Privacy & Security

Privacy Notice

How PepoSmart collects, uses, shares, and protects personal data when you visit our sites, create an account, or schedule with our users.

Last updated: January 15, 2025

1. Who This Notice Covers

This Privacy Notice explains how PepoCloud LLC (“PepoCloud LLC,” “we,” “us,” or “our”) handles personal data for our websites, applications, widgets, and scheduling services (collectively, the “Services”). It applies to:

  • Users: account owners and team members who create event types, host meetings, or embed booking pages.
  • Invitees: people who book, attend, or receive invitations to meetings created through the Services.
  • Visitors: anyone who browses our sites or interacts with our marketing and support materials.

By using the Services, you consent to the practices described here. If you do not agree, please discontinue use of the Services.

2. Personal Data We Collect

Data you provide to us

We collect the personal data you choose to share, including:

  • Account and profile details such as name, email address, password, photo, role, organization details, and time zone.
  • Scheduling and meeting details, including event types you create, questions you ask invitees, availability preferences, invitee responses, and communications related to an event.
  • Content you upload or submit through the Services, including notes, chat, attachments, and feedback.
  • Payment and billing information (e.g., billing contact details, billing address, VAT or tax IDs). Payment card data is processed by our payment processors and not stored in full by PepoSmart.
  • Support requests, survey responses, and any other information you provide when you contact us.

Data we collect automatically

When you use the Services, we automatically collect certain information, including:

  • Usage and log data such as the pages you view, features you use, actions you take, timestamps, referring/exit pages, and session IDs.
  • Device and network information including IP address, browser type, operating system, device identifiers, language settings, and approximate location derived from your IP address.
  • Diagnostic and security data including error logs, performance metrics, crash data, and identifiers associated with cookies or similar technologies.

Data from third parties and integrations

We may receive personal data about you from others, such as:

  • Calendar, conferencing, CRM, or productivity tools you connect to the Services, which may share meeting details, availability, attendee lists, and contact information.
  • Authentication and identity providers (for example, single sign-on services), fraud-prevention partners, analytics providers, and marketing or advertising partners.
  • Other users who invite you to events or share information about you through the Services.

Sensitive data

We do not require sensitive personal data (such as health, biometric, or precise location data) to provide the Services. Please do not include sensitive information unless it is necessary for a meeting you create or attend; if you do, you direct us to process it consistent with this Notice and applicable law.

3. How We Use Personal Data

We use personal data for the following purposes:

  • Provide, operate, and maintain the Services, including scheduling, reminders, meeting creation, and integrations you enable.
  • Create and manage accounts, authenticate users, and process payments or subscription charges.
  • Send confirmations, invitations, updates, service announcements, and support responses.
  • Personalize experiences, recommend configurations, and remember your preferences.
  • Monitor and analyze usage, trends, and activities to improve the Services and develop new features.
  • Detect, investigate, and prevent fraud, abuse, security incidents, and other harmful activity.
  • Comply with legal obligations, enforce our agreements, and protect our rights, users, and the public.
  • Market and promote the Services in accordance with your preferences and applicable law.

Where required by law, we will obtain your consent before using personal data for certain purposes, and you may withdraw consent at any time.

4. Legal Bases for EEA/UK/Swiss Personal Data

When the GDPR, UK GDPR, or Swiss data protection laws apply, we process personal data under these legal bases:

  • Contract: To provide the Services and fulfill our agreements with you.
  • Legitimate interests: To secure and improve the Services, respond to inquiries, market to business contacts, and prevent misuse, provided these interests are not overridden by your rights.
  • Consent: For certain marketing, analytics, or optional integrations; you may withdraw consent at any time.
  • Legal obligations: To comply with applicable laws, regulations, and lawful requests.
  • Vital interests: To protect someone’s safety in rare emergency situations.

5. How We Share Personal Data

We do not sell personal data. We may share personal data in these circumstances:

Service providers

Vendors and subprocessors that help us deliver the Services (for example, hosting, email delivery, analytics, customer support, and payment processing) access personal data only to perform work on our behalf.

Integrations you connect

When you enable integrations (such as calendars, conferencing, CRM, or productivity tools), we share relevant information with those partners to complete the connection and facilitate scheduling. Those parties’ use of data is governed by their own policies.

Administrators and teams

For enterprise or team accounts, administrators and authorized team members may access, manage, or export data associated with the workspace, including event types and invitee information.

Business transfers

If we engage in a merger, acquisition, financing, or sale of all or part of our business, personal data may be transferred as part of that transaction, subject to appropriate confidentiality protections.

Legal compliance and protection

We may disclose information if required by law, subpoena, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.

With your direction or consent

We share personal data with third parties when you ask us to, such as when you send an invitation, publish a booking link, or request that we share information with a partner. We may also share aggregated or de-identified data that does not identify you.

6. Cookies and Similar Technologies

We use cookies, pixel tags, local storage, and similar technologies to operate and improve the Services. These technologies help us remember preferences, keep you signed in, understand usage, and deliver relevant content.

Types of cookies we use

  • Essential: Required for core functionality and security.
  • Performance and analytics: Help us understand how the Services are used to improve performance.
  • Functional: Enable enhanced features, such as remembering preferences or availability settings.
  • Advertising and targeting: Used to deliver relevant marketing and measure campaigns, where permitted.

Managing preferences

You can manage cookies through your browser settings, our cookie banner (where available), or industry opt-out tools for advertising cookies. Blocking some cookies may affect how the Services function.

Some browsers offer a Do Not Track (DNT) signal. Because there is no common DNT standard, we do not currently respond to DNT, but we honor applicable opt-out choices described above.

7. Data Retention

We keep personal data only as long as needed for the purposes described in this Notice, including to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on the type of data, the nature of our relationship with you, and our legal or contractual obligations.

When data is no longer needed, we will delete or de-identify it in accordance with our retention policies, unless we need to keep it to comply with legal or regulatory requirements.

8. Data Security

We implement technical, administrative, and organizational measures designed to protect personal data, including encryption in transit, access controls, network safeguards, regular monitoring, and employee training. Despite these efforts, no security controls are infallible, and we cannot guarantee absolute security.

If you have reason to believe your account or interaction with us is no longer secure, please contact us immediately using the details in Section 21.

9. International Data Transfers

PepoSmart is operated by PepoCloud LLC in the United States. Your personal data may be transferred to and processed in countries other than where you live, primarily in the United States. These countries may have data protection laws that differ from those in your jurisdiction.

When transferring personal data internationally, we use appropriate safeguards such as Standard Contractual Clauses, reliance on adequacy decisions, or other lawful transfer mechanisms, and we take additional measures as needed to protect personal data.

10. Your Privacy Rights and Choices

Depending on where you live, you may have rights regarding your personal data, including the right to request access, correction, deletion, restriction, or portability, or to object to certain processing. You may also withdraw consent where processing is based on consent.

You can exercise these rights by contacting us at privacy@peposmart.com or using in-product settings where available. We may request information to verify your identity before fulfilling your request. If you are an invitee, your data may also be controlled by the user who invited you, and we may direct you to that organizer to fulfill certain requests.

We will respond consistent with applicable law. You may have the right to appeal our decision if we decline to act on a request (see Section 17 for state appeal rights).

11. Marketing and Communication Preferences

You can opt out of marketing emails at any time by clicking the unsubscribe link in the email or contacting us. Even if you opt out, we may still send you non-promotional messages about your account, transactions, or service updates.

You can adjust cookie-based advertising preferences through our cookie banner (where available), your browser settings, or industry opt-out tools.

12. Third-Party Services and Integrations

The Services may contain links to or integrations with third-party sites, tools, or services. Your use of those services is subject to their terms and privacy policies, which we do not control. We encourage you to review those policies to understand how they handle your data.

If you connect a third-party integration, data may flow between PepoSmart and that provider as directed by you or your organization. Disconnecting an integration will stop new data sharing but may not delete data already shared with that provider.

13. Use of Google Calendar and Google Meet Data (Google API Services Disclosure)

When you connect your Google account and enable Google Calendar and/or Google Meet in the Services, PepoCloud LLC accesses and processes certain data through Google APIs. This section explains how we handle that information in compliance with the Google API Services User Data Policy, including the Limited Use requirements.

Data we access

Depending on the permissions you grant, we may access:

  • Google Calendar data: calendar lists, event metadata (titles, times, attendees, descriptions), and availability needed to provide scheduling.
  • Google Meet data: meeting links, meeting IDs, conferencing settings, and related metadata required to generate and attach Google Meet details to events.

We do not access or store the contents of your meetings (such as audio, video, screen shares, or in-meeting chat) through Google APIs.

How we use Google Calendar and Google Meet data

We use this data solely to:

  • Read existing calendar events to determine your availability and prevent double-booking.
  • Create, update, or delete events created through the Services on your Google Calendar.
  • Generate and attach Google Meet links to events scheduled via the Services.
  • Display meeting details (including Google Meet links) to you and your invitees.

We do not use Google Calendar or Google Meet data for advertising, profiling, or analytics unrelated to providing and improving the scheduling features.

Sharing of Google API data

We do not sell Google user data. We only share Google Calendar and Google Meet data with service providers that help us operate the Services (such as hosting and infrastructure providers), under appropriate confidentiality and security obligations, and as otherwise described in this Notice. We do not share your Google meeting details with third parties for their own marketing or advertising.

Storage and security

OAuth tokens and related credentials are encrypted and stored securely. We store only what is necessary to maintain your integration (for example, a Google Meet link associated with an event). If you disconnect your Google account, we revoke and delete associated tokens and cease accessing Google data.

User control and disconnection

You can disconnect Google integrations at any time from within the Services or from your Google Account (“Security” → “Third-party access”). Once disconnected, we no longer access your Google Calendar or Google Meet data via Google APIs.

Limited Use compliance

PepoCloud LLC’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access and use Google user data only as necessary to provide and improve features directly related to scheduling and meeting management, and not for any other unrelated purposes.

14. Use of Zoom Meeting Data (Zoom API Disclosure)

If you connect your Zoom account to generate or attach Zoom meetings in the Services, we access and process data via Zoom APIs solely to deliver scheduling and meeting functionality in line with Zoom’s API policies.

Data we access

  • Meeting details such as meeting IDs, join links, settings (e.g., waiting room, passcode), and start/end times needed to create or attach Zoom meetings.
  • Basic profile metadata necessary to associate meetings with your account and display host information.

We do not access or store meeting content (audio, video, screen share, chat) through Zoom APIs.

How we use Zoom data

  • Create and update Zoom meetings tied to scheduled events.
  • Attach Zoom join links and meeting details to calendar events and invites.
  • Display meeting details to you and your invitees.

We do not use Zoom data for advertising, profiling, or unrelated analytics.

Sharing, storage, and control

We do not sell Zoom data. We share it only with service providers under appropriate confidentiality and security obligations. OAuth tokens are encrypted and stored securely; if you disconnect Zoom, we revoke and delete tokens and stop accessing Zoom data. You can disconnect via the Services or your Zoom account permissions.

15. Use of Outlook Calendar and Microsoft Teams Data

When you connect Microsoft 365/Outlook Calendar and/or Microsoft Teams, we access data through Microsoft APIs (including Microsoft Graph) solely to provide scheduling and meeting capabilities, consistent with Microsoft’s terms and privacy requirements.

Data we access

  • Outlook calendar data: calendar lists, event metadata (titles, times, attendees, descriptions), and availability for scheduling.
  • Microsoft Teams meeting data: meeting links, IDs, conferencing settings, and related metadata required to generate and attach Teams details to events.

We do not access or store Teams meeting content (audio, video, screen share, or in-meeting chat) through these APIs.

How we use Outlook and Teams data

  • Read existing events to determine availability and avoid double-booking.
  • Create, update, or delete events you schedule through the Services on your Outlook calendar.
  • Generate and attach Microsoft Teams meeting links to scheduled events and display details to you and invitees.

We do not use this data for advertising, profiling, or analytics unrelated to providing and improving scheduling features.

Sharing, storage, and control

We do not sell Microsoft user data. We share Outlook and Teams data only with service providers supporting the Services under confidentiality and security obligations. OAuth tokens and related credentials are encrypted and stored securely; disconnecting your Microsoft account revokes tokens and stops further access. You can disconnect via the Services or your Microsoft account permissions.

16. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, provides specific rights regarding your personal information.

Categories of personal information we collect

Depending on how you interact with us, we may collect identifiers (like name, email, IP address), customer records (billing details), commercial information (purchase history), internet or electronic network activity (usage data, device data), approximate geolocation (derived from IP), professional or employment information (if provided), and inferences drawn from other personal information. We also collect limited sensitive personal information such as account login credentials and payment card token data handled by processors.

Sources and purposes

We collect personal information directly from you, automatically from your use of the Services, from your organization, and from third parties or integrations you enable. We use it for the business and commercial purposes described in Section 3, including providing the Services, security, analytics, support, and marketing consistent with your preferences.

Disclosure of personal information

We disclose personal information to service providers and contractors who process data on our behalf, to integration partners you choose, to affiliates, and for legal or business transfer purposes as described in Section 5. We do not sell personal information. We may “share” personal information for cross-context behavioral advertising through cookies or similar technologies; you can opt out via our cookie banner (where available) or by contacting us.

Your California rights

  • Request to know the categories or specific pieces of personal information we collect, use, disclose, or share.
  • Request correction of inaccurate personal information.
  • Request deletion of personal information, subject to legal exceptions.
  • Opt out of the “sharing” of personal information for cross-context behavioral advertising.
  • Limit the use and disclosure of sensitive personal information to what is necessary to perform our services.
  • Be free from discrimination for exercising your rights.

To exercise your rights, contact us at privacy@peposmart.com. We will verify your request and respond as required by law. You may use an authorized agent to submit a request; we may require proof of authorization and confirmation of your identity.

17. U.S. State Privacy Rights (Virginia, Colorado, Connecticut, Utah, and Similar Laws)

Residents of certain U.S. states have rights such as confirming whether we process personal data, accessing and obtaining a copy of personal data, requesting deletion, correcting inaccuracies, and opting out of targeted advertising, the sale of personal data, or certain profiling.

You can exercise these rights by contacting privacy@peposmart.com and specifying your state of residence. If we decline to act on a request, you may appeal by replying to our decision with “Appeal” in the subject line. We will respond to appeals within the timeframe required by applicable law.

To opt out of targeted advertising via cookies, adjust your browser settings or use our cookie banner (where available).

18. EEA, UK, and Swiss Residents

If you are located in the EEA, UK, or Switzerland, PepoCloud LLC (United States) is the controller of your personal data unless we process it on behalf of a customer as their processor. You may contact our Data Protection Officer at dpo@peposmart.com.

You have the right to lodge a complaint with your local data protection authority, and you may request information about cross-border transfer safeguards (see Section 9). Where we act as a processor on behalf of a customer, please direct your request to that customer for fulfillment.

If we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

19. Children’s Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate steps to delete it.

If we learn that we have collected personal data from a child without appropriate consent, we will delete that information promptly.

20. Changes to This Privacy Notice

We may update this Notice to reflect changes in our practices, technologies, legal requirements, or other factors. When we do, we will update the “Last updated” date at the top of the Notice. In some cases, we may provide additional notice (such as a banner or email).

Your continued use of the Services after an update means you acknowledge the revised Notice.

21. Contact Us

If you have questions about this Privacy Notice or our privacy practices, please contact us:

Email: privacy@peposmart.com

Data Protection Officer: dpo@peposmart.com

Address: PepoCloud LLC, 16192 Coastal Highway, Lewes, DE 19958, United States

Website: https://www.peposmart.com/contact

We are here to help

We value your trust and are committed to transparency. If you have questions about your data or need to exercise your privacy rights, reach out and our team will respond promptly.