Privacy Policy

Effective: June 19, 2026

Easycal Inc. ("we," "us," "our") operates the Easycal scheduling platform. This Privacy Policy explains how we collect, use, and protect your information when you use our service.

1. Information We Collect

We collect information you provide when creating an account, including your name, email address, and profile information from the identity provider you sign in with (Google or Microsoft) obtained through OAuth.

We also collect first-party usage data about your own account activity — such as booking pages created and slots selected — to operate, secure, and improve user-facing features of Easycal. This product-analytics data does not include Google or Microsoft user data (your calendar or contacts), which is handled only as described in the sections below.

2. Calendar Data (Google Calendar & Microsoft 365)

Easycal checks availability through the Google Calendar FreeBusy API and the Microsoft Graph getSchedule endpoint, depending on which provider you connect. For availability, we query only free/busy status for the time ranges relevant to your booking pages — we do not read event titles, descriptions, attendees, or other calendar details.

When you connect a Google or Microsoft account, we store an OAuth refresh token to act on your calendar on your behalf. This token is stored securely in our database and is used solely to (1) check free/busy availability and (2) create, update (reschedule), and delete (cancel) the calendar events for bookings made through Easycal. We do not access calendar data for any other purpose.

Team members whose availability is checked do not need to sign up. Their free/busy data is queried through standard Google Workspace or Microsoft 365 permissions granted by the organizer's connected account.

3. Contacts Data

If you connect a Google account, Easycal uses the Google People API (contacts.readonly and contacts.other.readonly scopes) to read your saved contacts and "other contacts" (people you have previously emailed). If you connect a Microsoft account, Easycal uses the Microsoft Graph People.Read and Contacts.Read permissions to read the people you frequently interact with and your saved Outlook contacts. We use this contacts data for a single purpose: to suggest invitee email addresses (autocomplete) while you build a booking page, so you don't have to type them by hand.

We read only the name, email address, and profile photo of each contact. Contact suggestions are held in a short-lived in-memory cache (about 10 minutes) and are never written to our database, never sold, and never shared with third parties. Disconnecting the account ends this access immediately.

4. Google & Microsoft User Data — Limited Use

Easycal's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

In particular, the Google user data we access (calendar free/busy and contacts) is used only to provide and improve the user-facing scheduling features described in this policy. We do not sell this data, we do not use it for advertising, and we do not use it to develop, improve, or train generalized or non-personalized AI or machine-learning models. No humans read this data except (a) with your explicit consent, (b) where necessary for security or to investigate abuse, or (c) where required to comply with applicable law.

We apply the same commitments to Microsoft user data. Our use of information received from the Microsoft Graph API (your calendar free/busy, calendar events, and contacts) complies with the Microsoft APIs Terms of Use, is limited to providing and improving the user-facing scheduling features described in this policy, and is never sold, used for advertising, or used to develop or train generalized or non-personalized AI or machine-learning models. The same human-access limits described above apply equally to Microsoft user data.

5. Authentication

We use Supabase as our authentication provider. You sign in via Google OAuth or Microsoft (Entra ID) OAuth, and Supabase manages your session tokens. We do not store your Google or Microsoft password. Your authentication session is maintained through secure, HTTP-only cookies.

6. Billing & Payments

Payment processing is handled entirely by Stripe. When you subscribe to a paid plan, your payment details are collected and stored by Stripe — we never see or store your full credit card number. We receive only a confirmation of your subscription status, plan details, and billing history from Stripe.

7. Cookies & Local Storage

We use essential cookies to maintain your authentication session. We also store your theme preference (light/dark mode) in your browser's localStorage.

We do not use third-party tracking cookies or advertising cookies.

8. Third-Party Services

We share data with the following third-party services, each for a specific purpose:

• Google — Calendar API for free/busy availability and event creation, and People API for contact suggestions (when a Google account is connected) • Microsoft — Graph API for free/busy availability, event creation, and contact suggestions (when a Microsoft account is connected) • Supabase — Authentication and database hosting • Stripe — Payment processing and subscription management • Resend — Transactional emails (booking confirmations, reminders, follow-ups)

Each provider processes data according to their own privacy policy. We only share the minimum data necessary for each service to function.

9. Data Retention

We retain your account data for as long as your account is active. Booking page data is retained for 12 months after the event date, then automatically deleted. Contact suggestions are never persisted — they live only in a short-lived in-memory cache (about 10 minutes). If you delete your account, we remove your personal data within 30 days, except where retention is required by law.

10. Your Rights

You have the right to access, correct, or delete your personal data at any time. You can disconnect any connected calendar account (Google or Microsoft) from Easycal, which revokes our access to that account's calendar and contacts data and deletes the stored refresh token.

To exercise these rights, contact us at legal@easycal.io or use the account settings in the application.

11. Children's Privacy

Easycal is not intended for use by children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Continued use of Easycal after changes constitutes acceptance of the revised policy.

13. Contact Us

For privacy-related inquiries, contact us at legal@easycal.io or write to:

Easycal Inc. Email: legal@easycal.io