Privacy Policy

Effective Date: 30 January 2026 Last Updated: 30 January 2026

1. Introduction

This Privacy Policy describes how RecurriCal, operated by Dan Murfitt (“we,” “us,” or “our”), collects, uses, and protects information when you use RecurriCal services, including:

The RecurriCal marketing website at recurrical.com (the “Website”)
The RecurriCal application at app.recurrical.com (the “Application”)

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), ePrivacy Directive, and other applicable privacy laws.

Scope: This policy applies to both the marketing website and the application. We will clearly indicate which data collection practices apply to which service.

2. Information We Collect

2.1 Marketing Website (recurrical.com)

2.1.1 Analytics and Usage Data (PostHog)

We use PostHog, a privacy-focused analytics platform, to understand how visitors use our Website. PostHog is configured in cookieless mode and stores all data in the European Union (Frankfurt, Germany).

Data collected automatically includes:

Page views and navigation patterns
Device and browser information (type, version, screen resolution)
Operating system
Referring website (where you came from)
Time and date of visit
Approximate location (country/city level derived from IP address)
Session duration and interactions with the Website

Important privacy features:

No cookies used for analytics tracking
No cross-site tracking or third-party data sharing
IP-based identification without persistent identifiers
EU data storage (Frankfurt, Germany)
Cannot identify individual users across different browsing sessions

Legal Basis: Legitimate interest (GDPR Article 6(1)(f))

2.1.2 Security Data (CloudFlare)

We use CloudFlare to protect our Website from bots, DDoS attacks, and other security threats. CloudFlare may collect:

Bot detection data and scoring
Request metadata for DDoS protection
Session identifiers (when Anomaly Detection is enabled)
IP address and browser information

CloudFlare sets one cookie for security purposes:

Cookie name: __cf_bm
Purpose: Bot detection and DDoS protection
Duration: 30 minutes
Type: Strictly necessary (security)
Data: Encrypted, site-specific identifier with no personal information

Legal Basis: Legitimate interest and legal obligation (GDPR Article 6(1)(c) and (f))

2.1.3 Technical Data (Automatically Collected)

Like most websites, we automatically collect certain technical information when you visit:

IP address
Browser type and version
Time zone setting
Operating system and platform
HTTP referrer header

2.1.4 Data NOT Collected on Marketing Website

The marketing website does not collect:

Personal identification information (name, email address, phone number)
Account credentials or passwords
Payment information
Form submissions (there are currently no contact forms on the marketing site)
Newsletter signups or email addresses

2.2 Application (app.recurrical.com)

When you create an account and use the RecurriCal application, we collect and process the following information:

2.2.1 Account Information

Data you provide when creating an account:

Full name
Email address
Password (encrypted and never stored in plain text)
Organization/business name
Time zone preference

Legal Basis: Contract performance (GDPR Article 6(1)(b)) - necessary to provide the booking service you requested

2.2.2 Profile and Calendar Information

Data you provide when setting up your booking calendar:

Calendar name and description
Availability schedule (working hours, time off)
Booking page URL/slug
Meeting location or virtual meeting links
Service descriptions and pricing information
Booking rules and preferences

Legal Basis: Contract performance (GDPR Article 6(1)(b))

2.2.3 Booking Data

Data collected when bookings are created:

Client names and email addresses (entered by clients during booking)
Appointment dates, times, and durations
Booking notes and custom field responses
Email confirmation records
Cancellation and rescheduling history

Legal Basis: Contract performance (GDPR Article 6(1)(b)) and consent (GDPR Article 6(1)(a)) - clients provide information to request appointment booking

2.2.4 Technical and Usage Data

Data collected automatically when you use the application:

IP address and geographic location
Browser type, version, and settings
Device information (type, operating system)
Session activity and interaction patterns
Error logs and diagnostic information
Feature usage statistics

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - to maintain application security, prevent abuse, and improve service quality

The application uses cookies for essential functionality and user preferences. See Section 4 “Cookies and Tracking Technologies” for detailed information.

2.3 Information We Do NOT Collect

RecurriCal does not collect or process:

Payment card information (if payment processing is added in the future, it will be handled by third-party processors who never share full card details with us)
Social Security numbers or government ID numbers
Health information or medical records (even for healthcare providers using our service)
Biometric data
Children’s data (our service is not directed to users under 16)
Sensitive personal data categories under GDPR Article 9

3. How We Use Your Information

3.1 Marketing Website

Analytics and Improvement (Legitimate Interest - Article 6(1)(f)):

Analyze website traffic and user behavior patterns
Improve website performance and user experience
Understand which features and content interest visitors
Optimize our marketing efforts and content strategy
Identify and fix technical issues

Security and Protection (Legitimate Interest & Legal Obligation - Article 6(1)(c) and (f)):

Protect against bot attacks and DDoS attempts
Ensure website security and availability
Prevent fraud, abuse, and unauthorized access
Comply with legal obligations for data security

3.2 Application

Provide Core Service (Contract Performance - Article 6(1)(b)):

Create and manage your account
Display your booking calendar to clients
Process appointment bookings and send confirmations
Manage your availability and prevent double-bookings
Send email notifications about bookings, changes, and cancellations
Provide calendar integration (.ics files)

Communication (Contract Performance - Article 6(1)(b)):

Send transactional emails (booking confirmations, reminders, cancellations)
Respond to support requests and inquiries
Provide important service updates and technical notices

Security and Fraud Prevention (Legitimate Interest - Article 6(1)(f)):

Authenticate users and maintain secure sessions
Detect and prevent unauthorized access
Identify and prevent fraudulent bookings or abuse
Maintain audit logs for security purposes

Service Improvement (Legitimate Interest - Article 6(1)(f)):

Analyze feature usage to improve the product
Identify and fix bugs or technical issues
Develop new features based on usage patterns
Monitor application performance and reliability

Legal Compliance (Legal Obligation - Article 6(1)(c)):

Comply with applicable laws and regulations
Respond to lawful requests from authorities
Enforce our Terms of Service
Protect our legal rights and interests

4. Cookies and Tracking Technologies

4.1 Marketing Website Cookies

4.1.1 Cookieless Analytics

Our marketing website uses PostHog in cookieless mode, which means:

No cookies or local storage is used for analytics
User identification relies on privacy-preserving methods
Cannot track individual users across separate browsing sessions
More privacy-friendly than traditional cookie-based analytics
No consent banner required under GDPR/ePrivacy Directive

CloudFlare sets one cookie for bot detection on the marketing website:

Property	Details
Cookie Name	`__cf_bm`
Purpose	Bot detection and DDoS protection
Provider	CloudFlare (third-party)
Duration	30 minutes
Category	Strictly necessary (security)
Data Stored	Encrypted bot score, no personal identifiers
GDPR Classification	No consent required (essential for security)

4.2 Application Cookies

The RecurriCal application uses the following cookies:

4.2.1 recurrical_session (Strictly Necessary)

Property	Details
Purpose	Maintain user authentication and session state
Provider	RecurriCal (first-party)
Duration	2 hours of inactivity (extends with each interaction)
Category	Strictly necessary
Data Stored	Encrypted session identifier (random token)
Security	HttpOnly: Yes, Secure: Yes (HTTPS), SameSite: Lax
GDPR Classification	No consent required (essential for service)

What it does: This cookie is essential for keeping you logged in as you navigate the application. Without it, you would need to re-authenticate on every page. Server-side session data includes authentication status, user ID, and CSRF token.

4.2.2 XSRF-TOKEN (Strictly Necessary - Security)

Property	Details
Purpose	Cross-Site Request Forgery (CSRF) attack protection
Provider	RecurriCal / Laravel Framework (first-party)
Duration	Session-based (expires with session)
Category	Strictly necessary (security)
Data Stored	Random cryptographic token
Security	HttpOnly: No (must be accessible to JavaScript), Secure: Yes, SameSite: Lax
GDPR Classification	No consent required (essential security)

What it does: This security cookie verifies that form submissions and state-changing requests originate from legitimate user actions on our website, protecting you from CSRF attacks. The token in the cookie must match the token in the request for the action to be processed.

4.2.3 remember_web_[hash] (Functional - Opt-in)

Property	Details
Purpose	“Remember Me” persistent login functionality
Provider	RecurriCal / Laravel Authentication (first-party)
Duration	400 days (approximately 13 months)
Category	Functional (user preference)
Data Stored	Encrypted authentication token
Security	HttpOnly: Yes, Secure: Yes, SameSite: Lax, Encrypted: Yes
GDPR Classification	Consent obtained via explicit opt-in (checkbox)

What it does: When you check “Remember Me” during login, this cookie allows you to stay logged in even after closing your browser or after your session expires. The cookie contains an encrypted token that is invalidated when you log out or change your password.

User Control: Only created when you explicitly check the “Remember Me” checkbox. You can remove it by logging out or clearing browser cookies.

4.2.4 appearance (Functional - User Preference)

Property	Details
Purpose	Remember visual theme preference (light/dark/system)
Provider	RecurriCal (first-party)
Duration	365 days (1 year)
Category	Functional (user preference)
Data Stored	Theme value: “light”, “dark”, or “system”
Security	HttpOnly: No, Secure: Yes, SameSite: Lax
GDPR Classification	Legitimate interest (user-initiated preference)

What it does: Remembers your chosen visual theme (light mode, dark mode, or system default) and ensures the application displays with the correct theme immediately on page load, preventing a “flash” of the wrong theme.

User Control: Set automatically when you change your theme preference in Settings → Appearance. Cleared automatically after 1 year or when you manually clear cookies.

4.2.5 sidebar_state (Functional - User Preference)

Property	Details
Purpose	Remember navigation sidebar expanded/collapsed state
Provider	RecurriCal (first-party)
Duration	7 days (1 week)
Category	Functional (user preference)
Data Stored	Boolean: “true” (expanded) or “false” (collapsed)
Security	HttpOnly: No, Secure: Yes
GDPR Classification	Legitimate interest (user-initiated preference)

What it does: Remembers whether you prefer the navigation sidebar expanded or collapsed, maintaining a consistent navigation experience across pages.

User Control: Set automatically when you click the sidebar toggle button. Cleared automatically after 7 days or when you manually clear cookies.

Cookie Name	Used On	Category	Duration	Consent Required?
`__cf_bm`	Marketing website	Strictly necessary (security)	30 minutes	No
`recurrical_session`	Application + booking pages	Strictly necessary	2 hours	No
`XSRF-TOKEN`	Application + booking pages	Strictly necessary (security)	Session	No
`remember_web_[hash]`	Application (auth only)	Functional (opt-in)	400 days	Yes (checkbox)
`appearance`	Application (auth only)	Functional	365 days	No*
`sidebar_state`	Application (auth only)	Functional	7 days	No*

*While consent is not legally required for preference cookies under legitimate interest, we inform users about them in this policy for full transparency.

4.4 Public Booking Pages

When visitors access public booking pages (e.g., /booking/{calendarSlug}) to book appointments, only strictly necessary cookies are set:

recurrical_session - Required for booking flow and form submission
XSRF-TOKEN - Required for security (CSRF protection)

No tracking, analytics, or preference cookies are used on public booking pages.

We do not display a cookie consent banner because:

Marketing website: Uses cookieless analytics; only security cookie is strictly necessary
Application: All cookies are either strictly necessary for the service OR set only when users take explicit actions (checking “Remember Me,” changing preferences)
No tracking: We use no advertising, marketing, or analytics cookies that require consent
Full compliance: This approach complies with GDPR and ePrivacy Directive requirements

4.6 Managing Cookies

Browser Controls: You can control and delete cookies through your browser settings. However, disabling strictly necessary cookies will prevent you from using certain features:

Without session cookies, you cannot log in or access your account
Without CSRF tokens, you cannot submit forms or make changes
Without “Remember Me,” you’ll need to log in each session

Preference Cookies: You can prevent preference cookies by:

Not checking “Remember Me” during login
Not changing theme or sidebar settings (they remain at default)
Manually clearing cookies in browser settings

5. Third-Party Services

5.1 PostHog (Analytics Platform - Marketing Website Only)

Purpose: Website analytics and user behavior tracking on marketing website
Data Shared: Usage data, device information, approximate location
Data Location: European Union (Frankfurt, Germany)
Privacy Policy: https://posthog.com/privacy
GDPR Compliance: https://posthog.com/docs/privacy/gdpr-compliance
Opt-Out: Contact us at [email protected] to opt out of analytics

5.2 CloudFlare (Security & CDN - Both Sites)

Purpose: DDoS protection, bot management, content delivery
Data Shared: Request metadata, IP address, browser information
Data Location: Global network
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Cookie Policy: https://www.cloudflare.com/cookie-policy/

5.3 Email Service Provider (Application Only)

Purpose: Send transactional emails (booking confirmations, notifications)
Data Shared: Recipient email addresses, booking details, email content
Data Location: Mailgun (EU region)
Privacy Policy: https://www.mailgun.com/legal/privacy-policy/
Note: We only send transactional emails required for the service. No marketing emails are sent without explicit consent.

5.4 Infrastructure and Hosting (Application Only)

Purpose: Host the application and database
Data Shared: All application data (encrypted at rest)
Data Location: Digital Ocean, London, United Kingdom
Security: Industry-standard encryption, access controls, and security measures

5.5 Other Third-Party Services

Google Fonts (Both Sites):

Purpose: Typography (font delivery)
Data Shared: Minimal (font file requests)
Privacy Impact: Low (no tracking or analytics)

jsDelivr CDN (Marketing Website):

Purpose: Deliver static assets (JavaScript libraries)
Data Shared: File requests only
Privacy Impact: Minimal (content delivery network)

5.6 No Third-Party Tracking

RecurriCal does not use:

Google Analytics or similar tracking platforms
Social media pixels (Facebook Pixel, LinkedIn Insight, etc.)
Advertising networks or retargeting services
Marketing automation or attribution platforms
Third-party cookies for any purpose

6. Data Retention

6.1 Marketing Website Data

Analytics Data (PostHog):

Retention Period: 12 months
Automatic Deletion: Data automatically deleted after retention period
Early Deletion: Available upon request

Security Data (CloudFlare):

Cookie Expiration: __cf_bm cookie expires after 30 minutes
Request Logs: Retained per CloudFlare’s data retention policy

6.2 Application Data

Account Data:

Active Accounts: Retained for as long as your account remains active
Closed Accounts: Deleted upon request or periodically after account closure, unless legal retention is required

Booking Data:

Active Bookings: Retained while bookings are active/upcoming
Past Bookings: Retained for historical records unless you request deletion
Cancelled Bookings: Retained for a limited period, then deleted

Session Data:

Active Sessions: Deleted after 2 hours of inactivity
Remember Tokens: Valid for 400 days but invalidated immediately on logout or password change

Preference Cookies:

Appearance: Expires after 365 days
Sidebar State: Expires after 7 days

Legal Retention: In some cases, we may be required to retain certain data for legal, tax, or regulatory purposes even after you request deletion. We will inform you if this applies.

We Do NOT Sell Your Data

We never sell, rent, or trade your personal information to third parties for monetary compensation or other valuable consideration.

Service Providers:

PostHog (analytics) - marketing website analytics only
CloudFlare (security) - DDoS protection and content delivery
Email service provider - transactional emails for bookings (application only)
Hosting provider - infrastructure and data storage (application only)

All service providers are bound by data protection agreements and process data only according to our instructions.

Legal Requirements:

When required by law, court order, subpoena, or legal process
To comply with regulatory requirements
To protect our rights, property, or safety
To investigate fraud or security issues
To enforce our Terms of Service

Business Transfers:

In the event of a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred
We will notify users of any such transfer

With Your Consent:

We may share data in other circumstances with your explicit consent

Advertising networks or data brokers
Social media platforms for advertising purposes
Marketing companies or list brokers
Analytics companies (except PostHog for website-only analytics)
Any third parties for their own marketing purposes

Public Booking Pages

When your clients book appointments through your public booking page:

Their data is shared with you (the account owner) as necessary to fulfill the appointment
Their email addresses are used to send booking confirmations and reminders
Their data is not shared with any other third parties except as described above
They are your clients: You are responsible for how you use their contact information outside our system

As a visitor or user from the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:

8.1 Right to Access (Article 15)

Request a copy of the personal data we hold about you, including:

What data we collect
How we use it
Who we share it with
How long we retain it

8.2 Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data. You can also update most information directly in your account settings.

8.3 Right to Erasure / “Right to be Forgotten” (Article 17)

Request deletion of your personal data when:

It’s no longer necessary for the purposes collected
You withdraw consent (where processing was based on consent)
You object to processing and there are no overriding legitimate grounds
The data was unlawfully processed
Legal obligation requires erasure

Note: We may retain certain data if required by law or for legitimate business purposes (e.g., preventing fraud, resolving disputes).

8.4 Right to Restrict Processing (Article 18)

Request limitation of how we process your data in certain circumstances, such as when you contest the accuracy of data or object to processing.

8.5 Right to Data Portability (Article 20)

Receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and transmit it to another service provider.

8.6 Right to Object (Article 21)

Object to processing of your personal data based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Direct Marketing: You can object to any direct marketing communications at any time (though we currently do not send marketing emails).

Where processing is based on consent (e.g., “Remember Me” cookie), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

File a complaint with your local data protection authority (supervisory authority) if you believe we have violated your privacy rights.

EU Supervisory Authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

How to Exercise Your Rights

Your full name and email address associated with your account
Clear description of your request
Any relevant details to help us locate your data
Proof of identity (if required for security purposes)

Response Time: We will respond to your request within 30 days as required by GDPR. For complex requests, we may extend this by an additional 60 days and will inform you of the extension.

No Fee: Exercising your rights is free of charge. We may charge a reasonable fee or refuse requests that are manifestly unfounded, excessive, or repetitive.

9. International Data Transfers

9.1 Data Storage Locations

PostHog (Marketing Website Analytics):

All analytics data stored in the European Union (Frankfurt, Germany)
No transfer of data outside the EU/EEA
Full GDPR compliance with EU data localization

CloudFlare (Both Sites):

Global CDN with servers worldwide
Participant in the EU-US Data Privacy Framework
Uses Standard Contractual Clauses (SCCs) for EU data transfers
Complies with GDPR requirements for international transfers

Application Data:

Primary data storage location: Digital Ocean, London, United Kingdom
Database backups: Digital Ocean, London, United Kingdom

9.2 Transfers Outside the EEA

If we transfer data outside the European Economic Area, we ensure adequate protection through:

EU-US Data Privacy Framework participation (where applicable)
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions recognizing equivalent data protection in destination countries
Other appropriate safeguards as permitted under GDPR Article 46

9.3 Your Rights Regarding Transfers

You have the right to:

Be informed about data transfers outside the EEA
Request information about safeguards in place
Object to such transfers in certain circumstances

10. Children’s Privacy

Our services are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16.

If you are under 16: Please do not create an account or provide any personal information.

Parents and Guardians: If you believe we have collected information from your child, please contact us immediately at [email protected], and we will:

Verify the claim
Delete the information promptly
Close any associated account

11. Data Security

11.1 Security Measures

We implement industry-standard security measures to protect your data:

Technical Safeguards:

HTTPS/TLS encryption for all data in transit
Database encryption for sensitive data at rest
Password hashing using bcrypt (passwords never stored in plain text)
CloudFlare DDoS protection to prevent service disruption
Regular security updates to software and infrastructure
Automated backups with encryption

Access Controls:

Limited access to production systems
Principle of least privilege for system access

Application Security:

CSRF protection for all state-changing requests
XSS prevention through output encoding and Content Security Policy
SQL injection prevention through parameterized queries
Session security with secure, HttpOnly, and SameSite cookie attributes

11.2 No Absolute Security

While we implement reasonable security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you use our services at your own risk.

In the Event of a Breach: If we discover a data breach that affects your personal data, we will notify you and the relevant supervisory authority as required by GDPR.

11.3 Report Security Issues

If you become aware of any security vulnerability, please report it immediately to [email protected]. We appreciate responsible disclosure and will work with you to address the issue promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notice of Changes:

Updated “Last Updated” date will be displayed at the top of this page
Continued use of the Website or Application after changes constitutes acceptance of the updated policy

Material Changes: If we make significant changes that materially affect your privacy rights, we will provide prominent notice on the Website and/or Application.

Review Periodically: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Information

Data Controller

RecurriCal Operated by Dan Murfitt Based in England, United Kingdom

Privacy Inquiries

For questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Email: [email protected]

Response Time: We aim to respond to all privacy inquiries promptly.

14. Additional Information

14.1 Scope of This Policy

This Privacy Policy applies to:

RecurriCal marketing website (recurrical.com)
RecurriCal application (app.recurrical.com)
Public booking pages (.recurrical.com/booking/)

This Privacy Policy does not cover:

Third-party websites linked from our services (see their respective privacy policies)
Services or practices of third-party service providers beyond what is described herein
Your own use of client data outside our system (you are responsible for complying with privacy laws when using client contact information)

14.2 Language

This Privacy Policy is written in English. If we provide translations in other languages, the English version governs in case of any conflict or inconsistency.

14.3 Governing Law

This Privacy Policy is governed by the laws of England and Wales, without regard to conflict of law provisions, and in compliance with UK GDPR and applicable data protection laws.

14.4 Severability

If any provision of this Privacy Policy is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that the Privacy Policy will otherwise remain in full force and effect.

Questions or Concerns?

If you have any questions about this Privacy Policy or our privacy practices, please contact us at [email protected].