Privacy Policy

Last updated: November 25, 2025

Introduction

Malleable ("we," "our," or "us") operates the website malleable.cloud and the Malleable application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our AI-powered calendar management and scheduling assistant service.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our practices, please do not use the Service.

Information We Collect

Information You Provide

Account Information: Email address, password (encrypted), and profile details
Calendar Data: Events, meetings, appointments, attendees, descriptions, and locations
Contact Information: Names, emails, phone numbers, companies, and notes in your CRM
Time Tracking Data: Time entries, duration, billable status, and hourly rates
Booking Page Data: Page configurations, event types, availability settings
Natural Language Input: Text you submit for AI-powered scheduling
Communications: Messages, feedback, and support requests you send us

Information from Third-Party Integrations

Google Account: When you connect Google, we access your Google Calendar data, including events, attendees, and calendar settings. We store OAuth tokens to maintain the connection.
Notion: When enabled, we access your Notion workspace to create meeting notes pages. We store integration tokens to maintain the connection.

Information Collected Automatically

Usage Data: Features used, actions taken, frequency of use, and interaction patterns
Device Information: Browser type, operating system, device type, and screen resolution
Log Data: IP address, access times, pages viewed, and referring URLs
API Usage: Request counts, error rates, and response times for service monitoring

Information from Bookings

When third parties book appointments through your public booking pages, we collect their name, email address, and any information they provide in response to custom questions. This information is associated with your account.

How We Use Your Information

To Provide the Service

Process natural language scheduling requests using AI
Create, update, and manage calendar events
Synchronize data with Google Calendar
Create meeting notes in Notion (when enabled)
Manage contacts and time tracking
Operate public booking pages
Send appointment confirmations and reminders

To Improve and Maintain the Service

Monitor and analyze usage patterns and trends
Identify and fix bugs, errors, and performance issues
Develop new features and improve existing ones
Ensure service reliability and security

To Communicate with You

Send service-related notifications and updates
Respond to your inquiries and support requests
Notify you of changes to our Terms or Privacy Policy
Send important security alerts

For Safety and Compliance

Prevent fraud, abuse, and unauthorized access
Enforce our Terms of Service
Comply with legal obligations
Protect the rights and safety of users

Third-Party Services & Data Sharing

We share your information with the following categories of third parties:

Infrastructure Providers

Supabase: Database hosting, authentication, and data storage (PostgreSQL)
Vercel: Application hosting and content delivery

AI & Machine Learning

Google Gemini AI: Your natural language input is sent to Google's Gemini API for processing. Google may process this data according to their privacy policy. We do not send your entire calendar—only the scheduling request text and current date/time context.

User-Initiated Integrations

Google Calendar: When you connect your Google account, we read and write calendar events on your behalf using Google's Calendar API.
Notion: When you enable Notion integration, we create pages in your specified Notion database for meeting notes.

We do not sell your personal information. We do not share your data with advertisers or data brokers. We only share data as described above or when required by law.

Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data based on:

Contract Performance: Processing necessary to provide the Service you requested
Consent: When you explicitly consent, such as connecting third-party integrations
Legitimate Interests: Improving our Service, preventing fraud, ensuring security
Legal Obligation: Compliance with applicable laws and regulations

Data Storage & Security

Security Measures

Passwords are hashed using industry-standard algorithms (bcrypt)
All data is encrypted in transit using HTTPS/TLS 1.2+
Data at rest is encrypted in our database infrastructure
Row-Level Security (RLS) ensures users can only access their own data
OAuth tokens for third-party services are stored securely
Regular security monitoring and updates
Access controls limit employee access to user data

Data Location

Your data is stored on servers located in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

Your Rights & Choices

Depending on your location, you may have the following rights:

Access & Portability

You can access your data through the Service. You can export your calendar events, contacts, and time entries using the export features in your account settings.

Correction

You can update or correct your profile information and data through the Service at any time.

Deletion

You can delete individual events, contacts, and time entries. You can also delete your entire account, which will permanently remove all your data from our systems within 30 days.

Disconnect Integrations

You can disconnect Google Calendar, Notion, or any other integration at any time through your account settings. This will stop data synchronization but will not automatically delete data already in the Service.

Opt-Out

You can opt out of non-essential emails through your account settings or by clicking "unsubscribe" in any email. Note that you cannot opt out of service-critical communications.

GDPR Rights (EEA Residents)

If you are in the EEA, you also have the right to: object to processing, restrict processing, withdraw consent, and lodge a complaint with your local data protection authority.

CCPA Rights (California Residents)

California residents have the right to know what personal information we collect, request deletion, and opt-out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at ryan.organically@gmail.com.

Data Retention

Active Accounts: We retain your data for as long as your account is active and as needed to provide the Service.

Account Deletion: When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are legally required to retain it (e.g., for tax, legal, or audit purposes).

Backup Retention: Deleted data may persist in backups for up to 90 days before being permanently removed.

Usage Analytics: Aggregated, anonymized usage data may be retained indefinitely for analytics and service improvement purposes.

Cookies & Tracking

Essential Cookies

We use essential cookies for authentication, session management, and security (CSRF protection). These cookies are necessary for the Service to function and cannot be disabled.

No Tracking or Advertising Cookies

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in ad networks or track you across other websites.

Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that we have collected personal information from a child under 18, we will delete that information promptly.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws. By using the Service, you consent to the transfer of your information to these countries. We take steps to ensure your data is protected in accordance with this Privacy Policy regardless of where it is processed.

Beta/Development Notice

IMPORTANT: BETA SERVICE

Malleable is currently in development and beta testing. While we implement reasonable security measures, features may change and the service is provided "as-is." We recommend using caution with highly sensitive information and maintaining your own backups of important data.

Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and may notify you by email or through the Service. Your continued use of the Service after any changes constitutes acceptance of the revised Privacy Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: ryan.organically@gmail.com

Website: malleable.cloud

We will respond to your inquiry within 30 days. For data access, correction, or deletion requests, we may need to verify your identity before processing your request.

BY USING MALLEABLE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.