Privacy Policy

Last updated: March 2026

Introduction

At TwoCals ("we," "us," "our," or "Company"), owned and operated by Fred Pedersen, we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use our calendar synchronization service.

1. What Data We Collect

When you use TwoCals, we collect the following information:

  • Account Information: Your Google or Microsoft email address associated with your OAuth login.
  • Calendar Metadata: Calendar names, IDs, and associated account identifiers.
  • Event Time Data: Event start times, end times, and event IDs for the purpose of creating busy blocks.
  • Refresh Tokens: OAuth refresh tokens (encrypted at rest with AES-256-GCM) to maintain access to your calendars.

What we do NOT collect: We do not collect, store, or access event titles, descriptions, attendee lists, locations, or any other event content. We only store event IDs and time ranges for the purpose of mapping busy blocks.

2. Why We Collect This Data

We collect this data exclusively to provide our core service: synchronizing your calendars by creating "busy" blocks across calendar systems. Specifically, we use this data to:

  • Connect to your Google Calendar and Microsoft Outlook accounts
  • Retrieve your calendar schedules and event time data
  • Create busy blocks on synchronized calendars to prevent double-booking
  • Maintain real-time synchronization between your calendars

3. How We Store Your Data

Your data is stored securely using industry-standard practices:

  • Database: Supabase (PostgreSQL) with Row Level Security (RLS) enabled to ensure data isolation.
  • Encryption: OAuth refresh tokens are encrypted at rest using AES-256-GCM encryption.
  • Access Controls: Row-level security ensures that users can only access their own calendar data.
  • Infrastructure: Our application is hosted on Vercel, which provides industry-standard security and compliance measures.

4. Google API Services User Data Policy

TwoCals complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We access Google Calendar data only for the purpose of creating busy blocks and syncing calendars.
  • We do not collect, access, or use Google data for any other purpose, including advertising or data selling.
  • We do not store event titles, descriptions, attendees, or other sensitive event details.
  • We retain Google tokens only for the duration of your account and service use.

5. Third-Party Services

TwoCals uses the following third-party services to provide and maintain our platform:

  • Supabase: Our primary database provider. See their privacy policy.
  • Vercel: Our application hosting provider. See their privacy policy.
  • Stripe: Our payment processor for Pro plan subscriptions. See their privacy policy.
  • Sentry: Our error tracking service for monitoring application stability. See their privacy policy.

6. Data Retention

We retain your data as follows:

  • Account Data: Retained while your account is active. Permanently deleted upon account deletion or within 30 days of deletion request.
  • Sync Logs: Retained for 30 days for troubleshooting and audit purposes, then automatically deleted.
  • OAuth Tokens: Retained only as long as necessary to maintain calendar synchronization. Deleted immediately upon account deletion.

7. Your Rights

You have the following rights regarding your personal data:

  • Access: You can request a copy of all data we hold about you.
  • Correction: You can request we correct inaccurate data.
  • Deletion: You can request deletion of your account and all associated data (right to be forgotten).
  • Data Portability: You can request your data in a portable format.
  • Withdrawal of Consent: You can withdraw consent for OAuth access by disconnecting your calendars in your account settings or by revoking app permissions in your Google/Microsoft account settings.

To exercise any of these rights, contact us at hello@twocals.com.

8. Cookies and Tracking

We use minimal cookies to operate our service:

  • Authentication Cookies: Essential cookies that keep you signed in to TwoCals.

We do NOT use:

  • Tracking cookies (Google Analytics, Mixpanel, etc.)
  • Third-party analytics or advertising cookies
  • Cookies for any purpose other than authentication

9. International Data Transfers

TwoCals is based in Estonia. When you use our service, your data is processed and stored in the United States (Vercel/Supabase). By using TwoCals, you consent to the transfer of your information to countries outside your country of residence, which may have data protection rules that differ from your home country.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. Your continued use of TwoCals after changes indicates your acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

TwoCals

Owner: Fred Pedersen

Email: hello@twocals.com