NimbleCal

Security

Last reviewed May 14, 2026

How we protect your data.

Security features

End-to-end encryption

Calendar content you save in the app is encrypted on your devices before storage or sync.

  • Authenticated encryption via libsodium secretbox
  • Keys derived from your password on-device
  • Servers store encrypted blobs plus limited sync metadata
  • For encrypted calendar records you store or sync in the app, NimbleCal cannot read your event titles, notes, or descriptions in plaintext

Email invites are the main exception today. If you send an Email invite, NimbleCal stores and sends recipient email addresses for delivery, plus the invitation details recipients and email systems need to understand the invite, including the event title, start/end time, timezone, organizer name/email, optional organizer message, and any event location or description.

See: Encryption overview

Local-first architecture

Your data lives in your browser first (IndexedDB), so the app stays fast and offline-friendly.

  • Local encrypted storage (RxDB / IndexedDB)
  • Offline viewing and editing (syncs when you're back online)
  • Import/export via ICS to avoid lock-in (note: .ics files are plain text outside NimbleCal)

See: Offline mode

Signup abuse protection

Account signup uses Friendly Captcha plus a short-lived verification record checked at the real account-creation boundary.

  • NimbleCal verifies the challenge on its own server path before it asks Supabase Auth to create the account.
  • NimbleCal stores hashed proof records, limited verification metadata, and related timestamps needed to enforce the boundary and support incident review. Those records are short-lived; see the Privacy Policy for the current retention details.
  • This flow currently applies to account signup.

See: Privacy and security FAQ

Privacy by design

Built from the ground up with privacy as the primary concern.

  • No ads in the app
  • No third-party analytics scripts in the app
  • The website uses Plausible for cookie-free aggregate pageview analytics and limited website click-event labels
  • We do not sell your personal data or calendar content, share that data or content for cross-context behavioral advertising or targeted advertising, build advertising profiles from that data or content, or use that data or content to train AI models

Security practices

Defense-in-depth posture

We aim to keep the attack surface small and use reputable infrastructure providers for auth, hosting, and payments.

Responsible disclosure

There is a clear process for security researchers to report vulnerabilities responsibly.

Data-minimizing defaults

Calendar content you save in the app is encrypted end-to-end by default. NimbleCal servers still process the account, billing, sync, reminder, diagnostic, signup abuse-protection, support, feedback, and invite data needed to run the service.

No calendar content recovery

Because calendar content is end-to-end encrypted, we cannot decrypt or recover it on your behalf. Quick unlock is a trusted-device local unlock helper, not recovery for a brand-new device. Password resets preserve access only when you can still unlock encryption on a trusted device; if you lose your password and every trusted-device unlock path, the fallback may be to start fresh.

Report a security issue

If you discover a security vulnerability, please report it responsibly to:

security@nimblecal.com

We appreciate your help in keeping NimbleCal secure for everyone.

Related: