Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Cal.com

VERIFIED
Calendar booking · United States
Founded 2021 · cal.com ↗

US-incorporated open-source Calendly alternative (Cal.com Inc, SF) founded by EU developers; production code moving closed-source in 2026.

In short

Cal.com, in the Calendar booking category, is operated by a US-incorporated entity and remains directly subject to the CLOUD Act.

Assessment notes

Cal.com is US-incorporated as Cal.com, Inc. (San Francisco) despite its EU-founder origin (Peer Richelsen + Bailey Pumfleet, 2021): Delaware-style US corporation, US$32M VC-funded, and the privacy policy explicitly states data is transferred to and maintained in the US. Sub-processors are heavily US (Stripe, Twilio, Daily.co) plus PostHog (UK). No public DPA; no sub-processors list beyond general privacy-policy disclosure. In 2026 Cal.com began moving its production codebase behind closed doors with only a stripped community edition (Cal.diy, MIT) remaining open-source, so the historical 'open-source Calendly alternative' positioning is degrading. The hosted SaaS carries direct CLOUD Act exposure as a US-incorporated entity (US-owned, US-hosted, no public DPA) and should not be the procurement-grade choice for strict EU buyers; the self-host path via Cal.diy on EU infrastructure (EU-hosted, no CLOUD Act exposure for that path) is the only structurally clean option. Alternatives in the category (SuperSaaS NL, Reservio CZ, Doodle CH, Cronofy UK) are all structurally cleaner from an EU-sovereignty perspective.

CLOUD ACT
OWNERSHIP
SUB-PROCS
8 · 8 US
CLOUD Act by deployment

Exposure depends on how you run this product.

Hosted SaaS (default)

Vendor-operated: the sub-processors below apply.

Self-hosted (open-source)

Deploy on your own EU infrastructure and you control hosting and every sub-processor.

Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Cal.com

Cal.com is one of the most-cited "open-source Calendly alternative" SaaS products of the past few years, founded in 2021 by Peer Richelsen (German) and Bailey Pumfleet (UK), with the commercial entity incorporated as Cal.com, Inc. in San Francisco, California despite the EU-founder origin. The company has raised approximately US$32M in venture funding and the GitHub repository (calcom/cal.com) has accumulated more than 41,000 stars since launch. The product replaces Calendly's hosted scheduling experience with a self-hostable, AGPLv3-licensed open-source codebase plus a managed SaaS (cal.com), a model that was the directory's reference "EU founders bringing US-style SaaS open-source pressure" story until 2026.

The 2026 strategic shift complicates the listing. Per public reporting and direct corporate communication, Cal.com is moving its production codebase behind closed doors during 2026, leaving only a stripped community edition called Cal.diy under the more-permissive MIT licence, while rewritten authentication, data-handling, and commercial systems become proprietary. This narrows the structural "fork-if-anything-changes" guarantee that historically distinguished Cal.com from Calendly. For procurement-grade EU buyers the picture is now: (a) the hosted Cal.com SaaS is US-incorporated under Cal.com, Inc. and subject to US extraterritorial law by default, direct CLOUD Act exposure under our strict-ownership stance; (b) the privacy policy explicitly confirms data transfers to the United States, with US sub-processors Stripe, Twilio, and Daily.co alongside PostHog (UK); (c) the Cal.diy MIT community edition on EU infrastructure (Hetzner, OVHcloud, Scaleway) remains a legitimate self-host option but with reduced feature parity vs the proprietary hosted product.

Pricing for the hosted SaaS is freemium with paid Team and Enterprise tiers; specific entry-tier EUR figures were not captured at audit. Best fit: developers and product builders who specifically want the Cal.com API surface and accept US-incorporation; teams comfortable with the new MIT/Cal.diy self-host path on EU infrastructure for sovereignty. Procurement-grade EU-only buyers needing a structurally EU-incorporated alternative should choose Doodle (CH, TX Group), SuperSaaS (NL, founder-owned), or Reservio (CZ, ABUGO Group) instead; all listed elsewhere in this category.

SUB-PROCESSORS

Sub-processor map · 8

Source ↗
  • Amazon Web Services (S3) US
    United States

    Encrypted storage of video recordings

  • Daily.co US
    United States

    Video conferencing and recording API

  • GitHub US
    United States

    CI/CD: code hosting, review, build

  • Google Analytics US
    United States

    Website performance and navigation analytics (non-EU visitors)

  • Intercom US
    United States

    Customer support and communication

  • PostHog US
    United States

    Product analytics; feature testing and observability

  • Stripe US
    United States

    Payment processing

  • Twilio US
    United States

    Email and SMS booking reminders/notifications

8 of 8 sub-processors are US-incorporated. CLOUD Act exposure applies.
CERTIFICATIONS

Frameworks & certifications · none listed

We checked the vendor's website and standard certification body registries. No active certifications found at the time of last audit (2026-05-11).
FEATURES

Capability matrix

Payment collection Yes
White-label Yes
Calendar sync Yes
Round-robin / team Yes
Group bookings Yes
Video integration Yes
Automated reminders Yes
Free tier Yes
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log Yes
Self-host / on-prem option Yes
PRICING

Pricing & tiers

FREEMIUM
Custom pricing

Contact vendor for tier or volume pricing.

View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    cal.com/privacy…
    Open ↗
  • Terms of Service
    cal.com/terms…
    Open ↗
ALTERNATIVES

Alternatives in this category

Cronofy
United Kingdom · Founded 2013
EU-HOSTED

Nottingham UK developer-API-first calendar / scheduling platform (Cronofy, founded 2013), ISO 27001 + SOC 2; Wise / GoCardless / Indeed customers.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MATERIAL
Doodle
Switzerland · Founded 2007
EU-BASED

Swiss group-scheduling pioneer (Doodle AG, Zurich, 2007), owned by TX Group (SIX-listed Swiss media holding); SOC 2 + GDPR + HIPAA.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MINOR
Reservio
Czechia · Founded 2012
EU-BASED

Brno-based Czech booking platform (Reservio s.r.o., ABUGO Group), 500k+ businesses, freemium with branded customer apps.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MINOR