Privacy Policy
Last updated: 5 May 2026
1. Introduction
Vennio ("we," "us," or "our") is a demand-side scheduling infrastructure platform that helps businesses and individuals coordinate meetings by aggregating calendar availability. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service at vennio.app.
We are committed to protecting your privacy and handling your data transparently. Please read this policy carefully to understand our practices regarding your personal data.
2. Data Controller
For the purposes of UK GDPR and EU GDPR, the data controller is:
Whisker One Ltd (trading as Vennio)
Company number: 16270781
Registered office: 34 The Broadway, North Shields NE30 2LQ
Email: matt@vennio.app
Website: https://vennio.app
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Name: Your full name as provided by your authentication provider
- Email address: Used for account identification and communications
- Profile picture: If provided by your authentication provider (optional)
- Authentication tokens: Encrypted OAuth tokens to maintain your calendar connections
You may authenticate using Google OAuth or Microsoft OAuth.
3.2 Calendar Data
With your explicit permission, we access calendar data from your connected accounts.
What we read and store:
- Free/busy status (available, busy, tentative)
- Event start and end times
- Calendar timezone settings
- The list of calendars in your connected account (so you can choose which calendar Vennio uses)
What we do not read or store:
- Event titles or descriptions
- Attendee lists or email addresses
- Event locations
- Meeting notes or attachments
- Private or sensitive event details
The OAuth scopes we request technically permit access to event titles, attendees, descriptions, and locations. In line with Google's Limited Use requirements and our own data minimisation principles, Vennio reads and stores only the timing and free/busy fields listed above. We do not read, store, log, or transmit event content fields, even when the API returns them.
The only exception is when Vennio creates a calendar event on your behalf in response to a confirmed booking. In that case, we write a title (e.g. "Meeting with [customer name]"), the booking time, and the customer's email address as an attendee. We do not modify any of your existing events.
If additional calendar permissions are required for specific features in future, we will clearly explain what data is needed and request your explicit consent before accessing it.
3.3 Scheduling Data
When you use our scheduling features, we collect:
- Proposed meeting times and responses
- Scheduling preferences and settings
- Booking confirmations and history
- Communications related to scheduling
3.4 Usage Data
We automatically collect certain information when you use the Service:
- Pages and features accessed
- Time spent on the Service
- Actions taken (clicks, form submissions)
- Device information (browser type, operating system)
- IP address (anonymised for analytics)
- Referring website or source
3.5 Communications Data
When you contact us, we collect:
- Email correspondence
- Support requests and feedback
- Any information you choose to provide
4. How We Use Your Information
We use your information for the following purposes and legal bases:
| Purpose | Legal Basis (UK/EU GDPR) |
|---|---|
| Provide scheduling and calendar coordination services | Performance of contract |
| Display your availability to parties you authorise | Performance of contract |
| Send booking confirmations, reminders, and service notifications | Performance of contract |
| Maintain and secure your account | Performance of contract / Legitimate interests |
| Process payments and manage subscriptions | Performance of contract |
| Respond to your enquiries and support requests | Performance of contract / Legitimate interests |
| Improve and develop new features | Legitimate interests |
| Analyse usage patterns and service performance | Legitimate interests |
| Send product updates and announcements | Legitimate interests (with opt-out) |
| Comply with legal obligations | Legal obligation |
| Protect against fraud and abuse | Legitimate interests |
We will never use your calendar data to:
- Serve you advertisements
- Build advertising profiles
- Sell to third parties
- Train machine learning models unrelated to providing you the Service
5. Google API Services Disclosure
Vennio's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We request the following Google OAuth scopes:
- https://www.googleapis.com/auth/calendar.events — used to read event start and end times for availability calculation, to create calendar events when bookings are confirmed (with the booker added as an attendee), and to register webhooks that notify Vennio of changes to your calendar so availability stays accurate. We do not read or store event titles, descriptions, attendees of your existing events, or event locations.
- https://www.googleapis.com/auth/calendar.calendarlist.readonly — used to display the list of your calendars so you can choose which one Vennio reads availability from and writes booking events to.
- openid, email, profile — used to identify your Vennio account and display your name and email in the application.
We do not request access to your full Google Calendar, the ability to share or modify calendars themselves, or any scope outside the list above.
Specifically, we confirm that:
- Limited Use: We only use Google user data to provide and improve the scheduling features you have requested. We do not use Google user data to serve advertisements, build advertising profiles, or train machine learning models unrelated to providing the Service.
- No unauthorised sharing: We do not transfer Google user data to third parties except:
  - As necessary to provide the Service (for example, infrastructure providers listed in Section 7.2)
  - With your explicit consent
  - As required by law
  - In connection with a merger, acquisition, or sale of assets, with notice to you
- No human access without consent: We do not allow humans to read your Google user data unless:
  - You have given us affirmative agreement for specific messages (for example, when you submit a support request that references your calendar)
  - It is necessary for security purposes (for example, investigating abuse or a security incident)
  - It is required to comply with applicable law
  - The data has been aggregated and anonymised, and is being used for internal operations
- Security: We implement appropriate security measures to protect Google user data from unauthorised access, alteration, disclosure, or destruction. OAuth tokens are encrypted at rest using AES-256-GCM. Access controls and authentication apply to all systems handling Google user data.
6. Microsoft API Services Disclosure
When you connect a Microsoft account, we access your calendar data through the Microsoft Graph API. We request the Calendars.ReadWrite scope to read your calendar events for availability calculation and create events when bookings are confirmed. We comply with Microsoft's API Terms of Use and the Microsoft Privacy Statement.
We apply the same data minimisation and security principles to Microsoft data as we do to Google data, as described in this Privacy Policy.
7. Data Sharing
We do not sell, rent, or trade your personal information.
We share your data only in the following circumstances:
7.1 With Your Consent
- Availability sharing: We display your free/busy times to parties you explicitly choose to share with through the Service
- Integration partners: When you connect third-party services (HubSpot, Salesforce, etc.), we share necessary data to enable the integration
7.2 Service Providers
We use trusted third-party service providers to help operate the Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Google Cloud / Google Calendar API | Calendar integration | Calendar data, OAuth tokens | USA/Global |
| Microsoft Graph API | Calendar integration | Calendar data, OAuth tokens | USA/Global |
| Supabase | Database and authentication | Account data, application data | USA (AWS) |
| Azure | Hosting (API, docs, marketing) | Usage data, application data | West Europe |
| Resend | Transactional email delivery | Email address, name | USA |
| HubSpot (optional) | CRM integration | Contact data, scheduling data | USA |
| Salesforce (optional) | CRM integration | Contact data, scheduling data | USA |
All service providers are contractually obligated to protect your data and use it only for the purposes we specify.
7.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court order, government request).
7.4 Business Transfers
If Vennio is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
7.5 Protection of Rights
We may disclose information to protect the rights, property, or safety of Vennio, our users, or others.
8. International Data Transfers
Your information may be transferred to and processed in countries outside the United Kingdom and European Economic Area, including the United States, where our service providers are located.
When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU/UK-approved standard contractual clauses with our service providers
- Adequacy decisions: Where applicable, we rely on adequacy decisions by the UK or EU
- Supplementary measures: We implement additional technical and organisational measures as needed
You can request more information about these safeguards by contacting us at matt@vennio.app.
9. Data Retention
We retain your data for as long as necessary to provide the Service and fulfil the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account, plus 30 days |
| Calendar data (cached) | Real-time sync; deleted within 30 days of disconnection |
| OAuth tokens | Until you disconnect the calendar or delete your account |
| Scheduling history | 2 years from the scheduled event date |
| Usage analytics | 26 months (anonymised/aggregated) |
| Support correspondence | 3 years from last contact |
| Payment records | 7 years (legal requirement) |
| Backup copies | Up to 90 days after deletion from active systems |
When you delete your account:
- Your personal data is deleted from active systems within 30 days
- Backup copies are purged within 90 days
- Anonymised, aggregated data may be retained indefinitely
10. Data Security
We implement appropriate technical and organisational measures to protect your data:
Technical measures:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest for sensitive data
- Secure OAuth token storage (encrypted, not plain text)
- Regular security assessments
- Access controls and authentication
- Automated vulnerability scanning
Organisational measures:
- Limited access to personal data on a need-to-know basis
- Security training and awareness
- Incident response procedures
- Regular review of security practices
While we strive to protect your data, no method of transmission or storage is 100% secure. If you become aware of any security issues, please contact us immediately at matt@vennio.app.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
- Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
- Document the breach and remediation steps taken
12. Your Rights
Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:
12.1 Right of Access
You can request a copy of the personal data we hold about you.
12.2 Right to Rectification
You can request that we correct inaccurate or incomplete data.
12.3 Right to Erasure ("Right to be Forgotten")
You can request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
12.4 Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
12.5 Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
12.6 Right to Object
You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
12.7 Rights Related to Automated Decision-Making
We do not currently make decisions based solely on automated processing that produce legal or similarly significant effects.
12.8 Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise your rights:
- Email us at matt@vennio.app
- Use the self-service options in your account settings (where available)
We will respond to your request within one month. This period may be extended by two further months for complex requests, in which case we will inform you.
We may ask you to verify your identity before processing your request.
12.9 Right to Complain
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In the UK, this is:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Helpline: 0303 123 1113
13. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at matt@vennio.app. If we discover that we have collected personal information from a child under 16, we will delete that information promptly.
14. Cookies and Similar Technologies
14.1 What We Use
We use cookies and similar technologies for the following purposes:
| Type | Purpose | Duration |
|---|---|---|
| Essential cookies | Session management, authentication, security | Session / 30 days |
| Preference cookies | Remember your settings and choices | 1 year |
| Analytics cookies | Understand how users interact with the Service | 26 months |
14.2 What We Don't Use
We do not use:
- Third-party advertising cookies
- Cross-site tracking cookies
- Social media tracking pixels
14.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.
15. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.
How we will notify you:
- Material changes: Email notification and prominent notice on the Service
- Minor changes: Updated "Last updated" date on this page
We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: matt@vennio.app
Website: https://vennio.app
We aim to respond to all enquiries within 5 business days.
By using Vennio, you acknowledge that you have read and understood this Privacy Policy.