Privacy Policy
Last updated: March 3, 2026
sidecal (“we”, “us”, “our”) provides a multi-calendar scheduling service. This privacy policy explains how we collect, use, store, and protect personal data when you use our service.
1. Data We Collect
Account Data (Registered Users)
- Identity & contact: Name, email address, username, avatar (from OAuth provider)
- Authentication: OAuth tokens for Google and Microsoft accounts (encrypted at rest), password hash (if you set a password), two-factor authentication secrets
- Calendar metadata: Calendar names, busy/free information, and event titles (used solely for scheduling). We do not store full calendar event details beyond what is needed for availability calculations.
- Billing: Stripe customer ID and subscription status. We do not store credit card numbers — all payment data is handled by Stripe.
- Preferences: Timezone, working hours, branding settings
Booking Data (Bookers)
- Contact: Name and email address provided when booking
- Booking details: Selected date, time, timezone, answers to custom questions set by the host
Technical Data
- Cookies: See Section 7 below
- Server logs: IP addresses and request timestamps for rate limiting and security. These are not linked to user accounts and are retained for a maximum of 30 days.
2. How We Use Your Data
- Scheduling: Checking availability across your connected calendars, creating bookings, and sending event invitations
- Notifications: Sending booking confirmation, reminder, cancellation, and rescheduling emails
- Billing: Processing subscription payments via Stripe
- Security: Rate limiting, abuse prevention, and authentication
- Service improvement: Aggregated, anonymised usage statistics (no individual tracking)
3. Legal Basis for Processing
- Contract performance: Processing your data is necessary to provide the scheduling service you signed up for (account data, calendar data, booking data)
- Legitimate interest: Security measures, abuse prevention (trial fingerprinting), and service reliability
- Consent: Optional functional cookies (you can opt out via the cookie banner)
4. Data Storage & Security
- Location: All data is stored on servers located in the European Union (Hetzner, Germany)
- Encryption: OAuth tokens are encrypted at rest. Passwords are hashed with bcrypt. All connections use TLS.
- Access: Access to production systems is restricted to authorised personnel only
5. Third-Party Processors
We share data with the following third-party services, only as necessary to operate sidecal:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, customer ID |
| Resend | Transactional email delivery | Email address, email content |
| Google Calendar API | Calendar sync & availability | OAuth tokens, calendar queries |
| Microsoft Graph API | Calendar sync & availability | OAuth tokens, calendar queries |
6. Data Retention
- Active accounts: Data is retained for as long as your account exists
- Cancelled/declined bookings: Automatically deleted after 12 months
- Revoked calendar accounts: Hard-deleted after 6 months of being disconnected
- Deleted accounts: All personal data is deleted immediately upon account deletion, except for anonymised abuse prevention records (see below)
- Abuse prevention: When you delete your account, we retain a record of previously connected calendar account identifiers (with no link to your personal data) to prevent trial abuse. These records contain only a provider identifier and cannot be used to identify you.
7. Cookies
sidecal uses a minimal number of cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| authjs.session-token | Strictly necessary | Authenticates your session | Session |
| authjs.csrf-token | Strictly necessary | CSRF protection | Session |
| sidecal_last_login | Functional | Remembers which OAuth provider you last used for a “last used” badge on the login page | 1 year |
You can choose to accept or decline functional cookies via the cookie consent banner shown on your first visit.
8. Your Rights
Under the General Data Protection Regulation (GDPR) and similar laws, you have the following rights:
- Access: Download a copy of all your personal data from your account settings page
- Erasure: Delete your account and all associated data from your account settings page
- Portability: Export your data in a machine-readable JSON format from your account settings page
- Rectification: Update your name, email, and other settings from your dashboard
- Restriction: You can disconnect calendar accounts at any time to stop data processing for those calendars
- Objection: Contact us if you wish to object to any processing based on legitimate interest
For bookers (people who book appointments): you can access your booking data via the link included in your booking confirmation email, or contact us directly.
9. Contact
For any privacy-related questions or to exercise your rights, contact us at:
Email: privacy@sidecal.com
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top of this page indicates when this policy was last revised.