Privacy Policy

CalARK accounts are provisioned by an administrator; the service is intended for the people and organizations that administrator invites. By using CalARK you agree to this policy. If you do not agree, please don’t use the service.

We collect only what we need to run the service:

• Account information — your name, email address, your password (stored only as a salted hash, never in plain text), and the secret for your authenticator-app two-factor login (stored encrypted). We never see your password or two-factor codes.
• Connected-account credentials — when you connect a Google or Microsoft account, we receive OAuth access and refresh tokens. These are encrypted at rest (AES-256-GCM) and used only to access the calendars you connect.
• Calendar content — event details (such as titles, times, locations, descriptions, attendees, and conferencing links) and free/busy availability. CalARK reads this live from the providers each time you view your calendar and does not keep a long-term database copy of your events.
• Change notifications — if real-time sync is enabled, we register push channels with Google/Microsoft so they tell our servers that a calendar changed; this simply prompts your open session to refresh. The notification itself does not include your event contents.
• Preferences — settings such as your timezone, default view, account colors, and notification choices.
• Technical data — limited request metadata (e.g. IP address and timestamps) used for security, rate-limiting, and abuse prevention.

• To display your calendars in one unified view and compute availability.
• To create, update, or respond to events on a connected calendar — only when you ask.
• To authenticate you and secure your account (password + two-factor).
• To send transactional and notification emails you’ve opted into (such as agenda digests, account-connected confirmations, and invitation reminders).
• To operate, maintain, secure, and improve the service.

We do not sell your information, use it for advertising, or use it to train generalized or independent AI/ML models.

CalARK’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect a Google account, you grant CalARK access to your Google Calendar — to read your calendars and events and to create or update events when you request it. We use this Google data only to provide and improve the user-facing calendar features described in this policy. We do not transfer this data to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger/acquisition with your notice and consent; and we do not use it for advertising or to train generalized AI models.

You can review or revoke CalARK’s access at any time from your Google Account permissions (and the equivalent Microsoft account privacy settings), or by disconnecting the account inside CalARK.

We don’t sell your data. We share it only with:

• The calendar providers (Google, Microsoft) — to read and write the calendar data you authorize.
• Service providers that help us operate, strictly on our behalf: our application hosting, our database (MongoDB), and our email provider (Resend). They may process data only to provide their service to us.
• Legal and safety — when required by law, to enforce our terms, or to protect the rights, safety, and security of our users or the service.

OAuth tokens and your two-factor secret are encrypted at rest with AES-256-GCM; passwords are stored only as Argon2 hashes. Traffic is served over TLS, and sign-in requires two-factor authentication. No method of transmission or storage is perfectly secure, but we work to protect your information using industry-standard measures.

We keep your account information and connected-account tokens for as long as your account is active. Disconnecting a calendar account removes its stored tokens and stops any push channels. To delete your account and associated data, contact us at calark@alirazakhan.meand we will delete it within a reasonable period, except where we must retain certain records to comply with the law. Because we read calendar events live and don’t store them, there is no separate event archive to purge.

Depending on where you live, you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. To exercise these rights, email calark@alirazakhan.me. You can also manage most data directly in the app’s settings.

We may process and store information in countries other than your own. Where we transfer data internationally, we take steps to ensure it remains protected consistent with this policy and applicable law.

CalARK is not directed to children and is not intended for anyone under 16. We do not knowingly collect personal information from children.

We may update this policy from time to time. When we make material changes, we’ll update the “Last updated” date above and, where appropriate, notify you. Continued use after an update means you accept the revised policy.

Questions about this policy or your data? Email us at calark@alirazakhan.me.