointy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request the minimum scopes needed (calendar.events and userinfo.email).
- Google user data is used solely to provide user-facing features of the Service (creating calendar events and Meet links).
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, and never for advertising.
- We do not use Google user data to develop, improve, or train generalised AI/ML models.
5. Data retention
- Account data is retained while your account is active.
- Booking data is retained while your account is active so you can review past meetings.
- OAuth tokens are kept while you have an active integration; deleted immediately when you disconnect.
- Session records expire after 30 days of inactivity.
- Verification & password-reset tokens are single-use and expire automatically (48 hours and 2 hours respectively).
- Server logs are retained for up to 30 days.
6. Your rights
You have the right to:
- Access the data we hold about you — request a copy by emailing us.
- Correct inaccurate information through your account settings.
- Delete your account and all associated data — email us to request deletion (we'll honour it within 30 days).
- Export your bookings — request an export by emailing us.
- Disconnect third-party integrations at any time from Admin → Integrations.
- Withdraw consent for Google integration by revoking access at myaccount.google.com/permissions.
7. Security
- Passwords are stored using bcrypt with cost factor 10. We never see or store your plaintext password.
- Session tokens are 64-character cryptographically random strings; cookies are httpOnly, SameSite=Lax, and Secure in production.
- OAuth tokens are stored server-side only and never exposed to the browser.
- All traffic uses HTTPS.
- The full source code is open-source under AGPL-3.0 at github.com/rajpundkar/Appointy — you can audit our security practices directly.
8. Children's privacy
Appointy is not directed at children under 13 (or 16 in some jurisdictions). We do not knowingly collect data from children. If you believe a child has provided us with information, contact us and we'll delete it.
9. Changes to this policy
We may update this Privacy Policy. Material changes will be announced via email to active account holders and reflected here with an updated “Last updated” date.
10. Contact
For privacy questions or data requests, email privacy@appointy.xyz.