Privacy Policy

Last Updated: February 2, 2026

Introduction

Welcome to Multical ("we," "our," or "us"). We are committed to protecting your privacy and being transparent about how we collect, use, and protect your information. This Privacy Policy explains our practices regarding data collection and use for the Multical calendar synchronization service.

1. Information We Collect

1.1 Account Information

When you create a Multical account, we collect:

• Name: Your full name
• Email Address: Used for account identification, login, and communication
• Password: Stored as a cryptographically hashed value (using Argon2) - we never store plain-text passwords

1.2 Calendar Connection Information

When you connect your calendars, we collect and store:

• Calendar Provider: Which service you use (Google Calendar, Microsoft 365)
• Calendar Email: The email address associated with your connected calendar
• Access Tokens: Encrypted OAuth tokens that allow us to access your calendar data
• Refresh Tokens: Encrypted tokens used to maintain your calendar connection

Encryption: All access tokens and refresh tokens are encrypted using AES-256-GCM encryption before storage.

1.3 Calendar Data

We access and temporarily process:

• Event Titles
• Event Times (start and end)
• Event Descriptions
• Event Locations
• Video Conference Links (Google Meet, Microsoft Teams, etc.)
• Event Status (confirmed, tentative, cancelled)
• Busy/Free Status

Important: We do NOT permanently store the full content of your calendar events. We only store:

• Event metadata needed to create blocking events (event IDs, times)
• Sync rules you configure
• Last sync timestamps

1.4 Sync Rules and Preferences

We store your configured settings:

• Which calendars to sync
• Keyword filters (words to include/exclude)
• Privacy settings (show/hide location, video links)
• Visibility preferences (busy only, title only, or full details)
• Working hours and weekend preferences

1.5 Payment Information

When you subscribe, we collect:

• Stripe Customer ID: Identifier linking you to Stripe
• Subscription Details: Your plan tier, status, and billing dates
• Payment Method Details: Handled and stored by Stripe (we never see your full credit card numbers)

1.6 Technical Information

We automatically collect:

• Session Data (stored in Redis)
• IP Address (for security)
• Browser Type (for compatibility)
• Device Information (for responsive design)
• Log Data (for debugging and security)

1.7 Cookies and Similar Technologies

We use:

• Session Cookies: To keep you logged in
• Security Cookies: For CSRF protection

2. How We Use Your Information

2.1 Core Service Functionality

• Calendar Synchronization: Creating blocking events across your calendars
• Event Processing: Reading event data to determine what to sync
• Webhook Management: Setting up real-time sync when calendars change
• Rule Application: Filtering events based on your preferences

2.2 Account Management

• Authentication: Verifying your identity when you log in
• Email Communication: Password resets, welcome messages, service updates
• Subscription Management: Processing payments and managing subscriptions

2.3 Service Improvement

• Bug Fixes: Identifying and resolving technical issues
• Feature Development: Understanding how features are used
• Performance Optimization: Monitoring sync speed and reliability

2.4 Security and Fraud Prevention

• Account Security: Detecting unauthorized access attempts
• Payment Security: Preventing fraudulent transactions
• System Security: Monitoring for malicious activity

3. How We Share Your Information

3.1 Third-Party Service Providers

We share data with:

• Stripe (Payment Processing) - Privacy Policy
• Render (Infrastructure Hosting) - Privacy Policy
• Google Calendar API - Privacy Policy
• Microsoft Graph API - Privacy Policy
• Mailtrap (Email Service) - Privacy Policy

3.2 We Do NOT Share Your Data:

• ❌ With advertisers
• ❌ With data brokers
• ❌ For marketing purposes (except our own service communications)
• ❌ With anyone else unless legally required

3.3 Legal Requirements

We may disclose information if required by:

• Court orders or subpoenas
• Legal processes
• National security or law enforcement requests
• Protection of our rights or safety

4. Data Retention

4.1 Active Accounts

While your account is active, we retain:

• Account information: Indefinitely
• Calendar credentials: Until you disconnect a calendar
• Sync rules: Until you delete them
• Event metadata: For 90 days or until you delete events
• Payment records: As required by law (typically 7 years)

4.2 Account Deletion

When you delete your account:

• Personal information is deleted within 30 days
• Calendar connections are immediately revoked
• Event data is deleted immediately
• Financial records are retained as required by law

4.3 Inactive Accounts

Accounts inactive for more than 2 years may be deleted after email notification.

5. Your Rights and Choices

5.1 Access and Portability

• View all your account information in your dashboard
• Export your sync rules (contact support)
• Download your data (contact support)

5.2 Correction

• Update your name and email in account settings
• Modify sync rules at any time
• Change calendar connections

5.3 Deletion

• Disconnect individual calendars (revokes access immediately)
• Delete sync rules
• Delete your entire account (contact support)

5.4 Opt-Out

• Disable calendar syncing without deleting your account
• Unsubscribe from marketing emails
• Disable specific sync rules

6. Security Measures

6.1 Data Protection

• Encryption in Transit: All data transmitted over HTTPS/TLS
• Encryption at Rest: Sensitive tokens encrypted with AES-256-GCM
• Password Security: Argon2 hashing with salt
• Database Security: PostgreSQL with access controls

6.2 Access Controls

• Session-based authentication
• CSRF protection
• Rate limiting on sensitive endpoints
• Regular security audits

6.3 Third-Party Security

• OAuth 2.0 for calendar access (we never see your calendar passwords)
• PCI-compliant payment processing through Stripe
• Secure webhook verification

7. Children's Privacy

Multical is not intended for users under 13 years of age. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, please contact us immediately.

8. International Data Transfers

Your data is processed in the United States. By using Multical, you consent to data transfer to the U.S. We ensure appropriate safeguards are in place for international transfers.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

• Right to Know: What personal information we collect, use, and share
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of sale of personal information (we do not sell data)
• Right to Non-Discrimination: Equal service regardless of privacy choices

To exercise these rights, contact us at privacy@usemultical.com

10. European Privacy Rights (GDPR)

If you are in the EU/EEA, you have additional rights:

• Right of Access: Obtain a copy of your personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Request deletion ("right to be forgotten")
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in portable format
• Right to Object: Object to processing for direct marketing
• Right to Withdraw Consent: Withdraw consent at any time

Legal Basis for Processing:

• Contract performance (providing calendar sync services)
• Consent (connecting calendars, optional features)
• Legitimate interests (service improvement, security)

To exercise these rights, contact us at privacy@usemultical.com

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Changes will be:

• Posted on this page with updated "Last Updated" date
• Notified via email for material changes
• Effective 30 days after posting (unless otherwise stated)

Continued use after changes constitutes acceptance.

12. Contact Us

For privacy questions, concerns, or to exercise your rights:

Email: privacy@usemultical.com
Support: support@usemultical.com
Mail: Multical Privacy Team, 3712 N. Broadway #104, Chicago, IL 60613

13. Consent

By using Multical, you consent to this Privacy Policy and our collection, use, and sharing of information as described.