Privacy Policy
Last updated: May 27, 2026
ParallelCals helps people connect calendar accounts, synchronize availability, and avoid double bookings. This policy explains what information we collect, why we use it, and the choices you have.
Controller Details
ParallelCals is operated by ICIRAUQUI SL as controller for account, billing, product, and direct customer relationship data. For business or organization workspaces, ParallelCals may also act as processor for calendar data processed on the customer's instructions. The Data Processing Addendum applies to that processor activity.
- Controller: ICIRAUQUI SL.
- Privacy and security contact: hello@parallelcals.com.
- Data Protection Officer: no DPO has been appointed. Use the privacy contact above.
Information We Collect
- Account information: email address, name, authentication provider, linked login methods and verified email aliases, account type, organization, workspace membership, profile settings, theme, calendar display preferences, and terms acceptance records including IP address and user agent.
- Calendar connection information: provider account identifiers, provider account emails, provider calendar names and descriptions, optional custom display names, provider calendar IDs, colors, time zones, access roles, inclusion/enabled state, sync settings, OAuth scopes, encrypted access and refresh tokens, token refresh timestamps, and webhook channel metadata.
- Calendar event cache: provider event IDs, titles/summaries, start and end times, all-day state, recurrence references, original occurrence time, status, free/busy-related fields, time zone, sync hashes, minimized provider metadata needed for loop prevention, booking markers, and sync correctness, and, only when advanced sync is enabled for a rule, limited source location and meeting/join URL fields needed to copy those details into generated private target events.
- Live calendar event details: when you open an event in the app, ParallelCals may fetch current provider details such as description, location, attendees, organizer information, and meeting or conference links for display. These live detail responses are not stored in the synchronization event cache.
- Synchronization records: sync rules, target calendars, target item type and message, advanced sync settings such as source title/location/meeting-link copy toggles, RSVP filters, free-event handling, optional target color, app-owned mirrored event IDs, event exclusion records, jobs, logs, errors, retry state, and cancellation state.
- Booking information: booking link title, public description text, optional location, availability windows, invitee name, invitee email, invitee notes, selected slot, provider event IDs and URLs, generated meeting or conference information, booking status, cancellation/rescheduling metadata, and hashed booking-management tokens.
- Billing information: Stripe customer IDs, subscription status, subscription quantity, billing period dates, promotion grants/redemptions, billing usage snapshots, and payment/tax records handled by Stripe.
- Technical information: authentication cookies, request metadata, IP address, device/browser information, operational logs, hashed IP/email booking abuse-control records, and security/audit records normally generated by web applications.
Calendar titles can contain sensitive personal information that you or others placed in a calendar. Do not connect calendars or include events that you do not want ParallelCals to process for synchronization and availability features. Advanced sync does not copy descriptions or attendees, but copied titles, locations, and meeting links may still reveal sensitive context in the target calendars you choose.
Purposes and Legal Bases
- Account creation, login, profile management, and terms acceptance: contract necessity and legal obligation where records are required.
- Calendar connection, encrypted iCloud app-specific password storage where used, event caching, live event detail display, event creation, availability display, synchronization, booking links, invite delivery, meeting link creation where supported, and mirrored busy or out-of-office blocks: contract necessity and your provider authorization.
- Security, abuse prevention, debugging, retry handling, sync logs, service reliability, and product maintenance: legitimate interests in operating a secure and reliable service.
- Billing, subscriptions, tax, accounting, dispute handling, and legal notices: contract necessity and legal obligation.
- Provider OAuth consent and optional account linking: consent or provider authorization, which you can withdraw by disconnecting the provider, revoking provider access, or deleting your account.
Calendar Provider Access
You choose which Google, Microsoft, or iCloud accounts and which calendars to connect or include. For iCloud, you provide an Apple app-specific password that we store encrypted and use only for CalDAV calendar access. ParallelCals uses provider APIs only to provide the calendar, booking, availability, and synchronization features you configure, including creating events, inviting attendees, and adding Google Meet or Microsoft Teams links when you request those features on supported providers. We do not sell calendar data, share it for cross-context behavioral advertising, use it for ads, use it to determine creditworthiness, or use it to train AI models.
Use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements. Microsoft Graph data is used according to Microsoft API terms and only for the user-facing features you enable. iCloud calendar access uses Apple's CalDAV service with your app-specific password.
Service Providers and Subprocessors
We use service providers to operate ParallelCals:
- Supabase for authentication, PostgreSQL database, storage of app data, and backend services.
- Vercel for hosting, deployments, CDN, serverless execution, and cron invocation.
- Google APIs, Microsoft Graph APIs, and Apple iCloud CalDAV endpoints when you connect those calendar providers.
- Stripe for checkout, subscriptions, billing portal, payments, tax handling, and payment records.
Payment card details are handled by Stripe and are not stored by ParallelCals. The current subprocessor list and B2B processor terms are available in the Data Processing Addendum.
International Transfers
Some providers may process information outside your country, including outside the EEA. Where required, we rely on safeguards such as data processing agreements, standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms made available by our providers.
Retention
- Calendar event cache is retained for up to 90 days unless needed for active synchronization, booking, dispute, abuse, or security handling.
- Booking links, bookings, invitee details, provider event references, and cancellation/rescheduling records are retained while the account or booking link remains active, unless deleted earlier or retained longer for billing, abuse, dispute, security, or legal reasons.
- Sync logs, sync jobs, webhook metadata, and public booking abuse-control attempt logs are retained for up to 180 days for reliability, retry, support, audit, and abuse prevention purposes.
- OAuth tokens are retained encrypted until you disconnect the provider, provider access is revoked and cleanup completes, or your account is deleted.
- Billing, tax, accounting, payment, fraud-prevention, legal, and terms acceptance records may be retained for up to 6 years or longer if required by law or needed to establish, exercise, or defend legal claims.
- When you delete your account, app data is deleted or anonymized where reasonably possible. If you choose to delete future app-created provider events first and provider cleanup fails, deletion is blocked so credentials remain available for retry.
Security
We use technical and organizational measures designed to protect your information, including encrypted OAuth token storage, server-only service role access, role-based administrative controls, least-privilege provider scopes where feasible, structured logging, backup/restore controls from our infrastructure providers, and periodic access and secret reviews. No internet service can be guaranteed perfectly secure.
We maintain an incident response process. Where legally required, we notify the competent supervisory authority and affected users about personal data breaches within the required timeframes.
Your GDPR Rights
Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to processing of your personal data. You may also withdraw consent where processing is based on consent, without affecting processing that occurred before withdrawal.
You can download a JSON export from the Account page. To make another request, contact hello@parallelcals.com. We may need to verify your identity. We aim to respond within one month unless an extension is legally available.
You may lodge a complaint with your local data protection authority. For Spain, the competent authority is the Agencia Española de Protección de Datos (AEPD): aepd.es.
California Privacy Rights
If the CCPA/CPRA applies to you, this policy is also our notice at collection. We collect the categories described above for the purposes described above and disclose them to service providers for those business purposes. We do not sell personal information or share personal information for cross-context behavioral advertising.
California residents may request to know, access, delete, or correct personal information, limit certain uses of sensitive personal information where applicable, opt out of sale or sharing, and avoid discrimination for exercising privacy rights. Submit requests through the privacy contact above or through your authenticated account where available.
Automated Decisions
ParallelCals does not use personal data for automated decisions that produce legal or similarly significant effects. Sync rules are user-configured automation for creating, updating, and deleting calendar blocks.
Children
ParallelCals is not intended for children. You may not use the service if you are not legally able to enter into the agreement that applies to your use of the service.
Changes
We may update this Privacy Policy as the product, providers, or legal requirements change. If changes are material, we will take reasonable steps to notify users through the service or by email and require acceptance of updated terms where appropriate.