Privacy Policy
Last Updated: April 27, 2026 · Effective Date: April 27, 2026
Plain-Language Summary
- We collect what you give us, what your calendar shares, what your Invitees provide when they book with you, and basic technical data.
- We use it to run scheduling, security, and product improvement; we send marketing only with consent where required.
- We use a small number of trusted vendors (Hostinger, SendPulse, Stripe) to operate the Service. They are listed in Section 8.
- You have rights — access, correction, deletion, portability, and others — and we'll respond within 30 days.
- We are based in the United States. We use Standard Contractual Clauses for data transfers from the EEA, UK, and Switzerland.
This summary is informal; the full text below governs.
1. Who We Are and How to Contact Us
This Privacy Policy describes how Kikinda LLC, located in Naples, Florida, USA ("Kikinda," "42min.us," "we," "us," or "our"), collects, uses, discloses, and otherwise processes personal information in connection with the Service.
For privacy questions, requests, or complaints, contact:
Kikinda LLC
Naples, FL, USA
Email: plus@42min.us
For purposes of GDPR / UK GDPR, Kikinda LLC is the controller of personal information described in this Policy except where we act as a processor on behalf of a Customer (see Section 3).
Data Protection Officer / EU Representative: Not appointed at this time. We will reassess this when our processing volume or risk profile requires it.
2. Scope
This Privacy Policy applies to personal information we collect when you:
- create or use a 42min account;
- connect calendars or third-party services;
- schedule, host, attend, or manage meetings through the Service;
- use team, admin, routing, API, browser-extension, mobile, recording, AI, or messaging features;
- visit our website or interact with our emails;
- communicate with us; or
- otherwise interact with the Service.
This Privacy Policy does not apply to third-party websites, platforms, products, or services we do not control, even when they are linked from or integrated with the Service.
3. Customer vs. Invitee Data; Controller vs. Processor
42min serves two groups of people:
Customers (registered users). We are the controller of personal information of Customers — name, email, account details, billing data, etc.
Invitees (people who book or attend meetings through a Customer's booking page). We act as a processor on behalf of the Customer regarding Invitee Data. The Customer is the controller and decides what data to collect through booking forms. To exercise rights regarding Invitee Data, contact the Customer first; we will assist the Customer as required by our Data Processing Addendum.
4. Categories of Personal Information We Collect
A. Information you provide directly
- Name, email address, phone number, company name, job title, time zone, account credentials;
- Profile details, preferences, meeting availability settings, booking page details, custom questions, forms, notes, and uploaded content;
- Support messages, feedback, and survey responses;
- Marketing preferences and subscription choices;
- Billing information (when paid features apply).
B. Calendar, meeting, and scheduling data
- Calendar connection metadata;
- Availability information;
- Event titles, dates, times, attendees, invitees, duration, locations, and meeting metadata;
- Booking requests, routing form responses, confirmation and reminder settings;
- Google Calendar synchronization data;
- Google Meet meeting details generated or connected through the Service;
- Microsoft 365 / Outlook calendar data (when that integration becomes available);
- Admin and team scheduling information.
C. Invitee and attendee data
- Name, email address, phone number;
- Responses to booking questions or routing forms;
- Time zone and meeting preferences;
- Communications related to a scheduled meeting;
- Participation, attendance, and event metadata.
D. AI, recording, transcript, and messaging data
When and if these features are enabled in the Service:
- Recordings, transcripts, chat content, notes, prompts, summaries, action items, and AI-generated outputs;
- SMS reminder data, delivery data, and response metadata;
- Usage and audit logs connected with these features.
Status: As of the Last Updated date, AI, recording, and transcription features are not enabled. This Section 4(D) describes how data would be processed if and when we launch those features.
E. Device, usage, and technical information
- IP address;
- Browser type, device type, operating system, app version, language, identifiers;
- Log data, timestamps, pages viewed, clicks, referring URLs, feature interactions;
- Cookie identifiers and similar technologies (see Cookie Statement);
- Approximate location derived from IP address.
F. Information from third parties
- Google and other connected account providers;
- Pre-existing CRM connections you authorize (e.g., Pipedrive);
- Calendly migration imports you authorize;
- Your employer, organization, or team administrator;
- People who invite or schedule meetings with you;
- Service providers helping us operate the Service;
- Analytics, security, or fraud-prevention partners.
We do not purchase or rent personal information from data brokers.
5. How We Use Personal Information
We use personal information for the following purposes, mapped to our legal bases under GDPR / UK GDPR:
| Purpose | Legal Basis (EEA / UK) |
|---|---|
| Provide, maintain, and operate the Service (account creation, calendar connection, booking, reminders, integrations) | Performance of a contract |
| Send service-related notices (transactional emails, security alerts, account changes) | Performance of a contract / legal obligation |
| Authenticate users and secure access | Legitimate interests (security) / legal obligation |
| Detect, investigate, and prevent fraud, abuse, security incidents, and Acceptable Use violations | Legitimate interests (security and integrity of the Service) |
| Analyze usage, develop new features, troubleshoot, improve performance | Legitimate interests (improving the Service) |
| Send marketing emails and product announcements | Consent (where required) / legitimate interests (where permitted) |
| Process billing and payments (when paid features apply) | Performance of a contract / legal obligation (tax) |
| Enforce our Terms and other agreements; defend legal claims | Legitimate interests / legal obligation |
| Comply with subpoenas, court orders, and legal requests | Legal obligation |
| Protect the rights, safety, and property of users, third parties, and Kikinda | Legitimate interests / vital interests |
Where we rely on consent, you may withdraw it at any time without affecting prior processing. Where we rely on legitimate interests, you have the right to object (Section 12).
6. Automated Decision-Making and Profiling
The Service includes routing forms that automatically direct Invitees to specific event types or team members based on their answers. This is automated processing, but does not produce legal effects on Invitees and is not "solely automated decision-making" within the meaning of Article 22 GDPR.
If you would like human review of how a routing form treated you, contact the Customer who configured it, or contact us at plus@42min.us.
We do not use personal information to train artificial intelligence or machine-learning models without explicit consent, and we do not sell personal information.
7. Cookies and Similar Technologies
We use cookies, local storage, pixels, and similar technologies. Where required by law, we will request your consent for non-essential cookies. For details, including cookie names, purposes, and how to manage your preferences, see our Cookie Statement.
8. Sub-Processors and How We Disclose Personal Information
8.1 Sub-Processors
We use a small set of trusted vendors to operate the Service. These vendors process personal information on our behalf and are bound by written data-protection obligations comparable to ours. As of the Last Updated date, our sub-processors are:
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Hostinger International Ltd. | Application hosting, database hosting, server infrastructure | United States |
| SendPulse Inc. | Transactional and marketing email; SMS delivery | United States, EU |
| Stripe, Inc. | Payment processing (only when paid features apply; not active as of the Last Updated date) | United States |
We will update this list as we add or change vendors and provide reasonable notice to Customers via email or in-product. To receive sub-processor change notifications, email plus@42min.us with subject "subscribe: subprocessors". Customers may object to a new sub-processor in writing within 30 days of notice; if we cannot reasonably accommodate the objection, you may terminate the affected Service.
8.2 Connected Services (Customer-Authorized Integrations)
Connected Services are third-party services that you choose to connect to the Service via OAuth, API, or import. They act as separate data controllers under their own privacy policies — we are not responsible for their handling of your data, but we list them here for transparency:
| Connected Service | What it is | When data flows |
|---|---|---|
| Google (Calendar, Meet) | Calendar synchronization and meeting links | When you connect a Google account |
| Microsoft 365 / Outlook | Calendar synchronization (planned) | When the integration becomes available and you connect an account |
| Pipedrive | CRM integration (when you connect) | When you authorize the connection |
| Calendly | One-time migration import (when you authorize) | Only during migration |
You may disconnect any Connected Service at any time through your account settings.
8.3 Other Disclosures
We may share personal information:
- With other 42min users in the same organization or team to whom you grant access;
- With meeting participants and Invitees with whom you share booking pages or events;
- With authorities, courts, or third parties when required by law, to enforce our Terms, or to protect rights, safety, and property;
- With successor entities in connection with a merger, acquisition, financing, reorganization, or sale of assets, with notice to affected users.
We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising.
9. Data Retention
We retain personal information only as long as reasonably necessary for the purposes described in this Privacy Policy. Specific retention periods:
| Category | Retention |
|---|---|
| Account profile data | While the account is active; soft-deleted within 30 days of account closure; backups purged within 90 days |
| Calendar and booking data | While the account is active; deleted with the account |
| Invitee Data (when we process for Customers) | Per Customer instructions; deleted on Customer's request or when the Customer's account is deleted |
| Routing form responses | While the Customer's account is active |
| AI / recording / transcript data (when launched) | Customer-controlled retention; default 30 days unless the Customer configures otherwise |
| Email marketing preferences and unsubscribe records | Indefinite suppression list (CAN-SPAM compliance) |
| Audit, security, and access logs | Up to 24 months |
| Customer support communications | Up to 36 months after last interaction |
| Tax and billing records (when paid features apply) | 7 years after the relevant transaction |
| Aggregated and de-identified analytics | Indefinite |
We may retain information longer when required by law, regulatory obligations, dispute resolution, or to protect our rights.
10. International Data Transfers
42min is operated from the United States. Personal information may be transferred to, stored in, and processed in the United States and other countries where we or our sub-processors operate.
For transfers from the European Economic Area, United Kingdom, or Switzerland to countries that have not received an adequacy decision (including the United States, in the absence of applicable adequacy):
- We rely on the EU Standard Contractual Clauses (SCCs) approved by the European Commission;
- For UK transfers, we rely on the UK International Data Transfer Addendum (IDTA) or the UK Addendum to the SCCs;
- For Swiss transfers, we apply the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner.
We conduct transfer impact assessments for material new transfers. You may request a copy of the relevant transfer mechanisms by emailing plus@42min.us.
11. Data Security
We implement commercially reasonable technical, administrative, and organizational measures to protect personal information, including:
- Encryption in transit: TLS 1.2 or higher for all communications with the Service;
- Encryption at rest: AES-256 for production data stores and backups;
- Password security: Argon2 / bcrypt password hashing (no plaintext storage);
- Access controls: least-privilege access, multi-factor authentication for administrators;
- Network security: firewalls, segmented production environments, DDoS protections via our hosting provider;
- Monitoring and logging: access logs, anomaly detection, alerting;
- Backups and recovery: regular encrypted backups with restoration testing;
- Vendor due diligence: sub-processors are bound to comparable security obligations;
- Vulnerability management: dependency scanning, periodic security reviews.
No system is completely secure. If we become aware of a personal data breach, we will:
- Notify affected Customers without undue delay and, where required by law, within 72 hours of becoming aware;
- Provide information about the nature of the breach, likely consequences, and measures taken;
- Cooperate with Customers as required by the Data Processing Addendum.
12. Your Privacy Rights
Depending on where you live and your role (Customer or Invitee), you may have rights to:
- Know what personal information we process;
- Access or obtain a copy of your personal information;
- Correct inaccurate or incomplete information;
- Delete personal information ("right to be forgotten");
- Restrict or object to processing (including direct marketing);
- Withdraw consent at any time, where consent is the legal basis;
- Data portability (receive your information in a structured, machine-readable format);
- Opt out of automated decision-making with legal or similarly significant effects;
- Opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context advertising);
- Limit the use of sensitive personal information (under CPRA);
- Lodge a complaint with your supervisory authority or data-protection regulator;
- Not be discriminated against for exercising your rights.
To exercise rights, contact plus@42min.us. We may need to verify your identity. We will respond within 30 days (extendable to up to 90 days for complex requests, with notice to you).
If you are an Invitee, your booking data is controlled by the Customer who organized the booking. Please contact that Customer first. We will assist as required by the DPA. Where we have a direct relationship with you (e.g., through your own account), you may also contact us.
13. Region-Specific Disclosures
A. California (CCPA / CPRA)
In the past 12 months, we may have collected, used, or disclosed the following categories of personal information for the business or commercial purposes described in Section 5:
- Identifiers (name, email, IP address, account identifiers);
- Customer records (phone, employer, billing information when applicable);
- Commercial information (subscription, transaction records);
- Internet/electronic activity (logs, usage data);
- Geolocation (approximate, from IP);
- Professional/employment (job title);
- Inferences drawn from usage to operate the Service.
Sources include you directly, Connected Services you authorize, and our service providers.
Disclosures for business purposes are made to sub-processors and Connected Services described in Section 8.
We do not sell or share personal information for cross-context behavioral advertising. We do not knowingly collect personal information from California residents under 16 without authorization.
Sensitive personal information. We do not use or disclose sensitive personal information for purposes beyond those allowed by CPRA without additional notice.
California rights: right to know, right to delete, right to correct, right to limit use of sensitive personal information, right to opt-out of sale/sharing, right to non-discrimination. To exercise rights, email plus@42min.us. Authorized agents may submit requests on your behalf with valid documentation.
We honor Global Privacy Control (GPC) signals as opt-out requests for sale/sharing where we engage in such activities.
B. EEA, UK, and Switzerland (GDPR / UK GDPR / FADP)
You have the rights described in Section 12. The legal bases for our processing are described in Section 5. Our international transfer mechanisms are described in Section 10.
Controller: Kikinda LLC, Naples, FL, USA, plus@42min.us.
EU Representative under GDPR Art. 27: Not appointed at this time. We will appoint one when our processing volume or risk profile requires it.
Right to lodge a complaint: You may complain to your local data-protection authority, including the UK Information Commissioner's Office (ICO) for UK residents, or the Swiss Federal Data Protection and Information Commissioner for Swiss residents.
C. Other Jurisdictions
We provide rights to residents of jurisdictions with comparable data-protection laws (e.g., Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, and U.S. state laws including Virginia, Colorado, Connecticut, Utah, and Texas). To exercise rights, email plus@42min.us.
14. Google API Services Disclosure
42min's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:
- We use Google Calendar data only to provide the user-facing features you connect (calendar synchronization, event creation, conflict detection);
- We do not use Google user data for advertising;
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger or sale (with notice);
- We do not allow humans to read Google user data unless: (a) we have your explicit consent; (b) it is necessary for security purposes (e.g., investigating abuse); (c) it is necessary to comply with applicable law; or (d) the data is aggregated and used for internal operations after de-identification;
- We do not use Google user data to develop, improve, or train generalized artificial intelligence or machine-learning models.
15. Children's Privacy
The Service is intended for users aged 16 or older (or the age of digital consent in your jurisdiction, if higher). We do not knowingly collect personal information from children below this age. If we learn we have collected such information, we will delete it. If you believe a child has provided us personal information, contact plus@42min.us.
The Service is not directed to children under the age of 13 (United States) and is not designed to comply with the Children's Online Privacy Protection Act (COPPA) for that age group.
16. Health Information; HIPAA
The Service is not intended for processing protected health information (PHI) regulated by HIPAA. We are not a HIPAA Covered Entity or Business Associate, and we do not enter into Business Associate Agreements (BAAs). Do not use the Service to transmit, receive, or store PHI.
17. Do Not Track and Global Privacy Control
Our response to "Do Not Track" browser signals may vary depending on context and legal requirements. Where applicable, we honor Global Privacy Control (GPC) signals as opt-out requests for sale/sharing of personal information.
18. Marketing Communications
We may send newsletters, feature announcements, product updates, and promotional communications where permitted by law. You may unsubscribe at any time using the unsubscribe link or by emailing plus@42min.us. Unsubscribing does not affect transactional or service-related communications, which are necessary to provide the Service.
19. Changes to This Privacy Policy
We may update this Privacy Policy. For material changes, we will provide at least 30 days' advance notice via email and in-product notification. The "Last Updated" date indicates when the Policy was last revised. Continued use after the effective date constitutes acceptance.
20. Contact
Kikinda LLC
Naples, FL, USA
Email: plus@42min.us