Privacy Policy

Last updated: 2026-05-23

Data controller

Heldly is operated by Capable Agents AB, a Swedish limited company (aktiebolag).
  • Org.nr: 559504-0444
  • Registered address: Bäckaskiftsvägen 68, 122 42 Enskede, Sweden
  • Contact: hello@heldly.io
  • Privacy / data subject requests: hello@heldly.io

What we collect

Host account. When you sign in with Google we receive your email, name, and Google account ID. If your workspace administrator has configured Single Sign-On on the Business plan, we additionally store the SSO subject identifier returned by your identity provider (used to recognize you on subsequent sign-ins). We also store your profile defaults (default picker expiration window, default message to the invitee, default message kept on the meeting record) and billing identifiers (Stripe customer and subscription IDs — never card data).

Workspace (Business plan). For Business workspaces we store the workspace name, plan, seat count, members (user IDs and roles), the data residency region (default EU), the workspace-configured retention period in days (default 400 days, configurable per workspace by request to hello@heldly.io), the claimed company email domain (where the workspace administrator has verified it via DNS TXT), and — once SSO is configured — the WorkOS organization identifier, SSO connection identifier, and (where SCIM is enabled) the SCIM directory identifier used to provision and de-provision members.

Google Calendar access. Heldly stores Google OAuth access + refresh tokens server-side (scopes: calendar.events + calendar.readonly) so the service can read your availability, place tentative holds, confirm the chosen slot, and clean up unpicked ones automatically. Tokens are never returned to clients and are deleted when you disconnect calendar access or delete your account.

Meeting data. When you propose a meeting from Claude we store the meeting topic, the meeting agenda, the host(s), the invitee's name and email (either as supplied by the host at propose time, or as entered by the invitee on the picker page when the host chose paste-anywhere mode), the slot times, the host's intended booking window, the Google Calendar event ids Heldly created on each host's calendar (so we can confirm / delete them on booking, cancel, or expiry), any personal note included in the picker email, and the booking outcome. When an invitee requests a reschedule from the booking confirmation email, we additionally store their preferred window and free-text note so that the host can follow up.

Audit log (Business plan). Significant workspace events — meetings proposed and cancelled, members invited and revoked, SSO configured, SCIM-driven deactivations, exports — are written to an append-only audit log retained for the workspace retention period. Each entry records the actor (user identifier and email — invitee emails are redacted to their domain), the action, the affected resource, and (where the action originated from a browser) the actor's IP address and user agent. Workspace administrators can export the log as CSV from Settings → Audit log.

Technical data. A session JWT cookie (heldly_session, 30-day expiry); your IP address (used for rate limiting and abuse detection, persisted only in the audit log on workspace-significant actions); and standard server logs (paths, status codes, timestamps), retained 90 days. We do not use Google Analytics, advertising pixels, or any third-party tracking cookies.

Error reports. When Heldly's server or client code throws an exception, we capture a stack trace, the route path, and your anonymous user identifier via Sentry (EU, Frankfurt). Before any event leaves our runtime a redaction hook strips email-shaped strings, drops the request body for booking-flow routes, and removes auto-captured user fields — Sentry never receives invitee email addresses, meeting topics, agendas, or the booking POST body. Error events are retained per Sentry's default schedule (90 days for the standard plan).

Product analytics. Heldly uses PostHog (EU, Frankfurt) to understand how the Service is used — anonymous funnel counts (e.g. signups that reach a confirmed booking), page-view totals, and a small set of event properties such as meeting duration or co-host count. PostHog runs in cookieless mode: the per-session anonymous identifier is held in browser memory only and is cleared the moment the tab closes. We do not send invitee email addresses, meeting topics, or meeting agendas to PostHog. Once you sign in, we associate your account's stable identifier and email address with subsequent events so we can analyse cross-session activity for the signed-in surface. You can opt out at any time by clicking Reject analytics in the cookie banner shown on Heldly's public pages — that sets the heldly_analytics_opt_out cookie which prevents the analytics SDK from initializing on every subsequent page load. You can also email hello@heldly.io to object server-side.

Cookies we use

All cookies set by Heldly are strictly necessary for the service to function. We do not set analytics, marketing, or third-party tracking cookies; under the EU ePrivacy Directive no prior consent is required for the cookies below, but we surface them here so you can see exactly what gets stored on your device.

Name | Purpose | Duration
heldly_session | Signed-in session — proves to Heldly you've authenticated. HTTP-only, secure in production. | 30 days
oauth_state | Per-flow CSRF protection during Google or SSO sign-in. Cleared on completion. | Session
heldly_cookie_notice | Remembers that you've acknowledged this notice so we don't show the banner again. | 1 year
heldly_analytics_opt_out | Set to "1" when you click "Reject analytics" in the banner. Read before PostHog initializes so the analytics SDK never starts. Only present if you have actively opted out. | 1 year

You can clear any of these from your browser settings at any time. Clearing heldly_session signs you out.

How we use it (purposes and legal bases)

Purpose | Legal basis (GDPR Art. 6)
Provide the scheduling service you signed up for | Contract (Art. 6(1)(b))
Send transactional email (picker invites, confirmations, reminders) | Contract
Charge subscriptions and process payments | Contract
Detect abuse, rate-limit, secure the service | Legitimate interest (Art. 6(1)(f))
Measure how the Service is used (cookieless funnel + page-view counters) to improve the product | Legitimate interest (Art. 6(1)(f))
Retain billing and accounting records | Legal obligation (Swedish Bokföringslagen — 7 years)

We do not sell your data, share it for advertising, or use it to train machine-learning models.

Google API data — Limited Use disclosure

Heldly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We request the following Google OAuth scopes:

  • userinfo.email, userinfo.profile — to identify your account at sign-in.
  • calendar.readonly — to read your availability when you ask Claude to schedule a meeting.
  • calendar.events — to place tentative holds, confirm the chosen one, and delete unpicked ones on your behalf.

Heldly reads/writes only the calendar events directly related to meetings you initiate through the Service. We do not read, store, or expose your other calendar content beyond busy/free intervals needed to find common availability.

Specifically:

  • We do not transfer Google user data to third parties except as necessary to provide the service (e.g., emailing the invitee via Resend), to comply with applicable law, or with your explicit consent.
  • We do not use Google user data for advertising, advertising profiling, credit-worthiness, or any unrelated purpose.
  • We do not allow humans to read Google user data unless we have your explicit consent, it is required for security purposes (e.g., investigating abuse) or by law, or the data has been aggregated and anonymized.
  • We do not use Google user data to develop, improve, or train generalized AI or ML models.

To revoke Heldly's Google sign-in access at any time, visit your Google Account permissions page.

Sharing and subprocessors

We share data only with the subprocessors needed to run the service. Each is bound by a Data Processing Agreement.

Subprocessor | Purpose | Region / transfer
Supabase | Primary database | EU (Dublin)
Stripe | Billing, subscriptions | Ireland + US affiliates — SCCs
Resend | Transactional email delivery | US — SCCs
Vercel | Hosting and serverless runtime | EU (Stockholm)
PostHog | Cookieless product analytics — anonymous events, page paths, event properties (no invitee email, no meeting topic, no agenda) | EU (Frankfurt)
Sentry | Server + client error tracking — stack traces, route paths, anonymous user uuid. A before-send hook strips email addresses, meeting topics, and booking POST bodies before transmission. | EU (Frankfurt)
Google | OAuth sign-in and Google Calendar API access (on hosts' own calendars only) | Global — SCCs
WorkOS | Single Sign-On (SAML / OIDC) and SCIM directory sync for Business workspaces — only when your workspace administrator configures it | US — SCCs
Anthropic | Claude.ai / Claude Desktop / Claude Code — only when you connect Heldly to Claude via MCP | US — SCCs

Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) issued by the European Commission. We do not sell personal data and have not done so in the preceding 12 months.

Claude connection

Heldly is published as a Claude connector — Heldly's entire user experience runs inside Claude (Claude.ai, Claude Desktop, or Claude Code). Connecting Heldly to Claude is an opt-in setup step on the Connect page; until you do, no data flows to Anthropic from us.

When you ask Claude to call a Heldly tool (for example, “is the Acme meeting booked?”), Heldly returns the requested data — meeting details, host and invitee names and emails, slot times — to Claude. That response becomes part of your conversation and is visible to Anthropic under their own privacy policy. Anthropic becomes a separate data controller for that conversation context.

Heldly's MCP tools only operate on meetings you own; we never read Claude's chat history, memory, system prompts, attachments, or other tools. We never query Claude's memory or files (per Anthropic's Software Directory Policy §1.F).

To stop the data flow, disconnect Heldly from Claude's Connectors page (Customize → Connectors → remove). Access is revoked immediately. You should also review Anthropic's privacy policy before connecting — Anthropic Privacy Policy.

Marketing references

With your permission (granted via §9 of our Terms of Service), Heldly may display your Organization's name and logo on Heldly's public marketing surfaces — heldly.io, public decks, investor materials, blog posts, social posts — to identify the Organization as a Heldly user. This is organization-level information about a legal entity, not personal data about you or your invitees: we do not display invitee names, invitee employer logos, or aggregated invitee data on our marketing surfaces.

Your Organization may withdraw this permission at any time by emailing hello@heldly.io. We remove the reference from all Heldly-controlled marketing surfaces within five (5) business days.

Retention

Category | Retention period
Account profile (name, email, defaults) | Lifetime of account + 30 days after deletion
Meetings, slots, host / invitee data | Lifetime of account + 30 days after deletion
Audit log (Business plan) | Workspace retention period (default 400 days, configurable per workspace on request)
Analytics events (PostHog) | 12 months rolling, then deleted (PostHog default for project storage)
Error reports (Sentry) | 90 days, then deleted (Sentry default for project storage)
Billing records (invoices, payments) | 7 years (Swedish Bokföringslagen)
Server logs (paths, IPs, status codes) | 90 days
Session JWT (heldly_session) | 30 days; refreshed on sign-in

Your rights (GDPR Chapter III)

You have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erasure (“right to be forgotten”) — use the Account page or email us
  • Restrict processing
  • Portability — request a structured export of your data
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (does not affect prior lawful processing)
  • Lodge a complaint with a supervisory authority. In Sweden this is the Integritetsskyddsmyndigheten (IMY).

To exercise any right, email hello@heldly.io from the address associated with your account. We respond within 30 days (extendable by 60 days for complex requests, per Art. 12(3)).

Security

Transport is TLS-only. OAuth tokens are encrypted at rest. MCP access tokens and authorization codes are stored as SHA-256 hashes — never plaintext. Authentication is via Google OAuth; Heldly does not store passwords.

Reporting vulnerabilities. Send security reports to security@heldly.io. Our advisory is at /.well-known/security.txt (RFC 9116). We acknowledge reports within 5 business days.

Children

Heldly is not intended for use by anyone under 16. We do not knowingly collect data from children. If you believe a child has signed up, email us and we will delete the account.

Changes to this policy

We may update this policy. Material changes are announced via email to active accounts at least 14 days before they take effect. The “Last updated” date at the top reflects the latest revision.

Contact

  • General: hello@heldly.io
  • Privacy / data subject requests: hello@heldly.io
  • Data controller: Capable Agents AB, Bäckaskiftsvägen 68, 122 42 Enskede, Sweden — Org.nr 559504-0444