Privacy Policy

Last updated: 2026-05-22

CalCast ("we," "us," or "our") is a calendar synchronization service that mirrors busy time from one Google Calendar onto another as private "hold" blocks. This Privacy Policy explains what information we access, what we store, and how we handle it.

By using CalCast you agree to the practices described here.

1. Information We Access from Google

When you connect a Google account to CalCast, you authorize us to access the following data via the Google Calendar API:

Your basic profile (email address, name, profile picture) — used to identify your account inside CalCast and display it in the app.
Your list of calendars — so you can pick which calendar is the source and which is the destination for a cast.
Events on your calendars — we read events on the source calendar to determine busy time, and we create, update, and delete "hold block" events on the destination calendar to mirror that busy time.

CalCast requests only the narrowest scopes necessary for these features:

https://www.googleapis.com/auth/calendar.events — read and write events
https://www.googleapis.com/auth/calendar.calendarlist.readonly — list your calendars
openid, email, profile — sign in and identify your account

CalCast does not request access to your Gmail, Drive, Contacts, or any other Google service.

2. Information We Store

CalCast operates a small server-side backend (hosted on Supabase) that stores the minimum data needed to keep your casts synchronized. Specifically:

Your CalCast user record — a stable Google account identifier ("sub"), the email address on your primary connected account, and timestamps.
Connected accounts — for each Google account you connect, we store the email address, your encrypted OAuth refresh token (see §6 Security), an encrypted short-lived access token, and status flags (e.g. whether the account needs reconnection).
Casts and color casts — the source and destination calendar IDs and human-readable calendar names you selected, plus your settings: sync window, buffer minutes, hold block title and color, and optional keyword filter (see note below).
Hold block references — the IDs of hold blocks CalCast has created on your destination calendars, so it can update or remove them on later syncs and clean them up if you delete a cast or your account.
Sync activity logs — for each cast and color cast, the timestamp of the most recent sync, success or failure status, and counts of how many hold blocks were created, updated, deleted, or left unchanged. Error messages, when present, include the Google event ID involved and the error description; they do not include event titles or other content.
Watch channel metadata — internal IDs and expiration timestamps that let us listen for changes to your source calendars via Google's push notification system.

About keyword filters: If you set a keyword filter on a cast or color cast, the text you enter is stored in our database as plaintext. We pass it directly to Google's Calendar search API to determine which events match. Avoid putting sensitive information into this field that you wouldn't want stored.

We do not store:

The titles, descriptions, attendees, locations, or any other content of your calendar events.
The contents of any non-CalCast events on your calendars.
Push notification tokens or any other device identifiers.
Anything from Google services other than Calendar.

During a sync, CalCast reads the start and end times of source-calendar events in memory, computes which hold blocks need to be created, updated, or deleted, and writes those changes. The source event details are not written to our database and are discarded as soon as the sync finishes.

3. How We Use Information

We use the information we access and store for the following purposes only:

Operating CalCast — keeping your destination calendar(s) synchronized with your source calendar(s), and applying color rules to events you've configured for color casts.
Showing you status — displaying connected accounts, last-sync times, and any errors that need your attention.
Communicating with you — sending occasional email reminders when an account needs to be reconnected (because its OAuth grant has expired or been revoked). These are transactional emails only; we do not send marketing email.
Improving the service — using anonymous sync logs to diagnose bugs and improve reliability.

We do not use your data for advertising, profiling, training AI/ML models, or any purpose unrelated to operating CalCast.

4. Limited Use of Google User Data

CalCast's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular:

CalCast uses Google user data only to provide and improve the user-facing features that are prominent in the CalCast user interface (mirroring busy time as hold blocks, recoloring matching events).
CalCast does not transfer Google user data to any third party except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user's notice and consent.
CalCast does not use Google user data for serving advertisements.
No human at CalCast reads your Google user data, except where you have given affirmative consent for support purposes, where it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or where the data is aggregated and used for internal operations in accordance with applicable privacy and other laws.

5. Information Sharing

CalCast does not sell or rent your personal information. We share information only with the following service providers, and only as necessary to operate CalCast:

Google — for accessing Calendar data on your behalf via the Google Calendar API and for OAuth authentication.
Supabase — our backend hosting provider. They process and store the data described in §2 on infrastructure they operate. See Supabase's privacy policy.
Resend — our transactional email provider, used only to send account reconnection reminders. See Resend's privacy policy.

We may also disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect rights, property, or safety.

6. Data Security

We take the following measures to protect your data:

OAuth tokens are encrypted at rest. Your Google OAuth refresh token is encrypted using AES-256-GCM before being stored in our database. The encryption key is held separately in Supabase Vault.
All data is transmitted over HTTPS. CalCast does not communicate over unencrypted connections.
No OAuth tokens on your device. The CalCast iOS app stores only a short-lived session token. Your Google credentials never leave Google or our server.
Minimal scope requests. CalCast requests only the narrowest set of Google API permissions needed to operate.

No system is perfectly secure. While we follow industry-standard practices, we cannot guarantee absolute security and you use CalCast at your own risk.

7. Data Retention and Deletion

We retain your data only as long as your account exists. You can delete your account at any time:

In the CalCast iOS app: tap your profile circle → Delete account.

When you delete your account, CalCast immediately:

Stops all Google Calendar watch channels for your connected calendars.
Removes every CalCast-created hold block from every destination calendar across all your connected accounts.
Revokes your OAuth refresh tokens at Google (so CalCast disappears from your Google account's third-party apps list).
Deletes your user record and all related data (connected accounts, casts, color casts, sync logs) from our database.

If you only want to disconnect a single account without deleting everything, use the Disconnect option on that account in the app. Disconnecting an account stops syncing for that account, removes its hold blocks, and revokes its OAuth token. Your other accounts and CalCast user record stay intact.

You can also revoke CalCast's access directly from your Google account at myaccount.google.com/permissions. Note that doing so leaves any hold blocks CalCast created on your calendars in place — using the in-app Disconnect or Delete account flow first will clean those up.

8. Children's Privacy

CalCast is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. International Users

CalCast is operated from the United States. If you use CalCast from outside the United States, your data will be transferred to and processed in the United States. By using CalCast you consent to this transfer.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last updated" date at the top of this policy and, for significant changes, by displaying a notice in the CalCast app or sending an email to your registered address. Continued use of CalCast after changes constitutes acceptance of the updated policy.

11. Contact Us

A contact address for privacy inquiries will be published here prior to CalCast's public launch.