How Hetk handles your data
Hetk syncs calendar events between your accounts. Here’s how we protect your data at every step.
The guiding principle is to hold as little as possible. Hetk needs enough to keep your calendars in step and nothing more, so the system is built to read what it must, store the minimum required to avoid duplicates and stay accurate, and forget the rest. The sections below spell out exactly what that means in each phase: how we connect, what we touch, what we keep, and what we deliberately don’t.
Authentication
- Google and Microsoft: Hetk uses OAuth 2.0 to connect to your calendars. We never see or store your Google or Microsoft password. You grant access through the provider’s own consent screen, and you can revoke access at any time from your Google or Microsoft account settings.
- Apple iCloud: Apple doesn’t offer OAuth for calendar access. Hetk connects via CalDAV using an app-specific password that you generate in your Apple ID settings. This password only grants calendar access. You can’t use it to sign in to your Apple account, make purchases, or reach other Apple services.
What data we access
Hetk reads and writes calendar events in the calendars you select. Specifically:
- Event title, description, location, start/end times, and timezone
- Free/busy status and privacy/visibility settings
- Attendee list and organizer
- Event creation and modification timestamps
We do not access your email, contacts, files, or anything else outside the calendars you selected.
What data we store
- OAuth tokens: Encrypted at rest, used to maintain your calendar connections. Hetk refreshes them automatically in the background so you don’t have to reconnect every hour. When you revoke access from your Google or Microsoft account, or delete your Hetk account, the tokens stop working and are removed. We never store the refresh token in plain text.
- Synced event metadata: We track which events Hetk has synced to prevent duplicates and enable accurate updates. This includes event IDs, ETags, start/end times, and sync timestamps. We do not store event titles, descriptions, locations, or attendees.
That last point is worth dwelling on, because it’s the part people assume can’t be true. To copy an event from one calendar to another, Hetk reads its content at the moment of the sync, writes it to the target, and keeps only the bookkeeping needed to recognise the same event next time it changes. The title of your 3 PM meeting passes through; it does not land in a database row with your name on it. If Hetk’s database were somehow exposed, what an attacker would find is a list of opaque identifiers and timestamps, not the substance of anyone’s schedule.
Encryption
- In transit: All connections use TLS 1.2+ (HTTPS). API calls to Google, Microsoft, and Apple are encrypted end-to-end.
- At rest: We host the database on Azure SQL with transparent data encryption (TDE) enabled. OAuth tokens are encrypted before storage.
Infrastructure
- Hosting: Azure App Service (North Europe region), with automatic OS and runtime patching.
- Database: Azure SQL Database with automated backups and point-in-time restore.
- DNS and CDN: Cloudflare with strict SSL, DNSSEC, and DDoS protection.
Data retention and deletion
- Account deletion: You can delete your account at any time from the app settings. This permanently removes all your data: OAuth tokens, sync relationships, synced event metadata, and account information. There is no undo.
- Sync relationship deletion: Deleting a sync relationship removes all associated metadata. Events that were already synced to your target calendar remain there (they are now regular events in your calendar).
Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Google Calendar API | Calendar sync | Calendar events in selected calendars |
| Microsoft Graph API | Calendar sync | Calendar events in selected calendars |
| Apple CalDAV | Calendar sync | Calendar events in selected calendars |
| Stripe | Payment processing | Email, subscription plan, payment method (Hetk does not store card numbers) |
| Azure | Hosting and database | All application data (encrypted at rest) |
| Cloudflare | DNS, CDN, SSL | HTTP request metadata (IP, headers) |
Organization-wide privacy policy
IT admins at organisations using Google Workspace or Microsoft 365 can enforce a domain-wide privacy policy via DNS. When enabled, all calendar events synced from users at that organisation are automatically marked as private, with titles and details stripped. The policy is controlled by a DNS TXT record and requires no admin login or OAuth approval. See Domain-verified Privacy Policy for details and setup.
Responsible disclosure
If you find a security issue, we want to hear about it before anyone else does. Email security@hetk.io with steps to reproduce, and we’ll confirm receipt and work with you on a fix. We ask only that you give us a reasonable window to investigate and patch before disclosing publicly, and that you avoid accessing or modifying other people’s data while testing. Reports made in good faith are welcome; we won’t pursue action against researchers who follow these guidelines.
Your controls
Security isn’t only what we do on our side. The settings that matter most are in your hands:
- Revoke any time: Google and Microsoft both let you revoke Hetk’s access from your account’s security settings, independently of Hetk. Apple app-specific passwords can be deleted from your Apple ID page. Revoking access stops sync immediately.
- Choose what syncs: Hetk only touches the calendars you explicitly select. A calendar you don’t add is a calendar Hetk never sees.
- Limit what travels: Per-sync privacy controls let you reduce events to a plain “Busy” block on any calendar you don’t fully trust, so the time is reserved without the details following along.
Company
Hetk Technologies OÜ is registered in Estonia (Registry Code: 17181483). For security questions, contact security@hetk.io. See our Privacy Policy for how we handle personal data, and the Contact page for support and privacy requests.