Privacy Policy

1. Introduction

CalendarShot ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our progressive web application (PWA) and services.

CalendarShot is an AI-powered service that extracts calendar events from images (such as work schedules, appointment cards, and calendar screenshots) and allows you to sync them with your calendar providers.

2. Information We Collect

2.1 Information You Provide

• Account Information: Email address and authentication credentials when you sign up
• Images: Photos and images you upload containing calendar information
• Calendar Data: Event information extracted from your images (dates, times, titles, descriptions, locations)
• Calendar Connections: OAuth tokens and connection details for third-party calendar services you choose to connect

2.2 Automatically Collected Information

• Usage Data: Information about how you interact with our service, including processing times and features used
• Device Information: Browser type, operating system, device identifiers
• Log Data: IP addresses, access times, error logs, and performance metrics
• Session Data: Authentication tokens and session identifiers stored in secure HTTP-only cookies

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Provision: To process your images and extract calendar events using AI models
• Calendar Synchronization: To sync extracted events with your connected calendar services
• Account Management: To create and manage your user account
• Service Improvement: To analyze usage patterns and improve our AI models and service performance
• Communication: To send service-related notifications and respond to your inquiries
• Security: To detect, prevent, and address technical issues and fraudulent activity
• Legal Compliance: To comply with applicable laws and regulations

4. Third-Party Services

CalendarShot integrates with the following third-party services:

4.1 Authentication & Data Storage

• Supabase: Provides authentication services and database storage for user accounts, calendar events, and processing jobs

4.2 AI Processing

• OpenRouter: Routes image processing requests to AI vision models (OpenAI GPT-4o-mini, Google Gemini 2.5 Flash, Anthropic Claude Sonnet 4)
• Note: Images are sent to these AI providers for processing. We use models that do not retain or train on your data

4.3 Calendar Providers

• Google Calendar: When you connect Google Calendar, we use OAuth 2.0 to access and sync events
• Other Calendar Services: CalDAV-compatible calendar services you choose to connect
• Permissions: We only request the minimum permissions necessary to create and manage calendar events

4.4 Hosting & Deployment

• Vercel: Hosts and deploys our application infrastructure

Each of these third-party services has their own privacy policies governing how they handle data. We encourage you to review their policies:

• Supabase Privacy Policy: https://supabase.com/privacy
• OpenAI Privacy Policy: https://openai.com/privacy
• Google Privacy Policy: https://policies.google.com/privacy
• Anthropic Privacy Policy: https://www.anthropic.com/privacy

5. Data Storage and Security

5.1 Storage Location

Your data is stored securely using Supabase's infrastructure, which uses industry-standard encryption and security practices.

5.2 Security Measures

• End-to-end HTTPS encryption for all data transmission
• Secure, signed URLs for image uploads (no base64 encoding)
• HTTP-only cookies for session management to prevent XSS attacks
• OAuth 2.0 for third-party calendar authentication
• Encrypted storage for calendar provider tokens
• Row-level security policies in database to protect user data
• Regular security audits and updates

5.3 Data Retention

• Images: Uploaded images are processed and may be temporarily stored for processing purposes. We do not retain images longer than necessary for extraction
• Extracted Events: Calendar events remain in your account until you delete them
• Account Data: Retained while your account is active and for a reasonable period after account deletion as required by law
• Processing Logs: Performance and error logs are retained for up to 90 days for debugging and improvement purposes

6. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

• With Your Consent: When you explicitly authorize us to share information (e.g., syncing to your calendar)
• Service Providers: With third-party services necessary to operate our service (as listed in Section 4)
• Legal Requirements: When required by law, court order, or governmental request
• Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)
• Protection of Rights: To protect the rights, property, or safety of CalendarShot, our users, or the public

7. Your Rights and Choices

7.1 Access and Control

You have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and associated data
• Export: Download your calendar event data in a portable format
• Disconnect: Revoke calendar provider connections at any time

7.2 Communication Preferences

You can opt out of non-essential communications. However, we may still send you service-related notifications necessary for the operation of your account.

7.3 Cookie Management

Our service uses essential cookies for authentication and session management. These are necessary for the service to function and cannot be disabled while using CalendarShot.

8. Google API Services User Data Policy

CalendarShot's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• We only request the minimum Google Calendar permissions necessary to create and manage events
• We do not store or retain your existing Google Calendar data. We access your calendar solely to insert the specific events generated from your uploaded images.
• We do not use Google user data for advertising purposes
• We do not allow humans to read Google user data unless:
  • You explicitly consent
  • It's necessary for security purposes (e.g., investigating abuse)
  • It's required by law
• We do not transfer Google user data to third parties except as necessary to provide our service or as required by law

9. Children's Privacy

CalendarShot is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. By using CalendarShot, you consent to the transfer of your information to our facilities and service providers globally.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of CalendarShot after changes become effective constitutes acceptance of the revised policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your request within a reasonable timeframe as required by applicable law.