How Hetk handles your data
Hetk syncs calendar events between your accounts. Here’s how we protect your data at every step.
Authentication
- Google and Microsoft: Hetk uses OAuth 2.0 to connect to your calendars. We never see or store your Google or Microsoft password. You grant access through the provider’s own consent screen, and you can revoke access at any time from your Google or Microsoft account settings.
- Apple iCloud: Apple doesn’t offer OAuth for calendar access. Hetk connects via CalDAV using an app-specific password that you generate in your Apple ID settings. This password only grants calendar access. You can’t use it to sign in to your Apple account, make purchases, or reach other Apple services.
What data we access
Hetk reads and writes calendar events in the calendars you select. Specifically:
- Event title, description, location, start/end times, and timezone
- Free/busy status and privacy/visibility settings
- Attendee list and organizer
- Event creation and modification timestamps
We do not access your email, contacts, files, or anything else outside the calendars you selected.
What data we store
- OAuth tokens: Encrypted at rest, used to maintain your calendar connections. Refreshed automatically.
- Synced event metadata: We track which events Hetk has synced to prevent duplicates and enable accurate updates. This includes event IDs, ETags, start/end times, and sync timestamps. We do not store event titles, descriptions, locations, or attendees.
Encryption
- In transit: All connections use TLS 1.2+ (HTTPS). API calls to Google, Microsoft, and Apple are encrypted end-to-end.
- At rest: We host the database on Azure SQL with transparent data encryption (TDE) enabled. OAuth tokens are encrypted before storage.
Infrastructure
- Hosting: Azure App Service (North Europe region), with automatic OS and runtime patching.
- Database: Azure SQL Database with automated backups and point-in-time restore.
- DNS and CDN: Cloudflare with strict SSL, DNSSEC, and DDoS protection.
Data retention and deletion
- Account deletion: You can delete your account at any time from the app settings. This permanently removes all your data: OAuth tokens, sync relationships, synced event metadata, and account information. There is no undo.
- Sync relationship deletion: Deleting a sync relationship removes all associated metadata. Events that were already synced to your target calendar remain there (they are now regular events in your calendar).
Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Google Calendar API | Calendar sync | Calendar events in selected calendars |
| Microsoft Graph API | Calendar sync | Calendar events in selected calendars |
| Apple CalDAV | Calendar sync | Calendar events in selected calendars |
| Stripe | Payment processing | Email, subscription plan, payment method (Hetk does not store card numbers) |
| Azure | Hosting and database | All application data (encrypted at rest) |
| Cloudflare | DNS, CDN, SSL | HTTP request metadata (IP, headers) |
Organization-wide privacy policy
IT admins at organisations using Google Workspace or Microsoft 365 can enforce a domain-wide privacy policy via DNS. When enabled, all calendar events synced from users at that organisation are automatically marked as private, with titles and details stripped. The policy is controlled by a DNS TXT record and requires no admin login or OAuth approval. See Domain-verified Privacy Policy for details and setup.
Company
Hetk Technologies OÜ is registered in Estonia (Registry Code: 17181483). For security questions, contact [email protected]. See our Privacy Policy for how we handle personal data.