Privacy Policy

Last updated: April 2026

In plain English

MintCal is a booking platform. We collect the minimum data needed to run the service. We don't sell your data, we don't run ads, and we don't share your information with third parties except the ones needed to make the product work (email delivery, payment processing, calendar sync). You can export or delete all your data at any time.

What we collect

Account information

Name, email address, and password (hashed, we can't read it). If you sign in with Google, we receive your name, email, and profile picture from Google.

Booking data

Event types you create, bookings you receive, attendee names and emails, meeting notes, and any custom questions/answers.

Calendar integration

If you connect Google Calendar, we store OAuth tokens (encrypted at rest) to create and manage calendar events on your behalf. We only access your calendar with the permissions you grant.

Payment information

If you connect a payment provider, we store API credentials (encrypted at rest) to process payments. We never see or store credit card numbers — those are handled by your payment provider (Stripe, PayFast, etc.).

Usage data

Page views on your booking page (anonymized visitor hash from IP + user agent — we don't store raw IPs), booking analytics, and feature usage.

How we use your data

  • To provide the booking service (creating events, managing bookings, sending emails)
  • To sync with your calendar (Google Calendar events, Meet links)
  • To process payments on your behalf (via your connected payment provider)
  • To send transactional emails (booking confirmations, reminders, cancellations)
  • To show you analytics about your booking page performance
  • To improve the product (aggregate, anonymized usage patterns)

Third parties

We use these services to run MintCal:

  • Resend — email delivery
  • Google — calendar sync and OAuth login
  • Payment providers (Stripe, PayFast, DodoPayments, Yoco, etc.) — payment processing
  • Hetzner — server hosting (EU-based, GDPR compliant)

We do not sell, rent, or share your data with advertisers or data brokers.

Data security

  • Passwords hashed with bcrypt (12 salt rounds)
  • OAuth tokens and payment credentials encrypted at rest (AES-256-GCM)
  • All traffic encrypted with HTTPS (TLS)
  • Session cookies: httpOnly, secure, SameSite=Lax
  • Rate limiting on authentication and booking endpoints
  • Security headers: HSTS, CSP, XSS protection

Your rights

  • Access — view all data we have about you (Settings)
  • Export — download all your data in JSON format (Settings → Export My Data)
  • Delete — permanently delete your account and all data (Settings → Delete Account)
  • Correct — update your information at any time
  • Withdraw consent — disconnect integrations or delete your account

Cookies

We use one essential cookie:

  • mintcal-session — keeps you logged in. Essential. Expires after 30 days.

We do not use advertising cookies, tracking pixels, or analytics cookies.

Data retention

We keep your data while your account is active. When you delete your account, all data is permanently removed within 30 days.

Where your data lives

Our servers are hosted by Hetzner in Helsinki, Finland (EU). Your data is subject to GDPR protections.

Contact

For privacy questions: privacy@mintcal.app