data_privacy_h1

Last updated: 2026-04-22 · Version: 2.0

1. About this policy

meetergo GmbH (“meetergo”, “we”, “us”) provides a scheduling and customer-communication platform. This policy explains how we process personal data when you visit our websites, use the meetergo application, or book a meeting through a meetergo booking page.

Read the general information in sections 1–7 and then the section that applies to you:

• Section 8 — you are visiting our public website or help center.
• Section 9 — you are a meetergo account holder (or a team member of an account).
• Section 10 — you are booking a meeting with someone who uses meetergo.

Processing that is common to all three contexts — subprocessors, transfers, retention, rights, security, complaints — is set out in sections 11–18.

2. Controller and contact

The controller for the processing described in this policy is:

meetergo GmbH
Hauptstr. 44, 40789 Monheim am Rhein, Germany
Phone: +49 221 16 12 239
Email: privacy@meetergo.com

For data-protection inquiries or to exercise your rights, contact privacy@meetergo.com. Inquiries are handled by the managing director together with our privacy team.

3. Who this policy addresses

We distinguish three groups:

meetergo users. You hold a meetergo account or act on behalf of an account. We are the controller for your account data (login, billing, preferences, usage of the application). For the personal data of people who book with you or fill in forms you own, we act as your processor under Art. 28 GDPR — see section 4.

meetergo guests. You are interacting with meetergo through a meetergo user’s invitation — for example by booking a meeting, submitting a form or joining a meetergo Connect call — without a meetergo account of your own. The meetergo user who invited you is the controller for the data you supply and for what happens with it afterwards. We operate the underlying infrastructure and act on that user’s instruction, with a small set of processing activities for which we are ourselves controller (infrastructure delivery, abuse prevention, consent audit logs).

Website visitors. You are browsing our public website or help center without being logged in. We are the controller for the limited processing this involves.

Example: when ACME GmbH uses meetergo to let prospects book demo calls, ACME is the controller for the booking data; meetergo is ACME’s processor; the prospect is a meetergo guest.

No automated decisions with legal or similarly significant effect. Where automated logic makes decisions without human involvement — for example routing a booking to an available host, applying round-robin assignment, or evaluating a qualifying form — those decisions do not produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22(1) GDPR. The service does not carry out automated individual decision-making subject to Art. 22(1) GDPR. The optional AI features described in section 9 generate suggestions for you to accept, edit or discard and likewise do not make Art. 22(1) decisions.

4. Our role as processor for customer data

As a meetergo user you process personal data about your contacts, bookers and form respondents through meetergo. For that data we are your processor under Art. 28 GDPR. You are the controller. You are responsible for informing those data subjects under Art. 13/14 GDPR and, where required, for establishing the lawful basis for the processing. A data processing agreement (Auftragsverarbeitungsvertrag) is available for download from your meetergo admin area.

5. Legal bases

We rely on the following legal bases under Art. 6 GDPR:

Where we rely on legitimate interest we name the specific interest in the relevant processing activity below. You can object to such processing at any time under Art. 21 GDPR.

6. Cookies and similar technologies

We distinguish between cookies and similar storage that are strictly necessary to deliver a service you have requested, and those that are not.

• Strictly necessary cookies and storage (session cookie, CSRF token, consent-state storage, UI preferences) are set without consent under § 25(2) TDDDG.
• All other cookies, local-storage entries and similar technologies — in particular analytics and marketing identifiers — are set only after you grant consent via our consent banner, in line with § 25(1) TDDDG and Art. 6(1)(a) GDPR.

You can change or withdraw your consent at any time using the “Cookie settings” link in the footer.

Our consent banner is provided by Digital Data Solutions B.V. (CookieFirst) (Plantage Middenlaan 42A, 1018DH Amsterdam, Netherlands), which stores your consent record under Art. 6(1)(c) GDPR. No data is transferred outside the EEA for this purpose.

7. Product analytics in the authenticated application

Inside the meetergo application we use PostHog Inc. (EU region) to understand how the product is used so we can operate, support and improve it. Processing is limited to explicit product events and page-level telemetry; we do not use automatic DOM recording or session replay.

Legal basis: your consent under § 25(1) TDDDG and Art. 6(1)(a) GDPR, given through the in-app cookie settings. You can withdraw consent at any time through the same settings. On withdrawal we stop capturing further events about you and delete your existing PostHog profile without undue delay, in line with Art. 7(3) and Art. 17(1)(b) GDPR.

PostHog hosts this data in the European Union. Transfers to the United States, where they may occur for support purposes through the PostHog group, are covered by the EU-US Data Privacy Framework and Standard Contractual Clauses (2021/914) as a fallback.

8. Website visitors — meetergo.com, help.meetergo.com and developer.meetergo.com

8.1 Server access data

When you visit one of our public websites our server logs the request IP, timestamp, user-agent, URL, response status and response size. We use these logs for the secure and reliable operation of the service and for abuse prevention (Art. 6(1)(f) GDPR — our legitimate interest in defending our infrastructure). Access logs are retained for up to 14 days.

8.2 Google Analytics 4

Subject to your consent we use Google Analytics 4 to measure aggregate website usage and to improve content and advertising. The service is provided by Google Ireland Limited (Ireland), with onward transfers to Google LLC in the United States. Data includes pages viewed, events triggered, approximate geo-location, anonymised IP, referrer, user-agent and a random client identifier stored in a cookie. Legal basis: § 25(1) TDDDG and Art. 6(1)(a) GDPR. Transfer mechanism: EU-US Data Privacy Framework and Standard Contractual Clauses (2021/914). Data is retained in Google Analytics for up to 14 months. You can withdraw consent at any time via our cookie banner.

8.3 Google Tag Manager

We use Google Tag Manager (same provider as above) to load tags in a way that honours your consent settings. Same legal basis and transfer mechanism as section 8.2.

8.4 Embedded YouTube

Some pages embed YouTube video players. Subject to your consent they load in privacy-enhanced mode (youtube-nocookie.com) where technically possible. Provider: Google Ireland Limited; onward transfers to Google LLC. Data includes device information, IP address, referrer URL and which videos you viewed. Legal basis: § 25(1) TDDDG and Art. 6(1)(a) GDPR. Transfer mechanism: EU-US Data Privacy Framework and Standard Contractual Clauses.

8.5 Content delivery

Static assets (images, fonts, scripts) are served through BunnyWay d.o.o. (bunny.net), an EU-established CDN with primarily EU edge nodes. Serving a static asset unavoidably discloses the requester’s IP address and user-agent to the CDN. Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in the security, abuse protection (including mitigation of denial-of-service attacks) and operational integrity of our services, which a CDN provides more reliably than origin-only delivery.

8.6 Anti-spam

Selected forms — in particular forms on which we, or a meetergo user, have enabled anti-spam protection — use Friendly Captcha GmbH (Germany) to verify that the submission is made by a human. Friendly Captcha is not loaded on forms where this protection has not been activated. Data processed when it is loaded: anonymised IP, referrer URL, URL, user-agent, timestamp. Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in preventing automated misuse. No third-country transfer.

8.7 Webinar registration

When you register for a webinar we process your email address, first name and last name to register you, send the join link, and send any follow-up materials you opted in to receive. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and, where applicable, Art. 6(1)(a) GDPR (consent for follow-up materials). Registration records are deleted when the follow-up is complete.

8.8 Contact form and email

When you contact us we process your contact details and the contents of your message to respond. Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in answering inquiries — and Art. 6(1)(b) GDPR where the inquiry leads to a contract. Statutory retention applies to commercial correspondence where it is received or sent.

8.9 Applications

When you apply for a job with us, we process the documents you submit (CV, cover letter, references, contact details) to evaluate your application. Legal basis: Art. 6(1)(b) GDPR in conjunction with § 26 BDSG. If we do not hire you, we retain your application for up to six months after the decision to defend against claims under the General Equal Treatment Act (§ 15 Abs. 4 AGG) and then delete it.

Application data is processed through HeyJobs GmbH (Join) as our processor.

9. Account holders — the meetergo application

9.1 Who this section addresses

This section describes processing about you as a meetergo user — the person holding or using a meetergo account. For personal data you process about your own contacts, bookers and form respondents through meetergo, see section 4 (processor role) and the separate data processing agreement available in your admin area.

9.2 Categories of personal data we process about you

Account identity and profile. Name, email, password hash, locale, timezone, profile picture, optional phone number, sign-in timestamps and account-level preferences. Used to authenticate you, operate the service and contact you about your account. Legal basis: Art. 6(1)(b) GDPR.

Company and workspace data. Company name, billing address, VAT number, branding settings and team configuration. Provided by you or another administrator of your company. Legal basis: Art. 6(1)(b) GDPR.

Appointments, meeting types and availability. Bookings created on your booking pages, your meeting types, availability schedules, buffer rules, routing logic, forms attached to a meeting type. Legal basis: Art. 6(1)(b) GDPR.

CRM contacts and deals. Contact records, deals and pipeline state. Where these contain personal data about other people we act as your processor under Art. 28 GDPR (see section 4); you are the controller. We do not enrich contact data from third-party data brokers.

Forms and form submissions. Form definitions you created and the submissions received through them. Processor relationship as above for respondent data.

Integration connection metadata. Which integrations you connected, the scopes granted, the connected account identifier and connection timestamps. We do not disclose OAuth access and refresh tokens, API keys, SMTP passwords or comparable credentials in any data export, because disclosure would compromise the security of your account and of the integrated third-party services — we withhold them as a security measure under Art. 5(1)(f) and Art. 32 GDPR, and in reliance on Art. 15(4) GDPR where the credentials would also grant access to the data of others (for example other attendees of a synced calendar). Legal basis for processing the metadata: Art. 6(1)(b) GDPR.

Calendar and conferencing integrations. Where you connect Google Calendar, Microsoft Outlook, Apple iCloud, Zoom, Microsoft Teams, Google Meet or a similar provider, meetergo reads your calendar to determine your availability and to create, update and delete the events you book through meetergo and the conferencing links attached to them. We do not use calendar data for any purpose other than providing the scheduling service you configured.

meetergo Connect — built-in video and audio conferencing. When you use meetergo Connect for a video or audio call, the audio and video streams and the associated session metadata are processed on meetergo-operated media servers hosted at AWS Frankfurt (eu-central-1), including the TURN relay used to traverse restrictive networks. Streams are not routed through a third-party conferencing provider such as Zoom, Google Meet or Microsoft Teams. Legal basis: Art. 6(1)(b) GDPR.

CRM Email Sync (optional). If — and only if — you explicitly enable the CRM Email Sync feature, meetergo additionally requests read-only access to your mailbox (the gmail.readonly Google scope) to match incoming and outgoing email with contacts in your meetergo CRM. This feature is opt-in, disabled by default, and can be revoked at any time from the integration settings. Outside of this opt-in feature, meetergo does not access your mailbox.

Notifications and reminders. In-app notifications generated by meetergo in response to events on your account, and scheduled reminder records derived from reminder configurations you created. Legal basis: Art. 6(1)(b) GDPR.

Uploaded files and video assets. Files and videos you uploaded, plus metadata (filename, MIME type, hash, timestamps). Legal basis: Art. 6(1)(b) GDPR.

Subscription and billing. Your plan, billing cycle, subscription status, invoice records and a Stripe customer identifier. We do not store your card details ourselves; payment card data is processed by Stripe on Stripe’s PCI-DSS-certified infrastructure under our contract with Stripe Payments Europe Ltd. Legal basis: Art. 6(1)(b) GDPR combined with Art. 6(1)(c) GDPR for records subject to statutory retention.

Double opt-in audit logs. Where a double-opt-in confirmation is required, we record the minimum information necessary to evidence consent: timestamp, event type, truncated user-agent, IP address and the confirmation token. The raw IP address is retained for 30 days and then cleared; a salted one-way hash of the IP is kept for the remainder of the audit record to preserve evidentiary integrity without storing the raw identifier. Legal basis: Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR — our obligation to demonstrate consent.

Product analytics. See section 7.

Server access logs. Request IP, timestamp, user-agent, URL, status and response size. Used for security, abuse prevention and operational integrity. Legal basis: Art. 6(1)(f) GDPR. Retained for up to 14 days.

Customer support conversations. Where you contact us through our in-app chat or support email we process your profile and session identifiers and the contents of the conversation. Provider: Crisp IM SAS (France), acting as our processor. Legal basis: Art. 6(1)(b) GDPR for account holders; Art. 6(1)(f) GDPR for other inquiries (our legitimate interest in responding). Conversations are retained for 90 days in Crisp.

Transactional email. Booking confirmations, reminders and account notifications are delivered through Resend, Inc. (provider) under our instruction. No engagement metrics (opens, clicks) are collected by us for this category.

Customer-communication email. Where you have opted in to receive newsletters, product updates or outreach, the delivery provider is Brevo SAS (formerly Sendinblue SAS) (France). Legal basis: Art. 6(1)(a) GDPR — consent given at the point of subscription, revocable at any time via the unsubscribe link in every such email or by contacting privacy@meetergo.com. Engagement metrics (opens, clicks) are processed only to the extent you have consented.

AI-assisted features. meetergo offers optional AI features — for example the Calgent booking assistant and AI-assisted creation of meeting types and forms. These features are meetergo’s own features, built on Microsoft Azure OpenAI; Calgent is not a separate third-party product. They are invoked only when you use them. The prompt or content you submit is transmitted to Microsoft Corporation (Azure OpenAI) to generate a suggestion. Under our Azure OpenAI service terms, prompts are not used to train Microsoft or OpenAI models, and prompts are retained for up to 30 days by Microsoft solely for abuse monitoring. Requests are routed to EU Azure regions where available. Legal basis: Art. 6(1)(b) GDPR. These features produce suggestions for you to accept, edit or discard; they do not make automated decisions within the meaning of Art. 22 GDPR. AI-generated outputs may be inaccurate or incomplete and should be reviewed before use; you remain responsible for the content you send, publish or act on.

SMS and WhatsApp messages. Where you configure outbound SMS or WhatsApp messages through meetergo — for example booking reminders, confirmations, or messages sent as part of a workflow — the recipient’s phone number, the message content and the delivery status are processed by Twilio, Inc. under our instruction. Legal basis: Art. 6(1)(b) GDPR for the service to you; you are responsible as controller for the lawful basis towards the message recipient.

9.3 Your choices inside the application

Most account data is editable directly in the settings. You can close your account from the admin area. On closure we delete your account data within 30 days, subject to the statutory retention obligations set out in section 13 (in particular billing records). You can also request deletion of a specific item (a contact, a file, a booking) at any time by contacting privacy@meetergo.com, and you can request a machine-readable export of the personal data we hold about you under Art. 15 GDPR via the same address.

10. Guests

10.1 What you are reading

You are reading this section because you are interacting with meetergo through a meetergo user’s invitation — by booking a meeting, submitting a form or joining a meetergo Connect call — without having an account of your own. This section explains what happens to your data from our side. For what the meetergo user does with your data afterwards (for example adding you to their CRM or sending follow-up emails), please contact them — their details are displayed on the booking or form page and in any confirmation email you received.

The subsections below refer to “booking pages” for brevity; the same principles apply to standalone form pages a meetergo user has set up, which use the same page infrastructure.

10.2 Two controllers

The meetergo user you booked with is the controller for the booking itself: the name and email you supplied, the time you picked, anything you wrote in the form fields and everything they do with that data afterwards.

meetergo GmbH acts as their processor for the operation of the booking infrastructure. We ourselves are controller only for a small set of processing activities which we need to operate the platform: the technical delivery of the page, abuse prevention, and — where the meetergo user has enabled it — double opt-in audit logs to evidence consent to the booking. These are described below.

10.3 Cookies and third-party scripts on booking pages

meetergo itself does not load analytics or marketing scripts on booking pages. The only browser storage meetergo sets by default is a short-lived session token required to protect the submission against CSRF and duplicate bookings; this is strictly necessary under § 25(2) TDDDG and does not require your consent.

The meetergo user whose booking page you are visiting can enable Google Analytics 4 and/or Meta Pixel tracking on their booking page. Where such tracking is enabled, the relevant scripts are loaded only after consent has been collected:

• Standalone booking pages. meetergo shows its own cookie banner (provided through CookieFirst, see section 6) on the booking page and loads the configured analytics or marketing scripts only after you have consented through it, in line with § 25(1) TDDDG and Art. 6(1)(a) GDPR. If you decline, the scripts do not load and the booking page continues to function normally.
• Embedded booking pages. Where the booking page is embedded as an iframe on the meetergo user’s own website, meetergo relies on the consent collected by the embedding website’s cookie banner before loading the scripts. The meetergo user is required, as controller for the embedding website, to ensure that a TDDDG-compliant consent is in place before the iframe is rendered.

For the tracking the meetergo user has configured, that user becomes a controller (or joint controller together with the respective tracking provider) for the processing that takes place once the script has loaded, including the retention and use of the collected data on the provider’s platform. For questions about tracking on a specific booking page, please contact the meetergo user whose page it is; their contact details are displayed on the booking page.

10.4 Technical delivery

For each request to a booking page our server logs the request IP, timestamp, user-agent and URL. Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in the operational integrity and security of the service. Retained for up to 14 days.

10.5 Anti-spam (where activated)

Where the meetergo user has activated anti-spam protection for their booking page, submissions are checked by Friendly Captcha GmbH (Germany). Friendly Captcha is not loaded on booking pages where this protection has not been activated. Data processed when it is loaded: anonymised IP, referrer URL, URL, user-agent, timestamp. Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in preventing automated and fraudulent bookings. No third-country transfer.

10.6 Double opt-in (where enabled)

Where the meetergo user has enabled a double-opt-in confirmation, you will receive a confirmation email and must click a link to finalise the booking. We record the minimum information needed to evidence consent: timestamp, event type, truncated user-agent, IP address and the confirmation token. The raw IP address is retained for 30 days and then cleared; a salted one-way hash of the IP is kept for the remainder of the audit record. Legal basis: Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR.

10.7 Joining a meetergo Connect call

When you join a meetergo Connect video or audio call, your audio and video streams are relayed through meetergo-operated media servers at AWS Frankfurt (eu-central-1). Streams are processed only for the duration of the call; Connect currently offers no recording feature. Session metadata (session identifier, the display name you chose, join and leave timestamps, device and connection-quality data your browser reports, IP address) is processed to establish and maintain the call and retained in access logs for up to 14 days.

Legal basis: Art. 6(1)(b) GDPR. What the meetergo user does with your participation afterwards (for example linking it to a meeting record or a CRM entry) is their own processing as controller — contact that user for questions about that downstream use.

10.8 Exercising your rights

You retain the full set of data-subject rights described in section 14. For questions about what the meetergo user does with the data you supplied (such as requests to delete your booking record, form submission or call-participation record, or to object to marketing), please contact that user directly in the first instance. For questions about meetergo’s own controller-side processing, write to privacy@meetergo.com. If you contact us about a matter that is really for the meetergo user we will forward the request to that user without undue delay and let you know.

11. Subprocessors

We work with a small set of carefully selected providers as processors under Art. 28 GDPR. They fall into the following categories of recipient: hosting and infrastructure, content delivery, transactional and customer-communication email, customer support, billing and payments, product analytics, AI features, SMS and WhatsApp delivery, consent management, anti-spam, and applicant tracking.

The current list — including each provider’s legal entity, processing location and transfer mechanism — is published and maintained separately at:

help.meetergo.com/en/legal/list-of-subprocessors

A data processing agreement is in place with every provider on that list.

Integration partners you connect to your own meetergo account (for example your calendar provider, CRM or conferencing tool) are not our subprocessors. When you establish such a connection we act on your instruction; you engage the integration partner directly under that partner’s own terms, and you are the controller for that processing.

12. International transfers

Our primary hosting is in the European Economic Area. Where a subprocessor is based outside the EEA or may transfer personal data to a third country for technical reasons, we rely on one of the following instruments:

• An adequacy decision of the European Commission (Art. 45 GDPR).
• The EU-US Data Privacy Framework (adequacy decision of 10 July 2023), where the US recipient is self-certified at the time of the transfer.
• Standard Contractual Clauses 2021/914 (Art. 46(2)(c) GDPR) as a fallback or primary mechanism.

The third countries involved at the date of the last update of this policy are the United States (Microsoft, Twilio, Resend, PostHog, and onward transfers within the Stripe and AWS groups) and, incidentally, other locations within the service groups of those providers. The transfer mechanism applicable to each provider is stated in the published subprocessor list.

Switzerland

For users in Switzerland, processing takes place on servers located in the European Union. Onward transfers may occur to the United States under the Swiss-US Data Privacy Framework (adequacy recognition of the Swiss Federal Council, effective 15 September 2024) and, as a fallback, Standard Contractual Clauses adapted to the Swiss Federal Act on Data Protection (revDSG). You may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) in accordance with Art. 49 revDSG.

13. Retention

We keep personal data only for as long as is necessary for the purpose for which it was collected. Specific retention periods are stated with the relevant processing activity above. Where a statutory retention period applies the longer period controls; in particular §§ 147 AO and 257 HGB require records relevant to taxation and commercial law to be kept for up to ten years (and from 1 January 2025, eight years for accounting receipts within the meaning of § 147 Abs. 1 Nr. 4a AO), calculated from the end of the calendar year in which the record is created or — for documents such as invoices and commercial correspondence — in which the last entry was made or the document was received or sent, as provided in § 147 Abs. 4 AO and § 257 Abs. 5 HGB. Where deletion is technically not possible without compromising another retention obligation, the data is blocked from further processing instead.

14. Your rights

Subject to the conditions in Chapter III GDPR, you have the following rights in relation to personal data we process about you:

• Right of access (Art. 15 GDPR). For the authenticated application you can request a machine-readable export of all personal data we hold about you in a single request at privacy@meetergo.com.
• Right to rectification (Art. 16 GDPR).
• Right to erasure (Art. 17 GDPR), subject to statutory retention obligations.
• Right to restriction (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR).
• Right to object (Art. 21 GDPR), including to direct marketing at any time.
• Right to withdraw consent (Art. 7(3) GDPR) without affecting the lawfulness of processing based on consent before its withdrawal.

The simplest way to exercise any of these rights is to email privacy@meetergo.com. We respond within one month of receiving the request; for complex requests this period may be extended by a further two months, in which case we will inform you.

15. Children

The meetergo service is intended for business use and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact privacy@meetergo.com and we will delete the data without undue delay.

16. Data security

We apply technical and organisational measures appropriate to the risk to protect personal data against loss, destruction, unauthorised access, alteration and disclosure. These include TLS encryption in transit, at-rest encryption for primary databases and object storage, one-way password hashing, role-based access controls, employee confidentiality undertakings and data processing agreements with every subprocessor.

A summary of our security posture is published at help.meetergo.com/en/legal/security-best-practices.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms we will notify you and the competent supervisory authority as required by Art. 33–34 GDPR.

17. Complaints

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). Our lead supervisory authority is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
https://www.ldi.nrw.de/

Under Art. 77(1) GDPR you may also lodge a complaint with the supervisory authority of your Member State of habitual residence, place of work, or place of the alleged infringement. Users in Switzerland may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC).

18. Updates

We may revise this policy to reflect changes in the service, our subprocessors or legal requirements. The current version is always available at https://meetergo.com/privacy with the “Last updated” date and version number at the top. For material changes — in particular new categories of personal data, new purposes, or new third-country transfers — the updated version will be posted at least 30 days before it takes effect, and the change will be highlighted at the top of this page during that period. Earlier versions are archived and available on request.