Privacy Policy

Last updated: May 24, 2025

Our Commitment to Privacy

At Weekday, we believe that privacy is a fundamental right. Our open-source calendar solution with AI features is built with privacy at its core, and we're committed to being transparent about how we handle your data.

Important: Weekday is a client-first calendar application. We DO NOT store your calendar events on our servers. All calendar data is processed directly between your browser and Google Calendar.

Our verified privacy commitments:

• Calendar Data Storage: We never store your calendar events - they remain in your Google Calendar account
• Client-Side Processing: All calendar processing happens in your browser
• Open Source: Our entire codebase is public and can be audited
• Minimal Data: We only request essential Google Calendar API permissions
• User Control: You can revoke our access to your Google Calendar at any time
• AI Features: All AI processing is done with privacy-preserving techniques

Google Account Integration

When you use Weekday with your Google Account:

• We request access to your Google Calendar data only after receiving your explicit consent
• We access only the necessary Google Calendar API scopes required for calendar functionality
• Your Google account credentials are never stored on our servers
• We use secure OAuth 2.0 authentication provided by Google
• You can revoke our access to your Google account at any time through your Google Account settings

Data Collection and Usage

Google Services Data Handling

• Calendar data is processed in accordance with Google API Services User Data Policy
• We only process and display calendar data - we don't store copies of your events
• All data transmission between our service and Google is encrypted using industry-standard TLS 1.3 protocols
• We maintain limited temporary caches only as necessary for application functionality, with a maximum retention period of 24 hours
• We collect basic usage analytics (page views, feature usage) to improve the service, but this data is anonymized

AI Feature Data Handling

• AI features process your calendar data only within your browser
• No calendar content is sent to external AI servers without explicit consent
• AI models are optimized to run locally when possible
• When cloud processing is required, data is anonymized and encrypted
• No AI training occurs on your personal calendar data

Self-Hosted Instances

• When you self-host Weekday, your calendar data remains entirely under your control
• No data is sent to our servers or third parties without your explicit consent
• You maintain complete ownership and responsibility for your data
• We provide detailed documentation on secure self-hosting practices
• You can configure your own data retention and backup policies
• Optional telemetry can be enabled to help us improve the platform

Data Processing Locations

• All data processing occurs in secure data centers in the United States
• Self-hosted instances can choose their own data processing location
• We comply with international data transfer regulations
• Data processing agreements are available for enterprise users

Data Protection and Security

Security Measures

• End-to-end encryption for all calendar communications using industry-standard protocols
• Secure OAuth 2.0 authentication for Google services with strict scope limitations
• Regular third-party security audits and penetration testing
• Open-source codebase for transparency and community security review
• Compliance with Google API Services User Data Policy and security requirements
• Real-time monitoring for suspicious activities and potential security threats
• Automated security patches and dependency updates

Infrastructure Security

• All servers are hosted in SOC 2 Type II certified data centers
• Network-level security with enterprise-grade firewalls
• Regular backup and disaster recovery testing
• Multi-factor authentication required for all administrative access
• Encryption at rest for all stored data using AES-256

Security Response

• 24/7 security incident response team
• Incident response plan with clear notification procedures
• Regular security training for all team members

Google User Data Handling

AI and Machine Learning Models

We explicitly affirm that Google Workspace APIs and any data obtained through them are NOT used to develop, improve, or train generalized AI and/or ML models.

• Any AI features in Weekday operate independently and do not use Google Workspace API data for model training
• Your Google Calendar data is processed solely for calendar functionality and display purposes
• No Google Workspace API data is fed into machine learning training pipelines
• AI models used in our application are pre-trained and do not learn from or incorporate your Google Calendar data

Data Access and Usage

We access the following Google user data through the Google Calendar API:

• Calendar events and details
• Calendar metadata (titles, dates, attendees)
• Calendar sharing settings
• Basic profile information

This data is used exclusively for providing calendar functionality within Weekday

• No Google user data is used for advertising, marketing, or profiling purposes
• We maintain detailed audit logs of all data access for security and compliance
• Access to user data is strictly limited to essential personnel

Data Sharing and Transfer

• Google user data is never shared with third parties except as required for core service functionality
• When necessary, we only work with service providers who comply with Google API Services User Data Policy
• All service providers are bound by strict confidentiality agreements
• We maintain a current list of all third-party service providers with access to Google user data
• Data sharing agreements are reviewed annually
• Users are notified of any material changes to our data sharing practices

Data Retention and Deletion

• Calendar data is processed in real-time and not permanently stored
• Temporary caches are automatically cleared after 24 hours
• Users can request immediate deletion of their cached data
• Account deletion process:
• All user data is immediately marked for deletion
• Cached data is purged within 24 hours
• Audit logs are retained for 30 days then permanently deleted
• Backup data is removed within 7 days
• We provide a data export tool for users to download their settings

User Rights and Controls

• Right to access: Request a copy of your data
• Right to rectification: Correct inaccurate data
• Right to erasure: Request deletion of your data
• Right to restrict processing: Limit how we use your data
• Right to data portability: Export your data
• Right to object: Opt-out of certain data processing

Limited Use Disclosure

Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Your Rights and Controls

• Right to revoke access to your Google account at any time
• Right to request deletion of any cached data
• Right to export your data
• Right to lodge complaints about data handling

Contact

For privacy-related questions or concerns:

• hello@ephraimduncan.com

Updates to This Policy

We may update this privacy policy from time to time. We will notify users of any material changes through our application or website.