Privacy Policy

CalendarBunnyBot

Effective Date: January 12, 2026

1. Introduction

This Privacy Policy describes how GrumpyOats FZ-LLC ("Company," "we," "us," or "our") collects, uses, stores, and protects information when you use CalendarBunnyBot (the "Service"). We are committed to protecting your privacy and handling your data responsibly.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with our data practices, please do not use the Service.

2. Data Controller

GrumpyOats FZ-LLC, a company registered in the United Arab Emirates, acts as the data controller for personal data collected through the Service.

Registered Address:
Compass Building, Al Shohada Road
Al Hamra Industrial Zone FZ
United Arab Emirates

For questions about our data practices or to exercise your rights, contact us at contact@grumpyoats.com.

3. Information We Collect

3.1 Account Information: When you use the Service, we collect your Telegram user ID (telegram_id), your Telegram display name (full name), and your Telegram username if available.

3.2 Calendar Integration Credentials: We collect and store security keys, tokens, and credentials necessary to access and write to your connected Google Calendar account. These credentials are encrypted and stored securely.

3.3 Chat Content: The Service processes messages from Telegram chats, groups, channels, and forums that you grant access to. This includes messages sent by you and by other participants in those conversations. Chat content is processed to identify and extract calendar-relevant information. Chat messages are retained for a maximum of thirty (30) days for debugging purposes, after which they are automatically deleted from our systems.

3.4 Calendar Event Data: We store information about calendar events created through the Service, including event titles, dates, times, descriptions, and associated metadata.

3.5 Usage Data: We collect information about how you interact with the Service, including feature usage, command history, error logs, and performance metrics.

3.6 Payment Information: Payment processing is handled by Paddle. We receive limited payment information from Paddle including transaction IDs, subscription status, and billing history. We do not store complete payment card details.

4. How We Use Your Information

We use the information we collect to:

(a) Provide, maintain, and improve the Service;
(b) Process chat messages using AI to identify calendar events;
(c) Create and manage calendar entries in your connected calendar;
(d) Process payments and manage your subscription;
(e) Communicate with you about the Service, including support requests;
(f) Detect, prevent, and address technical issues, fraud, and security concerns;
(g) Comply with legal obligations;
(h) Enforce our Terms and Conditions.

5. Third-Party Data Processors

We share your information with the following third-party service providers:

5.1 Telegram: The Service operates entirely through the Telegram platform. Your account information, chat content, and interactions with the bot are transmitted through Telegram's infrastructure. Telegram processes this data in accordance with their privacy policy.

5.2 Anthropic: Chat content is transmitted to Anthropic's API for AI processing to identify calendar events. Anthropic processes this data in accordance with their privacy policy. Your data is NOT used to train Anthropic's AI models.

5.3 Paddle: Payment information is processed by Paddle in accordance with their privacy policy and PCI-DSS requirements.

5.4 Google: Calendar integration requires sharing data with Google Calendar API. Your use of Google Calendar is subject to Google's privacy policy and terms of service.

5.5 Infrastructure Providers: We use Cloudflare and Hetzner as our cloud infrastructure providers, with data hosted in the European Union. These providers are bound by data processing agreements.

5.6 Neon: We use Neon as our database provider. Your account information and calendar event data are stored in Neon's infrastructure in accordance with their privacy policy and data processing agreements.

5.7 OpenRouter: Chat content may be transmitted to OpenRouter's API for AI processing to identify calendar events. OpenRouter processes this data in accordance with their privacy policy. Your data is NOT used to train AI models.

5.8 Google Gemini: Chat content may be transmitted to Google's Gemini API for AI processing to identify calendar events. Google processes this data in accordance with their privacy policy and API terms of service. Your data is NOT used to train AI models.

5.9 Sentry: We use Sentry for error tracking and application monitoring. Error reports may include technical information about your interactions with the Service. Sentry processes this data in accordance with their privacy policy.

5.10 PostHog: We use PostHog for product analytics to understand how the Service is used and to improve our features. PostHog processes usage data in accordance with their privacy policy.

5.11 Google Analytics: We use Google Analytics to analyze website traffic and usage patterns. Google Analytics processes this data in accordance with Google's privacy policy.

5.12 Pydantic Logfire: We use Pydantic Logfire for application logging and observability. Log data may include technical information about Service operations. Logfire processes this data in accordance with their privacy policy.

6. Google API Limited Use Disclosure

CalendarBunnyBot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

(a) We only use access to Google Calendar data to provide the calendar event creation functionality you request;
(b) We do not use Google Calendar data for serving advertisements;
(c) We do not allow humans to read your Google Calendar data unless: (i) we have your affirmative consent, (ii) it is necessary for security purposes, (iii) it is necessary to comply with applicable law, or (iv) our use is limited to internal operations and the data has been aggregated and anonymized;
(d) We do not transfer Google Calendar data to third parties except as necessary to provide the Service, as required by law, or as part of a merger, acquisition, or sale of assets with notice to users.

7. Third-Party Chat Participants

          THE SERVICE PROCESSES MESSAGES FROM MULTI-PARTICIPANT CONVERSATIONS, INCLUDING GROUP CHATS, CHANNELS, AND
          FORUMS. THIS MEANS WE PROCESS PERSONAL DATA OF INDIVIDUALS WHO HAVE NOT DIRECTLY AGREED TO THIS PRIVACY
          POLICY.
        

We process third-party chat data solely for the purpose of identifying calendar-relevant information. We do not create profiles of third-party participants, use their data for marketing, or share their information beyond what is necessary to provide the Service.

What We Extract From Messages: The AI analyzes chat messages to identify and extract only calendar-relevant information, specifically:

Event titles and descriptions;
Dates and times;
Locations (if mentioned in relation to an event);

What We Do NOT Extract or Store:

Personal opinions, private conversations, or off-topic discussions;
Contact information (phone numbers, email addresses) unless part of an event description;
Profiles or behavioral patterns of third-party participants;
Messages unrelated to calendar events.

If you are a third party whose messages have been processed through the Service and wish to exercise your data protection rights, please contact us at contact@grumpyoats.com.

8. Data Storage and Security

8.1 Location: Your data is stored on servers located in the European Union.

8.2 Security Measures: We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security audits. Calendar credentials are encrypted using strong cryptographic standards.

8.3 No Guarantee: While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

(a) Notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, where feasible;
(b) Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms;
(c) Provide information about the nature of the breach, the likely consequences, and the measures taken or proposed to address it;
(d) Document all breaches, including the facts, effects, and remedial actions taken.

10. Data Retention

10.1 Chat Content: Chat messages processed by the Service are retained for a maximum of thirty (30) days solely for debugging and troubleshooting purposes. After this period, chat content is automatically and permanently deleted from our systems. Extracted calendar event data (event titles, dates, times, and descriptions) may be retained separately as described below.

10.2 Account Information: We retain your account information (Telegram ID, display name, username) and calendar credentials for as long as your account is active and for a minimum of twelve (12) months following your last activity.

10.3 Calendar Event Data: Calendar event data created through the Service is retained for as long as your account is active and for twelve (12) months following account cancellation, unless you request earlier deletion.

10.4 Post-Cancellation: Following account cancellation or termination, we retain account and calendar event data for twelve (12) months unless you request earlier deletion or unless retention is necessary for legal compliance, fraud prevention, or dispute resolution.

10.5 Operational Data: Certain data necessary for the correct functioning of the Service (such as error reports and aggregate analytics) may be retained indefinitely in anonymized or aggregated form. This data does not include identifiable chat content.

10.6 Legal Requirements: We may retain data for longer periods where required by law, legal proceedings, or regulatory obligations.

11. Your Rights

11.1 All Users: You have the right to request deletion of your personal data by contacting us at contact@grumpyoats.com. We will process deletion requests within thirty (30) days, subject to legal retention requirements.

11.2 European Union Residents (GDPR Rights): If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

(a) Right of Access: You may request a copy of your personal data;
(b) Right to Rectification: You may request correction of inaccurate data;
(c) Right to Erasure: You may request deletion of your data (subject to legal exceptions);
(d) Right to Data Portability: You may request your data in a portable format;
(e) Right to Object: You may object to certain processing activities;
(f) Right to Restrict Processing: You may request limitation of processing;
(g) Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at contact@grumpyoats.com. We will respond to requests within thirty (30) days. You also have the right to lodge a complaint with a supervisory authority. For EEA residents, you may contact your local data protection authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

11.3 Legal Basis for Processing (GDPR): We process personal data under the following legal bases:

(a) Contract: Processing necessary to provide the Service you requested (e.g., your Telegram ID, calendar credentials, chat content for event extraction);
(b) Legitimate Interest: Processing necessary for our legitimate business interests (e.g., usage analytics, fraud prevention, service improvement);
(c) Consent: Where you have given explicit consent;
(d) Legal Obligation: Processing required by law.

11.4 California Residents (CCPA/CPRA Rights): If you are a California resident, you have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA):

Notice at Collection: We collect the following categories of personal information for the purposes described in Section 4 of this policy:

Identifiers (Telegram ID, username, display name);
Internet or electronic network activity information (usage data, command history, interaction logs);
Commercial information (subscription status, payment history, transaction IDs);
Calendar data (event titles, dates, times, descriptions).

Your California Privacy Rights:

(a) Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business purpose for collecting it, and the categories of third parties with whom we share it;
(b) Right to Correct: You may request correction of inaccurate personal information we maintain about you;
(c) Right to Delete: You may request deletion of your personal information, subject to certain exceptions;
(d) Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights;
(e) We Do Not Sell or Share Personal Information: We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. We do not "share" personal information (as defined by CPRA) for cross-context behavioral advertising.

Sensitive Personal Information: We do not collect sensitive personal information as defined under CPRA (such as Social Security numbers, financial account credentials, precise geolocation, or health information) beyond what is necessary to provide the Service.

How to Exercise Your Rights: To exercise your California privacy rights, contact us at contact@grumpyoats.com or use the Service's data deletion commands. We will verify your identity and respond to verifiable requests within forty-five (45) days. If we need additional time, we will notify you of the extension (up to an additional 45 days) and explain the reason. You may also file a complaint with the California Attorney General at oag.ca.gov/privacy.

12. Automated Decision-Making

The Service uses artificial intelligence to automatically identify and extract calendar events from chat messages. You should be aware that:

(a) The AI processes chat content to determine what constitutes a calendar-relevant event, including dates, times, locations, and event descriptions;
(b) This automated processing directly results in calendar entries being created in your connected calendar;
(c) No automated decisions are made that produce legal effects or similarly significantly affect you beyond the calendar entry creation;
(d) You have the ability to review, modify, or delete any calendar entries created by the Service;
(e) You may contact us at contact@grumpyoats.com if you have concerns about how the automated processing affects you.

13. AI Training

Your data is NOT used to train artificial intelligence or machine learning models. Chat content is processed by Anthropic's API solely for the purpose of identifying calendar events and is not retained by Anthropic for training purposes. We do not use your data to train, improve, or develop any AI or machine learning models, whether our own or those of third parties.

14. Confidentiality of Private Chats

We maintain strict confidentiality of all chat content processed through the Service. Private chats, group conversations, and any messages processed by the Service are never shared with, disclosed to, or made accessible to any individuals who are not authorized participants in those conversations, except:

(a) As necessary to provide the Service (e.g., transmission to Anthropic's API for calendar event extraction, as described in Section 5.2);
(b) With your explicit consent;
(c) As required by law, legal process, or governmental request;
(d) To protect the rights, property, or safety of GrumpyOats FZ-LLC, our users, or the public.

Our employees and contractors access chat content only when necessary for debugging, customer support (at your request), or legal compliance, and are bound by confidentiality obligations.

15. Children's Privacy

The Service is not intended for individuals under eighteen (18) years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly.

16. International Data Transfers

Your data is stored in the European Union. However, our AI processing provider (Anthropic) and payment processor (Paddle) may process data in other jurisdictions. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

17. Cookies and Tracking

The Service operates entirely through Telegram and does not use cookies or web tracking technologies directly. However, linked services (such as payment pages) may use their own cookies subject to their respective privacy policies.

18. Marketing Communications

We may occasionally send you communications about the Service, including feature updates, tips, and service announcements. You may opt out of non-essential communications at any time by using the unsubscribe option in the communication or by contacting us at contact@grumpyoats.com. Note that you cannot opt out of essential service communications such as security alerts or changes to our Terms.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and revising the effective date. Your continued use of the Service after changes are posted constitutes acceptance of the revised Privacy Policy.

20. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:

GrumpyOats FZ-LLC
Compass Building, Al Shohada Road
Al Hamra Industrial Zone FZ
United Arab Emirates
Email: contact@grumpyoats.com