1. What We Collect
We collect only what is necessary to run the Service:
- Email address — used for passwordless sign-in
and service notifications
- OAuth tokens — encrypted credentials that allow
us to access your Google and Microsoft calendars on your behalf
- Calendar metadata — calendar names and IDs
needed to configure sync pairs
- Calendar events — read and written during
synchronization as configured by you
2. How We Use Your Data
Your data is used exclusively to:
- Authenticate you and secure your account
- Perform calendar synchronization as you configure it
- Send transactional emails (sign-in links, important notices)
- Monitor service health and diagnose errors
We do not use your data for advertising, profiling, or any purpose unrelated to
providing the Service.
3. Google and Microsoft Calendar Data
twocal's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access your Google Calendar data only to
sync events as you direct, and we do not transfer this data to third parties except as
necessary to provide the Service. The same principle applies to Microsoft Calendar data
accessed via Microsoft Graph.
4. Data Storage and Security
- OAuth tokens are encrypted at rest using AES-256
- All data is transmitted over TLS
- Data is stored in a PostgreSQL database hosted on Fly.io (region: US East)
- We retain your data as long as your account exists
5. Data Sharing
We do not sell or rent your personal data. We share data only with:
- Google / Microsoft — to perform calendar sync
via their APIs
- Postmark — transactional email delivery
- Fly.io — hosting and database infrastructure
- Sentry — error monitoring (no calendar event
content is sent)
6. Your Rights and Choices
- Access & export — contact us to request a copy
of your data
- Deletion — delete your account from Settings;
your data is removed within 30 days
- Revoke calendar access — remove twocal from
your Google or Microsoft account permissions at any time
7. Cookies and Tracking
twocal uses only a session token (stored in localStorage) for authentication. We do
not use third-party tracking cookies or analytics.
8. Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect data
from children.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material
changes by email. Continued use of the Service after changes constitutes acceptance.