1. Introduction
BayCal (“we,” “our,” or “us”) operates the website getbaycal.com and the BayCal web application. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your data.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and a hashed password (or OAuth provider identifier if you sign in with Google). We do not store plaintext passwords.
2.2 Calendar Data
When you connect a calendar, we access your calendar events in read-only mode. We store event titles, times, locations, and organizer information to display them in the unified calendar view. All calendar data is encrypted at rest using AES-256-GCM with a unique key per user.
2.3 OAuth Tokens
When you connect Microsoft 365 or Google Workspace calendars, we store OAuth access and refresh tokens encrypted at rest. These tokens are used exclusively to read your calendar events and are never shared with third parties.
2.4 What We Do NOT Collect
- We do not log your IP address
- We do not log your geographic location
- We do not log your login times or session activity
- We do not install anything on your devices
- We do not use tracking cookies for advertising
- We do not sell, rent, or share your data with any third party
3. How We Use Your Information
- Display your calendar events in a unified view
- Detect scheduling conflicts across your calendars
- Send you meeting alerts and notifications you configure
- Process your subscription payments (via Stripe — we never see your full card number)
- Communicate essential service updates (e.g., security notices)
4. Data Encryption & Security
All sensitive data — calendar events, OAuth tokens, and connection metadata — is encrypted at rest using AES-256-GCM with envelope encryption. Each user has a unique encryption key that is itself encrypted by a master key. Even in the event of a database breach, your data is cryptographically unreadable.
Data in transit is protected by TLS 1.3. Our infrastructure is hosted on Vercel and Supabase, both of which maintain SOC 2 Type II compliance.
5. Calendar Access Permissions
BayCal requests read-only access to your calendars:
- Microsoft 365: Calendars.Read, User.Read, offline_access
- Google Workspace: calendar.readonly
BayCal cannot and will never create, modify, or delete events on your work calendars.
6. Third-Party Services
We use the following third-party services strictly for operating the application:
- Supabase — Authentication and database hosting
- Vercel — Application hosting and serverless functions
- Stripe — Payment processing (we never store your card details)
- Microsoft Graph API — Read-only calendar access for Microsoft 365 accounts
- Google Calendar API — Read-only calendar access for Google Workspace accounts
We do not use advertising networks, analytics trackers, or data brokers.
7. Data Retention & Deletion
Your data is retained only while your account is active. When you delete your account:
- All calendar events are permanently deleted
- All OAuth tokens are revoked and deleted
- All connection records are deleted
- All alert configurations are deleted
- Your user record and encryption keys are destroyed
- No backups of your data are retained
This process is irreversible. Once deleted, your data cannot be recovered.
8. Your Rights
You have the right to:
- Access your data through the application interface
- Disconnect any calendar connection at any time
- Delete your account and all associated data at any time
- Export your data upon request
9. Children's Privacy
BayCal is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top reflects the most recent revision.
11. Contact Us
If you have questions about this Privacy Policy or your data, contact us at: privacy@getbaycal.com