Privacy Policy

Last updated: 2026-06-14. WhenMeet.me takes a deliberately minimal approach to data: we read calendar Free/Busy only, never event contents, and never sell or train AI on your data.

Information we collect

Account

• Email address and name from the calendar account you sign in with (Google or Microsoft).
• Your time zone, so meeting times render correctly.

Calendar availability — Free/Busy only

When you connect a calendar we read only whether you are busy or free at given times, live via the provider’s Free/Busy endpoint. We do not read or store event titles, descriptions, locations, attendees or notes, and we never copy your calendar into our database. The merged availability for a scheduling request is cached at the edge for 60 seconds, then discarded.

Meetings you create

• The meeting’s time, optional title, chosen conference type (Google Meet / Microsoft Teams) and the participant email addresses you enter — stored so we can render the share page and send invitations.

Manual availability

If you mark free time by hand at /free, the time ranges you paint are stored against your email address so they can feed into the group heat-map. Nothing else is collected there.

Contacts

Email addresses (and names) of people you’ve invited, kept to power autocomplete the next time you schedule.

Authentication & anti-abuse

• OAuth tokens for calendar access, encrypted at rest, plus a signed session cookie.
• On the anonymous forms (suggest-a-time, mark-free) we may send a Cloudflare Turnstile token and your IP to Cloudflare to block bots.

How we use your information

• To find common availability and let you book a meeting.
• To send meeting invitations and notifications by email.
• To prevent abuse and to detect and fix technical issues.

Calendar access

WhenMeet.me only:

• Reads your Free/Busy to compute availability;
• Creates a new event when you confirm a meeting time;
• Never modifies or deletes your existing events;
• Never reads event contents;
• Never shares your calendar with other users — guests see only aggregated “N of M free” counts, never your individual busy blocks.

Data sharing and third parties

• Calendar providers: Google and Microsoft, solely to read Free/Busy and create events you confirm.
• Cloudflare: hosting and infrastructure (Workers, D1 database, KV cache) and Turnstile bot protection.
• Mailgun: delivery of transactional email (invites and notifications).
• Legal requirements: we may disclose information if required by law.

We do not sell, rent, or transfer your personal information or Google user data to third parties for marketing or any purpose unrelated to running WhenMeet.me.

AI/ML statement: data obtained through Google Workspace APIs (or any calendar provider API) is not used to develop, improve or train generalized AI or ML models. It is used only for the scheduling functionality of this app.

Data storage and security

• All data is encrypted in transit (TLS).
• OAuth tokens are encrypted at rest; only their SHA-256 is kept for API tokens.
• Live Free/Busy is cached at most 60 seconds, then dropped.

Data retention

We keep your account, the meetings you create, your contacts and any manually-painted availability until you delete them or ask us to. Disconnecting a calendar removes its stored tokens. You can request full account deletion at any time via Support.

Your rights

• Access your personal information;
• Correct inaccurate information;
• Request deletion of your information;
• Withdraw calendar access by disconnecting a provider;
• Export your data.

Changes to this policy

We may update this policy and will revise the “Last updated” date above.

Contact

Questions about privacy? Visit our Support page or email lukasz@wearfits.com.