My Activity Calendar MyActivityCalendar

Privacy Policy

Effective date: May 28, 2026

What Information We Collect

When you create an account on My Activity Calendar, we collect the following information:

  • Your name and username
  • Your email address (used for account activation)
  • Your password (stored securely using one-way hashing)
  • Event data you add to your calendar (names, dates, locations, images, GPX files)

Google Calendar Integration

If you choose to import events from Google Calendar, we request read-only access to your calendar data. We only import the event details you explicitly select. We do not store your Google credentials — authentication is handled securely via Google OAuth. We do not access, share, or retain any Google data beyond the events you choose to import.

How We Use Your Information

We use your information solely to provide the My Activity Calendar service:

  • To create and maintain your account
  • To display your activity calendar publicly at your unique URL
  • To send you account activation emails

Data Sharing

We do not sell, trade, or share your personal information with third parties. Your activity calendar is publicly visible at your chosen URL, but your email address and account details are never displayed publicly.

Data Security & Protection Mechanisms

We implement the following technical and organizational measures to protect your sensitive data:

  • All data transmitted between your browser/app and our servers is encrypted using TLS/SSL (HTTPS). No unencrypted connections are accepted.
  • User passwords are hashed using bcrypt with a cost factor of 12 rounds. We never store passwords in plain text and cannot retrieve your original password.
  • OAuth access tokens (Google Calendar, Strava) are stored encrypted in our database and are only used for their intended purpose. Tokens are never shared with third parties.
  • Access to the production database is restricted to the application administrator only. The database server is not publicly accessible and requires authenticated access.
  • User sessions are protected with secure, HTTP-only cookies with CSRF token verification on all state-changing requests.
  • We practice data minimization — we only collect and store the minimum data necessary to provide the service. Google Calendar data is imported once and we do not retain your Google OAuth tokens after the import session.

Google Calendar Data Handling

When you use the Google Calendar import feature, the following data handling practices apply:

  • We request read-only access (calendar.readonly scope) — we cannot modify or delete any data in your Google Calendar.
  • Only the event title, date, and location are copied from your selected Google Calendar events into our application. No other Google data is stored.
  • Google Calendar data is never shared with, sold to, or disclosed to any third party.
  • Google Calendar data is never used for advertising, analytics, profiling, or any purpose other than displaying your imported events in your activity calendar.
  • You can delete any imported event at any time from your account. Deleting an event permanently removes it from our database.
  • You can revoke our access to your Google Calendar at any time by visiting your Google Account permissions page (myaccount.google.com/permissions). Revoking access does not delete already-imported events.

Data Retention

Your account data and events are retained for as long as your account is active. If you request account deletion, all personal data, events, uploaded images, GPX files, and associated data are permanently deleted within 30 days. Google OAuth tokens are not stored beyond the active import session.

Your Rights

You may request deletion of your account and all associated data at any time by contacting the administrator. Upon deletion, all your events, uploaded images, and GPX files will be permanently removed.

Contact

For questions about this privacy policy, please visit adventurepeter.com.