CalPair

Privacy Policy

Effective Date: 2026-06-05  ·  Version: 1.5

This Privacy Policy explains how CalPair (operated by iPSUM engineering e.K.) collects, uses, and protects your personal data when you use our calendar synchronization service. We are committed to data minimization and privacy by design.

1. Controller

The responsible party (Controller) for data processing on this website is:
iPSUM engineering e.K. (Owner: Thomas Jordan)
See Imprint for full address and contact details.
Email: hello@calpair.io
Security/Abuse: security@calpair.io

2. Categories of Processed Data

We collect and process the following categories of data:

  • Account Data: Email address, user UUID, registration date, tier, and lifetime synced events count.
  • Authentication Data: Encrypted OAuth tokens for Google and Microsoft, and encrypted app-specific passwords for CalDAV accounts (e.g. Apple iCloud, Fastmail, mailbox.org). All credentials are encrypted at rest using AES-256-GCM — see Data Security below.
  • Session Data: Session IDs, User-Agent strings, IP addresses, and timestamps.
  • Calendar Sync Metadata: Calendar Pair configurations (Calendar IDs, account labels, privacy texts), sync states, and event mappings. Crucially: We do NOT store event titles, descriptions, locations, or attendee emails persistently. We only store cryptographic hashes (SHA-256) of these fields to detect changes.
  • Webhook Data: Webhook subscription IDs (Pro tier, optional feature).
  • Public Availability Feed Data (optional, paid tiers): If you enable a public availability feed, we store only its configuration — a random access token, the calendars and labels you choose to publish, the time window, access timestamps and a counter, and (only if you enable the PIN-protected web view) a scrypt hash of the PIN you set. We do not store any event content; the feed is generated live from your connected calendars on each request.
  • Technical Logs: Server logs containing IP addresses, request metadata, and error messages (14-day retention).
  • Audit Data: Records of account deletions (including email hashes and IP addresses).

Attendee Data from Third Parties

When you synchronize calendar events involving other people (attendees), we temporarily read their email addresses from your source calendar API to process the event. We do not store attendee email addresses persistently, nor do we write them to your target calendar. The processing happens purely in-memory during the sync run.

Public Availability Feed (optional)

On paid tiers, you may publish your availability through a public feed — either a subscribable ICS link for calendar apps or a PIN-protected web view. In both cases, recipients see only busy/free time blocks and a label you choose (default "Busy"). Your event titles, descriptions, locations, and attendees are never published. The link is a capability URL (anyone holding it — or the link plus PIN — can view the availability), and you can revoke it at any time from the Portal.

3. Purposes and Legal Basis

We process your data for the following purposes based on the General Data Protection Regulation (GDPR):

Processing Activity | Purpose | Legal Basis
Account Creation & Login | Contract fulfillment | Art. 6 (1) (b) GDPR
OAuth Token Storage | Contract fulfillment (Core Sync) | Art. 6 (1) (b) GDPR
Calendar Synchronization | Contract fulfillment | Art. 6 (1) (b) GDPR
Sessions / Login Cookie | Contract fulfillment & Security | Art. 6 (1) (b) GDPR, § 25 (2) TDDDG
Security Logs & IP Storage | Legitimate interest (Fraud prevention, security) | Art. 6 (1) (f) GDPR
Admin Audit (Account Deletions) | Legitimate interest (Accountability, abuse prevention) | Art. 6 (1) (f) GDPR
Invoicing (Stripe) | Legal obligation (Tax laws) | Art. 6 (1) (c) GDPR
Temporary Attendee Processing | Legitimate interest (Execution of user-requested sync) | Art. 6 (1) (f) GDPR
CDN Traffic (Bunny.net) | Technical service delivery | Art. 6 (1) (f) GDPR
Transactional Email (Scaleway TEM) | Contract fulfillment (account notifications) | Art. 6 (1) (b) GDPR
Public Availability Feed (optional) | Contract fulfillment (feature you actively enable and configure) | Art. 6 (1) (b) GDPR

For attendee data, we rely on the exception from the information obligation under Art. 14 (5) (b) GDPR (disproportionate effort), as the data is processed only ephemerally and we have no direct relationship with the attendees.

4. Recipients & Data Sharing

How your calendar data flows. CalPair's core function is to copy calendar events between the two accounts you connect in a Calendar Pair, on your instruction. When you set up a pair, you tell us to read events from your source calendar and write the corresponding entries into your target calendar. This means data from one provider is, on your explicit instruction, transferred to the other provider you selected — in both directions:

  • If Google is the source, events we read via the Google Calendar API are written into your chosen target (Microsoft Outlook, another Google account, or a CalDAV account such as Apple iCloud, Fastmail, or mailbox.org).
  • If Google is the target, events from your Microsoft, CalDAV/Apple, or other source account are written into your Google calendar. The same applies symmetrically to Microsoft and CalDAV accounts.

What we copy depends on the per-pair privacy setting you choose: either the full event (title, time, location, description) or — if you enable privacy mode — only an anonymized busy block with a label you set (default "Busy"), with title, description and location removed. We never copy attendee email addresses into the target calendar.

Google user data — Limited Use. CalPair's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google Calendar data solely to provide the sync features you request. We do not sell Google user data, use it for advertising, or use it to train AI/ML models. We disclose Google user data only (a) to the sync target you yourself configure, (b) to the recipients of an availability feed (Open Agenda) you choose to publish — in that case only free/busy time blocks and a label you set, never event details, (c) to the infrastructure sub-processors strictly necessary to run the service (listed below), or (d) where required by law.

To run the service, we rely on the following processors and third-party services:

  • Hetzner Online GmbH (Germany): Our primary hosting provider. A Data Processing Agreement (DPA) is in place.
  • Bunny.net (BunnyWay d.o.o., Šmartinska 152, 1000 Ljubljana, Slovenia): Content Delivery Network. Bunny.net processes IP addresses and HTTP request metadata exclusively on EU servers. A Data Processing Agreement is concluded automatically upon account creation. See Bunny.net's Privacy Policy.
  • Scaleway SAS (France, EU): Transactional email provider for service notifications and account-related emails, and encrypted off-site database backup storage (Object Storage, Paris region). EU-based provider, data stored in France. A Data Processing Agreement is in place via Scaleway's standard DPA.
  • Google Ireland Ltd. / Google LLC (USA): Identity provider and calendar API. Google acts as an independent data controller for authentication and as a data processor for calendar API access on your behalf.
  • Microsoft Ireland Operations / Microsoft Corp. (USA): Identity provider and calendar API. Microsoft acts as an independent data controller for authentication and as a data processor for calendar API access on your behalf.
  • Stripe Payments Europe Ltd. (Ireland) / Stripe Inc. (USA): Payment processing for paid subscriptions. When you subscribe to a paid plan, Stripe collects payment details (card or bank data), billing name and address, IP address, and device fingerprint as an independent data controller for fraud prevention purposes, in addition to processing payments on our behalf. CalPair itself stores only Stripe identifiers, subscription status, and billing period — never full card data. When you delete your account, we cancel your subscription and delete your Stripe customer record. See Stripe's Privacy Policy.
  • CalDAV providers you connect (e.g. Apple iCloud — Apple Inc., USA; Fastmail Pty Ltd, Australia; mailbox.org — Heinlein Support GmbH, Germany): If you connect a CalDAV calendar, you do so under your own existing account with that provider, using an app-specific password you generate. CalPair accesses it only on your explicit instruction and acts as the recipient or source of the events you choose to sync. These providers act under your own contract with them; CalPair does not establish a separate processor relationship with them (analogous to the Google/Microsoft source connection). Where this involves a transfer to the USA, Apple is certified under the EU-US Data Privacy Framework; for other third countries the transfer rests on your own choice of provider and is necessary to perform the sync you requested (Art. 49 (1) (b) GDPR).

5. Data Transfers to Third Countries

Certain data processing (such as interacting with Google or Microsoft APIs) involves transferring data to servers located in the United States. If you connect a CalDAV account hosted outside the EU (e.g. Apple iCloud in the USA or Fastmail in Australia), the events you choose to sync to or from it are likewise transferred there — see the CalDAV entry in Section 4 for the legal basis.

Legal basis for US transfers: Google LLC and Microsoft Corp. are certified under the EU-US Data Privacy Framework (DPF). The European Commission has recognized the DPF as providing an adequate level of data protection (Art. 45 GDPR). You can verify their certification at dataprivacyframework.gov.

Where the DPF does not apply or should it be invalidated, we rely on the Standard Contractual Clauses (SCC) of the European Commission or Art. 49 (1) (b) GDPR (necessary for the performance of a contract). We monitor the status of the DPF and will implement alternative safeguards without delay if required.

6. Data Security

We protect your data — including the sensitive calendar data accessed via the Google, Microsoft and CalDAV APIs — with the following measures:

  • Encryption in transit: All connections to CalPair and all calls to provider APIs (Google, Microsoft, CalDAV) use TLS (HTTPS).
  • Encryption at rest: OAuth access/refresh tokens and CalDAV app-specific passwords are encrypted field-level in our database using AES-256-GCM (key derived via scrypt), with a per-record authenticated binding to your user ID, provider and account so ciphertext cannot be transplanted between accounts. They are decrypted only in memory, only for the duration of a sync run.
  • Data minimization by design: We do not persistently store your event content. Titles, descriptions, locations and attendee emails are processed only in memory during a sync; we persist only SHA-256 hashes of the relevant fields to detect changes.
  • Encrypted backups: Off-site database backups are encrypted with GPG/AES-256 and stored in the EU (Scaleway Object Storage, Paris region).
  • Access control & audit: Access to production systems is restricted to the operator; administrative actions on user data require a second factor (email-token confirmation) and are recorded in an audit log.

7. Storage Duration and Data Deletion

We store your data only as long as necessary for the respective purpose:

  • Account & Sync Data: Stored as long as your account is active.
  • Event Mappings: When you delete a calendar event, the mapping hash is marked as deleted and kept for a maximum of 30 days (Soft-Delete) to prevent re-sync errors.
  • Sessions: Session data (including IP and User-Agent) is deleted 7 days after the session expires or is revoked.
  • Server Logs: Technical logs are automatically rotated and deleted after 14 days.
  • Audit Data (Account Deletions): When you delete your account, we store a hash of your email address and your last IP for up to 3 years to prevent abuse and double-delete errors.
  • Backups: We operate automated, encrypted off-site database backups (GPG/AES-256) stored in the EU (Scaleway Object Storage, Paris region). Backups are retained for a limited period according to our lifecycle policy; when an account is deleted, the data naturally falls out of the backup window after this retention period.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): You can request a full export of your data at any time via the self-service export function in the CalPair Portal.
  • Right to Rectification (Art. 16): You can correct inaccurate data in your account settings.
  • Right to Erasure (Art. 17): You can permanently delete your account and all associated calendar data via the CalPair Portal.
  • Right to Restriction of Processing (Art. 18)
  • Right to Data Portability (Art. 20): You can download your data in a machine-readable JSON format via the Portal.
  • Right to Object (Art. 21): You can object to processing based on legitimate interests (Art. 6 (1) (f)).
  • Right to Withdraw Consent (Art. 7 (3)): If processing is based on consent, you can withdraw it at any time.

To exercise these rights (where not possible via self-service), please contact hello@calpair.io.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR):
You have the right to lodge a complaint with a data protection authority. The authority responsible for us is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.

9. Cookies

CalPair uses strictly necessary cookies to provide the service:

  • __Host-calpair_session in production (calpair_session in local development, 30 days): Keeps you logged in securely.
  • __Host-calpair_oauth_state in production (calpair_oauth_state locally, 10 minutes): Prevents CSRF attacks during the Google/Microsoft login flow.
  • __Host-calpair_altcha in production (calpair_altcha locally, 5 minutes): Bot protection before OAuth login.
  • __Host-calpair_invite in production (calpair_invite locally, 10 minutes): Carries the invite code from the form to the OAuth callback during signup.

Because these cookies are strictly necessary for the technical operation of the service, no active consent banner is required (§ 25 (2) TDDDG). We do not use tracking or marketing cookies.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by asking you to accept the updated policy upon your next login. The version number above will be incremented with each material update.

© CalPair. Hosted in Germany.