Privacy Policy
Last updated: March 14, 2026
1. Controller and scope
This Privacy Policy explains how personal data is processed when you use this CalendarSync Cloud deployment (the "Service"). The controller is the operator of this deployment.
The policy applies to the web application, API, and worker services used to connect Google accounts and run calendar synchronization rules.
2. Data we process
Depending on your use of the Service, we process the following categories of data:
- Account and identity data: Google account subject ID, email address, and basic profile name used for sign in and account linking.
- Connection metadata: linked Google account identifiers, linked calendar IDs, calendar summaries, primary flags, and access roles.
- OAuth credentials: Google OAuth access and refresh tokens stored in encrypted form in the database.
- Sync configuration: rule names, source and target calendars, schedule, payload mode, direction, filters, transformations, dry-run settings, and execution settings.
- Run and operations data: run status, trigger type, timestamps, summaries, and error messages needed to operate and troubleshoot synchronization.
- Calendar event content: event data read from source calendars and written to target calendars to execute rules you configured.
- Technical request data: server-side request metadata and infrastructure logs generated by hosting providers.
3. Sources of data
We receive personal data directly from you and from Google when you connect accounts, including:
- Google Sign-In via NextAuth on the frontend.
- Google OAuth and Google UserInfo endpoint during account linking.
- Google Calendar API responses used to list calendars and run synchronization.
- Data you submit when creating or editing sync rules.
4. Purposes and legal bases
We process personal data for the following purposes:
- Provide authentication and account access.
- Link Google accounts and maintain active calendar connections.
- Execute scheduled and manual synchronization and cleanup runs.
- Store rule definitions and run history.
- Protect the Service against abuse and unauthorized access.
- Maintain security, reliability, and performance.
Under the GDPR, processing is typically based on Art. 6(1)(b) (performance of a contract) and Art. 6(1)(f) (legitimate interests in secure and reliable operation). Where consent is required by law, Art. 6(1)(a) applies.
5. Google permissions and calendar content
The Service requests Google scopes needed to identify your account and synchronize calendars, including OpenID, email/profile information, calendar read access, and calendar events write access.
Calendar event data is processed only to run the sync rules you enable (for example, full-details sync or busy-only sync). We do not sell calendar content or use it for advertising.
6. Storage, hosting, and processors
This deployment uses third-party infrastructure providers to operate the Service, including:
- Neon/PostgreSQL for application data storage.
- Google Cloud services for API/worker execution, scheduling, and optional key management.
- Vercel for frontend hosting.
- Google APIs for identity and calendar operations.
These providers process data as service providers/processors to deliver infrastructure and platform capabilities.
7. Security measures
We apply technical and organizational measures designed to protect personal data, including:
- Encryption of stored OAuth tokens (envelope encryption with AES-GCM and key versioning).
- Use of Google Cloud KMS when configured, with support for key rotation/migration.
- Restricted internal API endpoints protected by shared secrets and service authentication.
- Transport security (HTTPS/TLS) for data in transit.
8. Cookies and session data
The frontend uses authentication/session mechanisms provided by NextAuth to keep you signed in. This may involve strictly necessary cookies or similar session storage required to operate login and account sessions.
9. Data retention and deletion
We retain personal data for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.
If you remove a linked Google connection, related data connected through foreign-key relationships is deleted from operational tables (including associated encrypted token records and dependent sync data).
If you delete a sync rule, related run records and dependent rule data are removed according to database constraints. If you need full account deletion, contact the deployment operator.
10. International transfers
Depending on the region and provider configuration, personal data may be processed in countries outside your own jurisdiction. Where required, providers are expected to rely on appropriate transfer safeguards under applicable data protection law.
11. Your rights
Subject to applicable law (including GDPR where applicable), you may have rights to access, rectify, erase, restrict, or object to processing, withdraw consent, and request data portability. You may also have the right to lodge a complaint with a supervisory authority.
12. Children
The Service is not designed specifically for children. If you believe personal data of a child was processed without appropriate authorization, contact the deployment operator.
13. Changes to this policy
We may update this Privacy Policy from time to time. The current version is published on this page with the "Last updated" date.
14. Contact
For privacy requests (including access or deletion), contact the operator of this specific CalendarSync Cloud deployment through the support channel provided with the service.