Privacy Policy

Last updated: 24 September 2025

Clariia (“we”, “us”, “our”) respects your privacy. This Privacy Policy explains what personal information we collect, how we use and share it, and the choices you have. If you do not agree with this policy, please do not use the Service.

Contact: donna.odonoghue@gmail.com • Address: 86 Lorna Street, New Plymouth, New Zealand

1) Scope

This policy applies to the websites, apps, and services we operate that link to it (the “Service”), including our integrations with Google services (e.g., Google Calendar). It does not cover third-party services that we do not control.

2) Information We Collect

2.1 Information you provide to us

Account details (from Google Sign-In or email sign-up): name, email address, profile photo (if available).
Support content: information you send us in emails or forms.

2.2 Information we obtain from Google when you connect your account

When you opt in, we request the narrowest Google OAuth scopes needed for the features you use (for example, read-only access to calendar events or permission to create events). We do not request full access unless necessary for a feature you explicitly use.

Google Calendar data. We access only the minimum data required to perform the feature you invoke (e.g., listing your events or creating an event you confirm). We do not store full event bodies or calendar contents on our servers. We may store minimal operational metadata such as event or calendar IDs and timestamps needed to deliver the feature reliably.

2.3 Automatically collected information

Device/usage: IP address, device type, browser type, basic diagnostics, and interaction logs for security and reliability.
Cookies/SDKs: essential cookies for sign-in/session; optional analytics (see §10).

3) How We Use Information

To provide, maintain, and improve the Service and its features you request (e.g., reading your calendar to show upcoming events; creating events when you ask us to).
To secure the Service, prevent abuse, and troubleshoot issues.
To communicate with you (support, service notices, updates).
To comply with legal obligations.

4) Google User Data — Limited Use & Human Access

We use Google user data only to provide and improve user-facing features that you request or to comply with law. We do not sell Google user data or use it for ads. We do not transfer Google user data except (a) to service providers acting on our behalf under strict confidentiality and security obligations and only to operate the Service or (b) as required by law.

Human access to Google user data does not occur unless you explicitly ask for support that requires it, we obtain your consent, or access is required by law. We log such access where legally permitted.

Tokens: We use OAuth access tokens from Google to perform actions you request. We do not store Google refresh tokens for users of the consumer Google Identity Provider via Firebase Auth. Server-side tokens (if any) are stored securely and rotated regularly.

5) Firestore and Other Firebase Services

Firestore (Cloud Firestore): We store minimal operational metadata necessary to run the Service (e.g., document IDs, calendar IDs, event IDs, timestamps, feature flags, and user preferences). We do not store Google Doc contents or full Calendar event bodies. Firestore data is encrypted at rest and in transit.
Firebase Authentication: Used to sign you in. We store your UID, email, and basic profile (if provided) to manage your account.
Cloud Functions / Cloud Logging: May process and log operational events (non-content) for reliability, debugging, and security.

6) Data Retention & Deletion

Operational metadata (IDs/timestamps, job state, error codes): retained up to 90 days for reliability, abuse prevention, and auditing, then deleted or de-identified.
Access tokens: short-lived and rotated; cached tokens purged within 24 hours after you disconnect or revoke access.
Logs: security and service logs retained up to 30 days unless a longer retention is required for legal or security reasons.

Disconnect / revoke: You can revoke our access at any time at myaccount.google.com/permissions. When you revoke, we stop accessing your Google data immediately and purge cached tokens as above.

Deletion requests: You may request deletion of your account data by emailing donna.odonoghue@gmail.com. We will complete account-level deletion within 30 days unless retention is required by law or to resolve active disputes.

7) Legal Bases (EEA/UK only)

Where GDPR/UK GDPR applies, we process:

To perform our contract with you (provide requested features);
With your consent (connecting your Google account and granting scopes);
For our legitimate interests (service security, fraud prevention, improvement), where those interests are not overridden by your rights.

8) Sharing & Transfers

We share information only with:

Service providers (processors) that help us operate the Service (e.g., Google Cloud/Firebase). They must follow our instructions, protect your data, and cannot use it for their own purposes.
Legal/disclosure when required by law, safety, or to protect our rights.
Business transfers (e.g., merger/acquisition) with continued protections or notice and choices where required.

International transfers: Data may be processed in countries other than your own. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses). Hosting region: [Specify your Firebase/Cloud region here].

9) Security

Encryption in transit (HTTPS/TLS) and at rest (Firestore/Cloud Storage).
Least-privilege access controls and role separation.
Key/token management with rotation and restricted access.
Monitoring, logging, and intrusion detection for abuse and anomalous activity.
Vendor due diligence and data processing agreements with subprocessors where applicable.

Incident response: If we learn of a data breach affecting your personal information, we will notify you and relevant authorities as required by law.

10) Cookies, SDKs & Analytics

We use essential cookies/SDKs for authentication and session management. If we use analytics, it is to understand feature usage and improve the Service; analytics data is de-identified or aggregated where feasible. You can opt out of non-essential analytics where offered in-app or via your browser settings.

11) Your Rights & Choices

Depending on your location, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. To exercise these rights, email donna.odonoghue@gmail.com. We may verify your request and may be unable to comply where an exception applies (e.g., legal obligations).

12) Children’s Privacy

The Service is not directed to children. We do not knowingly collect personal information from children under [choose: 13 or 16]. If you believe a child has provided us information, contact us and we will delete it.

13) Third-Party Links

The Service may contain links to third-party sites/services. Their privacy practices are governed by their own policies.

14) Changes to This Policy

We may update this policy from time to time. Material changes will be notified via in-app notice or email. The “Last updated” date above reflects the latest version.

Appendix: Google Integration Disclosures

We request only the Google OAuth scopes needed for the features you choose to use, such as:
- https://www.googleapis.com/auth/calendar.readonly – Read events to display them in the app.
- https://www.googleapis.com/auth/calendar.events – Create/update events only when you ask us to.
We do not store full Google Calendar event bodies or calendar contents on our servers. Minimal operational metadata (IDs/timestamps) may be stored in Firestore to deliver features reliably.
You can revoke access anytime at myaccount.google.com/permissions. After revocation, we stop access immediately and purge cached tokens within 24 hours; related logs are purged within 30 days.
We comply with Google’s Limited Use requirements: no selling of Google user data, no use for advertising, no unnecessary transfers, and no human access without consent or legal necessity.

OAuth scopes we request & purposes

openid – Associate you with your Google account for authentication.
https://www.googleapis.com/auth/userinfo.email – See your primary Google Account email address to identify your account and send service notices.
https://www.googleapis.com/auth/userinfo.profile – See your basic profile (e.g., name, photo) to personalize the experience.
https://www.googleapis.com/auth/drive.file – See, edit, create, and delete only the specific Google Drive files you use with this app; we do not have access to your entire Drive. Used solely to read/write files you explicitly open or create via the Service.
https://www.googleapis.com/auth/calendar.readonly – Read events to display them in the app (no write access).
https://www.googleapis.com/auth/calendar.events – Create/update events in your calendars only when you ask us to.

We request only the minimum scopes needed for the features you choose to use. We do not sell Google user data, use it for ads, or allow human access without your request (support) or where required by law. You can revoke access anytime at myaccount.google.com/permissions.

If you have questions about this policy or our data practices, contact donna.odonoghue@gmail.com.