Privacy Policy

This notice explains how we process personal data when you use CalMirror (hereinafter the “Service”) in accordance with the General Data Protection Regulation (GDPR).

1. Controller

Gietmanic, Daniel Gietmann, Siegburger Straße 129 B, 53229 Bonn, Germany. Email: hello@calmirror.com.

2. Hosting and infrastructure

The marketing website (calmirror.com) is delivered via Azure Static Web Apps (Microsoft Corporation). The web application (app.calmirror.com) and background services (sync engine, webhook receiver) run on servers operated by us at Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (server location: Germany).

The respective hosting provider processes technical access data (e.g. IP address, time of access, requested resource) on our behalf to deliver and secure the services. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in stable, secure operation). Data processing agreements (Art. 28 GDPR) are in place with the providers.

3. Data processed when using the Service

When you create an account and connect calendars, we process:

• Account data: Name, email address, password (stored only as a hash), two-factor authentication settings.
• Connection data: OAuth tokens or app-specific passwords for the connected calendar accounts. These are encrypted with AES-256-GCM before storage and decrypted only for synchronization.
• Calendar data: Events from the connected calendars (times, titles, locations, descriptions, attendees, recurrences) to the extent necessary for the mirroring you configured. Depending on your per-link settings, only availability information (“Busy”) or a custom placeholder you defined may be written to the target calendar.
• Cached calendar data: Events are temporarily cached in our database to power the dashboard and efficient synchronization.
• Usage and log data: Technical logs for debugging, security and operation.

4. Purposes and legal bases

Processing is carried out to provide the Service (mirroring calendars between accounts you have connected) and therefore to fulfill the user agreement pursuant to Art. 6 (1) (b) GDPR. Processing is also carried out to ensure security, stability and to prevent misuse pursuant to Art. 6 (1) (f) GDPR.

5. Recipients and processors

To provide the Service, personal data is transferred to the following categories of recipients:

• Calendar providers (Apple/iCloud, Google, Microsoft/Outlook, other CalDAV servers): To read source calendars and write to target calendars. Transfer occurs exclusively on the basis of your explicit connection and authorization of the respective accounts.
• Hetzner Online GmbH (Germany): Hosting of the web application and background services.
• Microsoft Azure: Cloud services for storing account, connection and calendar data as well as for controlling synchronization and background processing. Data is processed in the EU (Germany).
• Resend, Inc. (USA): Sending of transactional emails (email confirmation, password reset, confirmation of email address changes). Emails may be sent from the Ireland region (eu-west-1) to reduce delivery latency for recipients in Europe. However, account and metadata (including email addresses, send timestamps and logs) are stored in the United States. The EU Standard Contractual Clauses (SCCs) apply, as well as Resend’s certification under the EU-U.S. Data Privacy Framework (DPF).

Personal data is not passed on to any other third parties unless this is required to comply with legal obligations.

6. Storage duration

Personal data is stored for as long as your account is active or a statutory retention obligation exists. When you delete your account or disconnect a calendar connection, the associated access credentials (encrypted), mirror links, event mappings and cached events are deleted or anonymized.

7. Your rights

You have the right to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and to object to processing (Art. 21 GDPR). You also have the right to lodge a complaint with a supervisory authority.

8. Cookies and similar technologies

The Service uses technically necessary cookies and similar storage technologies, in particular for authentication and session management (Better Auth). These are strictly necessary for the operation of the Service. Consent is not required for this (§ 25 (2) TDDDG).

No third-party analytics or marketing cookies are used.

9. Automated decision-making / Profiling

No automated decision-making or profiling that produces legal effects for you takes place.