⚠️ Draft pending review. This document is a working draft and has not yet been reviewed by counsel. Do not treat it as the published policy. This notice will be removed once review is complete.
Effective date: April 23, 2026
Last updated: April 23, 2026
1. Who we are
already.events ("already.events", "we", "us", "our") is operated by The French Company Grocer, LLC, a Texas limited liability company doing business as already.events. For the purposes of the EU General Data Protection Regulation ("GDPR") and the UK GDPR, we are the data controller of the personal data described in this policy.
- Website: https://already.events
- Contact for privacy matters: support@already.events
If you have questions about this policy or want to exercise any of the rights described below, email us at the address above.
2. Summary
already.events is a calendar-sharing tool. You connect your Google Calendar, choose what to show, and we render a public view at a subdomain of already.events. To do that, we need read-only access to your calendar data and a small amount of account and billing information. We don't sell your data, we don't use it to train machine-learning models, and we don't use it for advertising. The sections below describe exactly what we collect, why, for how long, and how to get it removed.
3. Personal data we collect and why
The table below lists every category of personal data we process, the purpose, and the legal basis under GDPR Article 6 (where applicable).
| Category | Source | Purpose | GDPR Art. 6 basis |
|---|---|---|---|
| Email address | You (via Google OAuth or direct entry) | Account identity, magic-link sign-in, billing receipts, service notices | Contract (6(1)(b)); legitimate interests for transactional notices (6(1)(f)) |
| Display name, profile picture | Google OAuth | Showing your signed-in state in the app; optionally displaying on your public view if you choose | Contract (6(1)(b)) |
| Google OAuth refresh token | Google, on your authorization | Fetching your calendar data on your behalf to render your published views | Contract (6(1)(b)) |
| Google Calendar list and event data | Google Calendar API | Rendering the public views you choose to publish | Contract (6(1)(b)) |
| Billing data (Stripe customer ID, subscription status, transaction records) | Stripe | Processing your subscription, issuing receipts, preventing fraud | Contract (6(1)(b)); legal obligation for tax records (6(1)(c)) |
| Session and auth tokens | Generated by us when you sign in | Keeping you signed in securely | Contract (6(1)(b)) |
| Request logs (IP address, user-agent, timestamp) | Your browser via Cloudflare | Security, abuse prevention, debugging | Legitimate interests (6(1)(f)) |
We do not collect special-category data (racial or ethnic origin, political opinions, health data, biometric data, etc.). Please do not put such data into your calendar event titles or descriptions if you intend to publish them, because anything you publish becomes visible to whoever you share the view with.
Card details. We never see or store your payment card numbers. Stripe handles card data directly and is PCI-DSS compliant.
4. Google user data — Limited Use disclosure
already.events's use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4.1 Exactly what we access
When you connect your Google account, we request only these OAuth scopes:
- https://www.googleapis.com/auth/calendar.calendarlist.readonly — to list the calendars on your Google account so you can pick which ones to use.
- https://www.googleapis.com/auth/calendar.events.readonly — to read events from the calendars you've chosen, so we can render them on your public view.
Both scopes are read-only. We cannot create, modify, or delete events or calendars on your Google account.
4.2 How we use this data
We use Google user data for the sole purpose of providing the user-facing calendar-sharing feature that you signed up for: rendering the public views you choose to publish. Consistent with the Limited Use requirements, we affirm:
- We do not sell Google user data.
- We do not transfer Google user data to third parties except as necessary to provide or improve the user-facing features of already.events, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data, except (a) with your explicit consent for specific events (such as a support request where you ask us to look at a specific event), (b) where necessary for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized and is used for internal operations.
- We do not use Google user data to develop, improve, or train generalized or non-personalized AI or machine-learning models.
4.3 Storage and revocation
We store only refresh tokens, encrypted at rest. Access tokens are fetched as needed and are held only in memory for the duration of a request. You can disconnect already.events at any time from your Google Account connections page; doing so revokes our access immediately. Revocation through Google's interface does not automatically delete your already.events account — to do that, use the account deletion flow described in Section 8.
5. Subprocessors
We use the following third-party service providers ("subprocessors") to operate already.events. Each of them processes personal data on our behalf under a data processing agreement.
| Subprocessor | Function | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, invoicing | USA |
| Google LLC | OAuth authentication and Google Calendar API | USA |
| Resend (Resend Inc.) | Transactional email delivery (magic-link sign-in, account notices) | USA |
| Cloudflare, Inc. | Hosting, CDN, DNS, edge email routing | USA (with global edge) |
We will update this list when we add or replace a subprocessor. Material changes will be announced as described in Section 13.
6. International data transfers
already.events is operated from the United States, and all our subprocessors listed above are US-based. If you access the service from outside the United States (including from the European Economic Area, the United Kingdom, or Switzerland), your personal data will be transferred to and processed in the United States.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum, together with appropriate supplementary measures (encryption in transit and at rest, access controls, scoped credentials). Where a subprocessor participates in the EU–US Data Privacy Framework (Stripe, Google, and Cloudflare are certified), we also rely on that framework as an adequate transfer mechanism.
You may request a copy of the relevant transfer safeguards by emailing support@already.events.
7. How long we keep data (retention)
| Data | Retention |
|---|---|
| Account profile data (email, name, picture) | Until you delete your account |
| Google OAuth refresh tokens | Until you delete your account or disconnect Google |
| Cached Google Calendar data | Only as long as needed to render your views; refreshed or discarded on each fetch cycle |
| Billing data (Stripe customer, subscription) | Until you delete your account; Stripe retains transaction records per its own policy |
| Invoices / receipts | 7 years (retained by Stripe on our behalf for US tax compliance) |
| Session and auth tokens | Until expiry or sign-out |
| Request logs (IP, user-agent, timestamp) | Approximately 30 days at Cloudflare |
| Deletion audit row (one-way hash of email + timestamp only — no PII) | Retained indefinitely for fraud and abuse prevention |
8. Deleting your account
You can delete your already.events account yourself from within the app. When you do:
- Your Google OAuth refresh token is revoked server-side so we can no longer access your calendar.
- Your Stripe subscription is canceled.
- Personal-data fields on your Stripe customer record (name, email, phone, address) are cleared via Stripe's API. Past invoice PDFs remain at Stripe for 7 years to satisfy US tax retention guidance (IRS records-retention rules).
- All account data in our own systems is deleted.
- We retain a single audit row containing only a one-way hash of your email address and the deletion timestamp. This row contains no personal data that can be used to contact or identify you, and exists to prevent abuse (for example, to stop someone from cycling deletion to evade a ban).
If you'd prefer we handle the deletion for you, email support@already.events from the address on your account.
9. Your rights
9.1 If you are in the EEA, UK, or Switzerland (GDPR / UK GDPR)
You have the following rights with respect to your personal data:
- Right of access (Art. 15) — to confirm whether we process your data and receive a copy.
- Right to rectification (Art. 16) — to correct inaccurate data.
- Right to erasure (Art. 17) — to have your data deleted (the "right to be forgotten"). You can exercise this yourself via the in-app deletion flow at any time.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — to receive your data in a machine-readable format. For Google Calendar data, Google Takeout is the most direct option since we don't store a structured copy of your event history.
- Right to object (Art. 21) to processing based on legitimate interests.
- Rights related to automated decision-making (Art. 22) — we do not make automated decisions with legal or similarly significant effects about you.
To exercise any of these rights, email support@already.events from the address on your account. We will respond within 30 days. If we cannot verify your identity or your request is manifestly unfounded or excessive, we may decline or charge a reasonable fee, and we will explain why.
You also have the right to lodge a complaint with your national data protection authority. In the UK, that's the Information Commissioner's Office.
9.2 If you are a California resident (CCPA / CPRA)
You have the following rights:
- Right to know what personal information we collect, use, disclose, and retain about you.
- Right to delete your personal information (with limited exceptions, such as records we must keep for tax purposes).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination for exercising these rights.
To exercise any of these rights, email support@already.events. We may need to verify your identity before fulfilling your request. You may also designate an authorized agent to make a request on your behalf.
10. Cookies and local storage
already.events uses a small number of cookies and browser-storage entries. We do not use advertising or cross-site tracking cookies.
| Item | Type | Purpose |
|---|---|---|
| Session token cookie | HTTP cookie, HttpOnly, Secure (in production), SameSite=None (in production; Lax in local development) | Keeps you signed in. SameSite=None is required in production because our app (app.already.events) and API (api.already.events) live on different subdomains; we apply a defense-in-depth X-Requested-With header check on destructive requests to mitigate the CSRF surface that SameSite=None opens. |
| Cloudflare security cookies (if present) | HTTP cookie | Bot and abuse detection |
Session cookies are strictly necessary for the service to function and are not subject to consent under ePrivacy rules. You can clear them at any time through your browser settings, but you'll be signed out.
11. Children
already.events is not directed to children. We do not knowingly collect personal data from anyone under 13 (in the United States) or under 16 (in the EEA, unless a lower age applies in your country). If you believe a child has created an account, email support@already.events and we will delete the account promptly.
12. Security
We take the protection of your data seriously. Our measures include:
- Encryption in transit (TLS 1.2 or higher) for all connections to already.events.
- Encryption at rest for Google OAuth refresh tokens and other sensitive credentials.
- Scoped credentials — we request only the minimum OAuth scopes necessary.
- Principle of least privilege for internal access to production systems.
- Third-party processors (Stripe, Google, Cloudflare, Resend) that maintain their own recognized security certifications (SOC 2, ISO 27001, PCI-DSS as applicable).
No system is perfectly secure. If you believe your account has been compromised, email support@already.events immediately.
13. Changes to this policy
If we make material changes to this policy, we'll notify you by email to the address on your account and update the "Effective date" at the top. Continued use of already.events after a change takes effect constitutes acceptance of the updated policy. The current policy is always available at https://already.events/privacy.
14. Contact
Questions, requests, or complaints about this policy or your personal data:
The French Company Grocer, LLC (d/b/a already.events)
Email: support@already.events