Privacy First

Privacy & Security

We believe your calendar data is personal. Here's exactly how we handle it.

TL;DR

  • No account required – we don't collect your email, name, or personal info
  • No event storage – calendar events are fetched on-demand and never stored
  • No cookies or tracking – no analytics, no advertising, no third-party scripts
  • Open source – fully auditable code on GitHub

What We Store

When you create a calendar collection, we store only:

  • Collection metadata: Name, description, and creation timestamp
  • Calendar source URLs: The iCal feed URLs you provide
  • Display preferences: Calendar names and colors you assign
  • Collection GUID: A unique identifier (auto-generated or custom)
Note: Calendar URLs are stored in plaintext. If your calendar URLs contain authentication tokens (common with Google Calendar), those tokens are stored as part of the URL.

What We Don't Store

  • ×Your calendar events – events are fetched in real-time and immediately returned to your client
  • ×Personal information– no accounts, no emails, no names required
  • ×Usage analytics – no tracking pixels, no Google Analytics, no third-party scripts
  • ×Cookies – we don't set any cookies

How Data Flows

When you subscribe to a combined calendar:

  1. 1Your calendar app requests our aggregated feed URL
  2. 2We fetch events from each source calendar in parallel
  3. 3Events are merged, deduplicated, and returned
  4. 4Event data is immediately discarded – nothing is cached
External Connections: We connect to the calendar servers you specify (Google, Outlook, iCloud, etc.) to fetch your events. These connections use HTTPS encryption.

Security Measures

HTTPS Everywhere

All connections encrypted with TLS. HTTP requests automatically upgraded.

Secure Headers

HSTS, CSP, X-Frame-Options, and other security headers enforced.

Cryptographic GUIDs

Collection IDs generated using cryptographically secure random functions.

Input Validation

All inputs sanitized and validated before processing.

Server Logging

For debugging and operational purposes, our servers may log:

  • Collection GUID and name when accessed
  • Number of calendars in a collection
  • Success/failure status of calendar fetches
  • Error messages (not calendar content)

Logs are ephemeral and not persisted long-term. We do not log IP addresses, calendar event content, or detailed URL paths.

Access Control

Collections use a GUID-based access model:

  • Anyone with your collection's GUID can access it
  • Auto-generated GUIDs are cryptographically random (effectively unguessable)
  • Custom IDs you choose may be easier to guess – use them wisely
Tip: Treat your collection URL like a private link. If you want to revoke access, delete the collection and create a new one.

Fully Open Source

Don't take our word for it – audit the code yourself. This entire application is open source and available on GitHub.

View Source Code

Questions about our privacy practices?

Open an issue on GitHub or reach out via the repository.

← Back to Home