Privacy Policy
TL;DR: NimbleCal is end-to-end encrypted for calendar content. The servers see your email address and basic account and billing information, encrypted blobs of calendar data, subscription metadata, optional diagnostics you choose to include when sending feedback, and optional email update preferences if you opt in. We do not run ads or behavioral tracking, and we do not use your calendar content to train AI models.
Last updated: January, 2026
Introduction
NimbleCal is operated by Nimbledot, LLC ("NimbleCal", "we", "us"). This privacy policy describes how we handle data for:
- The NimbleCal web app at app.nimblecal.com and related domains
- The NimbleCal marketing site at www.nimblecal.com and related domains
- Backend services used for sync, authentication, payments, and email
Where this policy says "server" it means our backend infrastructure and managed services (for example Supabase, Polar, and Plunk) that process data on our behalf.
High-level data model
NimbleCal uses an end-to-end encrypted, local-first architecture:
- Your calendar content (titles, descriptions, locations, notes, and other event details) is encrypted on your device with keys that never leave your device in plaintext.
- The server stores only encrypted blobs of calendar, event, settings, and key data. We cannot read your calendar content.
- Some metadata is stored unencrypted so the system can function (for example, an internal identifier linking records to your account, flags that mark records as deleted, and timestamps for sync and notifications). This metadata never includes your event titles, descriptions, or other calendar text.
- Authentication, subscription, and feedback features require handling personal data such as email addresses and payment metadata; these parts are not zero-knowledge.
The rest of this policy spells out, in detail, exactly what the servers see and what remains private to your devices.
What we do not do
Today:
- The NimbleCal app does not run analytics scripts, advertising, or cross-site tracking.
- The NimbleCal marketing site uses Plausible, a privacy-focused analytics tool with no cookies or cross-site tracking, only to understand aggregate traffic on nimblecal.com.
- We do not share your calendar content with advertisers or data brokers.
- We do not train AI models on your calendar content.
- We do not sell your data, and we cannot sell your calendar content because we cannot decrypt it without your keys.
What the servers can see
1. Account and authentication data
We use Supabase for authentication and user management. Through Supabase, the servers can see:
- Your email address and basic account profile (for example, display name if you provide it)
- Auth tokens and session metadata needed to keep you signed in
- Password hashes (using strong, slow hashing via libsodium; we never store raw passwords)
- Metadata about sign-in methods (for example, that you registered with email and password)
Supabase also maintains standard server logs (for example, IP address, user agent, timestamps, and error messages) in order to operate the service securely and debug issues.
We do not require your real name or a phone number to create a NimbleCal account. You can use an alias or forwarding email address if you prefer; we only use your email to identify your account, send essential messages like verification and password reset emails, and associate subscriptions with an account you control.
2. Encrypted calendar, event, settings, and key data
NimbleCal uses an encrypted local database (RxDB) in your browser and synchronizes data to Supabase. The key points:
- Event, calendar, and settings documents:
  - On your device, these are stored in local IndexedDB in RxDB collections such as encryptedCalendars, encryptedEvents, encryptedSettings, and encryptedKeys.
  - Each record contains:
    - Non-sensitive metadata in plaintext:
      - A unique identifier (for example id)
      - An internal owner identifier (for example ownerId) that links the record to your account
      - Timestamps such as lastModified
      - Soft-deletion flags such as isDeleted and isVisible
    - Encrypted content:
      - A single encrypted blob (for example encryptedData with a matching dataNonce) that contains the serialized document, including event titles, descriptions, locations, notes, recurrence details, and other sensitive fields.
- Encryption:
  - A per-user Data Encryption Key (DEK) is derived and protected using your password and libsodium's modern cryptography (for example: secretbox for authenticated encryption and Argon2id for key derivation).
  - Additional per-calendar and per-event keys are generated and stored encrypted in the encryptedKeys collection; the plaintext keys never reach the server.
  - The server sees only ciphertext and non-sensitive metadata; it cannot decrypt your calendar content without your keys, which we never store in plaintext.
In other words: the server can tell that a particular account (identified by an internal user ID linked to your email) has N calendars and M events and when they were last changed, but it cannot see what those events actually say.
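The record layout and key handling described in this section, as an added example that is not NimbleCal's code. It assumes a randomly generated DEK wrapped under a password-derived key, uses one DEK rather than per-calendar and per-event keys, and substitutes Node's built-in scrypt and AES-256-GCM for Argon2id and secretbox, which Node's standard library lacks; function names and sample values are constructed.

```javascript
// Added illustration, not NimbleCal code. Stand-ins (assumptions): scrypt for
// Argon2id, AES-256-GCM for libsodium secretbox.
const crypto = require('node:crypto');

// Authenticated encryption. Output field names follow the policy's examples.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final(), c.getAuthTag()]);
  return { encryptedData: ct.toString('base64'), dataNonce: nonce.toString('base64') };
}

// Throws if the key is wrong or the ciphertext was modified.
function open(key, { encryptedData, dataNonce }) {
  const buf = Buffer.from(encryptedData, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(dataNonce, 'base64'));
  d.setAuthTag(buf.subarray(buf.length - 16));
  return Buffer.concat([d.update(buf.subarray(0, buf.length - 16)), d.final()]);
}

// Password -> key-encryption key (KEK). The salt is not secret.
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Client side: generate a DEK and wrap it. Only `stored` would be uploaded.
function createWrappedDek(password) {
  const salt = crypto.randomBytes(16);
  const dek = crypto.randomBytes(32);
  const wrapped = seal(deriveKek(password, salt), dek);
  return { dek, stored: { salt: salt.toString('base64'), ...wrapped } };
}

function unwrapDek(password, stored) {
  return open(deriveKek(password, Buffer.from(stored.salt, 'base64')), stored);
}

// Client side: plaintext metadata plus one encrypted blob of the document.
function toSyncRecord(dek, doc, meta) {
  return { ...meta, ...seal(dek, Buffer.from(JSON.stringify(doc))) };
}

function fromSyncRecord(dek, record) {
  return JSON.parse(open(dek, record).toString());
}

// Constructed sample data.
const { dek, stored } = createWrappedDek('correct horse battery staple');
const record = toSyncRecord(dek,
  { title: 'Dentist', location: '12 Example St', notes: 'bring x-rays' },
  { id: 'evt_1', ownerId: 'user_1', lastModified: 1767225600000, isDeleted: false });
console.log(record); // what a server would hold: metadata plus ciphertext
```

The printed record is the server's whole view of the event: identifiers, a timestamp, a deletion flag, and ciphertext. Decryption fails on a wrong password or on any modification of the stored blob.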
3. Reminder scheduling metadata (not end-to-end encrypted)
To support notifications and upcoming-event queries, NimbleCal maintains a separate "reminders" collection that is intentionally not end-to-end encrypted. This collection contains only scheduling metadata:
- reminderId (for example, a composite of event ID and time)
- eventId (internal identifier of the related encrypted event)
- userId (which user owns the reminder)
- reminderTime (the UTC timestamp when the reminder should fire)
- Timestamps such as createdAt and updatedAt
- Soft-deletion flags
This means:
- The server can see that there is a reminder associated with a given event and roughly when it should fire.
- The server does not see the event title, description, location, attendees, or other calendar content associated with the reminder; those remain inside the encrypted event payload.
We keep this reminder information unencrypted so that a backend process can efficiently determine which reminders are due and trigger notifications across your devices. To minimize exposure, we limit this to the minimum fields needed to schedule reminders (IDs and timestamps) and keep all human-readable event content inside the encrypted event documents.
4. Subscription and payment-related data
We use Polar for subscription billing and Supabase for storing subscription snapshots:
- When you purchase a subscription:
  - Polar creates a checkout session and processes your payment.
  - Polar passes us webhook events that include subscription IDs, product IDs, customer IDs, and the customer email address associated with the subscription.
  - We do not log full webhook payloads or customer emails in plain text logs.
- In Supabase, we store subscription records such as:
  - Subscription ID
  - Customer ID and (for compatibility with billing flows) a copy of the customer email address
  - Product ID and subscription status (for example, active, canceled, revoked)
  - Period start and end timestamps
  - Flags such as "cancel at period end"
- We also record minimal subscription status flags in your Supabase user metadata (for example, whether you are on the free or paid tier).
Polar itself processes your payment method details. We do not store your card number or bank information on our own servers.
5. Feedback and support data
If you choose to send feedback from within the app:
- The "Feedback" form stores your submission in a Supabase table (for example user_feedback) with fields such as:
  - Category (for example bug, feature, other)
  - The message you typed (truncated to a reasonable length)
  - Optional email address if you choose to include it so we can reply
  - Optional diagnostics (for example browser user agent, platform, language, and timezone) if you leave diagnostics enabled
- This data is visible to us for the purpose of triaging issues and improving the product.
- Feedback is not used for advertising, is not shared with third-party marketers, and is not combined with your encrypted calendar content.
If you instead email us directly, we will of course receive whatever you send to that email address.
6. Email invitations and notifications
When we send email (for example invitations, and optional product updates if you opt in), we use an email provider (currently Plunk):
- The provider receives:
  - Recipient email addresses
  - Event summary details necessary to render the invitation (for example event title, times, timezone, location) and the invite link
  - Optional message from the organizer if you choose to include one
  - A small iCalendar (ICS) file that represents the event for calendar clients
- The invite link includes a token that allows the recipient to view and respond to the invitation. For privacy, we advise recipients not to forward the link.
- Plunk's API receives the email metadata and content. For privacy, we do not use open-tracking pixels or cross-site tracking for NimbleCal emails.
7. Cookies, local storage, and session storage
To keep you signed in and to support key management, the app uses:
- Supabase auth cookies:
  - Set on the app domain, used to maintain your authenticated session.
  - Marked with modern security attributes (for example Secure, HttpOnly, SameSite).
  - May be visible to Supabase edge functions and logs as part of normal operation.
- Local storage and session storage:
  - Used to store encrypted key material (for example a DEK encrypted with a key derived from your auth token), feature flags, and small pieces of state like "when you last submitted feedback".
  - Not used to store your event titles, descriptions, or other plaintext calendar content.
  - May be used to store device-specific salts or encrypted DEK blobs to support "remember this device" flows; these values alone are not sufficient to decrypt your data without your password or authentication.
The hosted app does not set third-party tracking cookies.
8. Marketing site data
The marketing site is hosted on Vercel:
- Vercel's edge network may log:
  - Request URLs and query parameters
  - IP address, user agent, and basic request headers
  - Response status codes and timing information
- The marketing site does not have user accounts or login forms.
- The marketing site has an optional email sign-up form for product updates. If you use it, we store your email address and preferences (like how often you want updates) and use them only to send the updates you asked for. You can unsubscribe anytime.
- The marketing site uses Plausible analytics to measure aggregate traffic on nimblecal.com. Plausible is a privacy-focused, cookie-free analytics service that does not track you across other sites or build advertising profiles. It receives standard web request information (such as page URL, referrer, approximate location based on IP, and user agent) to produce aggregated statistics. We use these statistics only to understand which pages are being visited and to improve the site.
What is end-to-end encrypted (zero-knowledge) versus not
End-to-end encrypted (server cannot read)
Encrypted on your device before leaving your browser:
- Event titles, descriptions, notes, and free-text details
- Event locations and internal notes fields
- Calendar titles, descriptions, color preferences, and similar configuration details
- Most user-specific settings that are stored in the encrypted settings collection
- Per-calendar and per-event encryption keys
In short: anything that would reveal the content of your schedule (who, what, where, why) is encrypted.
Not end-to-end encrypted (server can see)
Required for authentication, billing, sync coordination, or notifications:
- Your email address, account metadata, and subscription status
- Standard auth and infrastructure logs (IP address, user agent, timestamps)
- Encrypted document metadata such as IDs, ownerId, lastModified, deletion flags, and whether a calendar is visible
- Reminder records (event IDs, user IDs, timestamps when reminders should fire)
- Feedback submissions, including optional email and diagnostics if you provide them
- Invite email metadata (recipient addresses, event summary, invite link)
- Marketing email preferences (if you opt in)
- Any information you choose to send us directly by email or support channels
Third-party services and their privacy information
We rely on a small set of infrastructure providers to operate NimbleCal:
- Supabase (authentication, database, and sync APIs). See their privacy information on supabase.com.
- Polar (subscription billing and checkout). See their privacy information on polar.sh.
- Plunk (email delivery for invitations and optional opt-in product updates). See their privacy information on useplunk.com.
- Plausible (privacy-focused analytics for the marketing site). See their privacy information on plausible.io.
- Vercel (hosting for the app and marketing site). See their privacy information on vercel.com.
These providers process data on our behalf to deliver the Service. When they act as independent controllers (for example, in their own product analytics), their own privacy policies govern that processing.
Legal bases for processing (where applicable)
Depending on your jurisdiction, we may rely on different legal bases to process your data, including:
- Performance of a contract: For example, providing you with access to the app, syncing your encrypted data, and honoring your subscription.
- Legitimate interests: For example, securing the service, preventing abuse, debugging issues, and improving reliability, provided these interests are not overridden by your rights.
- Consent: For optional features like including your email and diagnostics with feedback. If we ever introduce app-level analytics or similar optional features beyond what is described here, we would only enable them with your explicit opt-in consent and would update this policy first. Where we rely on consent, you can withdraw it at any time in the relevant settings or by contacting us.
Data retention
We generally follow these guidelines:
- Account data and encrypted calendar data:
  - Retained while your account is active.
  - Deleted or anonymized within a reasonable period after you request account deletion or after extended inactivity, subject to technical constraints and legal obligations.
- Subscription and billing metadata:
  - Retained as required for accounting, fraud prevention, and tax compliance.
  - Typically kept for several years, depending on jurisdiction.
- Feedback:
  - Retained as long as it is useful for improving the product, unless you ask us to remove it sooner.
- Logs:
  - Infrastructure and security logs are retained for a limited period and then rotated or aggregated.
Exact retention periods may change as our infrastructure evolves; we strive to keep data no longer than necessary for the purposes described in this policy.
Your rights and choices
Depending on where you live, you may have rights such as:
- Access: Request a copy of the personal data we hold about you (for example, account and subscription records, feedback).
- Correction: Ask us to correct inaccurate or incomplete information.
- Deletion: Ask us to delete your account data where we are not legally required to keep it.
- Restriction and objection: Request that we limit or stop certain processing.
- Portability: Request a machine-readable export of certain data.
Because your calendar content is end-to-end encrypted and we cannot decrypt it server-side, "access" and "export" for calendar content are typically handled client-side by exporting from the app while you are logged in.
To exercise any of these rights, contact us using the details below. We may need to verify your identity before fulfilling your request.
You can also control many aspects directly in the app:
- Sign out to clear in-memory keys and session state.
- Use the in-app reset tools (or your browser's storage controls) to clear local data.
- Adjust reminder behavior and other app preferences.
International transfers
Our infrastructure providers (for example Supabase, Polar, Plunk, Plausible, and Vercel) may process data in multiple regions, including the United States and the European Union. When data is transferred across borders, we rely on appropriate safeguards (for example, standard contractual clauses where applicable) to protect your information.
Because your calendar content is encrypted end-to-end, the impact of these transfers on your calendar privacy is reduced. Account, billing, and feedback data may still be subject to local laws in the regions where our providers operate.
Security practices
We take security seriously and use a combination of:
- Strong cryptography for calendar content (modern libsodium primitives)
- Strict Content Security Policy (CSP) and other browser security headers
- Limited data access by role (for example, row-level security in Supabase for subscription and feedback tables)
- Hardened webhook handling and minimal logging of sensitive fields
- Defense-in-depth techniques such as clearing caches and service workers on sign-out, and one-time build reloads to avoid stale assets
No system is perfectly secure, but the architecture is designed so that server compromise alone is not enough to reveal your calendar content without your encryption keys.
Changes to this policy
We may update this policy from time to time as the product and infrastructure evolve.
- Material changes that affect how your data is handled will be highlighted in the app and/or on the website.
- We will update the "Last updated" date at the top of this page.
- Where required by law, we will seek your consent before applying certain changes.
If we ever decide to add analytics, additional integrations, or new data uses that are not covered here, we will update this page first in clear language and, where appropriate, give you a choice before enabling them.
Contact
If you have questions or concerns about this policy or how NimbleCal handles data, you can reach us at:
For jurisdiction-specific questions (for example about GDPR or other local regulations), please include your country of residence so we can respond with the most relevant information.