Skip to content

Security

Last updated: June 2026

CalenTick handles your calendar, your customers' contact details, and the conversations behind every booking. Secure scheduling is a core requirement of that job, not an afterthought. This page explains our security posture in plain language so you can evaluate CalenTick with confidence.

This page describes our general security approach and is provided for informational purposes only. It is not a contractual commitment, audit report, or certification. For specific compliance documentation, a security questionnaire, a Data Processing Addendum, or sub-processor disclosures, please contact us and we will help.

Our security philosophy

Trust is the product. People only let an AI assistant read their messages, answer their phone, and write to their calendar if they believe that data is handled carefully. We design CalenTick to collect the minimum data needed to book a meeting, to request the narrowest possible permissions, and to make it easy to delete what we hold. The sections below describe how that plays out across encryption, calendar access, infrastructure, access controls, and data lifecycle.

Data encryption

In transit

All traffic between your browser, your customers' devices, and CalenTick is encrypted using TLS (HTTPS). Our public marketing site, booking pages, and application endpoints are served only over secure connections, and we disable insecure protocol versions and weak cipher suites. Integrations with calendar and messaging providers are likewise made over encrypted channels.

At rest

Data stored by CalenTick — including booking records, contact details, and integration tokens — is encrypted at rest using strong, industry-standard algorithms (such as AES-256). Access tokens and other secrets are stored encrypted and are never exposed in logs or to the browser.

Calendar access and least-privilege OAuth

CalenTick connects to Google Calendar and Microsoft Outlook through OAuth, so you authorise access from your provider and can revoke it at any time without sharing a password with us. We request the narrowest scopes that still let us do the job:

  • Read your free/busy availability so we never double-book you.
  • Create, update, and cancel the specific events that result from a CalenTick booking.
  • Read attendee and time-zone details needed to send accurate reminders.

We avoid requesting broad mailbox, contact-export, or admin-level permissions that are not required for scheduling. You can disconnect a calendar from CalenTick or revoke the grant directly in your Google or Microsoft account, and we stop accessing it immediately.

Infrastructure and hosting

CalenTick runs on reputable cloud infrastructure operated by established providers with their own physical, environmental, and network security controls. We rely on managed services for compute, databases, and networking so that patching and underlying hardening benefit from provider-grade operations. Our static marketing site is served from a content delivery network, while the booking application and AI services run in a separate, access-controlled environment.

  • Network segmentation between public, application, and data tiers.
  • Firewalling and restricted inbound access to production systems.
  • Automated dependency and platform updates to address known vulnerabilities.

Access controls

Internally, access to production systems and customer data is limited to the people who need it to operate and support the service, and is granted on a least-privilege basis. We protect administrative access with strong authentication, and we log and review access to sensitive systems.

  • Role-based access so staff only reach the data their role requires.
  • Multi-factor authentication on administrative and infrastructure accounts.
  • Prompt revocation of access when a team member changes roles or leaves.

Data retention and deletion

We keep personal and booking data only for as long as it is needed to provide the service, meet legal obligations, or resolve disputes. When you delete a booking, disconnect an integration, or close your account, we delete or de-identify the associated data within a reasonable period, except where we are required to retain it. You can also request deletion of your data at any time.

  • Disconnecting a calendar revokes our access and removes stored tokens.
  • Closing your account triggers deletion of your workspace data.
  • Backups are retained for a limited window and then expire automatically.

For details on what categories of data we collect and why, and on your rights as a data subject, see our Privacy Policy.

Sub-processors

To deliver scheduling across web, WhatsApp, and voice, CalenTick uses a small set of trusted third-party sub-processors — for example, cloud hosting, messaging and telephony providers, calendar APIs, email and SMS delivery, and AI model providers. We choose vendors with their own security commitments and share only the data each one needs to perform its function.

A current sub-processor list is available on request. The way these third parties handle data is also governed by our Terms of Service.

Responsible disclosure

We welcome reports from security researchers and customers. If you believe you have found a vulnerability in CalenTick, please contact us at anooppalaz@gmail.com with enough detail to reproduce the issue. Please give us a reasonable opportunity to investigate and remediate before any public disclosure, and avoid accessing, modifying, or deleting data that is not your own while testing. We will acknowledge valid reports and keep you updated on our progress.

Questions and compliance documentation

Security is an ongoing program, and we continue to improve our controls as CalenTick grows. If your organisation needs a security questionnaire completed, a Data Processing Addendum, or specific compliance details, please reach out via our contact page and we will work with you.