Privacy Policy
Last updated: April 14, 2026 · Effective: April 14, 2026
Calist ("we", "us", "our") operates the Calist calendar assistant service, accessible via quical.app and through messaging bots on LINE, KakaoTalk, WhatsApp, and Telegram.
This policy explains what data we collect, why we collect it, how long we keep it, and how you can delete it. We comply with the EU General Data Protection Regulation (GDPR), UK GDPR, Brazil LGPD, Japan APPI, Korea PIPA, and the US California Consumer Privacy Act (CCPA).
1. What we collect
| Data | Why | Retention |
|---|---|---|
| Google account email, name, profile photo | Identify your account; display in dashboard | Until account deleted |
| Google Calendar OAuth tokens (encrypted at rest) | Create and manage calendar events on your behalf | Until account deleted or Google access revoked |
| Microsoft / Outlook OAuth tokens (encrypted at rest) | Create events in Outlook Calendar if connected | Until disconnected or account deleted |
| Chat message text (LINE, KakaoTalk, WhatsApp, Telegram) | Extract event information with AI (Claude); stored briefly for deduplication | Message metadata stored; raw text not retained after processing |
| Screenshots forwarded to the Telegram bot | Extract calendar event details via AI vision (Claude Sonnet). Use cases include booking confirmations, class schedules, tickets, and appointment cards. | Image bytes are sent to Anthropic's API, then immediately discarded. We never write the image to disk, the database, or logs. Only the extracted event fields (title, date/time, optional location and description) are retained. Anthropic processes the image per their privacy policy and does not use it to train models. |
| Calendar event details (summary, date/time, calendar ID) | Track events created via Calist; power delete/modify commands | Until event deleted or account deleted |
| Timezone preference | Correctly interpret relative dates ("tomorrow", "next Monday") | Until account deleted |
| Platform user IDs (LINE User ID, KakaoTalk ID, WhatsApp phone, Telegram chat ID) | Route bot messages to the correct account | Until platform disconnected or account deleted |
| Billing information (Stripe customer ID, subscription ID) | Manage your subscription; we never store card numbers directly | Until account deleted (Stripe retains billing history per their policy) |
| Anonymous trial sessions (Telegram chat ID, extracted event fields, guessed timezone) | Hold extracted events server-side for users trying Calist before creating an account. Source message text is never stored — only the extracted fields (title, date/time, optional location and description). | 24 hours from last activity, extended up to 7 days maximum from first message. Auto-deleted hourly. If you connect a Google Calendar, the extracted events migrate into your calendar and remain there per Google's retention; our server-side copy is purged. |
Anonymous trial tier (Telegram)
You can use Calist via Telegram without creating an account for up to 5 trial events. In this mode we store only: the chat ID Telegram provides, extracted event details, and a guessed timezone from Telegram's language_code. We never log or persist the original message text or forwarded screenshot. Screenshot bytes are sent to Claude for extraction and then dropped; we retain only the resulting event fields. Trial data is deleted automatically after 24 hours of inactivity (hard ceiling: 7 days from first message). Events you migrate to a connected Google Calendar live on in Google's storage per their retention policy even after our server-side trial copy is purged.
2. What we do not collect
- We do not read your existing Google Calendar events or Gmail inbox contents beyond what is necessary to create new events.
- We do not sell or share your data with third-party advertisers.
- We do not store credit card numbers — payments are processed by Stripe.
3. Third-party services
- Google — Google Calendar API and OAuth 2.0. Google Privacy Policy
- Microsoft — Microsoft Graph API and OAuth 2.0 (if Outlook connected). Microsoft Privacy Statement
- Anthropic (Claude) — AI model used to extract event information from your messages. Message text is sent to Anthropic's API and is subject to Anthropic's privacy policy. We do not use your data to train AI models.
- Stripe — payment processing. Stripe Privacy Policy
- LINE / KakaoTalk / Twilio (WhatsApp) / Telegram — messaging platforms that route your messages to Calist.
- Railway — infrastructure hosting. Data is hosted in the US.
4. Legal basis for processing (GDPR / UK GDPR / LGPD)
- Performance of a contract — processing your messages and creating calendar events is the core service you signed up for.
- Legitimate interests — preventing abuse, debugging errors, and maintaining service availability.
- Consent — connecting optional services (Outlook, bot platforms) requires explicit action by you.
5. Data transfers
Our servers are hosted in the United States (Railway). If you are in the EU, UK, Japan, Korea, or Brazil, your data is transferred to the US. We rely on Standard Contractual Clauses (SCCs) for EU/UK data transfers. By using Calist, you acknowledge this transfer.
6. Your rights
You have the right to:
- Access — request a copy of data we hold about you.
- Deletion — delete your account and all associated data. Use the "Delete Account" button in your dashboard, or email us (see below).
- Correction — update incorrect data (timezone, email via Google re-login).
- Portability — request a data export.
- Objection / Restriction — object to or restrict processing where the legal basis is legitimate interests.
- Withdrawal of consent — disconnect any platform (LINE, Outlook, etc.) at any time from your dashboard.
Japan (APPI): You may request disclosure, correction, or deletion of your retained personal information.
Korea (PIPA): You may request access to, correction of, deletion of, or suspension of processing of your personal information.
California (CCPA): California residents have the right to know, delete, and opt out of sale of personal information. We do not sell personal information.
7. Data retention
We retain your data for as long as your account is active. When you delete your account, all data (profile, tokens, calendar event records, platform IDs) is permanently deleted within 30 days. Stripe billing records are retained per Stripe's own data retention policy (typically 7 years for financial records).
8. Children
Calist is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect data from minors.
9. Changes to this policy
We will notify you of material changes by posting an updated policy at this URL and, where required by law, by direct notification.
10. Contact
To exercise your rights or ask questions about this policy:
Email: privacy@quical.app