Privacy Policy
Last updated: May 11, 2026
Overview
Data we collect
- Account information — your email address and display name, provided when you sign up or via OAuth (Google, Microsoft).
- OAuth tokens — access tokens and refresh tokens issued by Google, Microsoft, and Yahoo when you connect a calendar account. These are stored encrypted at rest using AES-256-GCM. We never store your Google or Microsoft account password.
- Calendar data — event titles, times, descriptions, locations, attendees, and organiser details fetched from your connected calendar providers. This data is stored in our database to power sync and sharing features.
- Usage data — IP addresses and user-agent strings logged in our audit trail when share links are accessed. We do not use third-party analytics.
- Apple / GMX credentials — for CalDAV-based providers (Apple iCloud, GMX), we store your app-specific password encrypted at rest. We do not store your primary Apple ID password.
How we use your data
- To sync your calendars and display events in your dashboard.
- To generate combined calendars and serve them to people you share with, at the permission level you configure.
- To send transactional emails — share invitations, OTP verification codes, and re-authentication notices. We do not send marketing emails.
- To maintain an audit trail of sharing activity so you can review who accessed your calendars.
We do not sell, rent, or trade your personal data or calendar contents to any third party.
Third-party services
JoinCal integrates with the following services to deliver its core functionality:
- Google Calendar API — to read and write events in your Google calendars.
- Microsoft Graph API — to read and write events in your Outlook / Microsoft 365 calendars.
- Yahoo Calendar API — to read events from Yahoo Calendar.
- Supabase — authentication and database hosting. Data is stored in EU-West (Ireland) by default.
- Resend — transactional email delivery.
Each of these providers has their own privacy policies governing how they handle data on their infrastructure.
Data retention
- Your calendar data is retained while your account is active.
- Disconnecting a calendar account immediately deletes all synced events from JoinCal for that account.
- Deleting your JoinCal account removes all your data within 30 days, except where retention is required by law.
- Audit logs are retained for 90 days.
Security
We take security seriously:
- OAuth tokens are encrypted at rest with AES-256-GCM. The encryption key is stored separately from the database.
- All traffic is served over HTTPS/TLS.
- Share links can be revoked instantly. Password-protected and email-gated links add additional access controls.
- We request only the minimum OAuth scopes needed — read-only for most providers, read-write only when you explicitly enable event creation.
Your rights
Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data. To exercise these rights, email us at privacy@joincal.net. We aim to respond within 30 days.
Cookies
JoinCal uses session cookies set by Supabase Auth to keep you signed in. We do not use advertising or tracking cookies.
Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date above. Continued use of JoinCal after a change constitutes acceptance of the updated policy.
Contact
Questions about this policy? Email privacy@joincal.net.