Last updated: May 19, 2026

Privacy Policy

This Privacy Policy explains how CaleyAI processes personal data across the website, app, account system, AI calendar assistant, calendar features, file features, subscriptions, emails, and support channels.

1. Controller

The controller responsible for the processing of personal data in connection with CaleyAI is:

Thomas Bechtold
Sole Proprietor (Einzelunternehmer)
Nikolaus-Fey-Straße 6
97241 Bergtheim
Germany

Email: info@caleyai.com
Phone: +49 (0) 1525 9870943
Website: https://caleyai.com
Contact form: https://caleyai.com/contact

Our legal notice is available at: https://caleyai.com/legal-notice

The competent supervisory authority is:

Bavarian State Office for Data Protection Supervision
Promenade 18
91522 Ansbach
Germany
https://www.lda.bayern.de

We are currently not required to appoint a Data Protection Officer under Article 37 GDPR. We review this assessment regularly and whenever our processing activities materially change. For privacy-related inquiries, please use the contact details above.

2. Scope of this Privacy Policy

This Privacy Policy explains how we process personal data when you use CaleyAI, including our website, web application, account system, AI calendar assistant, calendar functions, file upload and sharing features, subscription features, email reminders, marketing emails, and support channels.

CaleyAI is operated from Germany. This Privacy Policy is provided in English because CaleyAI is intended for international use. The processing of personal data is governed primarily by the General Data Protection Regulation (GDPR), German data protection law, the German Telecommunications Digital Services Data Protection Act (TDDDG), and, where applicable, other mandatory privacy laws.

3. Legal Bases and Purposes of Processing

We process personal data only where we have a legal basis.

We process data for contract performance under Article 6(1)(b) GDPR where this is necessary to provide CaleyAI. This includes account registration, login, email verification, onboarding, calendar features, ICS import and export, AI chat, reminders, file uploads, private dashboard access to files, public file links, subscription management, plan limits, billing-related account status, and transactional emails.

We process data to comply with legal obligations under Article 6(1)(c) GDPR, especially tax, accounting, commercial, legal record-keeping, and compliance obligations.

We process data based on legitimate interests under Article 6(1)(f) GDPR where necessary to maintain security, prevent abuse, detect fraud, operate and improve the service, enforce plan limits, process content reports, protect public file sharing, log technical events, and maintain reliable infrastructure.

We process data based on consent under Article 6(1)(a) GDPR where required, especially for optional marketing emails, optional analytics and advertising technologies in the EU/EEA, and optional personalization settings.

For cookies and similar technologies, we apply Section 25 TDDDG. Strictly necessary technologies are used without consent where legally permitted. Non-essential analytics, advertising, and remarketing technologies are used in the EU/EEA only with consent.

Where we process special categories of personal data under Article 9(1) GDPR because you voluntarily enter or upload such data, we do so only where a legal exception applies, especially your explicit consent under Article 9(2)(a) GDPR or where processing is necessary for the establishment, exercise, or defense of legal claims. Please do not upload sensitive data unless necessary.

4. Data You Provide to Us

When you create and use a CaleyAI account, we may process the following data:

Account data:

  • Email address
  • Password, stored only in hashed form
  • Email verification status
  • Account creation date
  • Login and security-related information
  • Acceptance of Terms and Privacy Policy
  • Subscription status and plan information

Profile and personalization data:

  • Display name, if provided
  • Onboarding answers
  • Settings and preferences
  • Custom instructions for the AI assistant
  • Whether the AI assistant may use your name
  • Reminder preferences
  • Email notification preferences
  • Marketing email preferences

Calendar and productivity data:

  • Calendar events
  • Event titles, descriptions, dates, start and end times
  • Reminder settings
  • Daily, weekly, or other summaries where enabled
  • Imported and exported ICS data
  • Calendar-related instructions you give to the AI assistant

Chat and AI data:

  • AI chat messages
  • Uploaded images sent to the AI assistant
  • User instructions and context needed to answer requests
  • AI-generated responses
  • Actions requested from or performed through the AI assistant

File data:

  • Uploaded files
  • File names
  • File metadata, such as size, type, upload time, storage status, and owner account
  • Whether a file is public or private
  • Public file links, where enabled
  • Download or access-related technical metadata where necessary
  • Reports, appeals, and decisions related to public files

Payment-related account data:

  • Stripe customer identifier
  • Subscription identifier
  • Plan status
  • Payment status
  • Webhook events needed to activate, change, cancel, or verify subscriptions

We do not store full payment card details on our own systems.

5. Account Registration, Login, and Email Verification

To use CaleyAI, you need to create an account with an email address and password. We use an internal authentication system based on our own platform infrastructure.

Email verification is required. After registration, we send you a verification email. If you do not verify your email address within 3 days after account creation, your unverified account is deleted automatically.

During registration and onboarding, you may provide optional information such as your name, preferences, and AI personalization settings. You can change many of these settings later in your account settings.

You must be at least 16 years old to create an account. Users under 16 may not create an account without valid parental consent where such consent is legally required.

6. Calendar, ICS Import and Export, Reminders, and Summaries

CaleyAI processes calendar data to provide calendar management, reminders, AI assistance, summaries, and related productivity features.

This may include event titles, dates, start and end times, descriptions, imported ICS data, exported ICS data, reminders, and user instructions relating to calendar events.

You can export calendar data through the ICS export function in your settings. General account data can be exported separately through the data export feature. Calendar data may not be included in the general data export where it is separately available through ICS export.

Depending on your settings and plan, CaleyAI may send reminder emails, daily summaries, weekly summaries, AI-generated calendar summaries, or other transactional calendar-related emails.

7. AI Assistant

CaleyAI uses AI functionality to help you interact with your calendar, settings, files, reminders, and other supported parts of the platform.

The AI assistant may process:

  • Your messages and prompts
  • Calendar data required to answer your request
  • Settings and preferences
  • Custom instructions
  • Your name, if you allow this in your settings or during onboarding
  • Uploaded images sent for AI processing
  • Relevant account and plan context
  • File report and appeal information where the AI is used for content review

The AI assistant can retrieve data and perform actions inside CaleyAI where this is necessary to provide the requested functionality. For example, it may read calendar events, create or modify entries, generate summaries, process instructions, review public file reports, or help with reminders.

You can disable whether the AI assistant may use your name in the settings. Some AI features may require access to relevant calendar, settings, or content data to work properly.

CaleyAI no longer uses OpenAI for AI processing. AI processing is provided through Cloudflare services, including Cloudflare Workers AI and Cloudflare AI Gateway. There is no external MCP server for AI processing. Data is processed within the CaleyAI platform infrastructure and Cloudflare services used by CaleyAI.

Uploaded images sent to the AI assistant are stored only for processing and are not intended for long-term storage unless they are separately uploaded as files through the file upload feature.

The legal basis for AI processing is usually Article 6(1)(b) GDPR, where processing is necessary to provide requested AI functionality. For security, abuse prevention, and service integrity, the legal basis may also be Article 6(1)(f) GDPR. Optional personalization settings are processed based on consent or your active configuration of the service.

8. File Uploads, Private Files, Public File Links, Reports, and Appeals

CaleyAI allows users to upload files.

Files are stored on Cloudflare R2. Files remain stored until they are deleted by the user, deleted due to a plan change, deleted due to a content report or enforcement decision, or deleted for another operational or legal reason.

Files may be stored as private or public, depending on how you use the feature.

Private files are available only inside the logged-in dashboard of the account that uploaded them, unless another sharing feature is explicitly added or enabled.

Public files are accessible through a public link. Anyone with the public link may be able to access the file. Do not upload a file as public if it contains confidential, personal, sensitive, copyrighted, unlawful, or otherwise restricted content that you are not allowed to share publicly.

Public files may be cached by technical systems. After deletion or restriction, a public file may in exceptional cases remain temporarily accessible through caches or technical propagation delays.

CaleyAI provides a reporting system for public files. If a public file is reported, AI may review the report and the relevant file or metadata to decide whether the file should remain available, be restricted, or be scheduled for deletion.

If a file is scheduled for deletion, for example after a report, the account holder may receive a notice where technically and legally appropriate. In certain cases, the file may be scheduled for deletion after a period such as 3 days. During this period, the user may submit an appeal in the app by clicking "Appeal" and explaining why the file should not be deleted.

Appeals may be reviewed by AI and/or manually where necessary. We may delete, restrict, or preserve files depending on applicable law, our Terms and Conditions, platform safety, third-party rights, and the information available to us.

Reports and appeals may include personal data such as account identifiers, file metadata, report text, appeal text, timestamps, and decision records.

The legal bases are Article 6(1)(b) GDPR for providing file storage and sharing, Article 6(1)(f) GDPR for moderation, abuse prevention, security, platform integrity, and rights protection, and Article 6(1)(c) GDPR where processing is necessary to comply with legal obligations.

Where the EU Digital Services Act applies, reports and actions concerning public files may also be processed to operate notice-and-action, statement-of-reasons, and appeal mechanisms.

9. Payments and Subscriptions

Paid plans are processed through Stripe.

You can manage upgrades, downgrades, cancellations, invoices, and billing details through the Stripe Customer Portal, accessible from https://app.caleyai.com/subscription by using the "Manage Billing" link.

Stripe may process your name, email address, billing address, payment method details, tax information, transaction data, invoices, and other payment-related information. Stripe is responsible for processing payment details in its own systems.

CaleyAI stores only the data needed to connect your account to Stripe and to apply the correct subscription status. This may include Stripe customer IDs, subscription IDs, plan identifiers, payment status, invoice status, and webhook events.

The legal basis is Article 6(1)(b) GDPR for paid subscriptions and Article 6(1)(c) GDPR for tax and accounting obligations. Fraud prevention and subscription abuse prevention may also rely on Article 6(1)(f) GDPR.

Stripe may act as an independent controller for parts of its payment processing and as a processor or joint controller where applicable, depending on the specific processing activity.

10. Emails

CaleyAI sends transactional and optional marketing emails.

Transactional emails may include:

  • Email verification messages
  • Login and security emails
  • Password or account-related messages
  • Subscription and billing-related notices
  • Reminder emails
  • Calendar-related notifications
  • Daily or weekly AI summaries, depending on plan and settings
  • File report, deletion, and appeal notifications
  • Account deletion confirmation emails
  • Service, legal, and security notices

Some login security emails may be disabled voluntarily in your settings, where the app provides this option. Essential security, account, legal, and service emails may still be sent even if optional emails are disabled.

Marketing emails are sent only where legally permitted. In the EU/EEA, marketing emails are generally sent only after consent. In other jurisdictions, such as the United States, marketing emails may be sent where legally permitted, provided that an unsubscribe option is available.

Every marketing email contains an unsubscribe option. You may also unsubscribe by contacting: info@caleyai.com

Unsubscribing from marketing emails does not stop necessary transactional emails.

CaleyAI uses Amazon Web Services Simple Email Service (AWS SES) to send emails.

11. Contact Requests and Support

When you contact us by email, contact form, or another support channel, we process the data you provide, such as your name, email address, message content, account information, and any attachments or technical context.

The legal basis is Article 6(1)(b) GDPR where the request relates to your account or our services, and Article 6(1)(f) GDPR for general support, documentation, and issue resolution. Where we are legally required to retain or process the communication, the legal basis is Article 6(1)(c) GDPR.

Support and contact messages may be retained for up to 6 years where required or justified for legal, accounting, or documentation purposes.

12. Server Logs, Security, and Abuse Prevention

When you use CaleyAI, technical data may be processed automatically. This may include:

  • IP address
  • Date and time of access
  • Requested URL or resource
  • HTTP status codes
  • Browser and device information
  • Referrer information
  • Login events
  • Security events
  • API and worker execution logs
  • Error logs
  • File access and report-related logs where necessary
  • Payment webhook logs
  • Email delivery metadata

We process this data to operate the service, detect errors, secure accounts, prevent abuse, investigate misuse, enforce limits, protect public file sharing, and maintain platform reliability.

The legal basis is Article 6(1)(f) GDPR. Where logs are needed for legal compliance or legal claims, Article 6(1)(c) GDPR or Article 6(1)(f) GDPR may also apply.

13. Cookies and Similar Technologies

CaleyAI uses cookies and similar technologies.

Strictly necessary technologies are used to provide login sessions, account security, CSRF protection, service routing, bot protection, subscription state, user preferences, and other essential functionality. These technologies are used under Section 25(2) TDDDG and, where personal data is processed, Article 6(1)(b) or Article 6(1)(f) GDPR.

Analytics and marketing technologies are used in the EU/EEA only with consent under Article 6(1)(a) GDPR and Section 25(1) TDDDG.

Outside the EU/EEA, analytics and marketing technologies may load immediately where this is permitted by applicable law. Users may still have opt-out rights depending on their jurisdiction.

We may use the following analytics and advertising tools:

Cloudflare Web Analytics: Used for privacy-friendly reach and performance measurement. In the EU/EEA, it is used only where consent is required and has been given. Outside the EU/EEA, it may load without a prior consent banner where permitted by law.

Google Tag / Google Ads: Used for conversion tracking, advertising performance measurement, audience building, and ad optimization. In the EU/EEA, it loads only after consent.

Meta Pixel: Used for advertising analytics, conversion tracking, remarketing, and ad optimization on Meta services such as Facebook and Instagram. In the EU/EEA, it loads only after consent.

You can change your privacy choices through the privacy settings or cookie settings link provided in the website or app footer, where available.

14. Analytics and Advertising

We use analytics and advertising tools to understand service usage, measure ad performance, improve campaigns, and reach users who may be interested in CaleyAI.

In the EU/EEA, Google Ads, Meta Pixel, and Cloudflare Web Analytics are used only after consent where legally required.

Outside the EU/EEA, these tools may be activated without prior opt-in where local law allows this.

Advertising providers may process information such as IP address, browser data, device identifiers, page views, conversion events, referrer data, and interaction events. Depending on your consent and region, these providers may use data for measurement, personalization, remarketing, and their own purposes according to their privacy terms.

The legal basis in the EU/EEA is consent under Article 6(1)(a) GDPR. You can withdraw consent at any time with future effect.

15. Hosting, Infrastructure, and Service Providers

We use service providers to operate CaleyAI. These providers process personal data only where necessary to provide their services to us or where they act as independent controllers for their own legally defined purposes.

Main providers include:

Cloudflare, Inc. and affiliated Cloudflare entities: Used for Cloudflare Workers, Cloudflare R2, Cloudflare D1, Cloudflare AI Gateway, Workers AI, DNS, security, routing, caching, analytics, storage, and platform infrastructure.

Stripe Technology Europe, Ltd. and affiliated Stripe entities: Used for payment processing, subscriptions, billing, invoices, tax-related payment information, and the customer billing portal.

Amazon Web Services, Inc. and affiliated AWS entities: Used for Amazon Simple Email Service (AWS SES) to send transactional and marketing emails.

Google Ireland Ltd. / Google LLC: Used for Google Tag and Google Ads, where enabled.

Meta Platforms Ireland Ltd. / Meta Platforms, Inc.: Used for Meta Pixel, advertising analytics, and remarketing, where enabled.

We enter into data processing agreements with processors where required by Article 28 GDPR. For Cloudflare, we use Cloudflare's standard Data Processing Addendum. International transfers are protected as described in this Privacy Policy.

16. International Data Transfers

CaleyAI is operated from Germany, but some service providers may process data outside the European Economic Area, including in the United States.

Where personal data is transferred to countries without an adequacy decision, we use appropriate safeguards such as the EU Standard Contractual Clauses, transfer impact assessments, and additional technical and organizational measures where required.

Where providers are certified under the EU-U.S. Data Privacy Framework, transfers may also rely on that framework where applicable. If a framework or adequacy mechanism no longer applies, we rely on other valid transfer safeguards where available.

17. Retention and Deletion

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless legal retention obligations require longer storage.

General retention principles:

  • Unverified accounts are deleted 3 days after account creation if the email address has not been verified.
  • If you request full account deletion, we send a confirmation email.
  • After a deletion request, there is a 14-day period during which you can stop deletion by logging in again.
  • After the 14-day period, the account and associated data are irreversibly deleted, unless legal retention obligations or legitimate legal reasons require limited further retention.
  • Calendar data remains stored while your account exists or until you delete it.
  • Files remain stored until deleted by you, removed due to plan limits, removed following a report or enforcement decision, or otherwise deleted for legal or operational reasons.
  • Public files may remain temporarily accessible through caches after deletion in exceptional cases.
  • Payment, invoice, tax, and accounting records may be retained for up to 10 years where required by German tax and commercial law.
  • Contact and support messages may be retained for up to 6 years where needed for documentation or legal purposes.
  • Security logs are retained only as long as necessary for security, troubleshooting, abuse prevention, and legal defense.

Backups may retain deleted data for a limited rolling period until overwritten. Backup data is used only for restoration, security, and continuity purposes and is not actively used as live account data.

18. Data Export

You can export your user data in the settings.

The general data export contains account-related user data, but it may not include calendar data if calendar data is available through the separate ICS export function.

Calendar data can be exported through ICS export in the settings.

If you need additional access to your personal data, you may contact us at: info@caleyai.com

19. Security Measures

We use technical and organizational measures to protect personal data. These may include:

  • Encryption in transit
  • Encryption at rest where technically supported
  • Access controls
  • Administrative access restrictions
  • Authentication and security logging
  • Separation of production systems where appropriate
  • Cloudflare security features
  • Regular review of access and platform configuration
  • Abuse prevention and rate limiting
  • Backup and recovery measures
  • Internal confidentiality obligations

No internet-based service can be guaranteed to be completely secure. Users are responsible for choosing strong passwords, protecting account access, and keeping public file links confidential where they do not want broad access.

20. Your Rights under the GDPR

If the GDPR applies to you, you have the following rights:

  • Right of access under Article 15 GDPR
  • Right to rectification under Article 16 GDPR
  • Right to erasure under Article 17 GDPR
  • Right to restriction of processing under Article 18 GDPR
  • Right to data portability under Article 20 GDPR
  • Right to object under Article 21 GDPR
  • Right to withdraw consent under Article 7(3) GDPR
  • Right to lodge a complaint with a supervisory authority under Article 77 GDPR

To exercise your rights, contact: info@caleyai.com

We usually respond within one month, unless the GDPR allows an extension.

If you withdraw consent, this does not affect the lawfulness of processing before withdrawal.

21. Objection to Legitimate Interest Processing

Where we process personal data based on Article 6(1)(f) GDPR, you may object to the processing on grounds relating to your particular situation.

If you object, we will stop processing the data unless we have compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defense of legal claims.

You may object to direct marketing at any time. If you object to direct marketing, we will stop using your personal data for that purpose.

22. Consent Withdrawal

Where processing is based on consent, you may withdraw your consent at any time with future effect.

This applies especially to:

  • Marketing emails
  • Analytics and advertising technologies in the EU/EEA
  • Optional personalization settings
  • Optional use of your name by the AI assistant, where controlled by settings

You can withdraw consent through the available settings, unsubscribe links, privacy settings, or by contacting us.

23. Automated Decisions

We do not use automated decision-making under Article 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

The AI assistant may generate recommendations, summaries, calendar actions, file report decisions, or other outputs. These outputs are part of the service functionality, but they do not replace your own judgment.

For public file reports, automated or AI-assisted decisions may lead to restriction, deletion scheduling, or other platform actions. Where available, affected users may submit an appeal in the app. We may review appeals automatically and/or manually depending on the case.

24. Children's Privacy

CaleyAI is intended for users aged 16 or older.

Users under 16 may not create an account unless valid parental consent is provided where legally required. If we become aware that an account was created in violation of this requirement, we may delete the account.

25. Regional Privacy Notes for Users Outside the EU/EEA

CaleyAI is operated from Germany but may be used internationally.

Users outside the EU/EEA may have additional rights under local laws, including rights to access, delete, correct, opt out of certain advertising uses, or limit certain processing.

Where such laws apply, we will honor applicable mandatory rights. You can contact us at: info@caleyai.com

For users in the United States, marketing emails include an unsubscribe mechanism. Advertising and analytics tools may be used as described in this Privacy Policy, subject to applicable law and available opt-out options.

26. Changes to this Privacy Policy

We may update this Privacy Policy when our services, technology, legal obligations, providers, or data processing practices change.

The current version is available on our website and in the app. If changes are material, we may notify registered users by email or in-app notice.

27. Governing Language

This Privacy Policy is provided in English. We currently publish one English version for international use.

Where mandatory German or EU law applies, this Privacy Policy shall be interpreted in a way that complies with those mandatory legal requirements.