Privacy Policy
Last updated: 26 May 2026
1. Who We Are
SahlCal is a scheduling platform operated by Vantage Technologies LLC, a limited-liability company organised under the laws of the State of Qatar, with its principal place of business in Doha, Qatar (“Vantage Technologies”, “SahlCal”, “we”, “us”, “our”). This Privacy Policy describes how we collect, use, share, and protect personal data when you use SahlCal (the “Service”) at www.sahlcal.com and related subdomains.
For purposes of Qatar's Personal Data Privacy Protection Law (Law No. 13 of 2016 — “PDPPL”), the EU General Data Protection Regulation (“GDPR”), the Saudi Personal Data Protection Law, the UAE Data Protection Law, and similar regimes, Vantage Technologies LLC acts as a data controller for the personal data of account holders (our customers) and as a data processor for the personal data of meeting bookers (the customers' end users) on behalf of those customers.
2. Information We Collect
Information you provide directly:
- Account profile: name, email address, profile photo, timezone, language preference
- Scheduling configuration: event types, availability windows, booking forms, branding settings
- Payment information (where applicable): processed by our payment provider — we do not store card numbers
- Communications: messages you send to support or feedback channels
Information collected via connected services (with your authorisation):
- Google Calendar: busy/free times, event creation, Google Meet links — when you connect a Google account
- Microsoft Outlook / Office 365: busy/free times, event creation, Microsoft Teams links — when you connect a Microsoft account
- Account identity: the email address of the connected calendar account
Information from meeting bookers:
- Name, email address, and any answers to custom intake-form questions you configure
- Time-zone and language preferences submitted at booking
- Optional vote selections in group polls (if booking via polls)
Information collected automatically:
- Device and browser information: user-agent, screen size, IP address
- Usage data: pages visited, features used, timestamps
- Security logs: authentication events, failed login attempts, suspected abuse
3. Lawful Bases for Processing
Where Qatar PDPPL (Law No. 13 of 2016), GDPR, the Saudi Personal Data Protection Law, the UAE Data Protection Law, or similar regulations apply, we rely on these lawful bases:
- Contract — to provide the Service you signed up for
- Consent — for optional calendar integrations, marketing emails, and AI features (you can withdraw consent at any time)
- Legitimate interests — for service security, fraud prevention, and product improvement (we balance these against your rights)
- Legal obligation — to comply with tax, accounting, and law-enforcement requirements
4. How We Use Your Information
- Provide, maintain, and improve the scheduling service
- Send booking confirmations, reminders, cancellations, and reschedule notifications
- Sync events with your connected calendar (Google or Microsoft)
- Generate video-meeting links (Google Meet / Microsoft Teams) for bookings
- Operate cultural features such as prayer-time blocking and Hijri calendar display
- Provide AI-assisted features (intake-form generation, meeting brief summaries) — see Section 8
- Detect and prevent fraud, abuse, and security incidents
- Communicate with you about service updates, security alerts, and (with consent) product news
- Comply with legal obligations and respond to lawful requests
5. How We Share Your Information
We do not sell, rent, or trade your personal data. We share information only with the following categories of recipients, and only as needed to operate the Service:
- Calendar providers — Google LLC, Microsoft Corporation (only when you connect a calendar, and only the data needed to read availability and create events on your behalf)
- Authentication provider — Clerk, Inc. (for sign-in, account management, password reset)
- Hosting and database — Vercel (application hosting), Neon (PostgreSQL database)
- Email delivery — Maileroo (transactional emails: confirmations, reminders, system notifications)
- AI service providers — Groq, Inc. (for AI-assisted form generation and meeting brief summaries, where you choose to use these features)
- Translation services — Google Cloud (only when auto-translation is enabled)
- Payment processors — where applicable, for paid features (we do not store card details)
- Legal authorities — when required by law, court order, or to protect rights, safety, or property
- Business transfers — in the event of a merger, acquisition, or asset sale, your data may transfer to the successor entity under equivalent protections
Each third-party processor is bound by a data-processing agreement requiring appropriate safeguards.
6. International Data Transfers
Some of our service providers operate outside the GCC (including in the United States and European Union). When we transfer personal data across borders, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or your explicit consent. You may request copies of the relevant transfer mechanisms by contacting us.
7. Google API Services User Data Policy
SahlCal's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide the user-facing features that the user has authorised
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with law, or as part of a merger or acquisition
- We do not use Google user data for advertising
- We do not allow humans to read your Google user data unless we have your explicit consent, or it is necessary for security purposes, to comply with law, or the data is aggregated and anonymised
You can revoke SahlCal's access to your Google account at any time at myaccount.google.com/permissions.
8. Microsoft Graph Data Use
When you connect a Microsoft account, we access Microsoft Graph calendar and online-meeting APIs solely to provide the scheduling features you have authorised. We do not use Microsoft user data for advertising, do not allow humans to read your Microsoft data outside of the conditions described in Section 7, and do not transfer Microsoft data to third parties except as necessary to provide the Service.
You can revoke SahlCal's access to your Microsoft account at any time at myaccount.microsoft.com/privacy/app-access.
9. AI-Assisted Features
Certain optional features use large-language-model providers (currently Groq, Inc.) to generate intake-form questions and meeting brief summaries. When you use these features:
- The event name, description, and (for briefs) booker-provided answers are sent to the AI provider to generate output
- We do not send your calendar contents, contact lists, or other personal data to the AI provider
- The AI provider processes inputs in accordance with its own privacy terms; we do not permit AI providers to train models on your data
- AI-generated output may be inaccurate — you are responsible for reviewing it before relying on it
- You can avoid AI processing entirely by not using these optional features
10. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal data, including:
- Encryption in transit (TLS / HTTPS) for all traffic
- Encryption at rest for OAuth tokens (AES-256-GCM) and database storage
- Secure authentication via Clerk with optional multi-factor authentication
- CSRF protection on state-changing operations
- Input sanitisation to prevent injection attacks
- Database row locking to prevent race conditions on bookings and votes
- Security logging and monitoring for anomaly detection
- Regular dependency updates and security reviews
No system is perfectly secure. If we discover a personal data breach affecting your data, we will notify you and the relevant authorities as required by applicable law.
11. Data Retention
- Account data — retained while your account is active and for up to 30 days after a deletion request, then permanently removed (some backups retained up to 90 days)
- Meeting and booking records — retained for 12 months after the meeting date, then removed (you may request earlier deletion)
- OAuth tokens — retained until you disconnect the integration; encrypted at rest
- Security and audit logs — retained up to 24 months for fraud-prevention and legal purposes
- Backups — automatically purged on a rolling 90-day schedule
12. Your Rights
Subject to applicable law, you have the right to:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your account and associated data
- Restriction — limit how we process your data
- Portability — receive a machine-readable export of your data
- Objection — object to processing based on legitimate interests, including direct marketing
- Withdraw consent — where processing relies on consent, withdraw it at any time
- Lodge a complaint — with your local data-protection authority, including the National Cyber Security Agency (NCSA) Compliance & Data Protection Department in Qatar, the Saudi Data and Artificial Intelligence Authority (SDAIA), the UAE Data Office, or a relevant EU supervisory authority
To exercise these rights, contact us at privacy@sahlcal.com. We will respond within 30 days (or sooner if required by law).
13. Cookies and Similar Technologies
We use a small number of strictly necessary cookies (authentication session, language preference, CSRF protection). We do not set advertising cookies and do not allow third-party advertising trackers. We use minimal first-party analytics to understand aggregate usage patterns. You can manage cookies through your browser settings; disabling strictly necessary cookies may prevent you from signing in.
14. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (where we have your address) or by prominent notice in the Service before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised.
16. Contact Us
For privacy questions, data-subject requests, or to report a concern, contact us at:
- Privacy enquiries: privacy@sahlcal.com
- General support: support@sahlcal.com
Postal address:
Vantage Technologies LLC
Doha, State of Qatar