Privacy Policy
Last updated: March 6, 2026
1. Data Controller
mahakala.app is operated by IAIG. We are the data controller for the personal data we process through our service.
Contact: [email protected]
Service is for users 16+ only. If you are under 16, you may not use mahakala.app.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, profile picture (via Google Sign-In)
- Profile settings: Username, timezone, branding preferences, availability schedules
- Event types: Meeting titles, descriptions, durations, locations, pricing
- Booking preferences: Screening questions, custom fields, booking confirmation settings
- Integration data: Calendar access tokens, webhook URLs, API configurations
2.2 Information from Bookings
- Guest information: Names, email addresses, contact details provided by people who book meetings
- Meeting details: Scheduled times, notes, responses to screening questions
- Payment information: Billing details (processed by Stripe, not stored by us)
2.3 Technical Information
- Usage analytics: Page views, booking completion rates, feature usage (via Google Analytics when consented)
- Error tracking: Application errors and performance data (via Sentry)
- Security logs: Login attempts, API usage, account changes (audit trail)
- Device information: Browser type, operating system, IP address, referrer URLs
2.4 Calendar Data
- Google Calendar: Event times, free/busy status, availability (read-only access)
- Calendar events: We create events in your calendar when bookings are confirmed
- We do NOT read event titles, descriptions, attendees, or other sensitive calendar content
3. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
Contract Performance (Article 6(1)(b))
Core scheduling features, account management, booking processing, calendar integration
Legitimate Interest (Article 6(1)(f))
Security monitoring, fraud prevention, service improvement, error tracking
Consent (Article 6(1)(a))
Marketing analytics, conversion tracking, non-essential cookies, email marketing
Legal Obligation (Article 6(1)(c))
Tax reporting for paid subscriptions, response to legal requests, compliance audits
4. How We Use Your Information
- Provide scheduling services: Display availability, process bookings, send confirmations
- Calendar integration: Check availability, create/update events, prevent double-bookings
- Account management: Authentication, profile updates, subscription billing
- Communications: Booking notifications, service updates, support responses
- Service improvement: Anonymous usage analytics, error monitoring, feature development
- Security: Fraud prevention, abuse detection, audit logging
- Marketing (with consent): Conversion tracking, campaign effectiveness, user journey analysis
We never sell, rent, or share your personal data with advertisers or data brokers.
5. Third-Party Services & International Transfers
We use trusted service providers located in the United States and other countries. All transfers are protected by standard contractual clauses:
Infrastructure
- Railway: Application hosting
- Neon: Database hosting
- Cloudflare: CDN, DNS, DDoS protection
Services
- Google: Authentication, calendar sync, analytics
- Resend: Email delivery (US)
- Stripe: Payment processing
Analytics (Consent Required)
- Google Analytics: Usage analytics
- Meta Pixel: Conversion tracking
- Sentry: Error monitoring
AI Integration
- MCP Protocol: AI agent access (user-controlled)
- Claude/ChatGPT: Only with explicit API keys
6. Data Retention
Active Accounts
Data retained while your account is active and for 30 days after deletion request
Booking Data
12 months after meeting date, then anonymized for statistical purposes
Analytics Data
6 months for detailed logs, 24 months for aggregated statistics
Security Logs
12 months for audit trails, fraud prevention, and security monitoring
Payment Records
7 years for tax compliance (anonymized after account deletion)
7. Your Rights Under GDPR
As a data subject, you have the following rights:
Right to Withdraw Consent (Article 7)
Revoke consent for analytics and marketing
Right to Lodge a Complaint (Article 77)
File a complaint with your data protection authority
Find Your DPA
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days and may ask for identity verification.
8. Guest Data Rights
If you've booked a meeting but don't have a mahakala.app account, you can still access and delete your data:
Access Your Booking Data
Enter your email to see all bookings associated with it and request deletion.
Access Guest Data
9. Cookies & Tracking
We use cookies and similar technologies to provide and improve our service. You can control these preferences:
Essential Cookies
Authentication, session management, security
Analytics Cookies
Google Analytics, Cloudflare Analytics, usage tracking
Marketing Cookies
Conversion tracking, Meta Pixel, campaign measurement
10. Data Security
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access controls: Role-based access, multi-factor authentication for admin accounts
- Monitoring: 24/7 security monitoring, intrusion detection, audit logging
- Infrastructure: SOC 2 Type II certified hosting providers (Railway, Neon)
- Regular audits: Quarterly security assessments and penetration testing
- Incident response: Documented procedures for data breach notification within 72 hours
11. Changes to This Policy
We may update this privacy policy from time to time. Significant changes will be communicated via email or through our service 30 days before taking effect. Continued use of mahakala.app after changes constitutes acceptance of the updated policy.
12. Contact & Data Protection Officer
For any privacy-related questions or to exercise your rights:
Email: [email protected]
Subject: "GDPR Data Request" or "Privacy Inquiry"
Response Time: Within 30 days
Social: @mahakalaapp on X