Skip to content

Legal

Privacy Policy

Last updated: 2026-06-15

Note: This is a thorough draft; have legal counsel review before public launch.

This Privacy Policy explains how ILUCARA LLC (“Ilucara,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with Asta Calendar (the “Service”) — a cross-platform calendar application available on the web, macOS, iOS, and Android that connects your Google, Microsoft, and Apple iCloud calendars to provide a unified view and automatic cross-account “shadow blocking.”

By creating an account or using the Service, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

1. Who We Are and Scope

This Policy applies to all users of Asta Calendar across the web app, desktop apps (macOS), and mobile apps (iOS and Android). It covers personal information we process when you create an account, connect your calendar providers, and use the Service’s features.

The data controller for the purposes of the EU/UK General Data Protection Regulation (GDPR) is ILUCARA LLC, located in Austin, Texas, USA. Our contact details are set out in the “Contact Us” section below.

2. Information We Collect

2.1 Account and Profile Information

When you create an account, we collect your name (if provided) and email address, and we maintain authentication credentials and account settings (such as your preferred time zone and display preferences).

2.2 OAuth Tokens and Authentication Credentials

To connect your calendars, we collect and store the credentials needed to access your calendar providers on your behalf:

  • Google and Microsoft: OAuth 2.0 access tokens and refresh tokens issued when you authorize Asta. We store these tokens (encrypted at rest) so we can synchronize your calendars and maintain shadow blocks without requiring you to re-authenticate each time.
  • Apple iCloud: An app-specific password that you generate in your Apple ID settings and provide to Asta, used to connect to iCloud Calendar over the CalDAV protocol. We store this credential (encrypted at rest) solely to access your iCloud calendar data as you have directed.

We do not collect or store your primary Google, Microsoft, or Apple account passwords.

2.3 Calendar and Event Data

When you connect a calendar account, we access and mirror calendar and event data from that account so the Service can present a unified view and compute cross-account availability. This data may include:

  • Calendar identifiers, names, colors, and time zones;
  • Event titles, descriptions, locations, start and end times, recurrence rules, and free/busy status;
  • Event organizers and attendees (including their names and email addresses);
  • Event metadata such as creation and modification timestamps, response status, and visibility settings.

This mirrored data is stored in our application database (see “Sub-Processors” below) so the Service can function reliably and efficiently.

2.4 Derived “Shadow Block” Events

With your authorization, Asta creates derived “shadow block” events on your connected calendars. These are placeholder busy events that reflect commitments on your other connected calendars, so that all of your calendars stay mutually up to date. We store the mapping between your real events and the shadow blocks we create so we can keep them synchronized and remove them when appropriate.

2.5 Device and Push Notification Data

On mobile and desktop, we collect device push notification tokens (for example, Apple Push Notification service and Firebase Cloud Messaging tokens) so we can send you notifications you have enabled. We may also collect basic device and operating-system information needed to deliver the app experience.

2.6 Usage and Diagnostic Data

We collect usage analytics and diagnostic information to operate, secure, and improve the Service, including:

  • Product analytics events (for example, which features are used and general interaction patterns);
  • Error reports, crash logs, stack traces, and performance metrics;
  • Log data such as IP address, timestamps, app version, device type, and operating system.

We aim to minimize the personal information contained in analytics and diagnostics and, where feasible, to pseudonymize or aggregate it.

2.7 Information You Provide Directly

If you contact support, respond to surveys, or otherwise communicate with us, we collect the information you choose to provide, including the contents of your messages.

3. How We Use Your Information

We use the information described above for the following purposes:

  • Provide the Service: authenticate you, connect and synchronize your calendars, compute availability, and create and maintain shadow block events.
  • Maintain and secure the Service: detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
  • Improve the Service: understand how the Service is used, diagnose problems, and develop new and improved user-facing features.
  • Communicate with you: send you transactional messages (such as account, security, and service notifications) and respond to your support requests.
  • Send notifications: deliver push notifications and reminders you have enabled.
  • Comply with law: meet our legal and regulatory obligations and enforce our Terms of Service.

We do not use your data to build advertising profiles, and we do not sell your personal information.

4. Google API Services User Data Policy — Limited Use

Asta Calendar’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, with respect to data we obtain through Google APIs (such as Google Calendar data and your Google account email):

  • We use Google user data only to provide and improve the user-facing features of Asta Calendar that you have requested — namely, presenting a unified calendar view and creating and maintaining cross-account shadow blocks.
  • We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not sell Google user data, and we do not transfer it to third parties except (a) as necessary to provide or improve the user-facing features described above (for example, to the sub-processors listed in this Policy), (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets with notice to affected users.
  • We do not allow humans to read your Google user data unless (a) we first obtain your explicit consent to read specific data, (b) it is necessary for security purposes (such as investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized and used for internal operations in accordance with applicable privacy and other laws.

These same limitations apply to any future transfer of Google user data.

5. Microsoft Graph Data Handling

Calendar and account data we obtain through Microsoft Graph (Outlook/Microsoft 365 calendars) is handled on the same restricted basis as described above for Google data. We use Microsoft Graph data only to provide and improve the user-facing features you have requested; we do not use it for advertising; we do not sell it; we do not transfer it except to provide or improve those features, to comply with law, or in connection with a corporate transaction with notice; and we do not permit human access to it except for security, legal compliance, with your explicit consent, or in aggregated and anonymized form. Our use of Microsoft Graph is also governed by Microsoft’s applicable platform terms.

6. Apple iCloud / CalDAV Data Handling

Calendar data we obtain from Apple iCloud over CalDAV, using the app-specific password you provide, is handled on the same restricted basis. We use iCloud calendar data only to provide and improve the user-facing features you have requested; we do not use it for advertising; we do not sell it; and we do not permit human access to it except for security, legal compliance, with your explicit consent, or in aggregated and anonymized form. You may revoke Asta’s access at any time by deleting the app-specific password in your Apple ID settings or by disconnecting iCloud within Asta.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information under the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): to provide the Service you have requested, including connecting your calendars and maintaining shadow blocks.
  • Legitimate interests (Art. 6(1)(f)): to secure, maintain, and improve the Service, prevent abuse, and understand product usage, balanced against your rights and interests.
  • Consent (Art. 6(1)(a)): where we rely on your consent, such as connecting a specific calendar provider, enabling push notifications, or optional analytics where required by law. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)): to comply with applicable laws and respond to lawful requests.

8. Sub-Processors

We rely on a limited set of trusted service providers (“sub-processors”) to operate the Service. Each is bound by contractual obligations to protect your data and to process it only on our instructions. These providers process data in the United States.

Sub-processorPurpose
Neon (managed PostgreSQL)Application database — stores account data, mirrored calendar/event data, tokens, and shadow-block mappings
CloudflareNetwork delivery, DNS, edge security, and DDoS protection
PolarMerchant of Record for payments, billing, and sales tax (future paid tier; see below)
ResendTransactional email delivery
PostHogProduct analytics
SentryError monitoring and crash reporting

We may update this list from time to time as our service providers change. Material changes will be reflected in an updated version of this Policy.

9. Payments

Asta Calendar is currently a free beta and does not charge for use. When we introduce a paid tier in the future, payments will be processed by Polar, acting as our Merchant of Record. This means Polar handles checkout, billing, and the collection and remittance of sales tax, and Polar will collect the payment information necessary to process your transaction (such as billing details and payment method). We do not store your full payment card numbers. Polar’s handling of your payment information is governed by Polar’s own privacy policy.

10. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Mirrored calendar and event data is retained while the relevant calendar remains connected, so we can keep your unified view and shadow blocks accurate. OAuth tokens and the iCloud app-specific password are retained while the corresponding provider remains connected.

When you disconnect a provider, delete your account, or request deletion, we delete the associated data as described below, subject to limited retention needed to comply with legal obligations, resolve disputes, prevent fraud and abuse, and enforce our agreements. Diagnostic and log data is retained for a limited period and then deleted or aggregated.

11. Deleting Your Data and Revoking Access

You can delete your account at any time from within the app. When you delete your account, we:

  • Purge your account, mirrored calendar/event data, and shadow-block mappings from our systems;
  • Revoke and delete the OAuth tokens and iCloud app-specific password we hold;
  • Remove the shadow block events Asta created where technically feasible.

Disconnecting an individual provider removes that provider’s mirrored data and credentials and revokes Asta’s access to that account. You can additionally revoke Asta’s access directly from your provider:

To request a copy of your data (export) or deletion, or if you have trouble using the in-app controls, contact us at privacy@astacalendar.com. We will respond within the timeframes required by applicable law.

12. Your Privacy Rights

12.1 GDPR/UK GDPR Rights

If you are in the EEA, UK, or Switzerland, you have the right to access, rectify, erase, restrict, and port your personal data; to object to certain processing; and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority.

12.2 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, use, and disclose; the right to request deletion of your personal information; the right to correct inaccurate personal information; and the right to non-discrimination for exercising your rights.

We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding twelve months. Because we do not sell or share personal information, no opt-out is required; however, you may still exercise your “do not sell or share” rights at any time, and we will honor them.

12.3 Exercising Your Rights

To exercise any of these rights, use the in-app controls or email us at privacy@astacalendar.com. We will verify your request as required by law before fulfilling it. You may use an authorized agent where permitted.

13. Security

We implement technical and organizational measures designed to protect your information, including encryption of OAuth tokens and the iCloud app-specific password at rest, encryption of data in transit (TLS), access controls, and monitoring. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you and the appropriate authorities as required by law.

14. Cookies and Analytics

On the web app, we use strictly necessary cookies and similar technologies to keep you signed in and to operate core functionality. We use PostHog for product analytics and Sentry for error monitoring, which may set identifiers needed to measure usage and diagnose issues. Where required by law, we will request your consent for non-essential analytics. You can control cookies through your browser settings, though disabling some cookies may affect functionality.

15. Children’s Privacy

The Service is not directed to, and is not intended for use by, children. You must be at least 16 years old (or 13 where permitted by applicable local law, and not younger) to use the Service. We do not knowingly collect personal information from children under these ages. If you believe a child has provided us personal information, contact us at privacy@astacalendar.com and we will delete it.

16. International Data Transfers

We are based in the United States, and our sub-processors process data in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions that may have data-protection laws different from those in your country. Where required, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) for international transfers of personal data.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice (such as in-app or by email). Your continued use of the Service after an update means you accept the revised Policy.

18. Contact Us

If you have questions, requests, or concerns about this Policy or our data practices, contact us at: