1. Who We Are
Unicala ("we", "us", or "our") is a calendar synchronization service operated by Luiz Gustavo Nogara,
reachable at [email protected].
Our service is available at unicala.io.
2. What Data We Collect
We collect only what is necessary to provide the service:
- Account data: your name and email address, used for authentication and communication.
- Calendar credentials: OAuth2 tokens or app-specific passwords required to access your calendars on your behalf. These are encrypted at rest using AES-256-GCM and never shared with third parties.
- Calendar event data: event titles, dates, times, descriptions, locations, and attendee counts — only as needed to perform synchronization. We do not store event content beyond what is actively being synced.
- Usage data: basic server logs (IP address, request path, timestamp) retained for up to 30 days for security and debugging purposes.
- Payment data: billing is handled entirely by Stripe. We do not store credit card numbers. We receive a customer ID and subscription status from Stripe.
3. How We Use Your Data
- To authenticate you and manage your account.
- To connect to your calendar providers (Google, Microsoft, Apple) and synchronize events according to your configuration.
- To send transactional emails (magic login links, booking confirmations). We do not send marketing emails unless you explicitly opt in.
- To process payments for paid plans via Stripe.
- To detect and prevent abuse, unauthorized access, and technical issues.
4. End-to-End Encryption Commitment
All calendar credentials (OAuth tokens and passwords) are encrypted with AES-256-GCM before being stored in our database.
The encryption key is not stored in the database. This means that even in the event of a database breach,
your calendar credentials cannot be read. We cannot read your calendar data beyond what is technically necessary
to perform synchronization — and we do not.
5. Data Sharing
We do not sell your data. We share data only with:
- Calendar providers (Google, Microsoft, Apple) — to perform synchronization on your behalf.
- Stripe — to process payments. Subject to Stripe's Privacy Policy.
- Infrastructure providers — our servers run on European or US-based cloud infrastructure. Data is not transferred to third countries without adequate safeguards.
6. Data Retention
- Account and sync data is retained while your account is active.
- When you delete your account, all associated data (credentials, sync configurations, calendar data) is permanently deleted within 30 days.
- Server logs are retained for up to 30 days.
- Anonymized, aggregated usage statistics may be retained indefinitely.
7. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and all associated data.
- Export your data in a portable format.
- Withdraw consent at any time (e.g., disconnect a calendar account).
To exercise these rights, contact us at
[email protected].
We will respond within 30 days.
8. Security
We implement technical and organizational measures to protect your data: AES-256-GCM encryption for credentials,
JWT-based authentication with short-lived access tokens, rate limiting, CSRF protection, and TLS in transit.
No system is 100% secure. If you discover a security vulnerability, please contact us responsibly at
[email protected].
9. Cookies
The Unicala app uses only functional, session-related storage (JWT tokens in memory and refresh tokens in
localStorage). We do not use tracking cookies or
third-party advertising cookies. The landing page (unicala.io) does not set any cookies.
10. Third-Party Services
By connecting your calendar accounts, you authorize us to act on your behalf with:
Google User Data
When you connect a Google Calendar account, Unicala requests the following OAuth scopes:
openid, email, profile — to identify the Google account you connected and display it in the UI.https://www.googleapis.com/auth/calendar — to list the calendars you can access and read free/busy information, so you can select which calendars to include in sync and so that your public scheduling links show accurate availability.https://www.googleapis.com/auth/calendar.events — to read, create, update, and delete events on calendars you explicitly opt in to sync, so that events stay in sync across Google Calendar, Microsoft Outlook, and Apple iCloud.
How Google user data is handled:
- Purpose: Google user data is used only to provide the features you sign up for (calendar synchronization and public scheduling links). It is not used for advertising, is never sold, and is not used to train generalized machine-learning models.
- Storage: OAuth tokens are encrypted at rest with AES-256-GCM. Event metadata required for sync (identifiers, timestamps, change hashes) is stored; event content is retained only as long as needed to reconcile the event across providers.
- Transfer: Google user data is not shared with third parties other than infrastructure providers strictly required to run the service (hosting, database), and only as processors acting on our instructions.
- Retention & deletion: When you disconnect a Google account in Unicala, we call Google's token revocation endpoint and delete the stored credentials immediately. Mirrored event data related to that account is deleted within 30 days. When you delete your Unicala account, all associated data is permanently deleted within 30 days.
- Human access: Unicala staff do not access your Google user data except (a) with your explicit consent, (b) to comply with applicable law, or (c) to investigate a confirmed security incident, as permitted by the Google API Services User Data Policy.
Unicala's use and transfer to any other app of information received from Google APIs
will adhere to the Google API Services User Data Policy,
including the Limited Use requirements.
11. Children
Unicala is not directed at children under 13. We do not knowingly collect data from children.
If you believe a child has created an account, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email
or a prominent notice in the app at least 14 days before they take effect.
Continued use of Unicala after changes constitutes acceptance.