Security
How Hetk protects your calendar data — OAuth authentication, encryption, data handling, and infrastructure.
How Hetk handles your data
Hetk syncs calendar events between your accounts. Here’s how we protect your data at every step.
Authentication
- Google and Microsoft: Hetk uses OAuth 2.0 to connect to your calendars. We never see or store your Google or Microsoft password. You grant access through the provider’s own consent screen, and you can revoke access at any time from your Google or Microsoft account settings.
- Apple iCloud: Apple doesn’t offer OAuth for calendar access. Hetk connects via CalDAV using an app-specific password that you generate in your Apple ID settings. This password only grants calendar access — it cannot be used to sign in to your Apple account, make purchases, or access other Apple services.
What data we access
Hetk reads and writes calendar events in the calendars you select. Specifically:
- Event title, description, location, start/end times, and timezone
- Free/busy status and privacy/visibility settings
- Attendee list and organizer
- Event creation and modification timestamps
We do not access your email, contacts, files, or any other data outside of your selected calendars.
What data we store
- OAuth tokens: Encrypted at rest, used to maintain your calendar connections. Refreshed automatically.
- Synced event metadata: We track which events have been synced to prevent duplicates and enable accurate updates. This includes event IDs, ETags, start/end times, and sync timestamps. We do not store event titles, descriptions, locations, or attendees.
Encryption
- In transit: All connections use TLS 1.2+ (HTTPS). API calls to Google, Microsoft, and Apple are encrypted end-to-end.
- At rest: The database is hosted on Azure SQL with transparent data encryption (TDE) enabled. OAuth tokens are encrypted before storage.
Infrastructure
- Hosting: Azure App Service (North Europe region), with automatic OS and runtime patching.
- Database: Azure SQL Database with automated backups and point-in-time restore.
- DNS and CDN: Cloudflare with strict SSL, DNSSEC, and DDoS protection.
Data retention and deletion
- Account deletion: You can delete your account at any time from the app settings. This permanently removes all your data — OAuth tokens, sync relationships, synced event metadata, and account information. This is irreversible.
- Sync relationship deletion: Deleting a sync relationship removes all associated metadata. Events that were already synced to your target calendar remain there (they are now regular events in your calendar).
Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Google Calendar API | Calendar sync | Calendar events in selected calendars |
| Microsoft Graph API | Calendar sync | Calendar events in selected calendars |
| Apple CalDAV | Calendar sync | Calendar events in selected calendars |
| Stripe | Payment processing | Email, subscription plan, payment method (Hetk does not store card numbers) |
| Azure | Hosting and database | All application data (encrypted at rest) |
| Cloudflare | DNS, CDN, SSL | HTTP request metadata (IP, headers) |
Company
Hetk Technologies OÜ is registered in Estonia (Registry Code: 17181483). For security questions, contact privacy@hetk.io. See our Privacy Policy for how we handle personal data.