Privacy Policy

Our privacy policy and how we use your data

Last updated: February 20, 2026

1. What Data We Collect

In Short

We collect your email address, calendar connection tokens, and the sync rules you create. We never store your calendar events.

When you use CalendarPipe, we collect the following information:

Account information — your email address, obtained via OAuth sign-in (Google or Microsoft).
Encrypted OAuth tokens — access and refresh tokens that allow CalendarPipe to connect to your calendars on your behalf. These are stored encrypted using AES-256-GCM.
Sync rule configurations — the source calendar, target calendar, and pipe function code you define for each sync rule.
Usage and operational logs — sync timing, error counts, and diagnostic information used to keep your syncs running reliably.

CalendarPipe does NOT store your calendar events. Events are fetched from your source calendar, processed through your pipe function in real-time, and synced to your target calendar. We do not maintain a copy of your calendar data on our servers.

2. How We Use Your Data

In Short

We use your data to run your calendar syncs and keep the service working reliably.

We use the data we collect for the following purposes:

Providing and operating the CalendarPipe sync service
Maintaining your calendar connections using your stored OAuth tokens
Monitoring sync reliability, diagnosing errors, and improving performance
Sending service-related communications (important updates, account notices)

Your data is not sold, rented, or shared with third parties for advertising purposes. We do not use your data to build advertising profiles or share it with data brokers.

3. Google Calendar Connections

In Short

We use Google Calendar access only to sync events as you configure. We do not sell, share, or use your Google data for advertising.

CalendarPipe's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect a Google account, CalendarPipe requests the following OAuth scopes:

https://www.googleapis.com/auth/calendar — read and write calendar events in order to perform syncs
https://www.googleapis.com/auth/userinfo.email — identify your Google account so we can associate it with your CalendarPipe account

Google data is used exclusively to sync calendar events according to your configured rules. Your Google data is:

NOT sold to any third party
NOT used for advertising or marketing purposes
NOT used for credit decisions or other non-service purposes
NOT transferred to third parties except as strictly necessary to provide the sync service (e.g., writing events to your target Google Calendar)

4. Microsoft Calendar Connections

In Short

We use Microsoft Calendar access only to sync events as you configure, with the same protections as Google data.

When you connect a Microsoft account, CalendarPipe requests the following OAuth scopes:

Calendars.ReadWrite — read and write calendar events in order to perform syncs
User.Read — read your basic profile to identify your Microsoft account
offline_access, openid, email, profile — standard OpenID Connect scopes for authentication and token refresh

Microsoft data is subject to the same handling commitments as Google data: not sold, not used for advertising, events are processed in real-time during sync and are not stored on CalendarPipe servers.

5. AI-Powered Gate Generation

In Short

When you use AI to generate a pipe function, your description is sent to OpenAI. OpenAI does not use API data to train its models.

CalendarPipe offers an optional AI feature that generates pipe function code from a natural-language description. This feature uses OpenAI's API (gpt-4o-mini model).

When you use this feature, the following is sent to OpenAI:

Your natural-language description of the pipe function (up to 500 characters)
CalendarPipe's system prompt, which includes type definitions for the gate function API

The following is NOT sent to OpenAI: your calendar events, OAuth tokens, or any other calendar data.

OpenAI does not use data submitted via its API to train its models. API inputs and outputs may be retained by OpenAI for up to 30 days for safety and abuse monitoring, after which they are deleted. For more information, see OpenAI's API data usage policies.

This feature is entirely optional — you can write pipe functions manually or use pre-built templates instead.

6. Third-Party Services

In Short

We use a small number of trusted services to run CalendarPipe. Here is who they are and what they do.

CalendarPipe relies on the following third-party services to operate:

Supabase — database and authentication. Your personal data is stored in Supabase's EU Central region (Frankfurt, Germany), ensuring it remains within the European Union.
OpenAI — AI-powered pipe function generation, as described in Section 5 above.
Stripe — payment processing for Pro subscriptions. Stripe handles all payment data directly and is PCI-compliant. CalendarPipe does not store your full credit card details.
Vercel — web application hosting and content delivery.

We also use standard infrastructure services for internal operations such as job scheduling and bot protection. These services do not process your personal content or calendar data.

7. Data Security

In Short

Your OAuth tokens are encrypted with AES-256-GCM. All data is transmitted over TLS.

We take security seriously. Here is how we protect your data:

OAuth tokens are encrypted using AES-256-GCM before being stored in our database
All data is transmitted over TLS (HTTPS)
Tokens are deleted immediately when you disconnect a calendar account
We conduct regular security reviews of our infrastructure and dependencies

While we implement strong security measures, no method of electronic storage or transmission is 100% secure. If you discover a security issue, please contact us at privacy@calendarpipe.com.

8. Data Retention

In Short

We keep your data while your account is active. Delete your account and we delete everything.

Your data is retained for as long as your account is active and for the period necessary to provide the service. Sync logs are retained for operational monitoring and are periodically pruned.

When you delete your account, the following is removed from our systems:

All personal data associated with your account
All encrypted OAuth tokens
All sync rule configurations
All sync history and logs

Deletion is processed within 30 days of account removal.

9. Your Rights (GDPR)

In Short

If you are in the EU, you have the right to access, correct, delete, and port your data. Email privacy@calendarpipe.com and we will respond within 30 days.

Your data is stored with Supabase in the EU Central region (Frankfurt, Germany), ensuring your data remains within the European Union.

Under the General Data Protection Regulation (GDPR), EU residents have the following rights:

Right to access — request a copy of the personal data we hold about you
Right to rectification — correct inaccurate or incomplete data
Right to erasure — delete your account and all associated data (the “right to be forgotten”)
Right to data portability — receive your data in a machine-readable format
Right to object — object to processing based on legitimate interests
Right to restriction of processing — limit how we process your data in certain circumstances

Our legal basis for processing your data is: contract performance (providing the sync service you signed up for) and legitimate interests (security monitoring and abuse prevention).

To exercise any of these rights, email us at privacy@calendarpipe.com. We will respond within 30 days.

10. Account Deletion

In Short

You can delete your account from Settings at any time. This removes all your data.

You can delete your account at any time from your account Settings page. Deleting your account removes all personal data, OAuth tokens, sync rules, and sync history from our systems.

If you need help deleting your account, you can also email us at privacy@calendarpipe.com and we will take care of it for you.

Account deletion is irreversible. Once deleted, your data cannot be recovered.

11. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

CalendarPipe
privacy@calendarpipe.com

Privacy Policy

Our privacy policy and how we use your data

Last updated: February 20, 2026

1. What Data We Collect

In Short

We collect your email address, calendar connection tokens, and the sync rules you create. We never store your calendar events.

When you use CalendarPipe, we collect the following information:

Account information — your email address, obtained via OAuth sign-in (Google or Microsoft).
Encrypted OAuth tokens — access and refresh tokens that allow CalendarPipe to connect to your calendars on your behalf. These are stored encrypted using AES-256-GCM.
Sync rule configurations — the source calendar, target calendar, and pipe function code you define for each sync rule.
Usage and operational logs — sync timing, error counts, and diagnostic information used to keep your syncs running reliably.

2. How We Use Your Data

In Short

We use your data to run your calendar syncs and keep the service working reliably.

We use the data we collect for the following purposes:

Providing and operating the CalendarPipe sync service
Maintaining your calendar connections using your stored OAuth tokens
Monitoring sync reliability, diagnosing errors, and improving performance
Sending service-related communications (important updates, account notices)

Your data is not sold, rented, or shared with third parties for advertising purposes. We do not use your data to build advertising profiles or share it with data brokers.

3. Google Calendar Connections

In Short

We use Google Calendar access only to sync events as you configure. We do not sell, share, or use your Google data for advertising.

CalendarPipe's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect a Google account, CalendarPipe requests the following OAuth scopes:

https://www.googleapis.com/auth/calendar — read and write calendar events in order to perform syncs
https://www.googleapis.com/auth/userinfo.email — identify your Google account so we can associate it with your CalendarPipe account

Google data is used exclusively to sync calendar events according to your configured rules. Your Google data is:

NOT sold to any third party
NOT used for advertising or marketing purposes
NOT used for credit decisions or other non-service purposes
NOT transferred to third parties except as strictly necessary to provide the sync service (e.g., writing events to your target Google Calendar)

4. Microsoft Calendar Connections

In Short

We use Microsoft Calendar access only to sync events as you configure, with the same protections as Google data.

When you connect a Microsoft account, CalendarPipe requests the following OAuth scopes:

Calendars.ReadWrite — read and write calendar events in order to perform syncs
User.Read — read your basic profile to identify your Microsoft account
offline_access, openid, email, profile — standard OpenID Connect scopes for authentication and token refresh

5. AI-Powered Gate Generation

In Short

When you use AI to generate a pipe function, your description is sent to OpenAI. OpenAI does not use API data to train its models.

CalendarPipe offers an optional AI feature that generates pipe function code from a natural-language description. This feature uses OpenAI's API (gpt-4o-mini model).

When you use this feature, the following is sent to OpenAI:

Your natural-language description of the pipe function (up to 500 characters)
CalendarPipe's system prompt, which includes type definitions for the gate function API

The following is NOT sent to OpenAI: your calendar events, OAuth tokens, or any other calendar data.

This feature is entirely optional — you can write pipe functions manually or use pre-built templates instead.

6. Third-Party Services

In Short

We use a small number of trusted services to run CalendarPipe. Here is who they are and what they do.

CalendarPipe relies on the following third-party services to operate:

Supabase — database and authentication. Your personal data is stored in Supabase's EU Central region (Frankfurt, Germany), ensuring it remains within the European Union.
OpenAI — AI-powered pipe function generation, as described in Section 5 above.
Stripe — payment processing for Pro subscriptions. Stripe handles all payment data directly and is PCI-compliant. CalendarPipe does not store your full credit card details.
Vercel — web application hosting and content delivery.

We also use standard infrastructure services for internal operations such as job scheduling and bot protection. These services do not process your personal content or calendar data.

7. Data Security

In Short

Your OAuth tokens are encrypted with AES-256-GCM. All data is transmitted over TLS.

We take security seriously. Here is how we protect your data:

OAuth tokens are encrypted using AES-256-GCM before being stored in our database
All data is transmitted over TLS (HTTPS)
Tokens are deleted immediately when you disconnect a calendar account
We conduct regular security reviews of our infrastructure and dependencies

While we implement strong security measures, no method of electronic storage or transmission is 100% secure. If you discover a security issue, please contact us at privacy@calendarpipe.com.

8. Data Retention

In Short

We keep your data while your account is active. Delete your account and we delete everything.

Your data is retained for as long as your account is active and for the period necessary to provide the service. Sync logs are retained for operational monitoring and are periodically pruned.

When you delete your account, the following is removed from our systems:

All personal data associated with your account
All encrypted OAuth tokens
All sync rule configurations
All sync history and logs

Deletion is processed within 30 days of account removal.

9. Your Rights (GDPR)

In Short

If you are in the EU, you have the right to access, correct, delete, and port your data. Email privacy@calendarpipe.com and we will respond within 30 days.

Your data is stored with Supabase in the EU Central region (Frankfurt, Germany), ensuring your data remains within the European Union.

Under the General Data Protection Regulation (GDPR), EU residents have the following rights:

Right to access — request a copy of the personal data we hold about you
Right to rectification — correct inaccurate or incomplete data
Right to erasure — delete your account and all associated data (the “right to be forgotten”)
Right to data portability — receive your data in a machine-readable format
Right to object — object to processing based on legitimate interests
Right to restriction of processing — limit how we process your data in certain circumstances

Our legal basis for processing your data is: contract performance (providing the sync service you signed up for) and legitimate interests (security monitoring and abuse prevention).

To exercise any of these rights, email us at privacy@calendarpipe.com. We will respond within 30 days.

10. Account Deletion

In Short

You can delete your account from Settings at any time. This removes all your data.

You can delete your account at any time from your account Settings page. Deleting your account removes all personal data, OAuth tokens, sync rules, and sync history from our systems.

If you need help deleting your account, you can also email us at privacy@calendarpipe.com and we will take care of it for you.

Account deletion is irreversible. Once deleted, your data cannot be recovered.

11. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

CalendarPipe
privacy@calendarpipe.com