ParallelCals

Data Processing Addendum

Last updated: May 27, 2026

This Data Processing Addendum applies when ParallelCals processes personal data on behalf of an organization or business customer using ParallelCals for its users, staff, contractors, or invitees.

Roles

For account, billing, product analytics, security, and direct customer relationship data, ParallelCals is normally a controller. For calendar and booking data processed under a business customer's workspace instructions, the customer is controller and ParallelCals is processor.

  • ParallelCals operator: ICIRAUQUI SL.
  • Privacy and security contact: hello@parallelcals.com.

Processing Instructions

ParallelCals processes customer personal data only to provide, secure, support, and improve the configured calendar, availability, booking, and synchronization service, or as required by law. The customer's documented instructions are these terms, the Privacy Policy, the customer's app configuration, and lawful written instructions sent to hello@parallelcals.com.

Personal Data and Data Subjects

  • Data subjects: workspace users, connected calendar account holders, event participants visible in connected calendars, booking invitees, admins, and support contacts.
  • Personal data: account identifiers, emails, names, calendar metadata, calendar event titles/times/statuses, live event details displayed on request, booking details, booking management links, meeting/conference metadata, sync logs, provider IDs, and billing metadata.
  • Special categories: ParallelCals does not intentionally request special-category data, but calendar content may reveal sensitive information entered by users or third parties.

Subprocessors

ParallelCals currently uses these subprocessors:

  • Supabase: authentication, database, and backend services.
  • Vercel: hosting, serverless execution, CDN, deployments, and cron invocation.
  • Google APIs: Google Calendar OAuth, calendar listing, event read/write, and webhooks when enabled by the user.
  • Microsoft Graph: Microsoft OAuth, calendar listing, event read/write, and change notifications when enabled by the user.
  • Stripe: checkout, billing portal, subscriptions, payments, tax, and payment records.

ParallelCals will maintain an up-to-date subprocessor list here. Notice of material subprocessor changes will be given through the service, by email, or on this page where required by law or contract.

Security Measures

  • OAuth tokens are encrypted at rest and are never exposed to the browser.
  • Service role credentials are used only in server-side modules, route handlers, cron handlers, and administrative jobs.
  • Access to production systems is limited to authorized personnel with a business need.
  • The service uses provider OAuth state validation, RLS-backed tenant separation, structured logs, retry-safe sync jobs, and cancellation-aware background processing.
  • Operational processes cover access reviews, secret rotation, backup/restore expectations, incident handling, and regular security review.

Assistance and Requests

ParallelCals will reasonably assist customers with data subject requests, deletion/export requests, security inquiries, and processor compliance information, taking into account the nature of the service and available data. Requests should be sent to hello@parallelcals.com.

Deletion and Return

When a customer deletes an account, disconnects calendars, or requests deletion, ParallelCals deletes or anonymizes app data where reasonably possible, subject to legal, billing, fraud-prevention, security, and dispute retention. Future app-created provider events can be removed where provider access remains available.

Breach Notice and Audits

ParallelCals will notify affected customers without undue delay after becoming aware of a confirmed personal data breach involving customer personal data. Audits are supported through reasonable security documentation, questionnaires, and written responses unless a separate written agreement requires another process.

International Transfers

Where customer personal data is transferred internationally, ParallelCals relies on lawful transfer mechanisms made available by its providers, including data processing agreements, standard contractual clauses, adequacy decisions, or equivalent safeguards where applicable.