Privacy Policy

Astrocal ("we", "us", "our") operates the Astrocal scheduling platform, including the REST API, MCP server, embeddable widget, developer dashboard, and the website at astrocal.dev.

This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information. By using Astrocal, you agree to the collection and use of information in accordance with this policy.

Account data

When you create an account, we collect your email address, name, and organization name. This information is used to identify your account and deliver the service.

API usage data

We log API requests including endpoints accessed, timestamps, response status codes, and rate limit consumption. This data is used to enforce rate limits, monitor service health, and improve the platform.

Calendar data

When you connect a Google or Microsoft calendar, we store OAuth tokens (encrypted at rest) and access your calendar events to check availability. We read free/busy information and create events for confirmed bookings. We do not access or store the content of your existing calendar events beyond what is needed for availability checks.

Booking data

For each booking, we store the attendee's name, email address, meeting time, duration, and any notes provided. This data is necessary to deliver the scheduling service and send notifications.

Payment data

Payments are processed by Stripe. We never store credit card numbers, CVVs, or full card details. We store only the Stripe account ID needed to process payments on your behalf via Stripe Connect.

Website analytics

We use PostHog for website analytics, including page views, feature usage, and session recordings. This data is only collected if you consent to analytics cookies via our cookie banner.

Necessary cookies

• cookie_consent — Stores your cookie consent preferences. Expires after 1 year.
• Supabase auth session — Maintains your authenticated session when logged in to the dashboard.

Analytics cookies

• PostHog — Session recordings, page views, and feature usage analytics. Only set when you consent to analytics cookies.

Marketing cookies

We do not currently use any marketing cookies.

Managing your preferences

You can manage your cookie preferences at any time using the "Cookie Preferences" link in the footer of any page, or by interacting with the cookie banner when it appears.

• Service delivery — Processing bookings, syncing calendars, sending notifications, and enforcing rate limits.
• Billing — Processing payments and managing subscriptions via Stripe.
• Support — Responding to your questions and troubleshooting issues.
• Product improvement — Understanding how the platform is used to improve features and fix bugs (analytics data only, with your consent).
• Email notifications — Booking confirmations, cancellations, and service announcements.

We use the following third-party services to operate Astrocal. Each has its own privacy policy governing how they handle your data:

• Supabase — Database hosting and authentication.
• Resend — Transactional email delivery.
• Stripe — Payment processing.
• Google Calendar API — Calendar integration and availability checks.
• Microsoft Calendar API — Calendar integration and availability checks.
• PostHog — Website analytics and session recordings (consent-gated).
• Vercel — Website and dashboard hosting.

• Account data — Retained while your account is active. Deleted upon account closure.
• Booking data — Retained according to your organization's settings. You can delete individual bookings from the dashboard.
• API logs — Retained for 90 days.
• Analytics data — Retained according to PostHog's data retention policy.

Depending on your location, you may have the following rights regarding your personal data:

• Access — Request a copy of the personal data we hold about you.
• Correction — Request correction of inaccurate personal data.
• Deletion — Request deletion of your personal data.
• Portability — Request your data in a portable, machine-readable format.
• Objection — Object to the processing of your personal data.
• Withdrawal of consent — Withdraw consent for analytics cookies at any time via the cookie banner.

To exercise any of these rights, contact us at hello@astrocal.dev. We will respond within 30 days.

Astrocal does not sell your personal data. We do not share your data with third parties for their own marketing purposes.

We take the security of your data seriously and implement the following measures:

• All data is encrypted in transit using TLS (HTTPS).
• OAuth tokens are encrypted at rest.
• API keys are hashed before storage — we cannot retrieve your raw API key after creation.
• Database isolation using Row Level Security (RLS) ensures organizations can only access their own data.

Your data may be processed in the United States and the European Union depending on the infrastructure providers used (Supabase, Vercel). Where data is transferred outside your region, we rely on standard contractual clauses and provider certifications to ensure adequate data protection.

Astrocal is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@astrocal.dev and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify affected users by email. We encourage you to review this policy periodically.

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:

hello@astrocal.dev