m
Start
Now liveBe one of the first 50 founders of Malleable. Founding members keep a lifetime discount.

Legal

Privacy Policy

Last updated: June 23, 2026

Introduction

Malleable ("we," "our," or "us") operates the website malleable.cloud and the Malleable application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our AI-powered calendar management and scheduling assistant service.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our practices, please do not use the Service.

Google API Services User Data Policy

Malleable's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Information We Collect

Information You Provide

  • Account Information: Email address, password (encrypted), and profile details
  • Calendar Data: Events, meetings, appointments, attendees, descriptions, and locations
  • Contact Information: Names, emails, phone numbers, companies, and notes in your CRM
  • Time Tracking Data: Time entries, duration, billable status, and hourly rates
  • Booking Page Data: Page configurations, event types, availability settings
  • Natural Language Input: Text you submit for AI-powered scheduling
  • Communications: Messages, feedback, and support requests you send us

Information from Third-Party Integrations

  • Google Account: When you connect Google, we access your Google Calendar data, including events, attendees, and calendar settings. We store OAuth tokens to maintain the connection.
  • Notion: When enabled, we access your Notion workspace to create meeting notes pages. We store integration tokens to maintain the connection.
  • GitHub: We use GitHub OAuth for sign-in and for the repository and board connector. We request the repo, read:user, and user:emailscopes to read your profile, verified email address, and the repositories and activity needed for the connector. We store an OAuth access token to maintain the connection.

Information Collected Automatically

  • Usage Data: Features used, actions taken, frequency of use, and interaction patterns
  • Device Information: Browser type, operating system, device type, and screen resolution
  • Log Data: IP address, access times, pages viewed, and referring URLs
  • API Usage: Request counts, error rates, and response times for service monitoring

Information from Bookings

When third parties book appointments through your public booking pages, we collect their name, email address, and any information they provide in response to custom questions. This information is associated with your account.

How We Use Your Information

To Provide the Service

  • Process natural language scheduling requests using AI
  • Create, update, and manage calendar events
  • Synchronize data with Google Calendar
  • Create meeting notes in Notion (when enabled)
  • Manage contacts and time tracking
  • Operate public booking pages
  • Send appointment confirmations and reminders

To Improve and Maintain the Service

  • Monitor and analyze usage patterns and trends
  • Identify and fix bugs, errors, and performance issues
  • Develop new features and improve existing ones
  • Ensure service reliability and security

To Communicate with You

  • Send service-related notifications and updates
  • Respond to your inquiries and support requests
  • Notify you of changes to our Terms or Privacy Policy
  • Send important security alerts

For Safety and Compliance

  • Prevent fraud, abuse, and unauthorized access
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect the rights and safety of users

Third-Party Services & Data Sharing

We share your information with the following categories of third parties:

Infrastructure Providers

  • Supabase: Database hosting, authentication, and data storage (PostgreSQL)
  • Vercel: Application hosting and content delivery

AI & Machine Learning

  • Google Gemini AI: To power natural-language scheduling and the AI assistant, we send your request text and the calendar context needed to fulfill it (for example, relevant event titles, times, and availability, and where applicable contact details) to Google's Gemini API. We use the paid Gemini API tier, under which Google does not use your prompts or responses to train or improve its models. Google retains limited request data for a short period solely for abuse monitoring. Google-provided data is never used for advertising or to train generalized AI models, consistent with the Google API Services User Data Policy Limited Use requirements.

User-Initiated Integrations

  • Google Calendar: When you connect your Google account, we read and write calendar events on your behalf using Google's Calendar API.
  • Notion: When you enable Notion integration, we create pages in your specified Notion database for meeting notes.
  • GitHub: When you sign in with or connect GitHub, we access only the data needed for the features you enable, such as your profile, verified email, and the repository and board activity used by the connector.

Payments & Communications

  • Stripe: Processes subscription payments. Your card details are handled by Stripe and never stored on our servers.
  • Resend: Delivers transactional and notification emails (for example, booking confirmations and account messages).

The providers listed above act as our sub-processors. We keep this list current and will provide reasonable advance notice of material changes to the sub-processors that handle your personal data.

We do not sell or share your personal information. We do not disclose your data to advertisers or data brokers. We only share data as described above or when required by law.

Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data based on:

  • Contract Performance: Processing necessary to provide the Service you requested
  • Consent: When you explicitly consent, such as connecting third-party integrations
  • Legitimate Interests: Improving our Service, preventing fraud, ensuring security
  • Legal Obligation: Compliance with applicable laws and regulations

Data Storage & Security

Security Measures

  • Passwords are hashed using industry-standard algorithms (bcrypt)
  • All data is encrypted in transit using HTTPS/TLS 1.2+
  • Data at rest is encrypted in our database infrastructure
  • Row-Level Security (RLS) ensures users can only access their own data
  • OAuth tokens for third-party services are stored securely
  • Regular security monitoring and updates
  • Access controls limit employee access to user data

Data Location

Your data is stored on servers located in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

Your Rights & Choices

Depending on your location, you may have the following rights:

Access & Portability

You can access your data through the Service. You can export your calendar events, contacts, and time entries using the export features in your account settings.

Correction

You can update or correct your profile information and data through the Service at any time.

Deletion

You can delete individual events, contacts, and time entries. You can also delete your entire account, which will permanently remove all your data from our systems within 30 days.

Disconnect Integrations

You can disconnect Google Calendar, Notion, or any other integration at any time through your account settings. This will stop data synchronization but will not automatically delete data already in the Service.

Opt-Out

You can opt out of non-essential emails through your account settings or by clicking "unsubscribe" in any email. Note that you cannot opt out of service-critical communications.

GDPR Rights (EEA Residents)

If you are in the EEA, you also have the right to: object to processing, restrict processing, withdraw consent, and lodge a complaint with your local data protection authority.

CCPA / CPRA Rights (California Residents)

California residents have the right to know what personal information we collect, access it, request correction or deletion, and opt out of the sale or sharing of personal information. We do not sell or share your personal information, so there is nothing to opt out of, but we honor Global Privacy Control (GPC) browser opt-out signals where applicable. Because calendar contents can reveal sensitive personal information, we limit our use of that information to operating and improving the Service for you and do not use it for any other purpose. To exercise any of these rights, contact us at ryan.organically@gmail.com.

Data Retention

Active Accounts: We retain your data for as long as your account is active and as needed to provide the Service.

Account Deletion: When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are legally required to retain it (e.g., for tax, legal, or audit purposes).

Backup Retention: Deleted data may persist in backups for up to 90 days before being permanently removed.

Usage Analytics: Aggregated, anonymized usage data may be retained indefinitely for analytics and service improvement purposes.

Cookies & Tracking

Essential Cookies

We use essential cookies for authentication, session management, and security (CSRF protection). These cookies are necessary for the Service to function and cannot be disabled.

Analytics & Advertising

We use privacy-friendly, cookieless analytics (Vercel Analytics) to understand aggregate, anonymized usage of the Service. This does not set tracking cookies and does not follow you across other websites.

If advertising measurement is enabled (a Google Ads tag, used to measure the effectiveness of our advertising), it may set cookies on the marketing pages where it loads. This is gated and limited to that purpose, and it is not used to profile you or track you across unrelated sites. We do not participate in broad ad networks and we do not sell or share your personal information for cross-context behavioral advertising.

Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that we have collected personal information from a child under 18, we will delete that information promptly.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws. By using the Service, you consent to the transfer of your information to these countries. We take steps to ensure your data is protected in accordance with this Privacy Policy regardless of where it is processed.

Beta/Development Notice

IMPORTANT: BETA SERVICE

Malleable is currently in development and beta testing. While we implement reasonable security measures, features may change and the service is provided "as-is." We recommend using caution with highly sensitive information and maintaining your own backups of important data.

Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and may notify you by email or through the Service. Your continued use of the Service after any changes constitutes acceptance of the revised Privacy Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: ryan.organically@gmail.com

Website: malleable.cloud

We will respond to your inquiry within 30 days. For data access, correction, or deletion requests, we may need to verify your identity before processing your request.

BY USING MALLEABLE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.