Privacy Policy

Florin is a tool that helps shift workers understand their work hours, entitlements, and overtime using data from their own Google Calendar.

What Information We Collect

• We request read-only access to your Google Calendar
• We only access the events in calendars you choose to connect
• We do not store, share, or sell any personal data or calendar content

What we access

When you connect your Google account, Florin requests the calendar.readonly scope. This allows us to view your Google Calendar events you’ve authorised, including titles, start/end times, recurrence, description, location and attendees. We do not request any write scopes and we cannot create, edit or delete calendar events.

How we use your data

We use your calendar data solely to calculate hours worked, build shift summaries and produce personal insights for you. We don’t sell your data, and we don’t use it for ads or unrelated purposes.

Data protection & security

• Read-only by design: Only calendar.readonly is requested; your calendar cannot be modified by Florin.
• Server-side credential storage: OAuth tokens are never stored in your browser. They’re held server-side in memory and mapped to a secure random session ID.
• Secure cookies: Session cookies are Secure (HTTPS-only), HttpOnly (not available to JavaScript) and SameSite=Lax (mitigates CSRF).
• CSRF protection during login: We use cryptographically secure random state values and verify them on return from Google OAuth.
• Secret management: Google OAuth client credentials and session keys live in environment variables (Replit Secrets) and are never hard-coded.
• Automatic token refresh (fail-safe): Expired tokens are refreshed via Google; if refresh fails, we require re‑authorisation and immediately clear invalid credentials.
• No persistent storage of event content: Event data is processed in memory only for the duration of your active session. We do not write calendar event content to any database or backups.
• Transport security: All traffic between your browser, Florin and Google APIs is encrypted with TLS/HTTPS.
• Privacy-first operational choice: Because credentials are memory-only, a server restart requires you to sign in again—this ensures nothing persists beyond your session.

Retention & deletion

Event content is not persisted. Session data and credentials are cleared on logout, session expiry or server restart.

Your control

• You can revoke Florin’s access anytime at Google Account → Security & permissions.
• After revocation, Florin can no longer access your data; any in-memory session data is already cleared when the session ends.
• Questions? Email charliedixon49@gmail.com.

Compliance with Google policies (Limited Use)

Florin complies with the Google API Services User Data Policy, including the Limited Use requirements. We access, use and retain Google user data only to provide or improve the features described above; we do not transfer it except as necessary to provide the service, comply with law, or with your explicit direction.

Third Parties

We do not share your information with any third parties.

Your Control

You can revoke Florin's access to your calendar at any time via your Google Account permissions.

Contact Us

For questions, email: charliedixon49@gmail.com

Security incidents

If we ever become aware of a security incident affecting your information, we will notify affected users without undue delay and describe remediation steps.