Privacy Policy

SyncBlock (the "Service") is a calendar integration service operated by an independent developer. This policy describes what personal information the Service collects, why it is collected, how long it is retained, and what rights you have.

The Service collects the following personal information.

When you sign up:

• Email address
• Name (optional)
• Password (for email sign-up, stored encrypted)

When you connect a Google account:

• Google account ID
• Email address
• Name
• Profile picture URL

When you connect a Microsoft account:

• Microsoft account ID
• Email address
• Name

Collected automatically during use:

• User preferences such as language, timezone, and theme
• Local events and tags created within the Service

Event data from Google Calendar and Outlook Calendar is NOT persistently stored in the Service's database. When you view your calendar, the Service calls each platform's API in real time to display events.

Data may be held transiently in the following locations:

• Server memory: temporarily held while relaying the API response to the client, then discarded after the response is sent.
• Browser memory: held in your browser session for rendering, discarded when the session ends or you navigate away.
• Server logs: only metadata for debugging (request URL, response code, user ID) is recorded. Event content (title, description, attendees, etc.) is never written to logs.

Local events that you create directly within the Service are stored in the Service's database. When you create, modify, or delete an event in SyncBlock that is bound to an external calendar (Google/Outlook), the change is propagated to that platform, but the event content itself is not copied into SyncBlock's database.

• Providing the calendar integration service (Google Calendar, Outlook Calendar sync)
• User authentication and account management
• Saving user preferences (language, timezone, theme, etc.)
• Providing schedule sharing features

SyncBlock's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

• Data received through Google APIs is used solely to provide calendar integration features.
• Google user data is not transferred to or sold to third parties.
• Google user data is not used for advertising purposes.
• A human may read Google user data only with your explicit consent, for security purposes, to comply with applicable law, or as necessary to provide the Service.

The Service requests the following Google OAuth scopes. Each scope is used only for the stated purpose:

• email — used to identify your account and create a login session.
• profile — used to display your name and profile picture within the Service.
• https://www.googleapis.com/auth/calendar.calendarlist.readonly — used to list the calendars in your connected Google account. Only calendar metadata (name, color) is read; this scope cannot modify calendars.
• https://www.googleapis.com/auth/calendar.events — used to display, create, modify, and delete events on your Google Calendar when you operate the unified calendar in SyncBlock. No changes are made to your calendar without an explicit user action (clicking create / edit / delete). A read-only scope would not be sufficient because SyncBlock's core feature is letting you edit events across calendars from a single interface, which requires write access.

Data received through the Microsoft Graph API is used solely for calendar integration and user authentication. Microsoft user data is not shared with third parties or used for advertising purposes.

• OAuth access tokens: approximately 1 hour (automatically refreshed upon expiry)
• OAuth refresh tokens: deleted when you disconnect the account or delete your account
• Account information: deleted immediately upon account deletion
• Local events and tags: deleted immediately upon account deletion

When you delete your account, the Service revokes Google and Microsoft OAuth tokens and permanently deletes all your data from the database.

The Service does not sell or share your personal information with third parties, except in the following cases.

• When you choose to share your schedule using the sharing feature
• When required by law

You have the right to:

• Request access to your personal data
• Update your personal data (via the Settings page)
• Disconnect calendar accounts (via the Settings page)
• Delete your account and all associated data

The Service uses HttpOnly cookies for authentication. These cookies are used solely to maintain your login session and are not used for advertising or tracking.

The Service implements the following security measures to protect your personal data.

• Encryption in transit: All data transmissions are encrypted using HTTPS (TLS) protocol.
• Password protection: User passwords are hashed using a one-way hash function (bcrypt) before storage. Original passwords are never stored on the server.
• Authentication token security: JWT tokens are signed with a server-side secret key and delivered via HttpOnly, Secure, and SameSite cookies.
• OAuth token management: Google and Microsoft OAuth tokens are stored in the database and immediately revoked upon account deletion.
• Access control: All API endpoints are protected by JWT-based authentication guards, and unauthenticated access is blocked.
• Infrastructure security: The Service is hosted on a cloud platform with HTTPS enforcement, and the database is accessed through encrypted connections.
• Data processing location: User data is stored and processed on Neon PostgreSQL in the Asia-Pacific (Singapore, ap-southeast-1) region, while application servers run on Vercel's global edge network.

If this policy is updated, we will notify you through an in-service announcement.

For privacy-related inquiries: contact@sync-block.app