Calendly & GDPR: Appointment booking with consent & data processing agreement
Calendly makes appointment booking convenient, but it is a US service that involves data transfers and cookies. Here is what to watch out for.
What Calendly means in terms of data protection law
Calendly processes names, email addresses and appointment details; it is based in the US and uses cookies in its embedded widget.
If the widget is embedded directly, it loads from Calendly’s servers – which involves the transfer of data to the US. This requires a legal basis.
Conditions for use
You need a data processing agreement (DPA; in German, "AV-Vertrag") with Calendly, consent for the embedded widget, and a statement in the privacy policy.
- Sign a DPA with Calendly.
- Load the widget only after consent has been given (or link to it via a button).
- Disclose the data transfer to the US in the privacy policy.
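One way to implement the second point, as an added example that is not code from Calendly or from this guide: the embed script is injected only once consent is stored, and until then the page shows a button plus a plain link. The script URL and `Calendly.initInlineWidget` are taken from Calendly's public embed snippet; `CONSENT_KEY`, `createCalendlyGate` and the other names are hypothetical.

```javascript
// Added example: nothing is requested from Calendly until consent is stored.
// CONSENT_KEY and all function names are hypothetical. In a browser, pass
// doc: document, storage: localStorage and your own container element.
const WIDGET_SRC = "https://assets.calendly.com/assets/external/widget.js";
const CONSENT_KEY = "consent.calendly";

function isCalendlyUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" && u.hostname === "calendly.com";
  } catch {
    return false;
  }
}

function createCalendlyGate({ doc, storage, container, bookingUrl }) {
  if (!isCalendlyUrl(bookingUrl)) throw new Error("unexpected booking URL");
  let loaded = false;

  function load() {
    // Refuse to inject the script without stored consent, and never twice.
    if (loaded || storage.getItem(CONSENT_KEY) !== "granted") return false;
    loaded = true;
    container.textContent = ""; // drop the placeholder
    const script = doc.createElement("script");
    script.src = WIDGET_SRC;
    script.async = true;
    script.onload = () =>
      doc.defaultView.Calendly.initInlineWidget({ url: bookingUrl, parentElement: container });
    doc.head.appendChild(script);
    return true;
  }

  function renderPlaceholder() {
    // The button records consent and then loads the widget. The link is the
    // no-embed option: Calendly is contacted only if the visitor follows it.
    const button = doc.createElement("button");
    button.textContent = "Show booking calendar (loads Calendly, data is sent to the US)";
    button.addEventListener("click", () => {
      storage.setItem(CONSENT_KEY, "granted");
      load();
    });
    const link = doc.createElement("a");
    link.href = bookingUrl;
    link.rel = "noopener noreferrer";
    link.textContent = "Open the booking page on calendly.com";
    container.append(button, link);
  }

  // Returning visitor with stored consent loads directly; others see the placeholder.
  if (!load()) renderPlaceholder();
  return { load, isLoaded: () => loaded };
}
```

If you already run a consent management platform, read the consent state from it instead of the storage key used here, and clear the stored value when the visitor withdraws consent.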
EU alternatives
If you want to avoid data being transferred to the US, you should use EU-based or self-hosted solutions.
Cal.com (which can be self-hosted) or other EU-based calendar tools store data in Europe – ideal for strict requirements.
Check the integration
Does your Calendly widget load before consent is given?
The free BlueOcean scan displays Calendly and other third-party requests before consent is given.
FAQ
Can Calendly be used in compliance with the GDPR?
Yes, with a data processing agreement (DPA), consent for the embedded widget, and transparency regarding data transfers to the US in the privacy policy.
Do I have to show a cookie notice for the Calendly widget?
Yes, if it sets cookies or loads before consent is given. It is safer to load it only after consent has been given, or simply to link to it.
Is there a European alternative?
Yes, for example Cal.com (which can also be self-hosted) or other EU appointment booking tools that do not involve data transfers to the US.