YearTrips Privacy Policy

YearTrips connects to your Google account with OAuth and requests only the permissions needed to display your calendars and events in the app:

• Google Calendar read-only access: calendar IDs, calendar names, descriptions, colors, access roles, primary calendar status, and selected calendar status.
• Google Calendar event read-only access: event IDs, titles, descriptions, start and end dates or times, event colors, event status, and Google Calendar event links for the calendars and year you choose to view.
• Basic Google account information: your email address and profile name so the app can show which Google account is connected.

We use Google user data only to provide YearTrips' calendar features. Calendar and event data is fetched from Google's APIs, converted into the app's display format, and returned to your browser so you can see your year, trips, vacations, school calendar, and related events in one view.

• We do not create, modify, or delete your Google Calendar events.
• We do not use Google user data for advertising.
• We do not sell Google user data.
• We do not use Google user data to train AI or machine learning models.

YearTrips stores the following data to keep you signed in and remember your local preferences:

• OAuth tokens: access and refresh tokens are encrypted with AES-256-GCM and stored in HTTP-only cookies in your browser.
• Basic account information: your Google email address and profile name are stored in the encrypted session cookie so the app can identify the connected account.
• Calendar preferences: the calendar IDs you select are stored locally in your browser.

We do not store your Google Calendar events on our servers. Calendar event data is processed only to respond to your request and display the app.

We do not sell or share Google user data with advertisers, data brokers, or unrelated third parties. Google user data may be processed by the following service providers only as needed to run the app:

• Google APIs: YearTrips sends your OAuth token to Google to request your calendar list and events.
• Vercel: YearTrips is hosted on Vercel. Requests for calendar data pass through Vercel's hosting infrastructure so the app can securely call Google's APIs and return results to your browser.

OAuth tokens are encrypted before storage and kept in HTTP-only cookies, which means they cannot be accessed by JavaScript running in your browser. Session cookies use SameSite protection and are sent over HTTPS in production. All communication with Google APIs uses HTTPS encryption.

Encrypted session cookies are retained for up to 30 days unless you sign out or clear your cookies earlier. OAuth state cookies used during sign-in expire after 10 minutes. Calendar preferences remain in your browser until you clear your browser storage or change your selections.

To remove YearTrips' access to your Google Calendar and delete locally stored data:

1. Sign out of YearTrips to clear the encrypted session cookie.
2. Go to your Google Account → Security → Third-party apps, find "YearTrips" or "Year View", and click "Remove Access".
3. Clear your browser cookies and local storage to remove local session and preference data.

You can also request help with data deletion by contacting bernat@fornes.dev.

• YearTrips' use and transfer of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
• We access Google user data only with your consent and only for the features described in this policy.
• We do not transfer Google user data except as necessary to provide or improve user-facing features, comply with law, or protect the app and its users.

We may update this privacy policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

If you have any questions about this privacy policy, please contact us at bernat@fornes.dev