Privacy Policy

Last updated: March 2026

What caldir does

caldir is an open-source command-line tool that syncs your calendar between cloud providers (like Google Calendar) and local .ics files on your computer. All calendar data is stored locally on your filesystem.

What caldir.org processes

caldir.org provides an OAuth relay service so you can authenticate with Google Calendar without creating your own Google Cloud project.

During authentication, caldir.org temporarily processes:

Your OAuth authorization code and tokens pass through caldir.org during the initial authentication and when refreshing expired access tokens. These are relayed directly to and from Google's servers and are never stored, logged, or retained on caldir.org.

Google user data: scopes and use

caldir requests the following Google OAuth scopes:

  • calendar.calendarlist.readonly — to read your list of calendars so you can choose which ones to sync.
  • calendar.events.owned — to read and write calendar events that you own, enabling bidirectional sync between Google Calendar and your local .ics files.

caldir uses Google user data solely to synchronize your calendar events between Google Calendar and local files on your computer. Your Google data is not used for advertising, analytics, or any other purpose.

Where your data lives

All calendar data and authentication tokens are stored locally on your computer:

  • Calendar events are saved as .ics files in your calendar directory (e.g., ~/caldir/).
  • OAuth tokens are stored in ~/.config/caldir/providers/google/session/.

No Google user data is stored on caldir.org or any remote server controlled by caldir.

Data protection

caldir protects your Google user data through the following mechanisms:

  • All communication with Google's APIs and the caldir.org OAuth relay is encrypted in transit using HTTPS/TLS.
  • OAuth tokens and calendar data are stored only on your local filesystem, protected by your operating system's file permissions.
  • The caldir.org OAuth relay processes authorization codes and tokens in memory only — they are never written to disk, logged, or persisted.
  • caldir requests the minimum OAuth scopes necessary for calendar sync (read-only calendar list, owned events only).

Data retention and deletion

On caldir.org: No Google user data is retained. Authorization codes and tokens pass through in memory during authentication and token refresh, and are immediately discarded.

On your computer: Calendar data and OAuth tokens are stored locally for as long as you choose to keep them. You can delete your data at any time by:

  • Deleting your local calendar files (e.g., rm -rf ~/caldir/).
  • Deleting your stored OAuth tokens (e.g., rm -rf ~/.config/caldir/).
  • Revoking caldir's access in your Google Account permissions.

Third parties

caldir does not share your Google user data with any third parties. The only external services involved are Google Calendar (for sync) and the caldir.org OAuth relay (for authentication only, with no data retention).

Self-hosted alternative

If you prefer not to use the caldir.org relay, you can create your own Google Cloud project and provide your own OAuth credentials. In this mode, caldir.org is not involved at all.

Contact

For questions about this privacy policy, open an issue on GitHub.