Reclaim is now part of Dropbox, driving the future of productivity at work together
Discover AI scheduling →
Discover AI scheduling
Last updated January 8, 2024

Data Privacy & Security

At Reclaim, we believe that data privacy and security are Priority Zero.

We know that your calendar is a sensitive space, and we view it as a privilege to be entrusted to manage it for you. 

Privacy, data protection, and security are our highest priority at Reclaim, and ultimately we believe that your data belongs to you. We aim to be extremely clear and intentional about how and when we collect, store, transmit and use your data. 

Our default mindset is simple: do no harm, and don’t be creepy.

Fundamentally, we believe in the following key principles regarding your data and privacy:

  • Your data is ultimately yours, and you should have control over who has access to it.
  • You should be able to delete and remove your data from our software whenever you want, without having to jump through hoops or argue with anyone.
  • Your data should be protected, both at rest and in transit. 
  • Your data shouldn’t be accessed by anyone else without your consent, and you should never have to provide more data than the minimum necessary to provide value to you.

SOC2, GDPR, CCPA & Data Privacy Framework Certified

Reclaim is committed to complying with the GDPR, SOC2, CCPA and Data Privacy Framework standards. We're proud to have achieved the highest standards for security, privacy & compliance. If you're an IT or security representative for your company & are interested in getting more information, please contact us.

Commonly-asked questions

Is my data shared with third parties?

We will never sell or share your Reclaim data with a third party for profit or comarketing purposes; that is not our current business model and never will be. 

We will never access or look at your calendar data unless you ask and give us permission in a support scenario, or in extremely rare cases where it may be necessary to do so to fix a critical emergency with your Reclaim account.

We do use tools like Intercom to communicate with you and troubleshoot support issues, and in order to do that job we have to share your email address with that software. If we didn’t send it there, we couldn’t contact you to help you resolve a support issue, nor could we contact you to let you know about new features in Reclaim that you can take advantage of.

Even in cases where we send data to a third party in the normal course of business, however, we make every effort to redact and remove PII and replace it with an anonymized, unique user ID specific to your Reclaim account. For example, we use Google Analytics to measure site traffic, but we don’t ever send PII to that software — because it’s simply not necessary for us to do that job.

See a complete list of 3rd party tools that we work with as subprocessors.

How do I remove my data from Reclaim?

From the very beginning, Reclaim has been proud to offer a self-service delete capability. You can click a button in your account, confirm the deletion, and our software will automatically kick off a job to wipe all your calendar data from our systems within one hour, and also clean up your calendar to remove any Reclaim-created events. It’s that simple.

We fundamentally believe that deleting your data or your account shouldn’t be difficult. Obviously, we’re happier if you love Reclaim, but we view it as our job to earn that love — not to prevent you from leaving once you’ve signed up. We’ve invested significant engineering effort into ensuring your data gets properly purged from our systems, and we’re happy to provide additional confirmation if you’d like.

Want to learn more? Read this help article.

Do you store my data?

As with permissions, we believe that we should never store data unless it’s absolutely vital to performing the core mission of our software. To that end, Reclaim takes the following stance on storing your calendar data:

  • Reclaim does store data from the primary calendar associated with your Reclaim account. That means that the primary calendar associated with the email you use to sign up for Reclaim will be stored in Reclaim’s databases. We have to store this data, because it allows us to do things like reschedule your Tasks and Habits when conflicts occur, use prediction services to flip events between free and busy, and run processing against your events to automatically categorize them.
  • Reclaim does not store data from any other calendars that you’ve connected to Reclaim for the purposes of using Calendar Sync. We only need to hold that data in memory to make a synced copy of the event, and then we throw the data away as soon as that job is complete.
What permissions / scopes does Reclaim ask for?

Reclaim currently has four integrations that require permission scopes in order to use them:

Here is a brief overview of the permissions we ask for across these integrations. For more technical details, please check out the “Want More Details?” section below.

Google Calendar API Scopes

Google's APIs require us to ask for permissions for your Google Calendar.  We ask for these permissions just-in-time, meaning that we only ask for permissions when they are absolutely necessary — and we never ask for more permissions than we need. Here is an overview of those permissions.

These scopes are required to use the basic functionality in Reclaim.

View and edit events on all your calendars
Reclaim needs this permission to do things like:
  • Read events from your source and destination calendars so we can keep your calendars in sync.
  • Create, update, and remove Tasks, Habits, Buffer Time, and synced events from your calendars.
  • Respond to RSVP signals — e.g., if you accept an event from a source calendar, Reclaim automatically marks the synced copy on the destination calendar as busy.
  • Present analytics back to you on where your time is being spent.
  • Present your agenda in our Slack integration as well as respond to commands you issue from Slack.
  • Sync your Slack status with your calendar if you have the integration on.
See and download any calendar you can access using your Google Calendar
Reclaim really only needs this permission for one thing: to list and identify all your calendars for the purposes of a) letting you create sync policies in our Calendar Sync feature; as well as b) identifying which of your calendars is your "primary" so that we can block Tasks and Habits on it; and c) allows Reclaim to obtain calendar settings such as your time zone which we use for determining scheduling hours, and be notified when those settings change.
See and download your contacts
Reclaim only needs this permission for one thing: to see and download contacts created in Google Contacts. If available, these are used to make it easier to invite contacts to Smart 1:1s and Scheduling Links.
See and download contact info automatically saved in your "Other contacts"
Reclaim needs this permission to see and download the list of "other" contacts, which is the same address book you see when creating a Google calendar invite - essentially the people you have interacted with recently. Similar to the above, it is used for inviting contacts to Smart 1:1s and Scheduling Links.
See and download your organization's GSuite directory
Reclaim needs this permission to pull your Google Workspace directory contacts, if available (ie: the account is part of a Google Workspace). Similar to the above, it is used for initing contacts to Smart 1:1s, and Scheduling Links.

Slack Integration Scopes

Reclaim offers an optional (but extremely robust) Slack integration that lets you manage your calendar from Slack as well as sync your Slack status with your calendar events. In order to provide this integration, we need some permissions from your Slack workspace. You can view a complete list of these permissions here, but here is an overview of how we use them.

These scopes are only needed if you choose to install and use the Slack Integration.

im:history
We need to see the history of messages in order to update historical messages — for example, if someone has been invited to a meeting, and then the meeting is canceled or updated, we update the previous message before sending a new one in order to avoid spamming you with notifications.
users:read
We need this information to properly manage authentication in our database, as well as to manage handshakes between Slack and Reclaim.
app_mentions:read
We use messages associated with @reclaim to perform actions on behalf of the user, such as responding to meetings or changing RSVP statuses.
commands
We use slash commands to let users create Tasks quickly using Slack commands. We also use slash commands to gather feedback from users as well as access our help docs.
team:read
We need this information to properly manage authentication in our database, as well as to manage handshakes between Slack and Reclaim.
users:read.email
We use this scope to determine whether or not the user already has a valid login ID in Reclaim, which enables us to provide a faster onboarding experience.
dnd:read
We check the user's Do Not Disturb settings before we make changes to their status, which tells other users (for example) that they're currently in a personal event.
chat:write
We notify users via direct messages when they have been invited to a personal event, or when a personal event is updated or modified. We also notify users when a Habit or Task is about to begin. We send Scheduling Links to public Slack channels to book a meeting at the request of a user.
chat:write.customize
This allows us to fine-tune how the app is displayed, per the permission above.
identify
This allows us to identify a user in Slack as well as manage handshakes between Slack and Reclaim.
users.profile:read
We update the user's status based on their calendar activity if they've turned our Status Sync feature on. This allows us to read their status and keep it in sync with their calendar.
dnd:write
We update the user's Do Not Disturb based on their calendar activity if they've turned our Status Sync feature on. This feature allows us to write to that Do Not Disturb.
users.profile:write
We update the user's status based on their calendar activity if they've turned our Status Sync feature on. This scope allows us to write to that status.

Google Tasks API Scopes

Reclaim integrates with Google Tasks to let you create, manage, edit, and sync Tasks to Reclaim using the Google Tasks sidebar in Google Calendar. To do this, we only need one permission from you. Again, like Slack, this integration is optional.

This scope is only needed if you choose to install and use the Google Task Integration.

Create, edit, organize, and delete all your tasks
Reclaim uses this permission - should you opt into this feature by enabling the Google Tasks integration - to create tasks and schedule time on your calendar for them.

Google Mail / Gmail API Scopes

Reclaim integrates with Gmail to let you create things like Tasks and Scheduling Links right from a Gmail compose message window. To do this we only ask for the absolute necessary permissions — and we never ask for more permissions than we need.

These scopes are only needed if you choose to install and use the Reclaim Add-On for Google Workspace.

Create new drafts
We use this permission to enable you to insert a Reclaim Scheduling Link when composing a new email in Gmail via the Reclaim Google Workspace Add-On.
Read open message metadata
Per Google - this permission is required then the above "Create new drafts" permission is requested; it grants temporary permission for the Reclaim Google Workspace Add-On to read the subject and recipients of the draft email.
Did we not answer your question?

You can find more detailed information about Reclaim’s architecture, security policies, and other technical information below. 

You can also contact us at [email protected] or schedule time to meet with our security team directly. We’re happy to chat!

Is Reclaim SOC2 certified?

Reclaim is SOC2 Type II certified as of September 2023, and was renewed in 2024. SOC2 Type II is the highest standard for security certification and compliance, and we're proud to have achieved it. If you're an IT or security representative for your company and are interested in getting more information about our SOC2 report, please contact us.

Is Reclaim compliant with Privacy laws such as GDPR and CCPA?

As a company, Reclaim is committed to complying with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We understand how important it is for our EU and California users and companies to feel secure and confident using Reclaim, and to that end we've incorporated those standards into our data and privacy practices.

Reclaim has self-serve data deletion processes and a Data Processing Addendum that is incorporated into our Business Terms of Service. Since GDPR is a relatively new and broad regulation that lacks a certification process, we have no mechanism to validate that we are complying with GDPR. However, through our efforts, good-faith improvements and discussions with Legal and Privacy consultants, we are confident that we are in compliance, both now and in the future.

If you are a company and sign up for Reclaim using our Business Terms of Service, our DPA is automatically in place for you. If you would like to get a signed copy of Reclaim's DPA, please contact us and we will be happy to send a pre-signed version over to you.

Privacy & Security Standards

Data & Infrastructure Hosting

Infrastructure Hosting

Amazon Web Services
Reclaim infrastructure is hosted on Amazon Web Services to leverage Amazon’s best-in-class security, privacy and redundancy features.
  • All data is hosted in the USA, with redundancy between us-east-1 and us-east-2 regions.
  • AWS data centers undergo regular security and compliance audits including SOC1 and SOC2, PCI Level 1, HITRUST, ISO27001 and are GDPR compliant.
  • Reclaim strictly adheres to the AWS CIS Benchmark for operations and security best practices.
Google Cloud Platform
As we are a major consumer of Google APIs, we work closely with Google to stay compliant and secure with access and management of your data.
Encryption
Data that is both transmitted and stored on Reclaim systems is always encrypted, both in-transit and at-rest.
  • HTTPS and TLS are forced with modern ciphers on all network transactions, both internally and with customers.
  • Databases and storage is encrypted-at-rest via industry-standard AES-256 with rotating keys.

Security & Compliance

Employee Security

Security Awareness Training
As part of onboarding, all Reclaim employees complete mandatory security training on information security, data privacy and protection, and the use of security tools and best practices.
Background Checks
All employees are required to pass a thorough background check before starting work at Reclaim.
Policy Acknowledgements
All Reclaim employees agree to and sign an acknowledgement of policies covering Confidentiality, Non-Disclosure, Anti-Harassment and Code of Conduct.

Policies & Procedures

Security Policies
Reclaim develops, implements and regularly updates internal security policies including:
  • Password Policy
  • Access Management
  • Incident Response
  • Vulnerability Management
  • Data Retention
Business Continuity / Disaster Recovery
Reclaim has developed plans for business continuity and disaster recovery to ensure availability and tests these procedures annually.

Vulnerability Management

Vulnerability Scanning
Reclaim maintains a rigorous vulnerability scanning program to proactively identify and patch security vulnerabilities:
  • External vulnerability scanning for OWASP Top 10 and SANS 25.
  • Static Code Analysis Scanning on our source code repositories.
Responsible Disclosure
We appreciate responsible reporting of security vulnerabilities on the Reclaim platform by third parties. See our Responsible Disclosure Policy for details on reporting vulnerabilities.

Software Development & Operations

Access Management
Access to systems and customer data is based on the principle of least privilege, protected by measures including 2FA and a combination of identity and resource-based access control.
Continuous Testing
Every change to our code and infrastructure goes through a comprehensive testing process before being released to production, including:
  • Peer reviews
  • Unit and integration tests
  • Validation in staging and preview builds
Monitoring & Observability
Reclaim leverages best-in-class monitoring and observability tools in order to quickly address and resolve incidents:
  • Infrastructure and Application Performance Monitoring
  • Application error and exception handling
  • Centralized application and infrastructure logging

Want more details?

Google Calendar Integration

Below are some details for commonly asked questions regarding how to we access and interact with your Google Calendar:

How to Report Security Vulnerabilities

We are very thankful to security researchers who help identify vulnerabilities in our service, as it benefits both us and our customers. 

Please see our Responsible Disclosure Policy for how to report security vulnerabilities, and know that every submission is read and investigated by a real person. Our team will work quickly to validate and assess the level of risk, and take action as needed in the best interests of protecting your data.

List of Subprocessors

Please see our subprocessors page for a list of subprocessors Reclaim uses as well as their respective security and compliance policies.

Sign up for updates

Receive notifications for Reclaim security updates

Thank you! Your submission has been received.
Oops! Something went wrong while submitting the form. Please try again or contact us at [email protected].
More than 300,000 people across 40,000 companies are active with Reclaim