PRIVACY POLICY

Last updated: January 4, 2025

This Privacy Notice for ColorKit for Google Calendar ("ColorKit," "we," "us," or "our"), a product of Calendar Extension, describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

• Visit our website at https://calendarextension.com or https://portal.calendarextension.com, or any website of ours that links to this Privacy Notice

• Download and use our Chrome browser extension (ColorKit for Google Calendar), or any other application of ours that links to this Privacy Notice

• Use ColorKit. ColorKit makes Google Calendar easier to scan by adding day-column colors, custom task colors, and clean time-block overlays—so busy weeks pop at a glance. It installs in minutes, works across Day/Week/Month views, and runs entirely in your browser for privacy.

• Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at adam@calendarextension.com.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

CHROME WEB STORE LIMITED USE DISCLOSURE

ColorKit for Google Calendar's use of information received from Google APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.

ColorKit only uses the minimal permissions necessary to provide our service:

• Google OAuth (email, profile): Used solely for user authentication and account management
• Google Tasks API (read-only): Used solely to enable the Task List Auto-Coloring feature - allows you to automatically color all tasks from specific Google Task lists

We DO NOT:
• Access your calendar events, titles, descriptions, or attendees
• Read, modify, or share your calendar data
• Use your data for advertising, profiling, or tracking
• Share your data with third parties except as required to provide the service (authentication, payment processing)
• Collect or transmit data unrelated to ColorKit's core functionality

All calendar customization happens locally in your browser. Your calendar data never leaves your device and is never transmitted to our servers.

This disclosure complies with Google Chrome Web Store User Data Policy requirements effective 2025.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. We collect minimal personal data necessary to provide the service.

Do we process any sensitive personal information? We do not process sensitive personal information such as racial or ethnic origins, sexual orientation, religious beliefs, health information, or biometric data.

Do we collect any information from third parties? We receive limited information from Google OAuth when you sign in (email address, name, and profile picture if you grant permission). We also receive subscription status information from Paddle, our payment processor.

How do we process your information? We process your information to provide, improve, and administer our Services, authenticate users, manage subscriptions, process payments via Paddle, communicate with you, and for security and fraud prevention. We process your information only when we have a valid legal reason to do so.

In what situations and with which parties do we share personal information? We share information only with essential service providers: Paddle (payment processing), Supabase (database and authentication), Vercel (web hosting), and Google (OAuth authentication and push notifications). We do NOT sell your personal information.

How do we keep your information safe? We have adequate organizational and technical processes and procedures in place to protect your personal information, including TLS 1.3 encryption, AES-256 database encryption, and end-to-end encrypted push notifications. However, no electronic transmission over the internet can be guaranteed to be 100% secure.

What are your rights? Depending on where you are located geographically, you have certain rights regarding your personal information under GDPR, CCPA, UK GDPR, and other applicable privacy laws.

How do you exercise your rights? The easiest way to exercise your rights is by contacting us at adam@calendarextension.com. We will consider and act upon any request in accordance with applicable data protection laws.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

TABLE OF CONTENTS

  1. WHAT INFORMATION DO WE COLLECT?

  2. HOW DO WE PROCESS YOUR INFORMATION?

  3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

  4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

  5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

  6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

  7. HOW LONG DO WE KEEP YOUR INFORMATION?

  8. HOW DO WE KEEP YOUR INFORMATION SAFE?

  9. DO WE COLLECT INFORMATION FROM MINORS?

  10. WHAT ARE YOUR PRIVACY RIGHTS?

  11. CONTROLS FOR DO-NOT-TRACK FEATURES

  12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

  13. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?

  14. DO WE MAKE UPDATES TO THIS NOTICE?

  15. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

  16. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You

The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

• Email addresses - Collected via Google OAuth for account creation and communication
• Names - May be collected via Google profile (if you grant permission)
• Profile picture URL - May be collected via Google profile (optional)

Sensitive Information

We do not process sensitive information.

Payment Data

We do NOT store any payment information. All payment data is handled exclusively by Paddle, our payment processor and Merchant of Record. Paddle is PCI DSS 4.0 Level 1 certified and GDPR compliant.

What we DO receive from Paddle:
• Customer ID (Paddle's unique identifier)
• Email address (to link payment to user account)
• Subscription status (active, trialing, canceled, past_due, paused)
• Subscription ID and Price ID
• Transaction dates
• Currency and pricing (amounts paid, not payment methods)

What we DO NOT receive from Paddle:
• Credit card numbers, CVV codes, or expiration dates
• Bank account numbers
• Full billing addresses
• Any other payment method details

All credit card processing, secure payment forms, and PCI compliance are handled exclusively by Paddle.

Google API Data

When you use the Task List Auto-Coloring feature, ColorKit requests read-only access to your Google Tasks:

• Google Tasks API (read-only): We read your Google Task list names and task IDs solely to enable automatic coloring of tasks from specific lists you choose
• Task Content: We read task titles and list associations to match them with your chosen colors
• Storage: Task-to-color mappings are stored locally in your browser (Chrome Sync storage)
• No Modification: We NEVER modify, create, or delete your tasks
• Limited Scope: We do NOT access task descriptions, due dates, or other task metadata beyond what's necessary for coloring

This data is used solely to provide the Task List Auto-Coloring feature and is NOT shared with any third party or used for any other purpose.

Information Automatically Collected

In Short: We automatically collect some information when you visit our website or use our extension.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include:

• Browser and device information (browser type, operating system)
• IP address (retained for 30 days in server logs, then deleted)
• Usage data (pages visited on our website, feature usage within extension)
• Push notification subscription data (encrypted endpoint, public keys)

This information is primarily needed to maintain the security and operation of our Services and for internal analytics.

Information Collected from Other Sources

We may receive limited information from third-party services when you:

• Sign in with Google OAuth (email, name, profile picture)
• Subscribe via Paddle (customer ID, subscription status, transaction data)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, ensure security, and comply with legal obligations.

We process your personal information for the following purposes:

• To facilitate account creation and authentication - We use Google OAuth to securely authenticate users without storing passwords

• To deliver and facilitate delivery of services to the user - We use your email and subscription status to enable access to ColorKit features

• To send administrative information to you - We may send you product updates, security alerts, and subscription information

• To fulfill and manage your subscriptions - We communicate with Paddle to verify your subscription status and enable/disable features accordingly

• To enable user-to-user communications - If you contact us for support, we will use your email to respond

• To send you push notifications - With your permission, we send Web Push notifications for subscription status updates (e.g., payment confirmation, renewal reminders)

• To request feedback - We may ask you to provide feedback on your experience

• To protect our Services - We use your information to monitor for suspicious activity, fraud prevention, and security purposes

• To enforce our terms, conditions, and policies - For business purposes, to comply with legal requirements, and to protect our rights

• To comply with legal obligations - We may process your information to comply with legal obligations such as tax laws and data retention requirements

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

• Consent - We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.

• Performance of a Contract - We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.

• Legal Obligations - We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with law enforcement, regulatory agencies, or in connection with tax obligations.

• Vital Interests - We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

• Legitimate Interests - We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:

  • Provide and improve our Services

  • Detect, prevent, and address security issues

  • Diagnose technical problems and maintain our infrastructure

  • Understand how our Services are used to improve user experience

If you are located in Canada, this section applies to you.

We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

If you are located outside the EU, UK, and Canada, this section applies to you.

In some regions (like the United States), you may have certain rights under applicable privacy laws, but we may process your personal information based on legitimate business purposes or contractual necessity.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We only share information with essential service providers necessary to operate our Services. We do NOT sell your personal information.

We may share your personal information in the following situations:

Service Providers: We share your information with third-party vendors and service providers who perform services for us or on our behalf and require access to such information to do that work. These service providers are:

  1. Paddle.com Market Limited (UK)

    • Purpose: Payment processing, subscription management, tax compliance

    • Data Shared: Email, customer ID, subscription status, transaction data

    • Compliance: PCI DSS 4.0 Level 1, GDPR compliant, SOC 2

    • Paddle Privacy Policy: https://www.paddle.com/legal/privacy

    • Note: Paddle is the Merchant of Record and handles all payment data

  2. Supabase, Inc. (USA)

    • Purpose: Database hosting, user authentication

    • Data Shared: Email, user ID, subscription status, authentication tokens

    • Compliance: SOC 2 Type II, GDPR compliant, ISO 27001

    • Encryption: AES-256 at rest, TLS 1.3 in transit

    • Supabase Privacy Policy: https://supabase.com/privacy

  3. Vercel, Inc. (USA)

    • Purpose: Web hosting, API endpoints

    • Data Shared: IP addresses (logs retained 30 days), HTTP request data

    • Compliance: SOC 2, ISO 27001, GDPR compliant

    • Vercel Privacy Policy: https://vercel.com/legal/privacy-policy

  4. Google LLC (USA)

    • Purpose: OAuth authentication, Web Push notifications, Google Tasks API

    • Data Shared: Email, name (optional), profile picture (optional), Google Tasks data (read-only)

    • Compliance: GDPR compliant, industry-standard OAuth 2.0

    • Google Privacy Policy: https://policies.google.com/privacy

    • Note: You can revoke ColorKit's access to your Google account at any time via https://myaccount.google.com/permissions

We do NOT:
• Sell your personal information to third parties
• Share your data for advertising, marketing, or profiling purposes
• Provide your data to data brokers
• Share your calendar data with anyone (we don't access it)

Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will notify you of any such transaction.

Legal Requirements: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).

Protect Rights and Safety: We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person, or illegal activities, or as evidence in litigation in which we are involved.

International Data Transfers

Your information may be transferred to, and maintained on, servers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

If you are located in the EU, UK, or other regions with data protection laws, please note:

• Supabase (USA): EU Standard Contractual Clauses (SCCs) in place
• Vercel (USA): EU Standard Contractual Clauses (SCCs) in place
• Paddle (UK): UK GDPR adequacy decision, no additional safeguards needed for EU transfers
• Google (USA): EU-US Data Privacy Framework participant, GDPR compliant

We take all necessary measures to ensure that your data is treated securely and in accordance with this Privacy Notice and applicable data protection laws.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We use minimal cookies for authentication. We do NOT use cookies for advertising or tracking.

Cookies We Use:

• Authentication Cookies (Essential)

  • Purpose: Maintain your login session via Supabase Auth

  • Type: HttpOnly, Secure, SameSite=Lax

  • Duration: 1 hour (access token), renewable via refresh token

  • Provider: Supabase

  • You cannot disable these without losing the ability to use ColorKit

• Paddle Checkout Cookies (Payment Processing)

  • Purpose: Secure payment processing and fraud prevention

  • Type: Session cookies, set by Paddle during checkout

  • Duration: Session-based

  • Provider: Paddle

  • These cookies are managed by Paddle and are necessary for payment processing

Chrome Sync Storage (Not Cookies):

• ColorKit stores your settings and preferences using Chrome's built-in sync storage
• This allows your customizations to sync across devices where you're signed into Chrome
• This is NOT a cookie and is managed by Google Chrome, not by us
• You can disable Chrome Sync at any time via Chrome settings

We do NOT use:

• Advertising cookies
• Analytics cookies (we use privacy-first, minimal logging)
• Third-party tracking pixels
• Social media tracking cookies
• Cross-site tracking

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: We use Google OAuth for secure authentication without storing passwords.

Our Services offer you the ability to register and log in using your Google account. Where you choose to do this, we will receive certain profile information about you from Google. The profile information we receive may include your email address, name, and profile picture.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by Google. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information.

You can revoke ColorKit's access to your Google account at any time by visiting:
https://myaccount.google.com/permissions

Revoking access will:
• Log you out of ColorKit
• Disable ColorKit features that require authentication
• Remove our access to your Google Tasks (if you enabled this feature)
• NOT delete your ColorKit account or subscription (contact us to delete your account)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  7. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

Retention Periods:

Active Account Data:
• Email, name, profile picture: Retained while your account is active
• Subscription status: Retained while your account is active
• Authentication tokens: 1 hour (access token), renewable via refresh token
• Chrome Sync settings: Retained indefinitely by Google Chrome (you control this)

After Account Deletion Request:
• Active account data: Deleted within 14 days
• Anonymized usage logs: Retained for up to 30 days, then deleted
• Financial records: Retained for 7 years (legal requirement for tax purposes)

Server Logs:
• IP addresses and HTTP logs: Retained for 30 days, then automatically deleted
• Error logs: Retained for 90 days for debugging, then deleted

Push Notification Data:
• Push subscription endpoints: Retained while your account is active
• Deleted within 14 days of account deletion or when you uninstall the extension

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  8. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We use industry-standard security measures including TLS 1.3, AES-256 encryption, and end-to-end encrypted push notifications.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

Our Security Measures:

Encryption:
• TLS 1.3 encryption for all data in transit (HTTPS enforced)
• AES-256 encryption for data at rest (Supabase database)
• End-to-end encryption for Web Push notifications (keys generated by your browser, we cannot decrypt)

Authentication & Access Control:
• Google OAuth 2.0 (no passwords stored by us)
• JWT tokens with 1-hour expiration
• HttpOnly, Secure, SameSite=Lax cookies
• Row-Level Security (RLS) in database - users can only access their own data
• Principle of least privilege for API access

Infrastructure Security:
• Serverless hosting on Vercel (automatic security updates)
• SOC 2 Type II compliant infrastructure (Supabase, Vercel)
• Regular security updates and dependency scanning
• Environment variables stored securely (never in code)

Payment Security:
• PCI DSS 4.0 Level 1 compliant payment processing via Paddle
• We never see or store credit card information
• All payment data handled exclusively by Paddle

Code Security:
• Content Security Policy (CSP) enforced
• No inline JavaScript (required by Chrome Manifest V3)
• No eval() or remote code execution
• Parameterized database queries (SQL injection prevention)

Monitoring & Response:
• Automated security alerts via GitHub Dependabot
• Server logs monitored for suspicious activity
• 72-hour breach notification commitment (GDPR requirement)

Despite these measures, you should be aware that transmission of information via the internet is not completely secure. We will do our best to protect your personal information, but we cannot guarantee the security of your information transmitted to our Services.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  9. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services.

If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records.

If you become aware of any data we may have collected from children under age 18, please contact us at adam@calendarextension.com.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  10. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your location, you may have certain rights regarding your personal information, including the right to access, correct, delete, and export your data.

Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. You can withdraw your consent by contacting us at adam@calendarextension.com or by revoking access via https://myaccount.google.com/permissions.

Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Account Information: If you would at any time like to review or change the information in your account or terminate your account, you can:
• Visit your dashboard at https://portal.calendarextension.com
• Contact us at adam@calendarextension.com

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases within 14 days. However, we may retain some information in our files for:
• Legal obligations (e.g., tax records - 7 years)
• Preventing fraud
• Resolving disputes
• Troubleshooting problems
• Enforcing our legal terms

Opting out of marketing communications: You can unsubscribe from our marketing email list at any time by clicking on the unsubscribe link in the emails that we send or by contacting us at adam@calendarextension.com. You will then be removed from the marketing email list. However, we may still communicate with you regarding:
• Your account
• Your subscription
• Service announcements
• Security alerts
• Administrative messages

These transactional messages are necessary for providing the Services and cannot be opted out of without terminating your account.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  11. CONTROLS FOR DO-NOT-TRACK FEATURES

In Short: We respect Do-Not-Track (DNT) signals and do not track users.

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected.

ColorKit does not engage in tracking across websites or over time, so DNT signals do not affect our Services. We do not use third-party advertising networks, analytics that track across sites, or other cross-site tracking technologies.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of California, Colorado, Connecticut, Utah, or Virginia, you have specific rights regarding access to your personal information.

California Residents (CCPA/CPRA)

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year.

NOTE: We do NOT share personal information with third parties for their direct marketing purposes.

California Consumer Privacy Act (CCPA) Rights:

If you are a California resident, you have the following rights:

  1. Right to Know: You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months, including:
    • Categories of personal information collected
    • Categories of sources of personal information
    • Business or commercial purpose for collecting personal information
    • Categories of third parties with whom we share personal information
    • Specific pieces of personal information we collected about you

  2. Right to Delete: You have the right to request that we delete personal information we collected from you, subject to certain exceptions.

  3. Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.

  4. Right to Opt-Out of Sale: You have the right to opt-out of the sale of your personal information.
    NOTE: We do NOT sell personal information.

  5. Right to Limit Use of Sensitive Personal Information: You have the right to limit the use of sensitive personal information.
    NOTE: We do NOT collect sensitive personal information.

  6. Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, contact us at adam@calendarextension.com. We will verify your request and respond within 45 days (extendable by 45 days if needed).

Other State Privacy Rights (Colorado, Connecticut, Utah, Virginia)

If you are a resident of Colorado, Connecticut, Utah, or Virginia, you have similar rights under your state's privacy law:

• Right to Access: Confirm whether we process your personal data and access such data
• Right to Correction: Correct inaccuracies in your personal data
• Right to Deletion: Delete personal data you provided to us
• Right to Data Portability: Obtain a copy of your personal data in a portable format
• Right to Opt-Out: Opt-out of targeted advertising, sale of personal data, or profiling
  NOTE: We do NOT engage in targeted advertising, sale of personal data, or profiling.

To exercise these rights, contact us at adam@calendarextension.com.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  13. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: You may have additional rights based on the country you reside in.

European Economic Area (EEA), United Kingdom (UK), and Switzerland

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR and UK GDPR:

  1. Right to Access: You have the right to request access to the personal information we hold about you.

  2. Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal information.

  3. Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal information under certain circumstances.

  4. Right to Restrict Processing: You have the right to request that we restrict processing of your personal information under certain circumstances.

  5. Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format and transmit it to another controller.

  6. Right to Object: You have the right to object to processing of your personal information under certain circumstances, including processing based on legitimate interests.

  7. Right to Withdraw Consent: Where we rely on consent to process your personal information, you have the right to withdraw that consent at any time.

  8. Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

UK Supervisory Authority:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk/make-a-complaint/

EU Supervisory Authorities:
Find your local Data Protection Authority at: https://edpb.europa.eu/about-edpb/board/members_en

To exercise your GDPR rights, contact us at adam@calendarextension.com. We will respond within 30 days (extendable by 60 days for complex requests).

Canada (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

• Right to Access: Request access to your personal information
• Right to Correction: Request correction of inaccurate information
• Right to Withdraw Consent: Withdraw consent at any time
• Right to Complain: File a complaint with the Privacy Commissioner of Canada

Contact: adam@calendarextension.com

Australia (Privacy Act)

If you are an Australian resident, you have rights under the Australian Privacy Principles (APPs):

• Right to Access: Request access to your personal information
• Right to Correction: Request correction of inaccurate information
• Right to Complain: File a complaint with the Office of the Australian Information Commissioner (OAIC)

Contact: adam@calendarextension.com

Brazil (LGPD)

If you are a Brazilian resident, you have rights under the Lei Geral de Proteção de Dados (LGPD):

• Right to Access, Correction, Deletion, Portability, and more
• Right to Withdraw Consent
• Right to File a Complaint with the National Data Protection Authority (ANPD)

Contact: adam@calendarextension.com

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  1. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws and reflect changes to our practices.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice.

If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

You can see when this Privacy Notice was last updated by checking the "Last updated" date at the top of this Privacy Notice.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  1. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this Privacy Notice, you may contact us:

By email: adam@calendarextension.com

By visiting our website: https://calendarextension.com

Data Controller Information:
Calendar Extension (ColorKit for Google Calendar)
Email: adam@calendarextension.com

For EU/UK residents:
If you have concerns about how we handle your personal information, you have the right to lodge a complaint with your local data protection authority. However, we encourage you to contact us first so we can address your concerns directly.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  1. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you and details about how we have processed it, to correct inaccuracies, or to delete your personal information.

To review, update, or request deletion of your personal information:

  1. Visit Your Dashboard: https://portal.calendarextension.com

    • View your account information

    • Update your email or profile

    • Request account deletion

  2. Email Us: adam@calendarextension.com

    • Request a copy of your data (data export)

    • Request correction of inaccurate data

    • Request deletion of your account

  3. Revoke Google Access: https://myaccount.google.com/permissions

    • Revoke ColorKit's access to your Google account

    • This will log you out and disable features requiring authentication

Account Deletion Process:
• Submit deletion request via dashboard or email
• We will confirm your request via email
• Your account and data will be deleted within 14 days
• Financial records retained for 7 years (legal requirement)
• Deletion is permanent and cannot be undone

We will respond to your request within:
• 30 days (GDPR/UK GDPR)
• 45 days (CCPA, extendable by 45 days)
• As required by applicable law in your jurisdiction

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

COMPLIANCE STATEMENT

This Privacy Notice complies with:
• EU General Data Protection Regulation (GDPR)
• UK GDPR and Data Protection Act 2018
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)
• Virginia Consumer Data Protection Act (VCDPA)
• Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
• Australia Privacy Act and Australian Privacy Principles (APPs)
• Brazil Lei Geral de Proteção de Dados (LGPD)
• Google Chrome Web Store User Data Policy and Limited Use requirements (2025)

Last Updated: January 4, 2025