Privacy Policy

Last updated: June 12, 2026

1. What We Collect

We collect only what is necessary to run the Service:

  • Email address — used for passwordless sign-in and service notifications
  • OAuth tokens — encrypted credentials that allow us to access your Google and Microsoft calendars on your behalf
  • Calendar metadata — calendar names and IDs needed to configure sync pairs
  • Calendar events — read and written during synchronization as configured by you

2. How We Use Your Data

Your data is used exclusively to:

  • Authenticate you and secure your account
  • Perform calendar synchronization as you configure it
  • Send transactional emails (sign-in links, important notices)
  • Monitor service health and diagnose errors

We do not use your data for advertising, profiling, or any purpose unrelated to providing the Service.

3. Google and Microsoft Calendar Data

twocal's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access your Google Calendar data only to sync events as you direct, and we do not transfer this data to third parties except as necessary to provide the Service. Specifically, twocal does not use your Google or Microsoft calendar data to train generalized or artificial-intelligence models, does not sell or rent it, and does not allow humans to read it except (a) with your explicit consent, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized. The same principles apply to Microsoft Calendar data accessed via Microsoft Graph.

4. Data Storage and Security

  • OAuth tokens are encrypted at rest using AES-256
  • All data is transmitted over TLS
  • Data is stored in a PostgreSQL database hosted on Fly.io (region: US East)
  • We retain your data as long as your account exists
  • Encrypted database backups may retain deleted data for a limited period after account deletion before they expire automatically

5. Data Sharing

We do not sell or rent your personal data. We share data only with:

  • Google / Microsoft — to perform calendar sync via their APIs
  • Stripe — payment processing; after account deletion Stripe retains the transaction records it is legally required to keep
  • Postmark — transactional email delivery; delivery logs expire automatically after ~45 days
  • Fly.io — hosting and database infrastructure
  • Sentry — error monitoring (no calendar event content is sent); error events expire automatically after ~90 days

6. Your Rights and Choices

  • Access & export — download a copy of your data any time from Settings ("Download my data")
  • Deletion — delete your account from Settings; syncing stops immediately and your data is permanently removed after a 30-day grace period, during which you can sign back in to restore your account
  • Synced copies — events twocal created in your own calendars belong to you; when deleting your account you can optionally have us remove them first
  • Revoke calendar access — remove twocal from your Google or Microsoft account permissions at any time

7. Cookies and Tracking

twocal uses only what is needed to keep you signed in: a short-lived session token (stored in your browser's localStorage) and an httpOnly session cookie used to refresh it. We do not use third-party tracking cookies or analytics.

8. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email. Continued use of the Service after changes constitutes acceptance.

10. Contact

Questions or requests regarding your data? Email us at [email protected].