IMPLICATOR
Cal.com is moving its production codebase behind closed doors, the company said Tuesday, turning the once-obvious open-source Calendly answer into a harder buying decision. The scheduling startup will leave a stripped community edition, Cal.diy, under the MIT license while keeping rewritten authentication, data-handling, and commercial systems private. The shift, first detailed in The New Stack, matters because self-hosters now have to separate "can run it" from "should run it."
Cal.com framed the move as a security response. Bailey Pumfleet, the company's CEO, told The New Stack that open code gives attackers the "blueprints to the vault." Peer Richelsen, Cal.com's chairman, went further and said open-source applications should take sensitive parts private.
That sounds defensive. It also sounds scared.
Key Takeaways
- Cal.com is moving production code private while leaving Cal.diy as a thinner MIT community edition.
- Easy!Appointments is the strongest fully open self-hosted replacement for most public booking workflows.
- Nextcloud Calendar works best when Nextcloud already handles calendar, identity, and collaboration.
- Rallly and Croodle are useful poll tools, not full Calendly replacements.
AI-generated summary, reviewed by an editor. More on our AI guidelines.
Cal.diy is close but thinner
Cal.diy is still the closest thing to the old Cal.com. Open the repo and the family resemblance is obvious: booking pages, scheduling logic, TypeScript files, the same developer muscle memory. GitHub metadata checked April 15 put it above 41,000 stars and 12,000 forks. Not a ghost repo.
But the README changes the pitch. Cal.diy says it is recommended for personal, non-production use. Teams, Organizations, Workflows, Insights, SSO/SAML, and other commercial features are gone. The glass storefront is still there. The back office has moved.
That makes Cal.diy useful for developers who want Cal.com's code shape, a personal booking page, or a fork they can harden themselves. It is a weaker default for a clinic, consultancy, agency, school office, or small business that wants a public link and a quiet server.
If you do not want to become the maintainer, look elsewhere.
Easy!Appointments is the boring winner
The best general self-hosted Calendly replacement now looks like Easy!Appointments. Boring helps here.
Easy!Appointments is GPL-3.0 software, and its job is plain: put a booking form on the web, connect it to providers and services, send the email, then sync the calendar. Its GitHub repository had 4,132 stars and 1,513 forks when checked April 15. The repo was active that same day. It does not try to be scheduling infrastructure for every developer workflow. It books appointments.
That smaller ambition is why it works. A repair shop needs time slots, staff calendars, cancellation rules, email, and customer records. A consultant needs a link that does not leak their whole week. A small medical-adjacent office needs fewer moving parts, not a platform thesis.
Easy!Appointments will not match Cal.com's polish. It will not give a sales team the same slick routing, analytics, and enterprise authentication stack. But if the assignment is "replace Calendly with something I can host," it is the first pilot.
Nextcloud works if it is already home
Nextcloud Calendar is the second practical answer, but only for shops already living in Nextcloud. Its current calendar app includes appointment booking links, public or private configurations, conflict checks, booking hours, buffers, daily slot limits, and attendee forms, according to Nextcloud's user manual.
Keep the signal when vendors change the rules
Strategic AI news from San Francisco. No hype, no "AI will change everything" throat clearing. Just what moved, who won, and why it matters. Daily at 6am PST.
No spam. Unsubscribe anytime.
That is enough for one-on-one calls and internal booking flows. It also keeps scheduling inside a system that may already handle files, calendars, contacts, identity, and Talk rooms. Fewer doors to watch.
But deploying all of Nextcloud just to replace Calendly is a lot of plumbing for one faucet. If Nextcloud is already the calendar, use it. If not, Easy!Appointments is cleaner.
Poll tools are not booking tools
Rallly and Croodle belong in the conversation, but they answer a different question.
Rallly is a healthy AGPL-3.0 project for group scheduling and collaboration. It had more than 5,000 GitHub stars and same-day activity on April 15. Its self-hosting docs also say multi-user setups should buy a license key. Fair enough. But Rallly is closer to Doodle than Calendly.
Croodle is simpler, MIT-licensed, and built for date polls or general polls. Handy. Not a booking desk.
The distinction matters because migration pain hides inside verbs. "Schedule a group" is not "let strangers book me next Tuesday at 10:30." If you pick a poll tool for a booking problem, you will rebuild the missing workflow later.
Security is the real product now
Cal.com's argument did not come from nowhere. Anthropic's Mythos work, which Implicator covered last week, showed AI systems finding old flaws in hardened code. Cal.com also had recent security pain of its own. Gecko Security reported broken access controls that exposed bookings and enabled account takeover. NVD separately listed CVE-2026-23478 as a critical Cal.com authentication flaw affecting versions before 6.0.7.
Still, a private repo is not a deadbolt. It hides internals from casual scanners, but it also asks customers to trust the vendor's process. Open code gives defenders a chance to inspect, patch, and fork, but it gives attackers the same map.
The practical answer is not ideology. It is fit plus operations. For most self-hosters, that means Easy!Appointments first, Nextcloud Calendar if Nextcloud is already installed, Cal.diy only when a developer can own the risk, and Rallly or Croodle only for polls.
The old shortcut was a brand name. The new shortcut is a checklist: public booking link, calendar conflict checks, notifications, update cadence, backups, logs, rate limits, and a maintainer who still ships.
Open source is still on the table. The free lunch is not.
Frequently Asked Questions
Why is Cal.com going private?
Cal.com says AI-assisted vulnerability discovery makes public production code too risky for security-sensitive scheduling infrastructure. The company will keep Cal.diy open while moving rewritten production systems, including authentication and data handling, behind a private repository.
Is Cal.diy still open source?
Yes. Cal.diy is MIT-licensed and remains public. But it has removed several team and enterprise features, and its README recommends personal, non-production use, which makes it a weaker default for businesses that need a quiet production booking system.
What is the best self-hosted Calendly alternative now?
For most users, Easy!Appointments is the best first pilot. It is GPL-3.0, self-hosted, focused on web appointment booking, and supports provider schedules, services, customer records, email notifications, and Google Calendar sync.
When should I use Nextcloud Calendar instead?
Use Nextcloud Calendar if your organization already runs Nextcloud. Its appointment feature can handle booking links, public or private configurations, conflict checks, buffers, daily limits, and attendee forms without adding a separate app.
Are Rallly and Croodle Calendly replacements?
Not really. Rallly and Croodle are better for group polls and choosing a meeting time. They are useful, but they do not replace a standing booking page with provider schedules, cancellation rules, calendar sync, and appointment records.
AI-generated summary, reviewed by an editor. More on our AI guidelines.
Maria Garcia
Tech culture and generative AI reporter covering the intersection of AI with digital culture, consumer behavior, and content creation platforms. Focusing on technology's beneficiaries and those left behind by AI adoption. Based in California.
