Privacy Policy
Last updated: 2026-06-11
1. What we collect
When you use OBC Calendar, we collect:
- Account info: email address, password hash, sign-in timestamps.
- Workspace data: couriers, jobs, availability windows, invoices, calendar feed tokens, and everything else you create inside the Service.
- Billing info: Stripe customer + subscription IDs. Payment card details are handled by Stripe; we never see or store them.
- Server logs: IP addresses, request timestamps, user-agent strings, retained briefly for security and debugging.
2. Why we collect it
- To operate the Service and provide the features you signed up for.
- To process billing through Stripe.
- To send transactional email (signup confirmations, job invitations, invoice deliveries) via Resend.
- To prevent fraud and abuse (including the trial-history check that prevents repeat free trials on the same email).
- To improve the Service.
3. Where it lives
- Application data is stored in Supabase (Postgres + Storage), hosted on AWS infrastructure.
- Application code runs on Vercel.
- Billing data is handled by Stripe.
- Transactional email is delivered by Resend.
- Error reports (if any) are sent to Sentry. Personal data is scrubbed before sending.
4. Who has access
Your data is yours. Inside the Service:
- You and the members of your workspace see your workspace data per the role assignments you make.
- If you connect to a firm as a courier, that firm sees your availability and the jobs they assign you. They do not see jobs from other firms (see also: the cross-firm phantom slot design).
- Our team has limited access for support and debugging, and only when needed.
- We don't sell your data or use it for advertising.
5. How long we keep it
Active workspace data is retained as long as your account is active. When you delete your account from Settings → Account:
- Your workspaces and their data are scheduled for deletion after a 30-day grace period (so you can restore if you change your mind).
- After 30 days, all data is permanently removed from Supabase.
- A minimal trial-history record (your normalized email address) is retained to prevent re-trial abuse. This record contains no personal data beyond the email.
- Stripe retains billing records per its own data-retention policy.
6. Your rights
Depending on your jurisdiction (notably the EU under GDPR and California under CCPA), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (Settings → Account → Delete account).
- Export your data (Settings → Account → Download my data).
- Object to processing for direct-marketing purposes.
Exercise any of these by emailing info@obccalendar.com. We'll respond within 30 days.
7. Security
We use Supabase's Row Level Security policies to isolate workspace data, HTTPS for all traffic, and Stripe-hosted checkout for billing so payment-card data never touches our servers. No system is perfectly secure; we'll notify you per local breach-notification law if a security incident affects your data.
8. Cookies and tracking
We use cookies only for authentication (keeping you signed in) and security. We don't use third-party advertising or behavioral-tracking cookies.
9. Changes
We may update this Privacy Policy occasionally. Material changes will be communicated via email or in-app notice before they take effect.
10. Contact
Questions, complaints, or rights requests? Email info@obccalendar.com.