Privacy Policy

Last updated: March 18, 2026

What Calmate Is

Calmate (“we”, “our”, “the Service”) is a calendar synchronization service that keeps your iCloud and Google Calendar events in sync. The Service is operated by the individual behind calmate.pro.

Zero-Knowledge Architecture

Calmate is built on a zero-knowledge principle. We never store the content of your calendar events (titles, descriptions, attendees, locations). The only data we process and store is sync metadata:

  • Event unique identifiers (UIDs)
  • Change detection tags (ETags, CTags, sync tokens)
  • Content hashes (SHA-256 — irreversible, used only for change detection)
  • Timestamps of last modification

Event content passes through our servers during sync but is never written to disk or any persistent storage.

Data We Store

Account Data

  • Email address and name (for authentication)
  • Hashed password (scrypt — we never see your plaintext password)

Calendar Credentials

  • Google OAuth refresh token — encrypted at rest with AES-256-GCM
  • iCloud Apple ID and App-Specific Password — encrypted at rest with AES-256-GCM

Encryption keys are stored separately from the database. Even if the database is breached, credentials cannot be decrypted without the master key.

Subscription Data

  • Stripe customer ID and subscription status
  • We do not store credit card numbers — Stripe handles all payment data

Sync Logs

  • Sync status (success/error), event count, duration, timestamps
  • Error messages (technical only, never event content)

Third-Party Services

  • Google — OAuth for calendar access (Google Privacy Policy applies)
  • Apple iCloud — CalDAV access (Apple Privacy Policy applies)
  • Stripe — Payment processing (Stripe Privacy Policy applies)

Data Retention

Account data is retained while your account is active. Upon deletion:

  • All credentials are immediately deleted
  • Sync state and logs are deleted within 24 hours
  • Stripe data is retained per Stripe's retention policy

Your Rights

At any time, you can:

  • Export your sync configuration
  • Disconnect Google or iCloud accounts
  • Delete your account and all associated data

Security

  • All connections use TLS (HTTPS)
  • Credentials encrypted with AES-256-GCM at rest
  • Database not exposed to the internet
  • Rate limiting on authentication endpoints

Contact

For privacy questions, email contact@calmate.pro.