Legal

Privacy Policy

Effective: 17 June 2026. support@openavail.com

This Privacy Policy describes how Openavail ("we", "our", or "us") collects, uses, and shares information about you when you use our scheduling API, web dashboard, and related products (the "Services"). It also describes your rights regarding your personal data.

01

Information We Collect

Account information. When you create an account we collect your name, email address, and identity fields returned by your sign-in provider, such as name, email, provider account ID, and profile image. Openavail currently uses OAuth sign-in and does not collect or store a password for dashboard accounts.

Calendar OAuth credentials. When you connect a calendar provider (e.g., Google Calendar), we receive an OAuth access token and refresh token. We store only the refresh token, encrypted at rest using AES-256-GCM. We do not store calendar event content — event data is fetched on demand during an availability check and discarded once the check is complete.

Booking and arbitration records. We store booking records and arbitration outcomes — the meeting class, requested time slot, agent reference ID, calendar owner identifier, decision result, and correlation ID. We do not store meeting titles, attendee names, video links, or other event body fields from your calendar provider.

API keys. We store an Argon2id-derived hash of each agent API key. Plaintext key material is shown exactly once at creation and is not stored by us.

Usage data. We collect API request logs (endpoint, HTTP response code, latency), dashboard activity events, and error reports. These are used to operate and improve the Services and to enforce our Terms of Service.

Billing information. Billing is handled by Stripe. We store a Stripe customer ID and subscription status. We do not store payment card numbers or bank account details.

Support communications. If you contact us for support we store the content of that communication and any information you provide to resolve your issue.

02

How We Use Information

We use the information we collect to:

  • provide, operate, secure, and improve the Services;
  • process and record booking and arbitration decisions;
  • send transactional notifications — preemption emails, undo confirmations, booking receipts;
  • respond to support requests;
  • send product and billing communications (you may opt out of non-transactional emails at any time);
  • detect and prevent abuse, fraud, and violations of our Terms of Service; and
  • meet legal and regulatory obligations.

We do not use your calendar content to train machine learning models. We do not sell or rent your personal data to third parties.

03

Data Sharing

We share data only as described below.

  • Calendar providers — we interact with providers such as Google Calendar on your behalf, using only the OAuth scope you explicitly grant.
  • Stripe — for payment processing. Stripe's own privacy policy governs data processed by Stripe.
  • Cloud infrastructure — we use cloud providers for hosting, database, and object storage. These providers process data only on our documented instructions.
  • Professional advisors — accountants, lawyers, and auditors, under appropriate confidentiality obligations.
  • Law enforcement — when required by law or to protect the rights, property, or safety of Openavail, our users, or the public.
  • Business transfers — in connection with a merger, acquisition, or sale of assets, subject to confidentiality requirements.

A complete and current list of our subprocessors is available at openavail.com/legal/subprocessors.

04

Data Retention

  • Account data — retained while your account is active, and for 90 days after account deletion, after which it is permanently deleted.
  • OAuth refresh tokens — deleted immediately when you disconnect a calendar.
  • Audit log records — retained for 365 days by default. Team and Enterprise plans may configure a longer or shorter retention window.
  • API request logs — retained for 30 days, then deleted.
  • Support communications — retained for 3 years, or shorter if you request deletion.
05

Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data, subject to legal retention requirements.
  • Restriction — ask us to limit processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on our legitimate interests.
  • Withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email support@openavail.com. We will respond within 30 days. If you believe we have not adequately addressed your request, you may lodge a complaint with the data protection supervisory authority in your country of residence.

06

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contract performance — processing your account data and calendar credentials to deliver the Services you have signed up for.
  • Legitimate interests — operating and securing our infrastructure, preventing abuse, and improving the Services.
  • Legal obligation — complying with applicable laws and responding to lawful government requests.
  • Consent — sending optional marketing communications. You may withdraw consent at any time.
07

International Data Transfers

Openavail's infrastructure is hosted in the United States. If you access the Services from outside the United States, your data may be transferred to and processed in the US or other countries with different data protection laws.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses approved by the European Commission, or another legally recognized transfer mechanism. Enterprise customers may request a Data Processing Addendum at support@openavail.com.

08

Cookies

We use session cookies to maintain your authenticated state in the dashboard. Session cookies are HttpOnly, Secure, SameSite=None, and expire after 30 days.

We do not use third-party advertising, cross-site tracking cookies, or session-replay scripts. We may use aggregate, privacy-preserving analytics that do not identify individual users. You can disable cookies in your browser settings, but the dashboard will not function without session cookies.

09

Security

We use TLS 1.3 for data in transit, AES-256-GCM encryption for OAuth tokens at rest, Argon2id hashing for API keys, and HttpOnly session cookies. See our Security page for a full description of our architecture.

No transmission method or storage system is 100% secure. To report a suspected security vulnerability, email security@openavail.com.

10

Children

The Services are not directed to children under 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete it promptly.

11

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email and in-product notice at least 14 days before material changes take effect. The "Effective" date at the top of this page reflects the most recent update.


Contact

For privacy requests or questions:

support@openavail.com