1. Introduction
This Privacy Policy describes how Syncs LLC, a California limited liability company ("Syncs," "we," "us," or "our"), collects, uses, stores, shares, and protects your personal information when you use Shae.io and all related services, applications, and features (collectively, the "Service"). Shae is a web-based scheduling platform that helps friends and groups find overlapping availability to make plans.
We are committed to protecting your privacy and handling your data with transparency. This Privacy Policy applies to all users of the Service, including registered account holders ("Users") and individuals who interact with Shae Links without creating an account ("Guests").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use the Service.
This Privacy Policy should be read in conjunction with our Terms of Service.
2. Information We Collect
We collect information necessary to provide, maintain, and improve the Service. The types of information we collect depend on how you interact with Shae.
2.1 Information You Provide Directly
Account Information
When you create an account, we collect the following information through our supported authentication providers (Google OAuth and Discord):
- Display name
- Email address
- Profile picture URL (if provided by the authentication provider)
- Authentication tokens and identifiers necessary to maintain your session
Availability Data
When you participate in scheduling — either as a Host or a participant — we collect:
- Time windows and date ranges you select as available
- Part-of-day preferences (morning, afternoon, evening)
- Refined time ranges when you specify exact start and end times
- Your timezone information
- General availability patterns you optionally save as your "usual availability"
Event Data
When you create or participate in an Event, we collect:
- Event titles and activity types
- Duration preferences and location information
- Quorum settings (minimum participant thresholds for group events)
- Participant roster information
- Event status and confirmed times
Vibe Profile Data
If you choose to set up a Vibe Profile, we collect:
- Activity preferences (activities you are interested in)
- General availability patterns you choose to share with friends
Guest Information
If you participate as a Guest (without creating an account), we collect:
- The display name you provide
- Your email address (if provided)
- Availability Data as described above
Communications
If you contact us for support or provide feedback, we collect the content of your communications, including your email address and any information you choose to provide.
2.2 Information Collected Automatically
When you access or use the Service, we automatically collect certain technical information:
- Device information: device type, operating system, browser type and version, screen resolution
- Network information: IP address, internet service provider
- Usage information: pages visited, features used, time spent on pages, click patterns, referring URLs
- Cookies and similar technologies: as described in Section 8 of this Privacy Policy
- Log data: server logs including access times, error logs, and request metadata
2.3 Information from Third-Party Services
When you authenticate using a third-party provider (Google or Discord), we receive information from that provider as authorized by your privacy settings with that provider. This typically includes your name, email address, and profile picture.
3. Google API Services — Data Access and Use
This section describes how Shae accesses, uses, stores, and shares data obtained through Google API Services. This section is provided in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
3.1 Google Scopes We Request
Shae requests access to the following Google OAuth scopes. We only request the narrowest scopes necessary to provide the specific features described below:
| Scope | Purpose | Data Accessed |
|---|---|---|
| openid | Authenticate your identity and create your Shae account via Google Sign-In. | Unique Google account identifier |
| Identify your account, send event confirmations, and enable communication about scheduled plans. | Your Google account email address | |
| profile | Display your name and profile picture within the Service so friends can recognize you. | Display name and profile photo URL |
| calendar.events.readonly | Read your existing calendar events to show you busy/free times when selecting availability, helping you avoid double-booking. This scope is requested only when you opt in to the calendar integration feature. | Calendar event titles, start/end times, and free/busy status. Shae does NOT access event descriptions, attendee lists, attachments, or other event metadata. |
| calendar.events | Write confirmed Shae plans directly to your Google Calendar so you do not need to manually create calendar entries. This scope is requested only when you opt in to the calendar sync feature. | Shae creates new calendar events for confirmed plans only. Shae does NOT modify or delete any existing calendar events. |
Calendar scopes are requested incrementally: they are only requested at the moment you choose to use the calendar integration feature, not at initial sign-up. You can use Shae without ever granting calendar access.
3.2 How We Use Google User Data
Data obtained through Google API Services is used exclusively for the following purposes:
- Authentication: To securely verify your identity and maintain your session.
- Profile display: To show your name and photo to friends within the Service so they can recognize you when coordinating plans.
- Calendar integration: To display your busy/free times during availability selection (read-only), and to add confirmed plans to your Google Calendar (write). Calendar data is accessed only in real-time when you use the feature and is not stored on our servers beyond the minimum necessary to process the request.
- Event notifications: To send you email confirmations and reminders about confirmed plans you have created or joined.
3.3 Google API Services Limited Use Disclosure
Shae.io's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, Shae's use of Google user data is limited to the following practices:
- We limit our use of Google user data to providing or improving user-facing features that are prominent in the Shae application's user interface, specifically: scheduling coordination, calendar integration, and user identification within the Service.
- We do not transfer Google user data to third parties, except: (a) as necessary to provide or improve user-facing features in the Shae application and only with your consent; (b) for security purposes such as investigating abuse; (c) to comply with applicable laws; or (d) as part of a merger, acquisition, or sale of assets, with your explicit prior consent.
- We do not use Google user data for advertising purposes. We do not use or transfer Google user data for serving ads, including retargeting, personalized, or interest-based advertising.
- We do not use Google user data to determine creditworthiness or for lending purposes.
- We do not sell Google user data to any third party, including advertising platforms, data brokers, or information resellers.
- We do not allow humans to read Google user data, unless: (a) you have given us affirmative consent to view specific data (e.g., for technical support); (b) it is necessary for security purposes (e.g., investigating a bug or abuse); (c) it is necessary to comply with applicable law; or (d) the data is aggregated and anonymized and used for internal operations in accordance with applicable privacy requirements.
- We do not use Google user data for training generalized or non-personalized AI or machine learning models. Transfers of data for generalized AI/ML model training are prohibited.
3.4 How We Handle Google Calendar Data
Because calendar data is particularly sensitive, we apply additional safeguards:
- Calendar data is accessed in real-time only when you actively use the calendar integration feature within the scheduling flow.
- We access only the minimum calendar event data necessary: event titles and start/end times to determine busy/free status. We do not access event descriptions, attendee lists, locations, attachments, conference data, or other metadata of your existing calendar events.
- Calendar busy/free information is processed in-session and is not permanently stored on our servers. Temporary caching may occur for the duration of your active scheduling session only.
- When writing events to your calendar, we create only new events for Shae-confirmed plans. We never modify or delete your existing calendar events.
- You can revoke Shae's access to your Google Calendar at any time through your Google Account permissions page (myaccount.google.com/permissions) or through Shae's settings.
- Calendar integration is entirely optional. The core scheduling functionality of Shae works without any Google Calendar access.
3.5 Revoking Google Access
You can revoke Shae's access to your Google data at any time by:
- Visiting your Google Account security settings at myaccount.google.com/permissions and removing Shae from authorized applications.
- Contacting us at privacy@shae.io to request that we disconnect your Google account.
- Using the account settings within the Shae application (when available).
Revoking Google access will disable calendar integration and may affect your ability to sign in. Your existing Shae data (events, availability, profile) will be retained unless you separately request account deletion.
4. How We Use Your Information
4.1 Providing and Operating the Service
- To create and manage your account
- To facilitate scheduling coordination between you and other participants, including running our Blind Matching algorithm to identify overlapping availability
- To calculate and display scheduling overlaps and Quorum results for group events
- To send event-related notifications, confirmations, and reminders
- To display your Vibe Profile information to your friends on the platform
- To generate .ics calendar files for confirmed plans
4.2 Improving and Developing the Service
- To analyze usage patterns and understand how features are used (using aggregated, anonymized data)
- To identify and fix bugs, errors, and performance issues
- To develop new features and improve existing ones
- To conduct internal analytics and reporting
4.3 Communicating with You
- To send service-related announcements and administrative messages
- To respond to your inquiries, feedback, and support requests
- To notify you of material changes to this Privacy Policy or our Terms of Service
4.4 Safety and Security
- To detect, prevent, and address fraud, abuse, and security incidents
- To protect the rights, property, and safety of our users and the public
- To enforce our Terms of Service
5. Blind Matching and Schedule Privacy
A core design principle of Shae is mutual respect in scheduling. Our Blind Matching system is designed to protect your schedule privacy:
- When coordinating with another person (1-1 scheduling), both parties independently submit their availability. Only overlapping time windows are revealed to either party. Neither participant can see the other's full schedule or specific unavailable times.
- In group scheduling, the Host sets a time window and Quorum threshold. Participants submit their availability independently. The Service calculates which times meet the Quorum requirement and presents those to the Host. Individual participants' raw schedules are not exposed to other participants.
- Your "usual availability" preferences (saved general patterns) are used to pre-fill your availability selections. This data is not shared with other users unless you explicitly choose to display it on your Vibe Profile.
- Vibe Profile availability patterns are intentionally general (e.g., "usually free weekend mornings") and are shared only if you opt in to this feature. They do not reveal specific calendar entries or commitments.
6. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We share your information only in the following limited circumstances:
6.1 With Other Participants
When you participate in an Event, certain information is shared with other participants as necessary for the scheduling functionality:
- Your display name and avatar are visible to other participants in the same Event.
- Overlapping availability (not your full schedule) is shared as described in Section 5.
- If you have a Vibe Profile and have opted to share it, your activity preferences and general availability patterns are visible to friends on the platform.
6.2 With Service Providers
We engage trusted third-party service providers to help us operate and improve the Service. These providers have access to your information only as needed to perform services on our behalf and are contractually obligated to protect your data. Our current service providers include:
- Supabase: Database hosting, authentication infrastructure, and real-time data services.
- Vercel: Web application hosting and deployment.
- Google: Authentication services (Google OAuth) and, if you opt in, Google Calendar API for calendar integration.
- Discord: Authentication services (Discord OAuth) for users who choose to sign in via Discord.
6.3 For Legal Reasons
We may disclose your information if we reasonably believe that disclosure is necessary to:
- Comply with any applicable law, regulation, legal process, or governmental request.
- Enforce our Terms of Service, including investigation of potential violations.
- Detect, prevent, or otherwise address fraud, security, or technical issues.
- Protect against harm to the rights, property, or safety of Syncs LLC, our users, or the public as required or permitted by law.
6.4 Business Transfers
If Syncs LLC is involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
6.5 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
7. Data Retention
7.1 Active Account Data
We retain your account information, Vibe Profile, and saved availability preferences for as long as your account is active.
7.2 Event Data
Completed or cancelled Events and their associated data are retained for up to 12 months after the Event concludes, after which they are automatically deleted or anonymized.
7.3 Guest Data
Information submitted by Guests is retained for the duration of the Event lifecycle and the subsequent retention period described above.
7.4 Google Calendar Data
Calendar data accessed via the Google Calendar API is processed in real-time and is not permanently stored on our servers. Temporary session-level caching may occur during your active use of the calendar integration feature. Any temporarily cached calendar data is deleted when your session ends or within 24 hours, whichever is sooner.
7.5 Automated Data and Logs
Server logs and automatically collected technical data are retained for up to 90 days for security, debugging, and performance monitoring purposes.
7.6 Deletion Upon Request
You may request deletion of your data at any time as described in Section 10. Upon receiving a valid deletion request, we will delete your personal information within 30 days, except where retention is required by law.
8. Cookies and Tracking Technologies
8.1 What We Use
We use cookies and similar technologies to operate the Service:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential / Authentication | Maintain your login session, authenticate requests, and prevent CSRF. | Session / up to 30 days |
| Preferences | Remember your settings such as timezone, saved availability, and display preferences. | Up to 12 months |
| Analytics | Understand how users interact with the Service to improve functionality. We use only first-party or privacy-respecting analytics. | Up to 12 months |
8.2 What We Do Not Use
Shae does not use:
- Third-party advertising cookies or tracking pixels
- Cross-site tracking cookies
- Cookies for retargeting or interest-based advertising
- Google user data obtained via API Services for any cookie-based tracking or advertising purpose
8.3 Your Cookie Choices
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect your ability to use the Service. We honor Do Not Track (DNT) signals where technically feasible.
9. Data Security
We take the security of your personal information seriously and implement commercially reasonable technical, administrative, and organizational measures to protect your data.
9.1 Technical Safeguards
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at rest: User data stored in our database is encrypted at rest using AES-256 encryption.
- Secure authentication: We use OAuth 2.0 for authentication and do not store passwords.
- Access controls: Database access is restricted through Row-Level Security (RLS) policies.
- Environment isolation: Service-role credentials are stored as server-side environment variables and are never exposed to client-side code.
9.2 Organizational Safeguards
- Access to personal data is limited to personnel who require it to perform their job functions.
- All personnel with access to user data are subject to confidentiality obligations.
- We conduct regular reviews of our data processing practices and security measures.
9.3 Incident Response
In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities as required by law, including a description of the breach, the types of data affected, and the steps we are taking in response.
While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
10. Your Rights and Choices
We respect your rights regarding your personal information. Depending on your location, you may have the following rights:
10.1 Access
You may request a copy of the personal information we hold about you. We will provide this information in a commonly used, machine-readable format within 30 days of receiving a verified request.
10.2 Correction
You may update or correct your account information at any time through the Service's settings or by contacting us.
10.3 Deletion
You may request the deletion of your account and all associated personal data by contacting us at privacy@shae.io. Upon a verified deletion request, we will:
- Delete your account profile, display name, email, and authentication data.
- Delete your saved availability preferences and Vibe Profile.
- Delete or anonymize your participation data in Events you hosted or joined.
- Remove any calendar events Shae created in your Google Calendar (if technically feasible and if you request this).
Deletion will be completed within 30 days, except where we are required by law to retain certain data.
10.4 Data Portability
You may request a copy of your data in a structured, commonly used, machine-readable format for transfer to another service.
10.5 Objection and Restriction
You may object to or request restriction of certain data processing activities. Where we process your data based on legitimate interest, you may object, and we will cease processing unless we have compelling legitimate grounds.
10.6 Withdraw Consent
Where we process your data based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before the withdrawal. This includes revoking Shae's access to your Google account and calendar data.
10.7 How to Exercise Your Rights
To exercise any of the above rights, please contact us at privacy@shae.io. We will respond to verified requests within 30 days.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
11.1 Right to Know
You have the right to know what personal information we collect, use, disclose, and sell (if applicable). The categories of personal information we collect are described in Section 2.
11.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions. See Section 10.3 for details.
11.3 Right to Opt Out of Sale
Syncs LLC does not sell personal information as defined by the CCPA/CPRA. We do not sell your personal information to third parties for monetary or other valuable consideration.
11.4 Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights.
11.5 Categories of Information
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email address, account ID | Yes |
| Internet/network activity | Browsing history, interaction with Service, IP address | Yes |
| Geolocation data | Timezone (inferred), general location from IP | Yes (approximate) |
| Professional/employment info | None | No |
| Education info | None | No |
| Biometric info | None | No |
| Sensory data | None | No |
| Commercial info | None | No |
| Inferences | Scheduling preferences, activity interests | Yes |
11.6 Authorized Agents
You may designate an authorized agent to make a request on your behalf. The agent must provide proof of written authorization and we may still require you to verify your identity directly.
11.7 Contact for California Requests
California residents may submit requests by emailing privacy@shae.io with the subject line "California Privacy Request." We will respond within 45 days as required by law.
12. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, you understand and consent to the transfer of your information to the United States and to other countries where our service providers operate.
We take steps to ensure that your data receives an adequate level of protection wherever it is processed, including implementing appropriate data processing agreements with our service providers.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate legal mechanisms for cross-border data transfers, including Standard Contractual Clauses approved by the European Commission.
13. Children's Privacy
The Service is not directed to children under the age of 13 and we do not knowingly collect personal information from children under 13. If you are under 13, please do not use the Service or provide any personal information to us.
If we become aware that we have collected personal information from a child under 13 without parental consent, we will take immediate steps to delete that information. If you are a parent or guardian and believe we may have collected information from your child, please contact us at privacy@shae.io.
Users between the ages of 13 and 18 may use the Service with the consent and supervision of a parent or legal guardian.
14. Third-Party Links and Services
The Service may contain links to third-party websites or services that are not owned or controlled by Syncs LLC. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access.
We are not responsible for the privacy practices of third-party services, including the authentication providers (Google, Discord) and infrastructure providers (Supabase, Vercel) described in Section 6.2.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will:
- Update the "Effective Date" and "Last Updated" dates at the top of this Privacy Policy.
- Notify registered users via the email address associated with their account.
- Post a prominent notice on the Service.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
If we change the way we access, use, or share Google user data, we will prompt you to re-consent before making use of your data in any new way, as required by the Google API Services User Data Policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Syncs LLC
Operating as Shae.io
Email: privacy@shae.io
Website: https://shae.io
For privacy-related requests, please email privacy@shae.io. We aim to respond to all inquiries within 30 days.
Shae.io's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
© 2026 Syncs LLC (dba Shae.io) — Group plans, minus the chaos.