Privacy Policy

What Suppy does

Suppy helps friend groups schedule group calls by reading participants' Google Calendar availability and finding times that work for everyone. We send email notifications when calls are proposed, confirmed, or cancelled.

Data we collect

When you sign in with Google, we receive your name, email address, and profile picture from your Google account. We also request access to your Google Calendar to check your availability (free/busy times) and create calendar events for confirmed calls.

We store your scheduling preferences (available days, hours, timezone, buffer settings) and your group memberships. We also store Google OAuth tokens to access your calendar on your behalf.

How we use your calendar data

We use Google Calendar's FreeBusy API to check when you're busy. We only read busy/free status — we do not read the titles, descriptions, attendees, or any other details of your calendar events. When a call is confirmed, we create a calendar event with a Google Meet link on your calendar.

Data sharing

We do not sell, share, or distribute your personal data to third parties. Your calendar availability is used only within your groups to find mutually available times. Group members can see that you're busy at certain times, but never why.

Third-party services

Suppy uses the following services to operate:

• Supabase — database and authentication

• Google Calendar API — calendar availability and event creation

• Resend — email delivery

• Vercel — hosting

Data retention

Your data is retained as long as you have an active account. If you leave all groups, your scheduling preferences and group membership data are removed. Google OAuth tokens are stored securely and can be revoked at any time through your Google Account settings.

Data protection

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Specifically:

All data is transmitted over HTTPS/TLS encryption in transit. Your data is stored in Supabase's cloud infrastructure, which provides encryption at rest using AES-256. Google OAuth tokens are stored securely in our database and are only accessible via authenticated, server-side API routes using a service role key that is never exposed to the client. We do not store your Google password. Access to our database and hosting infrastructure is restricted to authorized project administrators. We follow the principle of least privilege — our application only requests the minimum Google API scopes necessary to provide scheduling functionality.

Your rights

You can revoke Suppy's access to your Google Calendar at any time by visiting your Google Account permissions page. You can leave any group at any time. To request deletion of your data, contact us at the email below.

Contact

For privacy questions or data deletion requests, email suppy559@gmail.com.