Privacy Policy

Last updated: 2026-06-11

This privacy policy describes how calendar-connect ("the Service", "we") handles personal data. The Service is operated by Left Blank, LLC ("Left Blank", "us") and reachable at [email protected].

What the Service does

calendar-connect lets you connect your Google Calendar and/or Microsoft 365 calendar accounts and republishes the events on those calendars as two iCalendar (.ics) feeds:

• A trusted feed containing full event details (title, description, location, attendees), accessible only via a long random URL you control and can revoke.
• A busy feed where each event's details are stripped and replaced with the word "Busy", suitable for public sharing.

What we collect

When you connect a calendar account we receive and store:

• The OAuth access and refresh tokens issued by Google or Microsoft, which we use to read your calendars on your behalf. These are stored encrypted at rest using authenticated symmetric encryption (AES-128-CBC + HMAC-SHA256, via Fernet).
• Your email address and the provider's user identifier, used to associate the connection with your account in our database.
• The events on the calendars you grant us access to, including the fields needed to re-publish them in the feeds (start, end, title, description, location, organizer, attendees, recurrence rules, status, and the provider-issued event identifier).
• HTTP request logs (IP address, timestamp, URL, status code) retained for up to 30 days for debugging and abuse-prevention purposes.

What scopes we request

• Google: https://www.googleapis.com/auth/calendar.readonly plus the standard OpenID Connect scopes (openid, email) to identify your account. We do not request write access. We do not access Gmail, Drive, Contacts, or any other Google service.
• Microsoft: Calendars.Read, User.Read, offline_access, openid, email. We do not request write access. We do not access Outlook mail, OneDrive, or any other Microsoft service.
• Public iCal URLs: if you add an iCal feed URL (.ics) to your account, we periodically fetch it as an unauthenticated HTTP request (or with HTTP Basic credentials you supply). The URL and any credentials are stored encrypted at rest.

How we use the data

The data is used solely to render your two iCalendar feeds. We do not:

• Sell or rent your data to third parties.
• Use your data for advertising, profiling, or training machine-learning models.
• Share your data with any third party other than the infrastructure sub-processors strictly required to operate the Service (currently: DigitalOcean, who hosts the application and database).
• Send email or write to your calendars on your behalf.

Use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Who can see your data

Trusted feed URLs contain a long random token. Anyone you share a trusted feed URL with can read the full details of the events on that feed until you revoke the token in your account dashboard. Treat trusted feed URLs like passwords. Busy feed URLs are designed to be safe to share publicly: they reveal only the time blocks during which you are busy, with no other event details.

Where the data is stored

Data is stored in a managed PostgreSQL database hosted by DigitalOcean, LLC (Amsterdam region for our development environment; production region will be disclosed here when applicable). All data in transit is encrypted with TLS. OAuth refresh tokens are additionally encrypted at rest at the application layer, as described above.

How long we keep it

Calendar event data is retained as long as your account is active and is re-fetched on each sync. When you disconnect a calendar, all stored events and tokens for that account are deleted immediately. When you delete your account entirely, all of your data is deleted immediately. HTTP request logs are retained for up to 30 days.

Your rights

You can at any time:

• Revoke our access via your Google account (myaccount.google.com/permissions) or your Microsoft account (myaccount.microsoft.com).
• Disconnect a calendar account from your dashboard at /me, which deletes all stored events and tokens for that account.
• Delete your account entirely, which removes all data we hold about you. Email [email protected] if you can't sign in.
• Request an export of the data we hold about you by emailing [email protected].

Cookies

We set one HTTP-only, Secure, SameSite=Lax session cookie (cc_session) used to keep you signed in and to validate OAuth state during the sign-in flow. We do not use analytics, advertising, or third-party tracking cookies.

Children

The Service is not directed to children under 13 and we do not knowingly collect personal information from children.

Changes

If we make material changes to this policy we will update the date at the top of this page and, when feasible, notify connected users by email at the address associated with their primary account.

Contact

Questions, concerns, or data deletion requests: [email protected].