Privacy Policy
Last updated: May 2026
1. Who we are
ShiftedCal (the “Service”) is operated by HwangLabs Inc. (주식회사 황랩스) (“we”, “us”, “our”), the data controller for the personal data described in this policy. ShiftedCal is a read-only calendar viewer that displays your existing calendar events in a custom shifted timeline UI. It does not create, edit, delete, or share your calendar events.
2. Google user data we access
When you sign in with Google or connect a Google account, we request the minimum scopes necessary to display your calendar:
- openid, .../auth/userinfo.email, .../auth/userinfo.profile — used to identify your account (email address, name, profile picture).
- .../auth/calendar.calendarlist.readonly — read-only access to the list of calendars in your Google Calendar account, including each calendar’s title, time zone, color, and access role. Used to populate the calendar-selection UI.
- .../auth/calendar.events.readonly — read-only access to events on calendars in your calendar list (start/end time, title, description, location, attendees). Used to render events in the shifted timeline UI and to receive push notifications when those events change.
We do not request scopes that allow us to create, modify, or delete events; we have no write capability to Google Calendar.
3. How we use Google user data
- To render your calendar events inside the ShiftedCal application UI for you, the signed-in user.
- To detect changes via Google Calendar push notifications so the displayed view stays current.
- To remember which calendars you have selected to display, and how you have configured the view.
We do not use Google user data for advertising, do not sell or transfer it to third parties for any purpose other than providing the Service, do not use it to train artificial intelligence or machine learning models, and do not allow humans to read it except (a) with your explicit consent, (b) where necessary for security purposes (e.g. investigating abuse), or (c) where required by law.
4. Google API Services User Data Policy — Limited Use disclosure
ShiftedCal’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5. How we store and secure Google user data
- OAuth refresh tokens (long-lived credentials used to call Google APIs on your behalf) are encrypted at rest using authenticated symmetric encryption (Fernet — AES-128-CBC with HMAC-SHA256, 256-bit key) before being written to our database. They are decrypted only in memory at the moment a request is made on your behalf. Short-lived access tokens (1-hour expiry) are stored without additional encryption beyond the database’s at-rest encryption.
- Calendar list and event data is cached in our managed PostgreSQL database (operated by Supabase) to power the UI and reduce redundant Google API calls. The database is encrypted at rest by the database platform and accessible only over TLS.
- All data is scoped to your user account; no other ShiftedCal user can read your Google data.
- Production traffic to our backend is served over HTTPS only.
6. Other data we collect
In addition to data accessed via Google APIs, we collect:
- Your account email and display name (from your sign-in provider).
- Application preferences you set (time zone, workday window, theme, selected calendars).
- Subscription and billing records (plan, billing period, payment status — payment card details are handled by Paddle and never touch our servers).
- Anonymous product analytics (page views, feature usage) collected via Google Analytics 4.
- Server-side technical logs (request paths, error stack traces, IP address) retained for up to 30 days for debugging and abuse prevention.
7. Microsoft user data
If you connect a Microsoft Outlook account, we request equivalent read-only scopes (Calendars.Read, User.Read, offline_access) and apply the same handling principles described in sections 3–5 above.
8. Sub-processors and third parties
We share personal data only with the following service providers, strictly to operate the Service. None of these providers receive Google user data for advertising or any purpose other than performing the function listed.
- Supabase — managed PostgreSQL database hosting.
- Vercel — frontend application hosting.
- Cloudflare — DNS resolution and edge caching for static assets.
- Paddle — payment processing and tax handling for subscriptions.
- Resend — transactional email delivery.
- Google Analytics 4 — anonymous product analytics.
9. How to revoke access and delete your data
You can disconnect a connected calendar account or delete your ShiftedCal account at any time.
Disconnect a Google account
- In the app, go to Settings → Accounts and click Disconnect.
- This immediately revokes our refresh token and deletes all cached calendar list data and event data we hold for that Google account.
- You can also revoke our access at any time from your Google Account permissions page.
Delete your ShiftedCal account
- Go to Settings → Personal → Delete Account.
- Deletion is immediate and irreversible: connected accounts, OAuth refresh tokens, calendars, events, preferences, subscription history, and email records are removed in the same request, you are signed out, and a confirmation email is sent.
- OAuth refresh tokens are also revoked at Google so we lose all access to your calendar data.
- An audit record (your email, the time of deletion, and the reason you provided) is retained to satisfy legal and abuse-prevention obligations. No personal calendar or event data is part of this record.
- Anonymised analytics records may be retained in aggregate form with no personally identifiable information.
10. Data retention
We retain personal data only for as long as your account is active or as needed to provide the Service. If your account is inactive for more than 24 months, we may delete it after prior email notification. Server logs are retained for up to 30 days. Aggregated, anonymised analytics may be retained indefinitely.
11. Email communications
We send transactional emails only — no marketing or promotional content. Categories you can manage from Settings → Email:
- Account & lifecycle — welcome, account deletion, plan changes
- Billing — subscription confirmations, renewal reminders
- Product — sync issues, connected account notifications
- Security — critical account security notifications (cannot be disabled)
12. Analytics
We use Google Analytics 4 (GA4) to understand aggregate usage patterns (page views, feature usage). Events do not include personally identifiable information. You can opt out by using a browser extension that blocks Google Analytics. Server-side analytics events sent via Measurement Protocol contain only a pseudonymous user identifier and event name.
13. Subscription cancellation
You can cancel your subscription at any time from Settings → Billing. Upon cancellation:
- Your account reverts to the Free plan at the end of your billing period.
- You retain access to your data and connected accounts up to the Free plan limits.
- No refunds are issued for the unused portion of the billing period.
14. Your rights
Depending on your jurisdiction (including the EU/EEA, UK, and California), you may have the right to:
- Access a copy of your personal data
- Correct inaccurate data
- Request deletion (right to be forgotten)
- Object to or restrict certain processing
- Data portability
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, email [email protected]. You also have the right to lodge a complaint with your local data protection authority.
15. International transfers
Our service providers may process data in countries other than your own, including the United States and the European Union. Where required, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.
16. Children
ShiftedCal is not directed to children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
17. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or through an in-app notice. The “Last updated” date at the top of this policy reflects the most recent revision.
18. Contact
For privacy questions, data requests, or to exercise any of your rights, email [email protected].
ShiftedCal is operated by HwangLabs Inc. (주식회사 황랩스).