Privacy Policy

1) Scope

This Privacy Policy applies to information we process when you:

• visit our website;
• create, manage, or respond to an event;
• purchase or use a paid plan (if available);
• communicate with us (e.g., support requests, feedback).

This policy does not apply to third-party websites or services you may access through links on our Service.

2) Key concepts about the Service (Token Links)

The Service uses a link-based access model:

• Event links allow participants to respond without creating an account.
• Organizers use the same event link to manage the event and view results.
• Participant edit links allow a participant to edit their availability.

Important: Anyone who has an event link or participant edit link may be able to act as the organizer or participant for that event. Please treat these links as confidential and do not share them publicly.

3) Information We Collect

A. Information you provide directly

Organizers (event creators)

• Event details you enter (e.g., event name, description, time zone, dates/times).
• Your availability you submit for an event.
• If you sign in: your email address (for magic-link authentication).
• If you purchase a paid plan: information related to the purchase (see "Payments" below).

Participants (guests)

• Name (required to submit availability).
• Availability responses (dates/times selected).
• Email address (optional) if you choose to provide it (for example, to receive an edit link or invitations/reminders, depending on features and flows).

B. Information collected automatically

Device and usage data

Basic device, browser, and usage information that may be collected through standard logs and analytics (e.g., IP address, browser type, pages visited, approximate time of visit, referring/exit pages).

Local storage

To help participants return on the same device, the Service may store a participant token in the browser's local storage so you can edit your availability without re-entering an email on that same device. If you use a shared device, others who use that device/browser may be able to access that participant editing experience.

C. Information from third parties

Payments

If you purchase a paid plan, payments are processed by Stripe. We do not store full payment card numbers. Stripe may process your payment information according to its own privacy practices.

We may receive limited payment-related information from Stripe (e.g., subscription status, purchase confirmation, and identifiers needed to manage your plan).

4) How We Use Information

We use information to:

• provide and operate the Service (create events, collect responses, display heatmaps/results to organizers, allow edits, etc.);
• authenticate users who choose to sign in (magic link);
• send transactional emails you request or that are necessary to provide the Service (e.g., magic links, edit links, invitations, reminders, confirmations, calendar attachments when applicable);
• process purchases and manage paid plan access (if applicable);
• prevent abuse, spam, and fraud (including rate limiting and blocking disposable email domains);
• maintain, debug, secure, and improve the Service (including customer support, troubleshooting, and product analytics);
• comply with legal obligations and enforce our terms.

5) How We Share Information

We share information in these ways:

A. With other users as part of the Service

Organizers can view participant names and availability responses for their event.

Participants generally submit their own availability; the organizer controls the event and has access to responses.

B. With service providers ("processors")

We use vendors to help us run the Service, such as:

• hosting and infrastructure;
• databases and authentication;
• email delivery;
• payment processing;
• rate limiting / abuse prevention;
• analytics.

These providers may process information only to perform services for us and under appropriate contractual restrictions.

C. For legal and safety reasons

We may disclose information if we believe it is necessary to:

• comply with law, regulation, legal process, or governmental request;
• protect the rights, safety, and security of WhenItWorks, our users, or the public;
• detect, prevent, or address fraud, abuse, security, or technical issues.

D. Business transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction.

6) Analytics, Cookies, and Similar Technologies

We may use analytics tools to understand how the Service is used and to improve performance and user experience.

• Current analytics: We use Vercel Analytics to measure site usage and performance.
• Possible future analytics: We may implement additional product analytics (for example, PostHog) in the future.

Cookies or similar technologies may be used by our website and vendors. You can usually control cookies through your browser settings. If we implement new analytics that materially change our practices (for example, enabling targeted advertising), we will update this Privacy Policy.

7) Data Retention

We retain information as long as reasonably necessary to provide the Service and for legitimate business purposes (such as security, fraud prevention, resolving disputes, and enforcing agreements), unless a longer period is required by law.

Event retention (typical):

• Free events: data may be purged after approximately 3 months.
• Paid/Pro events: data may be retained/archived for up to 1 year.

We may retain limited records longer where necessary for legal, accounting, or security purposes.

8) Security

We take reasonable measures designed to protect information from unauthorized access, use, alteration, and disclosure. However, no online service is 100% secure, and we cannot guarantee absolute security.

Because the Service uses secret token links (participant edit links and organizer access via the event link), you should protect those links and avoid sharing them publicly.

9) Your Choices and Rights

A. Access, updates, and deletion

At this time, the Service may not provide self-serve account deletion or full self-serve deletion workflows for all data. You may contact us at privacy@whenitworks.app to request access to, correction of, or deletion of information, and we will consider and respond consistent with applicable law and the nature of the Service.

B. Email preferences

Some emails are transactional (e.g., magic link sign-in, edit link requests, invites/reminders you initiate) and may be necessary to provide the Service. If we offer marketing emails in the future, you will be able to opt out using unsubscribe instructions.

10) California Privacy Notice (CCPA/CPRA)

This section applies to California residents to the extent the CCPA/CPRA applies to our processing.

A. Categories of personal information we collect

Depending on how you use the Service, we may collect:

• Identifiers (e.g., email address; online identifiers; IP address)
• Internet/electronic network activity (e.g., usage data, page interactions)
• Commercial information (e.g., plan status and transaction confirmation from Stripe, if you purchase)
• Event and scheduling information you provide (event name/description, time zone, availability selections)

B. Purposes

We use personal information for the purposes described in Section 4 (operating the Service, authentication, communications, payments, security, and improvement).

C. Sources and disclosures

We collect information from you, your device/browser, and service providers (e.g., infrastructure, analytics, payment processors). We disclose information to service providers and as required for legal/safety reasons (Section 5).

D. "Sale" or "sharing" of personal information

We do not sell personal information for money. We also do not share personal information for cross-context behavioral advertising in the way California law defines "share," based on our current configuration. If our practices change, we will update this policy.

E. Your California rights

Subject to certain exceptions, you may have the right to:

• know what personal information we collect, use, disclose;
• request deletion of personal information;
• request correction of inaccurate personal information;
• access or obtain a copy of certain personal information;
• not receive discriminatory treatment for exercising your privacy rights.

To submit a request, email privacy@whenitworks.app. We may need to verify your identity before fulfilling a request.

11) Children's Privacy

The Service is not intended for children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, contact us at privacy@whenitworks.app

12) International Users

The Service is intended for use in the United States. If you access the Service from outside the United States, you understand that information may be processed in the United States or other locations where our service providers operate.

13) Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Effective Date" above. Material changes will be communicated in a reasonable manner (for example, via the website or email if appropriate).

14) Contact Us

Email: privacy@whenitworks.app