1. Data Controller

EventBarrier is operated by Nicolas Bonet, an individual based in Colombia. For the purposes of data protection law, Nicolas Bonet is the data controller responsible for your personal information.

2. Information We Collect

2.1 Google Account Information

When you sign in with Google OAuth, we collect:

• Basic profile information: Your name, email address, and profile picture
• Google account ID: A unique identifier for your Google account
• OAuth tokens: Access and refresh tokens to interact with your calendars

2.2 Calendar Data

To provide our synchronization service, we access:

• Calendar metadata: Calendar names, colors, and access permissions
• Event information: Event titles, dates, times, and attendee lists
• Event properties: Event status, transparency, and recurrence patterns
• Blocking events: Events we create to prevent double-booking

2.3 Usage and Technical Data

We automatically collect certain information about your use of the service:

• Sync activity logs: Records of synchronization operations and results
• Error logs: Technical information about any errors that occur
• Usage analytics: How often you use the service and which features (via Vercel Analytics or Phantom)
• Device information: Browser type, operating system, and IP address
• Session data: Login times and session duration

3. Legal Basis for Processing (GDPR)

For users in the European Union, we process your personal data based on the following legal grounds:

• Consent: You explicitly consent to our access to your Google Calendar data
• Contract performance: Processing necessary to provide the synchronization service
• Legitimate interests: Improving service quality and security (where not overridden by your rights)
• Legal obligations: Compliance with applicable laws and regulations

4. How We Use Your Information

4.1 Core Service Provision

We use your information to:

• Authenticate your identity and maintain secure sessions
• Access your Google Calendars to read existing events
• Create blocking events in your target calendars
• Synchronize changes across your calendars in real-time
• Provide you with a dashboard to manage sync preferences
• Send notifications about sync status and conflicts
• Enforce free tier limitations (2 calendar limit)
• Process premium subscription payments

4.2 Service Improvement

We may use aggregated, anonymized data to:

• Improve performance and reliability
• Understand usage patterns and optimize features
• Identify and fix technical issues
• Develop new features and enhancements

4.3 Communication

We may use your email address to:

• Send important service announcements
• Notify you of security issues or policy changes
• Respond to your support requests
• Send sync status notifications (if enabled)
• Process subscription and billing communications

5. Information Sharing and Disclosure

5.1 No Sale of Personal Data

We do not sell, rent, or trade your personal information or calendar data to third parties for marketing or any other purposes.

5.2 Service Providers

We share your information only with trusted service providers who assist us in operating our service:

• Google LLC: For calendar access and authentication via OAuth
• Vercel Inc: For hosting, infrastructure, and analytics services
• Supabase Inc: For secure database storage and management
• Payment processors: For handling premium subscription payments (when implemented)

These service providers are contractually obligated to protect your information and use it only for the specific purposes we authorize.

5.3 Legal Requirements

We may disclose your information if required by law or if we believe in good faith that such disclosure is necessary to:

• Comply with legal obligations or court orders
• Protect our rights, property, or safety
• Protect the rights, property, or safety of our users
• Investigate fraud or security issues
• Respond to government requests in accordance with applicable law

6. International Data Transfers

EventBarrier is hosted on Vercel's global infrastructure and uses Supabase for data storage. Your data may be transferred to and processed in:

• United States: Primary hosting location
• European Union: For EU users, data may be processed within the EU
• Other regions: As necessary for service delivery and performance

For transfers outside the European Economic Area (EEA), we ensure adequate protection through:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions where applicable
• Other appropriate safeguards as required by GDPR

7. Data Security

We implement comprehensive security measures to protect your personal information:

• Encryption: All data is encrypted in transit (TLS) and at rest (AES-256)
• OAuth security: We use Google's secure OAuth 2.0 protocol
• Access controls: Strict access controls limit data access to authorized systems only
• Infrastructure security: Hosted on secure, monitored cloud infrastructure (Vercel/Supabase)
• Regular monitoring: Continuous monitoring for security threats and vulnerabilities
• Data minimization: We only collect and store data necessary for service operation

8. Data Retention

We retain your information only as long as necessary to provide our service and comply with legal obligations:

• Account data: Retained while your account is active
• Calendar sync settings: Retained to maintain synchronization preferences
• Activity logs: Retained for 90 days for troubleshooting and service improvement
• Error logs: Retained for 30 days for debugging purposes
• Payment data: Retained as required for accounting and legal compliance

When you delete your account or revoke permissions, we will delete your personal data within 30 days, except where retention is required by applicable law or for legitimate business purposes (such as fraud prevention).

9. Your Rights (Including GDPR Rights)

9.1 General Rights

You have the following rights regarding your personal data:

• Right of access: Request a copy of your personal data
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data
• Right to restrict processing: Limit how we process your data
• Right to data portability: Receive your data in a portable format
• Right to object: Object to processing based on legitimate interests

9.2 GDPR Rights (EU Users)

If you are located in the European Union, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to withdraw consent: Withdraw consent for data processing at any time
• Right to lodge a complaint: File a complaint with your local data protection authority
• Right to be informed: Receive clear information about how your data is used

9.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at contact@eventbarrier.com. We will respond to your request within 30 days (or 1 month for GDPR requests).

You can also manage your data directly through:

• EventBarrier dashboard: Manage calendar sync settings and preferences
• Google Account settings: Revoke EventBarrier's access at myaccount.google.com/permissions

10. Google API Services User Data Policy

EventBarrier's use and transfer of information received from Google APIs adheres to theGoogle API Services User Data Policy, including the Limited Use requirements.

10.1 Limited Use Compliance

EventBarrier only uses Google user data to:

• Provide and improve our calendar synchronization features
• Ensure security and fraud prevention
• Comply with applicable laws

10.2 Data Minimization

We only request the minimum Google Calendar permissions necessary:

• https://www.googleapis.com/auth/calendar.readonly: To read existing events and detect conflicts
• https://www.googleapis.com/auth/calendar: To create blocking events in target calendars

11. Cookies and Tracking Technologies

11.1 Essential Cookies

We use essential cookies and similar technologies to:

• Maintain your login session (NextAuth.js session cookies)
• Remember your preferences and settings
• Ensure the security of our service
• Provide core functionality

11.2 Analytics Cookies

We use privacy-focused analytics (Vercel Analytics or Phantom) to understand service usage and improve performance. These analytics:

• Collect aggregated, anonymized usage data
• Do not track you across other websites
• Do not collect personally identifiable information
• Can be opted out of through your browser settings

11.3 No Third-Party Tracking

We do not use third-party advertising networks, social media pixels, or cross-site tracking technologies.

12. Children's Privacy

EventBarrier is not intended for use by children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at contact@eventbarrier.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will:

• Post the updated Privacy Policy on our website
• Update the "Last updated" date at the top of this policy
• Notify you of significant changes via email
• For material changes, obtain your consent where required by law

Your continued use of EventBarrier after any changes constitutes acceptance of the updated Privacy Policy.

14. Data Protection Authority

If you are located in the European Union and have concerns about our data processing practices, you have the right to lodge a complaint with your local data protection authority. You can find contact information for EU data protection authorities at:

European Data Protection Board - National Authorities