Lucas Weiper
CEO
Why keeping GDPR in mind matters
Scheduling tools like Cal.com or Calendly are extremely practical: customers can book appointments directly on your website, internal coordination is reduced, and leads are automatically assigned to the right team member.
But many businesses overlook one problem: data protection.
With third-party embeds like Cal.com, the GDPR requires that no data may be collected without the user’s active consent.
What data does Cal.com collect?
If Cal.com is embedded into a website via an iFrame, data is automatically collected – even before the user interacts with the tool. This includes:
- IP address
- Browser and device information
- Date and time of access
- Cookies / session data for calendar functionality
This data flow happens before a booking takes place – which is a GDPR issue.
The GDPR-compliant way
To remain legally compliant, you need a consent mechanism.
Our recommended solution:
- Add a button informing the user:
“To view the booking tool, we load content from Cal.com. More information in the Cal.com Privacy Policy.” - Only when the user clicks does the Cal.com embed load – meaning they have actively agreed.
- The booking tool then opens in a popup or overlay, without data being sent beforehand.
This way, the user experience remains smooth and GDPR compliance is ensured.
What about self-hosting Cal.com?
Cal.com is also available as open source software and can be self-hosted. In this case, all bookings and data run through your own infrastructure – not Cal.com’s servers.
Advantages:
- Full data control (IP addresses, logs, booking data remain internal)
- Easier GDPR compliance (no third-party transfers)
- Flexibility (privacy policy tailored to your setup)
- Direct embed possible (consent can be handled via your cookie banner, saving the user an extra click)
Note: Even with self-hosting, GDPR still applies – users must be informed that data is processed and stored by you.
For companies with high privacy and sovereignty requirements, self-hosting is an attractive option.
Does this approach work with other tools?
Yes – the consent-button mechanism also applies to other booking tools:
- Calendly: Same issue as Cal.com → consent required.
- Microsoft Bookings: Integrates with Microsoft 365, but still transfers data → consent advisable.
- Zoho Bookings: Also collects data when embedded → consent button needed.
- SimplyBook.me: Some built-in GDPR features, but consent is still the safer route.
Conclusion
Calendar booking tools are a central part of modern websites – but data protection must not be overlooked.
Cal.com is a strong alternative to Calendly, provided the integration is GDPR-compliant.
With a consent button + clear user information, you can ensure that your site remains both user-friendly and legally sound.
