CalendoxCalendox Docs
Security & Privacy

Data Security

How Calendox stores, protects, and handles your calendar data.

What data Calendox stores

Calendox stores the minimum data required to operate the sync service:

DataPurpose
Calendar metadata (IDs, names, provider)Identify which calendars are part of a sync
Event metadata (event ID, iCalUID, sync state, a one-way content fingerprint)Track which events have been synced and detect whether one has actually changed, without storing its content
OAuth tokens (server-side only)Maintain calendar access without requiring you to re-authorize
Account profile (email, name)Identify your account in the Calendox interface

Calendox does not store the content of your calendar events — titles, descriptions, locations, and meeting passwords are never written to our database. For recurring events, Calendox stores only a one-way cryptographic hash of an event's content, used solely to detect whether it has changed since the last sync; the hash cannot be reversed to recover the original text. Your event titles, descriptions, and locations are read live from Google or Microsoft each time they're displayed in the Unified Calendar.

Encryption

  • All data in transit is protected by TLS 1.2 or higher.
  • The Calendox database is hosted on Azure, which encrypts data at rest at the storage layer.
  • OAuth access and refresh tokens are stored server-side only. They are never sent to or exposed in your browser, included in logs, or returned by any API response.

Access controls

  • Calendox uses Postgres row-level security (RLS) so that every database query is scoped to the authenticated user, or to the tenant for Business/Enterprise accounts — a user cannot read or write another user's data through the application, even if application code has a bug.

Data retention

  • Your calendar data and sync configuration are retained as long as your Calendox account is active.
  • When you delete your Calendox account, your subscription is cancelled, your connected calendars are removed, and your account record is deleted as part of that process — including calendars and directory data belonging to a Business or Enterprise team when the team itself is deleted.
  • Calendox retains a minimal record linking your email address (and any calendar provider accounts you connected) to free-trial usage for up to 5 years after account deletion — this prevents re-using the free trial by deleting and re-creating an account. See Plans and billing.
  • Records of devices used to sign in (kept to alert you to new sign-ins) are removed after 180 days of inactivity.
  • OAuth tokens are deleted from Calendox immediately when you disconnect a calendar provider or delete your account. This removes Calendox's stored copy of the token; it does not revoke the token on the provider's side — see Revoking access to fully remove Calendox's access from your Google, Microsoft, or Zoom account.

Compliance

Calendox is hosted on Microsoft Azure. For detailed compliance and privacy information, see our Privacy Policy.

Vulnerability disclosure

To report a security vulnerability, email security@calendox.com. Do not disclose vulnerabilities publicly until they have been resolved.

OAuth Permissions

A full list of OAuth scopes Calendox requests from Google, Microsoft, and Zoom, and why each is needed.

On this page

What data Calendox storesEncryptionAccess controlsData retentionComplianceVulnerability disclosure