Legal
Privacy policy
Last updated: 2026-05-07. This document is a starting draft. Final wording should be reviewed by counsel before public launch.
What we collect
- Hosts: name, email, password hash (bcrypt), handle, profile image URL, IANA timezone, weekly availability ranges, workspace memberships.
- Visitors: name, email, timezone, optional notes / question text submitted with each booking.
- Calendar: if a host connects Google or Microsoft Calendar, we store their OAuth access + refresh tokens encrypted at rest with AES-256-GCM. We read free-busy ranges and may write booking events when the host enables two-way sync.
- Operational: audit log entries (operationId only, no PII), webhook delivery state, IP address for rate-limiting (not stored beyond the rate-limit window).
Third parties
- Database: Turso (libsql) — iad1 region, provider-managed at-rest encryption + 24h point-in-time recovery.
- Email: Resend handles transactional email (booking confirmations, reminders, magic-link sign-in).
- Payments: Stripe processes paid plan subscriptions. We never store card data ourselves; Stripe tokens stay on Stripe's PCI-compliant infrastructure.
- Error monitoring: Sentry receives stack traces with a per-event redactor that strips email + name + booking notes (`src/lib/sentry-redact.ts`).
- OAuth: GitHub, Google (Calendar), and Microsoft (Calendar) verify your identity / calendar connection. We receive only the scopes you authorize at consent time.
Your rights
- Export. Download a JSON dump of every row tied to your account at /settings/danger → “Download as JSON”.
- Deletion. Permanently delete your account at /settings/danger → “Delete account”. The User row + cascading rows are removed immediately. Audit log entries (operationId only, no PII) are retained per our soft-delete + audit-survives policy.
- Correction. Edit your handle, name, email, and timezone at /profile and /settings/general.
Retention
Active accounts: indefinitely. Deleted accounts: PII removed immediately. Audit logs (operationId only): retained for diagnostic purposes.
Contact
Questions about this policy? Email privacy@officehours.app.