Privacy Notice

Introduction #

Cronofy Limited and/or Cronofy B.V. (we, us, our, Cronofy) is committed to protecting your privacy and personal data. Your privacy is critically important to us. We have a few fundamental principles:

  • We don’t ask you for personal data unless we truly need it.
  • We don’t share your personal data with anyone except to comply with the law, develop our products, or protect our rights.
  • We don’t store personal data on our servers unless required for the on-going operation of one of our services.

Below is our Privacy Notice (Privacy Notice) which incorporates these goals and details the steps we take to protect your personal data when you access our site and use our app (together, Platform). It describes (i) the services we offer and the according legal status, (ii) what personal we collect, (iii) how we use your data, (iv) your choices regarding our use of it, (v) the steps we take to protect your personal data and (vi) how you can review and correct your personal data.

We reserve the right to modify this Privacy Notice at any time and the version that will apply to your use of the Platform will be the version that is current and displayed on the Platform on the date on which you access it, so please ensure that you check this page periodically for any updates. Where we make material changes to this Privacy Notice we will notify you directly.

What services do we provide? #

Cronofy Scheduler #

For Cronofy Scheduler users, Cronofy is both a controller and a processor. We collect (and control) the information of users who want to schedule events via Cronofy, and process the information of their end-users with whom they’re scheduling the event.

Cronofy API #

For the Cronofy API, integrators (who are Cronofy customers who integrate with Cronofy’s APIs) are the controller, whilst Cronofy processes their, and their end-users’, data as part of providing the service.

As controller we have registered with the UK Information Commissioner’s Office with registration number ZA146473 and notified the Netherlands Autoriteit Persoonsgegevens with details of our Data Protection Officer.

What personal data do we collect and process? #

The personal data we collect about you generally relates to your calendar and your use of the Platform. This will include:

In the Cronofy Scheduler #

  • your name;
  • company/organisation name;
  • email address;
  • calendar appointment data;
  • any information contained within your calendar(s).

For the Cronofy API #

  • your name;
  • company/organisation name;
  • email address;
  • phone number;
  • address;
  • calendar appointments;
  • any information contained within your calendar(s).

You are not required to provide any of this information, but if you do not, we may not be able to provide you the requested services.

From third parties #

In using our Platform, we may also collect personal data of your contacts and other third parties that are included in your use of the Platform. We process this personal data only to provide you with the services that you have requested. We shall always ensure that such third-party personal data is kept secure. If you or any of the third parties that you connect with have any questions about our processing of their personal data, please email us at privacy@cronofy.com.

Via Cookies and web beacons #

Our Company uses cookies in a range of ways to improve your experience on our website, including:

  • Keeping you signed in
  • Understanding how you use our website
  • Providing training content The cookies we use, which includes analytics cookies, are used solely in relation to our service and to better understand how you interact with the Platform.

You can set your browser not to accept cookies. However, in a few cases, some of our website features may not function as a result.

How is your personal data used? #

On a lawful basis #

In accordance with data protection laws, we will only process personal data where we have a lawful basis for doing so. In respect of your personal data, these lawful bases are:

  1. Where it is necessary to provide services to you under the performance of the contract we have with you (contract necessity);
  2. Where we are required to do so in accordance with legal or regulatory obligations (legal necessity);
  3. Where you have given your consent (consent); and,
  4. Where it is in our (or a third party’s) legitimate interests to process your personal data and these interests do not prejudice your own interests or fundamental rights and freedoms (legitimate interests)

Please see the annex for a complete list of purposes for which we process your personal data and the lawful basis.

For a limited amount of time #

How long we retain your Personal Data depends on the type of data and the purpose for which we process the data. We will retain your Personal Information for the period necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law. Generally, we remove end-user data 90 days after the calendar is disconnected from Cronofy. You can request more information concerning Data Management by emailing privacy@cronofy.com.

Only in the data centre of your choice #

Cronofy does not transfer customer or end user data outside of the data centre that the data is hosted in - other than for the reasons listed above. Cronofy offers all customers the choice to host their data in the data centre most appropriate for them and their information security requirements.

With whom is your data disclosed? #

We will disclose your personal data only to third party service providers whom you already have an existing relationship with (such as your calendar provider). We will ensure that contractual obligations are imposed on such service providers to keep your personal data secure. We may disclose personal data to our professional advisors when seeking advice.

We may occasionally be required by law enforcement, law, court order, governmental authority, or public authority to disclose certain types of personal data, for example in the administration of justice or where we must defend ourselves legally. We may also need to disclose personal data in the event of a reorganisation, sale, or takeover.

When Cronofy receives a legally binding request to disclose PII, Cronofy will, where legally permitted, notify the Data Subject via email. Cronofy will reject any non-legally binding requests for PII, or Data Subjects will be consulted where appropriate.

Cronofy maintains a DPA (Data Protection Addendum) with customers who so require it. The DPA is based on the June 2021 template published by the European Commission, and can be viewed by contacting privacy@cronofy.com. You can also contact privacy@cronofy.com with any queries in relation to our DPA.

What are your rights? #

Data protection laws grant you certain rights in relation to your personal data and our processing. You have the following rights in relation to your personal data:

  • a right to request confirmation from us as to whether we are processing your personal data and, if so, a copy of such personal data;
  • a right to request that inaccurate personal data is rectified;
  • a right to request to receive your personal data in machine-readable format and to request that we provide this to a third party controller;
  • a right to object to processing where the lawful basis is that it is in our legitimate interests, but please note that we may still process your personal data where there are other relevant lawful bases or where we have compelling grounds to continue processing your personal data in our interests which are not overridden by your rights, interests or freedoms;
  • a right to request that certain personal data is erased where it is no longer necessary for us to process it, where you have withdrawn your consent (as described immediately below), or where you have objected (as described immediately above), where your personal data has been unlawfully processed, or where erasing your personal data is required in accordance with a legal obligation;
  • a right to withdraw your consent where this is the lawful basis on which we process your personal data;
  • a right to request an explanation of the logic involved where we make decisions about you solely through automated means;
  • a right to complain to your national data protection supervisory authority; and
  • a right to object to direct marketing.

If you are unsure about your rights or are concerned about how your personal data may be processed, please feel free to contact us at privacy@cronofy.com.

If you would like to exercise any of your rights, then you can do so by contacting us as described above. Please be aware that while we will try to accommodate any request you make in respect of your rights, they are not absolute rights. This means that we may have to refuse your request or may only be able to comply with it in part.

Where you make a request in respect of your rights, we will require proof of identification. We may also ask that you clarify your request. We will aim to respond to any request within one month of verifying your identity. If we receive repeated requests or have reason to believe requests are being made unreasonably, we reserve the right not to respond.

Use of Sub-Processors #

Cronofy only uses sub-processors that adhere to the same, applicable level of security and data privacy protection that we do. In the event that data is processed by a sub-processor, Cronofy remains responsible for the security of that data, unless Cronofy can prove the sub-processor is at fault.

Cronofy uses the following sub-processors:

  • AWS in all Data Centres
  • Cronofy Ltd for business support to all Data Centres
  • Cronofy BV for business support to all Data Centres
  • Airbrake in the US only

Cronofy will notify Data Subjects via email if a new sub-processor who processes PII is engaged.

And of course, always secure! #

We are committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use, or disclosure. For example, we store the personal data you provide on computer systems with limited access that are located in facilities to which access is limited. It is your responsibility to ensure the security of your password and not to reveal this information to others. API request logs are available for analysis to application integrators at all times via the developer dashboard. More information about security at Cronofy can be found on our Privacy and Security hub.

How to reach out to us? #

If you have questions or complaints regarding this notice or our handling of your personal data, please email us at privacy@cronofy.com.

Last updated #

This Privacy Notice was last updated on 12th June 2023.

Annex #

PurposeLawful Basis
To provide you with our services which you have signed up for, including to administer and manage your calendar.Contract necessity
To provide information about your calendar to third party service providers with whom you already have a pre-existing relationship and have given your consent for them to process your personal data.Contract necessity
To provide you with personalised visits to our Platform.Legitimate interests (to allow us to make the Platform tailored to you)
To better understand how you interact with and use our Platform.Legitimate interests (to allow us to better understand the Platform)
To develop our offering and the layout of our Platform.Legitimate interests (to allow us to better understand the Platform)
To prepare statistics relating to the use of our Platform.Legitimate interests (to allow us to better understand the Platform)
To respond to communications from you.Consent
To record telephone calls to and from, and live chats with, our customer services representatives for training and identification purposes.Consent; legitimate interest (to improve our customer service)
To contact you with important information regarding our Platform and/or service.Contract necessity
To send you email alerts you may have signed up for.Consent
To send you information about recommended goods, services or promotions which may be of interest to you (but only where you have consented to be contacted for such purposes).Consent
To carry out market research campaigns.Legitimate interest (to better understand our Platform)
To share your personal data with our partners (detailed below).Contract necessity; legitimate interests (to allow us to manage our business and offer you the Platform in the most effective way possible)
To investigate, and assist with the investigation of, suspected unlawful, fraudulent or other improper activity connected with our Platform (including, where applicable, dealing with requests from law enforcement agencies).Legal necessity; Legitimate interests (to ensure our users are protected from potential fraud or crime)

Cookies #

PurposeLawful Basis
Cookies: Those that are necessary for the operation of the Platform, including allowing you to interact with our Platform and to recall selections move through the Platform.Necessary for the performance of the contract
Cookies: Those that analyse your use of our Platform, monitor our audience and populate certain content on our Platform in line with your usage.Legitimate interest so we can continue to analyse and improve our Platform and services
Cookies: Those that track your journey to and from our Platform.Legitimate interest so we can understand how users come to and from our Platform and give effect to any commercial arrangements
Cookies: Those that are used for third party marketing.Consent

Provider attestations #

Google #

Cronofy’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.