Trust

Security & privacy at ZagCal

ZagCal exists to stop double-bookings without copying your calendars around. The whole product is built on one rule: we sync busy/free only — never your event details.

What we read and write

To know when you're free, ZagCal reads only the busy/free time ranges from your connected calendars. We do not read event titles, descriptions, guests, or locations.

When we mirror a commitment to your other calendars, we write a generic "Busy" block — a placeholder with no detail about the underlying meeting. So even across your own accounts, nothing about an event is ever exposed.

Least-privilege access

Google and Microsoft are connected via OAuth using the minimum scopes needed for free/busy. You can revoke ZagCal's access from your provider at any time.
Apple iCloud is connected with an app-specific password over CalDAV — never your main Apple ID password.
Disconnect a calendar and ZagCal removes the busy placeholders it created. Your real events are never touched.

Encryption

Access tokens and calendar credentials are encrypted at rest using envelope encryption with versioned, rotatable key-encryption keys — a database read alone cannot reveal them. All traffic to ZagCal is encrypted in transit over TLS.

Isolation across organizations

Many of our users work across several organizations. ZagCal enforces strict data isolation between every organization you belong to: a calendar in one org never bleeds into another, and the sync engine refuses to mirror across ownership boundaries.

Your data, your control

ZagCal supports full export of your account data and complete account erasure — email privacy@zagcal.com to exercise either. On deletion we tear down the placeholders ZagCal created on your providers and remove your data. Exports are built from an allowlist of fields and never include your access tokens or any event content.

Booking pages keep details where they belong

When someone books time through your public page, that real meeting is written to the single calendar you chose. Your other calendars only ever see the generic busy block the sync engine propagates — so a booker's name and notes never leave your target calendar.

How we operate

We maintain a threat model and run with fail-closed production hardening (e.g. ZagCal refuses to start without its encryption keys configured).
We never see or store payment card details — payments are handled by Stripe.

Found a security issue? Email security@zagcal.com. We appreciate responsible disclosure and will work with you on a fix.