Draft — pending legal review. This document is a good-faith draft describing how Kaiju Calendar works today. It has not yet been reviewed by counsel and must be finalized before paid general availability. EVERNOIR LLC's full registered-agent street address must also be added here before legal GA.

Privacy Policy

Last updated: June 16, 2026

Kaiju Calendar is operated by EVERNOIR LLC, a Wyoming limited liability company ("we", "us", "our"). Kaiju Calendar helps you see events from multiple calendar accounts in one place and automatically blocks busy time across all of them. To do that, we connect to your Google and Microsoft calendar accounts on your behalf. This policy explains what we collect, what we do with it, and what we don't do.

If anything here is unclear, email hello@kaijuapps.ai and a real person will reply.

What we collect

  • Account information: the email address you sign in with, an optional display name, and your time zone.
  • Calendar data: the list of calendars on your connected accounts, and for each calendar, the events within a rolling window (typically the last 30 days and the next 90 days). For each event we store its title, start and end times, time zone, recurrence rule, status, and a copy of the provider's raw response for that event (which can include the attendee email addresses the provider returns).
  • Authorization tokens: OAuth access and refresh tokens issued by Google or Microsoft when you connect a calendar account. These let us read and write your calendars without asking you to log in to the provider every time.
  • Billing information: if you subscribe, Stripe handles your card data. We store only a Stripe customer ID and your subscription status — never your card number.

We do not currently use any third-party product-analytics or advertising tools, and we do not collect IP-based location, advertising identifiers, or cross-site tracking data.

How we store your OAuth tokens

Calendar tokens are the most sensitive data we hold. We treat them accordingly:

  • Tokens are encrypted at rest using AES-256-GCM authenticated encryption. The encryption key is held as a server-side secret, separate from the database, so an attacker who obtained a database copy alone could not read the tokens.
  • Tokens are never sent to your browser. Calendar API calls happen server-side. Your browser only ever sees the calendar data we choose to render.
  • Tokens are never written to logs or error output.
  • We refresh tokens when the provider issues a new one. If a token refresh fails, we mark the account as needing reauthorization and stop syncing until you reconnect.

What we read from your calendars

We read the metadata listed under "Calendar data" above. We do not read your email, your contacts, your files, or anything outside the calendar scope you grant. The exact OAuth scopes we request are:

  • Google: https://www.googleapis.com/auth/calendar (read and write your calendars).
  • Microsoft: Calendars.ReadWrite, User.Read, offline_access.

What we write to your calendars

The only thing Kaiju Calendar writes to your calendars on its own is busy placeholders: events we create on Calendar B to block out the same time as a real event on Calendar A. Every placeholder we create is tagged in two ways:

  • A marker identifying it as a Kaiju Calendar placeholder, including the source event's identifier.
  • A custom extended property on the event itself, where the calendar provider supports it.

These tags let us identify our own placeholders during sync and remove them cleanly if you change blocking rules, delete the source event, disconnect an account, or delete your account. Events you create through Kaiju Calendar's own event composer are written normally to whatever calendar you target — those aren't placeholders.

What we do not do

  • We do not sell your data. We have never done so and never will.
  • We do not train AI models on your calendar data.
  • We do not share calendar content with advertisers or data brokers.
  • We do not read your email, your contacts, your files, or anything outside the calendar scopes listed above.
  • We do not modify the content of your real events. We only write placeholders, and only on calendars configured to receive them.

Subprocessors

We use the following infrastructure providers to run Kaiju Calendar:

  • Supabase — database (PostgreSQL), authentication, and background jobs.
  • Vercel — application hosting and CDN.
  • Stripe — billing and payment processing.
  • Resend — transactional email delivery (for example, sign-in links and account notices).
  • Sentry — application error monitoring and diagnostics (United States). Receives technical error reports only; configured to exclude personal data — email addresses and calendar identifiers are scrubbed before transmission.
  • Anthropic — AI provider powering the in-app support chat (United States). Receives the text you type into the support chat in order to generate a reply; it has no access to your calendars, events, or account. Anthropic retains API inputs for up to 30 days for trust-and-safety purposes and does not use them to train its models.

We share with each subprocessor only the data needed for the function it performs on our behalf, and only to operate the Service.

Data retention and deletion

We keep your data for as long as you have an active account. When you delete your account, we:

  1. Remove every busy placeholder we created on your provider calendars, using the placeholder identifiers we stored.
  2. Delete the OAuth tokens we stored from our database. You can also revoke Kaiju Calendar's access at any time directly from your Google or Microsoft account security settings.
  3. Delete your account data from our systems once the placeholder teardown completes.

If a teardown cannot complete because a provider token has already been revoked, we force-remove the account after 7 days and record (in our server logs) the identifiers of any placeholders we could no longer reach to delete. You can also disconnect a single calendar account at any time; when you do, we remove the placeholders we wrote to it and delete its token, even if your Kaiju Calendar account remains.

Your rights

If you are in the EU, UK, or another jurisdiction with similar laws, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (see the deletion process above).
  • Export your data in a machine-readable format.
  • Object to or restrict certain processing.
  • Lodge a complaint with your local data protection authority.

You can exercise any of these rights by emailing hello@kaijuapps.ai. We respond within 30 days.

Cookies and tracking

Kaiju Calendar uses first-party cookies, set by our authentication provider, to keep you signed in. We do not use advertising cookies, cross-site trackers, or third-party analytics.

Security

All traffic to Kaiju Calendar is served over HTTPS. Calendar tokens are encrypted at rest with AES-256-GCM. Database access is restricted to your authenticated account, and we are rolling out database row-level security as an additional safeguard. We do not log tokens or calendar content.

No system is perfectly secure. If you believe you've found a vulnerability, email hello@kaijuapps.ai and we'll respond promptly.

Children

Kaiju Calendar is not directed at children under 16 and we do not knowingly collect data from anyone under 16. If you believe a child has signed up, contact us and we'll delete the account.

Changes to this policy

If we make material changes to this policy, we'll email anyone with an active account at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.

Contact

EVERNOIR LLC — Sheridan, Wyoming, USA. Privacy questions: hello@kaijuapps.ai.

See our Terms of Service for the contract that governs your use of Kaiju Calendar.