Privacy Policy

Welcome to Common Ground. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our calendar coordination service.

1. Information We Collect

1.1 Information You Provide

Account Information: Name, email address, and authentication credentials
Profile Information: Optional profile details you choose to provide
Group Information: Group names, descriptions, and organizer names you create

1.2 Calendar Data

🔒 Privacy-First Approach:

Basic Privacy Tier (Default): We ONLY collect when you are busy or free. We never see event titles, descriptions, attendees, locations, or any personal details.
Enhanced Privacy Tier (Optional): You can opt-in to see your own event titles (never shared with groups) to mark certain events as "negotiable" for more scheduling flexibility.

We use OAuth tokens (encrypted and stored securely) to sync only busy/free times from your connected calendars (Google Calendar, Microsoft 365, Apple Calendar, or imported .ics files).

1.3 Automatically Collected Information

Usage Data: Pages visited, features used, interaction patterns
Device Information: Browser type, operating system, IP address
Log Data: Access times, error logs, performance metrics

2. How We Use Your Information

We use the collected information for the following purposes:

Provide Services: Calculate group availability, coordinate meetings, send invitations
Account Management: Create and manage your account, authenticate users
Communication: Send service-related notifications, group invites, meeting proposals
Improvement: Analyze usage patterns to improve features and user experience
Security: Detect and prevent fraud, abuse, and security incidents
Legal Compliance: Comply with applicable laws and regulations

3. Calendar Data Privacy

Our Core Privacy Guarantee:

We never see your private calendar event details. Your calendar data is processed with the highest level of privacy protection.

What We NEVER Access:

Event titles (e.g., "Doctor appointment", "Team meeting")
Event descriptions or notes
Event attendees or participants
Event locations or addresses
Any personal information within events

What We DO Access:

Start and end times of events (to determine busy/free status)
Enhanced Tier Only: Event titles are fetched but stored locally in your browser for your own review (never sent to our servers or shared with groups)

Calendar Provider Permissions:

When you connect a calendar, we request these OAuth scopes:

Google Calendar: calendar.readonly and calendar.events
Microsoft 365: Calendars.Read
Apple Calendar: Read-only access via .ics import (no OAuth required)

These permissions allow us to read calendar events to calculate availability. We use the minimum permissions necessary and never request write access unless you explicitly grant it for adding confirmed meetings.

4. Data Sharing and Disclosure

4.1 Within Groups

When you join a group, the following information is shared with group members:

Your name (as provided during signup)
Your busy/free times within the group's scheduling window
NOT shared: Event details, calendar provider, email address (unless you're the organizer)

4.2 Service Providers

We may share data with trusted third-party service providers who assist us in operating our service:

Authentication: Clerk (user authentication and management)
Database: Supabase (encrypted data storage)
Hosting: Netlify (application hosting)
Calendar APIs: Google, Microsoft, Apple (OAuth authentication only)

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to:

Comply with legal obligations
Protect our rights, property, or safety
Protect the rights, property, or safety of our users or the public
Investigate fraud or security issues

4.4 Business Transfers

If Common Ground is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email and/or prominent notice on our service before your data is transferred and becomes subject to a different privacy policy.

5. Data Security

We implement industry-standard security measures to protect your data:

Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL
Encryption at Rest: OAuth tokens are encrypted using AES-256-GCM before storage
Access Controls: Strict role-based access controls limit who can access your data
Secure Authentication: Multi-factor authentication support, secure session management
Regular Security Audits: We conduct regular security reviews and updates
Minimal Data Storage: We store only what's necessary for the service to function

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your information.

6. Your Rights

Under applicable data protection laws (including GDPR, Swiss FADP, and CCPA), you have the following rights:

Right to Access

Request a copy of the personal data we hold about you

Right to Rectification

Correct inaccurate or incomplete personal data

Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data. You can delete your account at any time from your settings.

Right to Restrict Processing

Request limitation on how we process your data

Right to Data Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to certain processing of your personal data

Right to Withdraw Consent

Withdraw consent at any time (e.g., disconnect your calendar)

To exercise any of these rights, please contact us at hello@safevide.dev. We will respond to your request within 30 days.

7. Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

Account Data: Retained while your account is active, deleted within 90 days after account deletion
Calendar Sync Data: Retained for up to 90 days for availability calculations, then automatically deleted
OAuth Tokens: Stored encrypted until you disconnect your calendar or delete your account
Group Data: Retained while the group is active. When a group is deleted, all associated data is removed within 30 days
Log Data: Retained for 90 days for security and debugging purposes

8. Children's Privacy

Common Ground is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us at hello@safevide.dev, and we will take steps to delete such information.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

Posting the new Privacy Policy on this page
Updating the "Last Updated" date at the top
Sending an email notification for significant changes
Displaying an in-app notification

Your continued use of Common Ground after changes become effective constitutes your acceptance of the revised policy.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Common Ground

Email: hello@safevide.dev

Location: Zurich, Switzerland

For GDPR-related inquiries or to exercise your data protection rights, please include "GDPR Request" in your email subject line.

Table of Contents