Privacy Policy

Effective April 18, 2026

1. Introduction

This Privacy Policy describes how Time Boxing Life ("we," "us," or "the Service"), operated as an individual sole proprietorship based in the United States, collects, uses, and protects information when you use timeboxinglife.com and related services (the "Service"). By using the Service, you agree to the practices described here.

2. Information We Collect

2.1 Account information

When you sign up, we collect your email address and an encrypted password (or, if you sign in with Google, your Google account email and basic profile information). We may also store a display name and timezone you provide.

2.2 Application data

We store the tasks, time blocks, schedules, tags, modes, priorities, and notes you create in the app. This data is necessary to provide the core planning functionality.

2.3 Google account & Calendar data

If you connect your Google account, we request access to the following Google API scopes:

  • openid, userinfo.email, userinfo.profile — to identify you and display your account email.
  • https://www.googleapis.com/auth/calendar — to create and manage a dedicated "TimeBox" calendar in your Google account.
  • https://www.googleapis.com/auth/calendar.events — to read events from your existing calendars (so we can show conflicts) and write your time blocks back to your TimeBox calendar.

We receive an OAuth refresh token from Google so that scheduled syncing can run in the background. This refresh token is encrypted at rest in our database using a server-side encryption key (pgcrypto) and is never exposed to client-side code or third parties.

2.4 Technical data

We collect basic server logs (IP address, request paths, error messages) to operate and secure the Service. We do not use third-party analytics or advertising trackers.

3. How We Use Your Information

  • To authenticate you and provide the planning features you request.
  • To synchronize your time blocks with your Google Calendar and detect scheduling conflicts with your existing events.
  • To debug errors, prevent abuse, and maintain Service security.
  • To respond to your support inquiries.

We do not sell your data. We do not share it with advertisers. We do not use it to build advertising profiles.

4. Google API Services User Data Policy

Time Boxing Life's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Google user data we receive is used only to:

  • Provide or improve user-facing features visible in the Time Boxing Life UI.
  • Read calendar events to detect conflicts with the time blocks you schedule.
  • Create and update events on a dedicated "TimeBox" calendar you authorize.

We will never:

  • Transfer your Google user data to others, except as needed to provide or improve the user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
  • Use your Google user data for serving advertisements.
  • Allow humans to read your Google user data, except: (a) with your explicit consent for specific data items; (b) when necessary for security purposes such as investigating abuse; (c) to comply with applicable law; or (d) for internal operations where the data has been aggregated and anonymized.
  • Use your Google user data to train generalized AI or machine learning models.
  • Sell your Google user data.

5. Data Storage & Security

Your data is stored in a managed Postgres database hosted by Supabase in a US region. All data in transit is encrypted via TLS. Your Google OAuth refresh token is encrypted at rest with a key held only on the server. Database access is gated by row-level security policies that restrict each user to their own rows.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and the appropriate authorities as required by applicable law.

6. Data Retention & Deletion

We retain your data for as long as your account is active. You can:

  • Disconnect Google Calendar at any time from the Settings page. This revokes our refresh token and stops all syncing. We will delete the encrypted refresh token from our records.
  • Delete your account by emailing romo@happyendings.com. We will delete your application data and Google tokens within 30 days, except where retention is required by law.

You can also revoke our access directly from your Google Account permissions page.

7. Subprocessors

We rely on the following third parties to operate the Service:

  • Supabase — database, authentication, and file storage (US).
  • Cloudflare — edge hosting and TLS termination.
  • Google — OAuth identity and Google Calendar API (only when you connect your Google account).

8. Your Rights

Depending on where you live, you may have rights under laws such as the CCPA or GDPR, including the right to access, correct, export, or delete your personal information, and to object to certain processing. To exercise any of these rights, email us at romo@happyendings.com.

9. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, please contact us so we can delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the new effective date at the top of this page and, for material changes, notify you by email or in-app notice.

11. Contact

For privacy questions or requests, email romo@happyendings.com.