→ LEGAL

PRIVACY
POLICY

Last updated: November 21, 2025

We take your privacy seriously. Here's how we handle your data.

01. WHAT WE COLLECT

→ Account Information

Email address, name, and authentication credentials when you sign up.

→ Google Calendar Data

We access the following Google user data through the Google Calendar API:

  • Calendar events - Event start/end times, busy/free status
  • Calendar metadata - Calendar names, IDs, time zones
  • Event visibility - To determine if events should be synced

We DO NOT access or store: event titles, descriptions, attendees, locations, attachments, or meeting notes. We only read timing information needed to create blocking events.

→ Microsoft Calendar Data

For Microsoft/Outlook calendars, we access event timing and availability status through Microsoft Graph API. Same privacy-first approach: no event details, only times.

→ OAuth Tokens

Encrypted access tokens for Google, Microsoft, and Apple calendar services. Stored securely and never shared.

→ Usage Data

Sync logs, error reports, and performance metrics to improve the service.

02. HOW WE USE YOUR DATA

We process Google user data and other calendar data exclusively for the following purposes:

Calendar Synchronization: We read event timing data from your source calendars (Google, Microsoft, Apple) and create corresponding "Busy" blocking events in your target calendars. This prevents double-bookings across your accounts without exposing private event details.
Authentication & Authorization: We use OAuth tokens to authenticate your identity with calendar providers and maintain authorized access to sync your calendars according to your preferences.
Service Maintenance: We log sync operations, errors, and performance metrics to debug issues, optimize reliability, and improve the synchronization engine.
Customer Support: When you contact support, we may access your sync logs and configuration to troubleshoot issues and resolve problems with your account.
Security & Fraud Prevention: We monitor for suspicious activity, unauthorized access, and potential security threats to protect your account and our service.

→ Google Data Specific Usage:

Google Calendar data is used only for calendar synchronization. We do not use Google user data for advertising, marketing, analytics, AI training, or any purpose other than providing you with calendar sync functionality. We do not share Google user data with third parties except as required to operate the service (see Data Sharing section below).

03. WHAT WE DON'T DO

NO selling data: We never sell, rent, or share your personal information with third parties for marketing

NO reading event details: We only access event times, not titles, descriptions, or attendees

NO tracking: We don't use invasive analytics or third-party tracking scripts

NO data mining: Your calendar data is used solely for synchronization, nothing else

04. DATA SHARING

We share your data only in the following limited circumstances:

→ Calendar Service Providers (Required for Service Operation)

To provide calendar synchronization, we must share data with:

  • Google LLC - We send API requests to Google Calendar API containing OAuth tokens and calendar event data to read your events and create blocking events. Google processes this data according to their Privacy Policy.
  • Microsoft Corporation - We send API requests to Microsoft Graph API for Outlook/Microsoft 365 calendar synchronization.
  • Apple Inc. - If you connect Apple Calendar, we interact with Apple's CalDAV servers for event synchronization.

Purpose: These interactions are essential to read calendar events from your source calendars and create blocking events in your target calendars. Without this data sharing, the service cannot function.

→ Infrastructure & Service Providers

We use trusted third-party services to operate Caltsu:

  • Vercel Inc. - Hosting and application infrastructure (servers in US/EU)
  • Neon (Neon Inc.) - PostgreSQL database hosting with encryption at rest
  • Stripe Inc. - Payment processing (we do not store credit card numbers)
  • Inngest Inc. - Background job processing for calendar sync tasks

Purpose: These providers process data on our behalf to operate the service infrastructure. They are bound by data processing agreements and cannot use your data for their own purposes.

→ Legal Requirements

We may disclose user data if required by law, court order, or government regulation, or to protect the rights, property, or safety of Caltsu, our users, or others.

✗ What We NEVER Do:

  • Sell your personal data or Google user data to advertisers or data brokers
  • Share calendar data with third parties for marketing purposes
  • Use your data to train AI models or machine learning systems
  • Provide your data to analytics companies beyond basic service metrics

05. DATA STORAGE & SECURITY

→ Encryption

In Transit: All data transmitted between your browser, our servers, and calendar APIs is encrypted using TLS 1.3 or higher.

At Rest: Database stored in Neon PostgreSQL with AES-256 encryption. OAuth access tokens and refresh tokens are encrypted separately using application-level encryption with unique per-user keys.

→ Infrastructure Security

Our infrastructure is hosted on enterprise-grade cloud providers:

  • Vercel (SOC 2 Type II certified) - Application hosting with DDoS protection
  • Neon (SOC 2 compliant) - PostgreSQL database with automated encrypted backups
  • ISO 27001 certified data centers with physical security controls

→ Access Control

Principle of Least Privilege: Only authorized technical personnel have access to production systems. All access is logged and audited. Multi-factor authentication is required for all administrative access. Customer data access is restricted to support requests only.

→ Data Retention Policy

Google Calendar Data: We do not store event details (titles, descriptions, attendees). We only store:

  • Event timing hashes (to detect changes) - Retained for 90 days
  • Sync logs (timestamps, success/error status) - Retained for 90 days
  • OAuth tokens - Retained until you disconnect the account or delete your account

Account Data: Your account information (email, name, connected accounts, sync configuration) is retained until you delete your account.

→ Data Location

Primary data storage: United States (Neon US region). Application servers: Global CDN with automatic routing to nearest region. Your data may be processed in the US and EU.

06. YOUR RIGHTS & DATA DELETION

You have full control over your data. Under GDPR and other privacy laws, you have the following rights:

→ Right to Access

Request a complete copy of all personal data we store about you, including account information, connected calendars, sync configuration, and logs.

How to exercise: Email privacy@caltsu.com with "Data Access Request" in the subject line. We will respond within 30 days with a downloadable archive.

→ Right to Correction

Update your email address, name, or other account information directly in your account settings.

How to exercise: Log in to your dashboard → Settings → Account. Or email support@caltsu.com.

→ Right to Deletion (Right to be Forgotten)

You can delete your account and all associated data at any time. Deletion is permanent and includes:

  • Your account information (email, name, profile)
  • All connected calendar accounts and OAuth tokens
  • Sync configuration and rules
  • All sync logs and event hashes
  • Billing information (Stripe customer ID)

Note: We will also delete all blocking events we created in your calendars. Original events in your calendars remain untouched.

How to Delete Your Account:

  1. Log in to your Caltsu account at caltsu.com/login
  2. Go to Settings → Account
  3. Scroll to "Danger Zone"
  4. Click "Delete Account"
  5. Confirm deletion by entering your email address
  6. Account and all data will be deleted within 48 hours

Alternative: Email privacy@caltsu.com with "Account Deletion Request" and we will process your request within 72 hours.

→ Right to Data Portability

Export your sync configuration, connected accounts list, and sync rules in machine-readable JSON format.

How to exercise: Dashboard → Settings → Export Data, or email support@caltsu.com.

→ Right to Revoke Access

Disconnect any calendar account at any time from your dashboard. This immediately revokes our access to that calendar and deletes associated OAuth tokens.

How to exercise: Dashboard → Connected Calendars → Click "Disconnect" next to any account.

You can also revoke access directly through Google, Microsoft, or Apple account settings.

→ Right to Object & Restrict Processing

Object to specific data processing activities or request temporary restrictions. Contact privacy@caltsu.com with your specific request.

07. THIRD-PARTY SERVICES

We use the following services to operate Caltsu:

→ Google Calendar API

For syncing Google calendars. Subject to Google's privacy policy.

→ Microsoft Graph API

For syncing Microsoft/Outlook calendars. Subject to Microsoft's privacy policy.

→ Stripe

For payment processing. We don't store credit card information. Subject to Stripe's privacy policy.

08. COOKIES

We use minimal cookies for:

Authentication: Keep you logged in (essential)

Preferences: Remember your theme (dark/light mode)

No tracking cookies. No advertising cookies. No nonsense.

09. CHILDREN'S PRIVACY

Caltsu is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact us immediately.

10. CHANGES TO THIS POLICY

We may update this privacy policy occasionally. Material changes will be announced via email and a notice in the dashboard. Continued use after changes means you accept the updated policy.

11. DATA CONTROLLER

The data controller responsible for your personal data is:

DataDux Oy

Business ID: 3427414-9

Registered in Finland

Address: Huopalahdentie 24, 00350 Helsinki

Note: DataDux Oy operates the Caltsu service and is responsible for processing your personal data in accordance with Finnish law and the EU General Data Protection Regulation (GDPR).

12. CONTACT US

Questions about privacy? Want to exercise your rights? Get in touch:

Company:DataDux Oy

Email:privacy@caltsu.com

Support:support@caltsu.com

We typically respond within 48 hours.

READY TO SYNC?

Your privacy is protected. Start syncing calendars today.