Privacy Policy
Last updated: April 8, 2026
This policy applies to California residents and all users of Calendarito and describes our practices under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Google API Services User Data Policy, and applicable U.S. federal law.
1. Our Core Commitment
We do not view, store, or have access to your calendar events.
Your events are created directly in your Google Calendar using the official Google Calendar API. Content you provide (text, files, PDFs, or images) is processed transiently by AI to extract structured event data and is immediately discarded after calendar creation. We never persist the actual event content on our servers.
We do not sell or share your personal information for cross-context behavioral advertising, as those terms are defined under Cal. Civ. Code § 1798.140.
2. Information We Collect
The table below uses the statutory categories defined by the CCPA/CPRA (Cal. Civ. Code § 1798.140).
| CCPA Category | Specific Data Elements | Source | Business Purpose |
|---|---|---|---|
| Identifiers | Google user ID; OAuth access token; email address (used as account identifier in Supabase) | Directly from you via Google OAuth | Authentication; creating events in your Google Calendar on your behalf |
| Internet or other electronic network activity information | Anonymized usage counts (events created, tokens consumed, file upload counts); transient text, PDF, or image content submitted for AI extraction | Directly from you; OpenAI as service provider (processes and returns structured data) | AI event extraction; service monitoring; cost management |
| Inferences drawn from other personal information | Structured event data (title, date, time, location, description) extracted from submitted content by AI | Derived from content you provide; processed by OpenAI as service provider | Presenting extracted events for your review before calendar creation; discarded immediately after |
We do not collect sensitive personal information as defined by Cal. Civ. Code § 1798.121, and we do not knowingly collect personal information from consumers under 16.
3. How We Use Your Information
We use the personal information described above exclusively for the following business purposes:
- • Service delivery: Authenticating you with Google and creating calendar events you have explicitly confirmed.
- • AI event extraction: Sending your submitted content to OpenAI (acting as a service provider under a data processing agreement) to parse structured event data. OpenAI does not use your data to train its models under our enterprise agreement.
- • Cost and operations monitoring: Tracking anonymized token usage and event counts to manage our OpenAI and hosting costs.
- • Debugging and product improvement: Retaining anonymized usage logs to identify issues and improve extraction accuracy.
We do not use your personal information for automated decision-making that produces legal or similarly significant effects. The AI extraction step structures events for your review and explicit confirmation before any calendar entry is created.
4. Data Processing and Third Parties
We disclose personal information to the following categories of service providers/contractors solely for the business purposes described above. We do not "sell" or "share" personal information with any third party.
Google LLC
CCPA categories disclosed: Identifiers; Inferences (event content you confirm for creation).
Purpose: All calendar read/write operations occur through the official Google Calendar API using your OAuth credentials. Google handles storage and delivery of your events.
Google API Services User Data Policy: Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We access only the calendar.events scope (write) required to create events on your behalf. We do not read your existing calendar events, contacts, or any other Google data.
OpenAI, L.L.C.
CCPA categories disclosed: Internet or other electronic network activity information (transient content); Inferences (structured extraction result).
Purpose: Event extraction only. Your content is processed transiently and not used to train OpenAI models. OpenAI acts as a service provider under a data processing agreement.
Supabase, Inc.
CCPA categories disclosed: Identifiers (user ID, email); Internet or other electronic network activity information (anonymized usage counts).
Purpose: Authentication (storing your OAuth session) and logging anonymized usage statistics. Event content is not stored in a way that allows reconstruction of your personal schedule.
5. What We Do NOT Do
- • We do not read your existing Google Calendar events
- • We do not store your raw event content, uploaded files, or text inputs on our servers
- • We do not sell your personal information
- • We do not share your personal information for cross-context behavioral advertising
- • We do not use your data to train AI models
- • We do not share identifiable personal information with third parties beyond what is strictly necessary for the service to function
- • We do not knowingly collect personal information from individuals under 16 years of age
6. Data Retention
| Data Type | Retention Period | Criteria / Basis |
|---|---|---|
| Browser localStorage (draft events, UI state) | Until you clear your browser data or click "Add more events" | Controlled entirely by you; never transmitted until you confirm creation |
| OAuth access token (Supabase session) | Until you sign out or revoke access in your Google Account settings | Required to maintain authenticated session; deleted immediately upon revocation |
| Transient AI input (text, files, images) | Not retained; discarded immediately after OpenAI returns extracted event data | Never stored on our servers beyond in-flight processing |
| Anonymized usage logs (token counts, event counts, upload counts) | Up to 24 months | Retained for cost reconciliation, auditing, and aggregate service improvement; deleted on a rolling 24-month basis or upon valid deletion request |
7. Security
We implement reasonable technical and organizational safeguards appropriate to the nature of the data we process, including:
- • All data transmitted between your browser, our servers, Google, OpenAI, and Supabase is encrypted in transit using TLS 1.2 or higher.
- • OAuth tokens are stored in Supabase with row-level security; only your authenticated session can access your own credentials.
- • Access to production systems and logs is restricted to authorized personnel on a need-to-know basis.
No method of transmission or storage is 100% secure. If you believe your data has been compromised, contact us immediately at privacy@calendarito.com.
8. Children's Privacy
Calendarito is not directed to children under the age of 13 and does not knowingly collect personal information from children under 13. We also do not sell or share personal information of consumers between the ages of 13 and 15 without affirmative opt-in, and we do not knowingly collect personal information from individuals under 16. If you believe a child has provided us with personal information, please contact us at privacy@calendarito.com and we will delete it promptly.
9. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the CCPA/CPRA (Cal. Civ. Code §§ 1798.100–1798.199):
Right to Know / Access
You have the right to request that we disclose: (a) the categories and specific pieces of personal information we have collected about you, (b) the categories of sources from which it was collected, (c) our business or commercial purpose for collecting it, and (d) the categories of third parties to whom we disclose it. Requests may cover personal information collected on or after January 1, 2022.
Right to Correct
You have the right to request that we correct inaccurate personal information we maintain about you.
Right to Delete
You have the right to request deletion of personal information we have collected about you, subject to certain exceptions (e.g., information required to complete a transaction, detect security incidents, or comply with a legal obligation).
Right to Opt Out of Sale or Sharing
We do not sell or share personal information. No opt-out is required, but you may still submit a request and we will confirm our practices.
Right to Limit Use of Sensitive Personal Information
We do not collect or process sensitive personal information as defined by Cal. Civ. Code § 1798.121. This right is not currently applicable to Calendarito.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge different prices, or provide a different level of service because you exercised a privacy right.
Global Privacy Control (GPC)
If your browser transmits a Global Privacy Control signal, we will treat it as a request to opt out of the sale or sharing of personal information. Since we do not sell or share personal information, no additional action is required on our end, but we honor GPC signals in accordance with Cal. Civ. Code § 1798.135(b).
How to Submit a Verifiable Consumer Request
You may submit a verifiable consumer request by either of the following methods:
- • Email: privacy@calendarito.com — Include your full name and the email address associated with your Calendarito account.
- • In-app:Navigate to your account settings and use the "Submit a Privacy Request" option (available when signed in).
Response Timeline and Verification
We will acknowledge receipt of your request within 10 business days and respond substantively within 45 calendar days. If we require additional time, we will notify you in writing before the initial 45-day period expires and may extend our response by an additional 45 days (90 days total) where reasonably necessary.
To protect your privacy, we will verify your identity before fulfilling a request. Verification typically requires confirming the email address associated with your account. We may request additional information if we cannot reasonably verify your identity from the information provided.
Appeals: If we decline to take action on your request, you may appeal that decision by contacting us at privacy@calendarito.com with the subject line "Privacy Request Appeal." We will respond to your appeal within 45 calendar days.
You may also revoke Calendarito's Google access at any time through your Google Account permissions.
10. Changes to This Policy
We review and update this Privacy Policy at least annually, as required by the CCPA/CPRA. For material changes that affect your rights or our data practices in a significant way, we will notify you via email (to the address associated with your account) or via a prominent in-app notice at least 30 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact Us
For privacy-related questions, consumer rights requests, or concerns about our data practices:
Calendarito
Email: privacy@calendarito.com
Subject line for rights requests: "California Privacy Request"
This policy is accessible via the Calendarito settings menu and is available in a screen-reader-compatible, printable format at this URL. Legal references: Cal. Civ. Code §§ 1798.100 et seq. (CCPA/CPRA); CPPA regulations effective January 1, 2026; Google API Services User Data Policy; FTC Act § 5.