Back to CalGlue

Privacy Policy

Overview

CalGlue keeps your Google Calendar and Microsoft 365 (Outlook) calendars in sync. We access only the calendar data needed to perform the syncs you configure, and we store only the minimum information required to operate the service.

Data We Collect

  • Account information: your name, email address, and profile picture from the OAuth provider you sign in with (Google or Microsoft).
  • OAuth tokens: access and refresh tokens for your linked Google and Microsoft accounts, stored encrypted at rest.
  • Calendar event data: event titles, times, descriptions, and attendee lists as needed to perform the sync you configure. The detail level depends on your sync settings (busy-only, title-only, or full details).
  • Sync metadata: sync tokens and delta links used for incremental sync, sync history logs, and connection configuration.

How We Use Your Data

Your data is used solely to provide the calendar sync functionality you configure. We do not use your data for any purpose other than operating CalGlue as described in this policy.

Google API Services User Data — Limited Use

CalGlue's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  1. CalGlue will not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  2. CalGlue will not allow humans to read Google user data unless: we have your affirmative agreement for specific messages; it is necessary for security purposes such as investigating abuse; it is necessary to comply with applicable law; or our use is limited to internal operations and the data have been aggregated and anonymized.
  3. CalGlue will not transfer Google user data to third parties unless: it is necessary to provide or improve user-facing features that are prominent in the requesting application's user interface; you provide affirmative consent; it is necessary for security purposes; or it is necessary to comply with applicable law.
  4. CalGlue will not use Google user data for developing, improving, or training generalized or non-personalized AI or machine learning models.

Google OAuth Scopes Requested

calendar.readonly

Read your Google Calendar events so CalGlue can copy them to your configured target calendar.

calendar.events

Create and update events on your Google Calendar when syncing from a connected Microsoft calendar.

userinfo.email

Identify your Google account by email address when linking it to CalGlue.

userinfo.profile

Display your name and profile picture in the CalGlue interface.

Microsoft Graph Scopes Requested

Calendars.ReadWrite

Read and write your Microsoft 365 calendar events for bidirectional sync with a connected Google calendar.

User.Read

Identify your Microsoft account by email address and display name when linking it to CalGlue.

openid, profile, email

Standard OpenID Connect claims used for authentication and displaying your identity.

offline_access

Maintain a refresh token so CalGlue can sync your calendars on a schedule without requiring you to re-authenticate.

Product Analytics

CalGlue uses PostHog for product analytics within the authenticated app. Analytics are not loaded on unauthenticated pages (login, join, or this privacy page).

What is captured:

  • Aggregate usage events: calendar connections, sync completions, and onboarding milestones. No calendar event content, full email addresses, OAuth tokens, or connection tokens are ever included in event properties.

Opt out:visit your Settings page and toggle “Product analytics” off. When opted out, no usage events are sent from your browser.

Data Storage and Security

  • All OAuth tokens are encrypted at rest using industry-standard authenticated encryption (AES-GCM) before being stored.
  • Data is encrypted in transit using HTTPS.
  • Database access is restricted to CalGlue's application servers over private networking; the database is not exposed to the public internet.

Data Retention

Your data is retained while your CalGlue account is active. Sync logs are retained for diagnostic purposes. You can remove linked accounts at any time from the Accounts page, which deletes the stored OAuth tokens for that provider.

Thirty-day grace period: if your subscription ends (cancellation or trial expiry) and you do not resubscribe within 30 days, CalGlue automatically deletes your OAuth tokens, connection configuration, synced-event metadata, and sync logs. Your account email and id are kept so re-signup with the same address remains frictionless. Events already copied to your destination calendars are not deleted — they live in your own calendar account, outside CalGlue's control.

Your rights: you can delete your account and export your data at any time from the Settings page. Account deletion is immediate: it cancels any active Stripe subscription, removes all personal data from our database, and records only a one-way hash of your email in a compliance audit log. The data export returns a JSON file containing your account profile, linked-account metadata, connections, invite codes, and the last 90 days of sync logs — never OAuth tokens.

Contact

If you have questions about this privacy policy or how CalGlue handles your data, email us at privacy@calglue.com.

Last updated: April 2026