Privacy Policy

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide when you register on the Services, sign in with a third-party provider, or contact us. The personal information we collect includes:

• Name
• Email address
• Profile identifier from Google or Microsoft (when used to sign in)
• Profile photo URL (when provided by your sign-in provider)
• OAuth access and refresh tokens for calendar integrations
• Calendar busy/free times and event metadata within the scopes you authorize

If you create an account with email and password, the password is handled exclusively by Firebase Authentication and stored in hashed form. We never see, log, or store your raw password.

Sensitive Information

We do not process sensitive personal information.

Google API Services

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

In Short: We process your information to provide and administer the Services, authenticate you, compute team availability, communicate with you, and maintain security.

• To create and authenticate your account.
• To compute and display shared availability for the teams you participate in.
• To create calendar events on your behalf when you authorize event creation.
• To respond to inquiries and provide support.
• To prevent fraud, abuse, and security incidents.
• To comply with applicable law.

We do not use your information for advertising and do not use it to train AI/ML models.

In Short: We only process your personal information when we have a valid legal reason to do so under applicable law.

If you are located in the EU or UK, we may rely on the following legal bases under GDPR and UK GDPR:

• Consent— you have given us permission to process your information for a specific purpose, which you can withdraw at any time.
• Performance of a Contract— processing is necessary to deliver the Services to you.
• Legal Obligations— processing is required to comply with law, regulation, or legal process.
• Vital Interests— processing is necessary to protect the vital interests of you or another person.

If you are located in Canada, we rely on your express or implied consent, which you may withdraw at any time, except in the limited cases where applicable law permits processing without consent.

In Short: We share information only with the sub-processors listed below or when required by law.

We do not sell your personal information and do not share it with third parties for targeted advertising. We share information with the following sub-processors who help us operate the Services:

• Firebase (Google LLC)— authentication, database (Cloud Firestore), file storage, and hosting.
• Firebase Performance Monitoring (Google LLC) — monitoring of database reads, response times, and runtime errors.
• Vercel Inc.— web application hosting and serverless function execution.
• Google LLC— Google OAuth and Google Calendar API integration (only when you connect a Google account).
• Microsoft Corporation— Microsoft Identity Platform and Microsoft Graph / Outlook Calendar integration (only when you connect a Microsoft account).

We may also share or transfer your information in connection with a merger, sale of company assets, financing, or acquisition of all or part of our business.

In Short: We use cookies and similar technologies only for essential functionality and security.

We use cookies and similar technologies to keep you signed in, maintain session security, remember preferences, and support core site functionality. We do not use cookies for advertising, do not sell or share cookie data, and do not run third-party advertising trackers.

We do not currently provide an in-app cookie preference center because the cookies we set are strictly necessary for the Services to function. You can clear or block cookies through your browser settings; doing so may prevent you from signing in or using the Services.

Specific information about how we use these technologies is set out in our Cookie Notice.

In Short: You may sign in using your Google or Microsoft account.

Our Services support sign-in with Google and Microsoft accounts. When you choose to sign in this way, we receive your name, email address, profile identifier, and (where available) profile picture from your provider. We do not currently support Facebook, X, or other social providers.

We use this information solely for the purposes described in this Privacy Notice. We do not control, and are not responsible for, other uses of your personal information by Google or Microsoft. You can revoke our access at any time:

• Google — myaccount.google.com/permissions
• Microsoft — account.microsoft.com/consent

In Short: We keep your information for as long as your account is active, or as required by law.

• Account data and team membership— retained while your account is active.
• OAuth tokens— deleted when you disconnect the integration or delete your account.
• Calendar busy/free data— processed in memory to compute availability and not retained beyond what is needed to display the resulting busy blocks.
• Account deletion— associated personal data is removed immediately, except where retention is required by law.

In Short: We aim to protect your personal information through organizational and technical security measures.

We rely on Firebase Authentication for password handling, store data in Cloud Firestore with access rules, transmit data over TLS, and restrict administrative access to authorized personnel. However, no electronic transmission or storage technology can be guaranteed to be 100% secure, so we cannot promise that unauthorized third parties will not be able to defeat our security measures. You should access the Services only within a secure environment.

In Short: If we discover a personal data breach affecting you, we will notify you without undue delay.

In the event of a confirmed personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users by email at the address associated with their account and, where required by applicable law (including GDPR Article 33 and relevant US state laws), notify the appropriate supervisory authority. Notifications will describe, to the extent known, the nature of the breach, the categories of data involved, the likely consequences, and the measures we have taken or propose to take in response.

In Short: The Services are not directed to children under 13.

The Services are not directed to children under 13 years of age, and we do not knowingly solicit data from or market to children under 13. We do not actively verify the age of users. If you are a parent or guardian and believe your child has provided personal information to us, please contact support@btwncalendars.com and we will take reasonable steps to delete such information.

In Short: Depending on where you live, you may have the right to access, correct, delete, export, or restrict processing of your personal information.

In some regions (such as the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws, including:

• The right to request access to and obtain a copy of your personal information.
• The right to request correction or erasure.
• The right to restrict the processing of your personal information.
• Where applicable, the right to data portability.
• The right not to be subject to solely automated decision-making.

To exercise these rights, email support@btwncalendars.com. You may also revoke OAuth access to your Google or Microsoft account at any time using the links in Section 6, and you can review, update, or delete most of your account data directly from your account settings.

If you are located in the EEA or UK and believe we are unlawfully processing your personal information, you also have the right to lodge a complaint with your local data protection authority. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Most web browsers include a Do-Not-Track (“DNT”) feature. Because no uniform standard for recognizing and implementing DNT signals has been finalized, we do not currently respond to DNT browser signals. If a standard is adopted that we are required to follow, we will update this notice accordingly.

In Short: Residents of certain US states have additional rights regarding their personal information.

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to, correct, delete, or obtain a copy of the personal information we maintain about you, and to withdraw consent to processing.

Categories of Personal Information We Collect

• Identifiers— name, email address, profile identifier from sign-in provider. YES
• California Customer Records (name only) — YES
• Internet activity— limited diagnostic data collected by Firebase Performance Monitoring for reliability purposes only. YES
• Protected classification characteristics, commercial information, biometric information, geolocation data, professional/employment information, education information, sensitive personal information, and inferences — NO

Sale & Sharing

We have not sold personal information and have not shared personal information for targeted advertising in the preceding twelve (12) months, and we do not currently do so.

Your Rights

• Right to know whether we are processing your personal data.
• Right to access your personal data.
• Right to correct inaccuracies.
• Right to request deletion.
• Right to obtain a copy of your data.
• Right to non-discrimination for exercising your rights.

How to Exercise Your Rights

Email support@btwncalendars.com. We may need to verify your identity before fulfilling a request. Authorized agents must provide written, signed permission from you.

Appeals

If we decline to act on your request, you may appeal by emailing support@btwncalendars.com. If your appeal is denied, you may submit a complaint to your state attorney general.

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

The updated version will be indicated by an updated “Last updated” date at the top of this Privacy Notice. If we make material changes, we may notify you by prominently posting a notice or by emailing the address on your account.

If you have questions or comments about this notice, contact us at:

You may review or change account information from your account settings page. To delete your account and associated personal data, use the delete account option in your settings or email support@btwncalendars.com. Deletion is immediate, except where retention is required by law.

Google API Services — Limited Use

BTWN Calendars’ use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We request only the minimum Google Calendar scopes needed to read busy/free times and write events you authorize. Calendar event metadata is used solely to compute availability for your teams; it is not sold, used for advertising, used to train AI/ML models, or shared with third parties beyond what you direct.

Microsoft Graph / Outlook Calendar

When you connect a Microsoft account, we request the minimum Microsoft Graph scopes needed to read busy/free times and write events you authorize. Tokens and event metadata are handled under the same Limited Use principles described above and are governed by the Microsoft Privacy Statement on Microsoft’s side.

Sub-processors

• Firebase (Google LLC)— authentication, Cloud Firestore database, storage, hosting, and Performance Monitoring.
• Vercel Inc.— web hosting and serverless function execution.
• Google LLC— Google Calendar API integration (only when you connect a Google account).
• Microsoft Corporation— Microsoft Graph / Outlook Calendar integration (only when you connect a Microsoft account).

Account Deletion & Data Removal

You can disconnect a calendar integration at any time from the account settings page, which revokes our access tokens. To delete your account and all associated personal data, use the delete account option in your user settings. Deletion is immediate.