Privacy Policy

Last updated: April 10, 2026

Une version française de cette politique est disponible sur demande à hello@all-apps.org.

All-Apps.org is operated by a company incorporated in Montreal, Quebec, Canada. This policy explains what personal information we collect, why we collect it, and how we protect it. It covers all products and services available through all-apps.org, myaccount.all-apps.org, and all product subdomains.

The short version: We collect only what we need to run the service. We don't sell your data, we don't show ads, and we don't track you across the web. We make money from subscriptions, not from your personal information.

1. Information we collect

Information you provide

  • Account information: name, email address, and password (stored hashed, never in plain text)
  • Profile information: profile picture (optional)
  • Payment information: processed by Stripe — we do not store credit card numbers, only a reference to your Stripe customer record
  • Referral codes: if you participate in our referral program

Information collected automatically

  • Session data: IP address and browser user agent, stored with your session for security purposes (e.g., detecting unauthorized access)
  • Request logs: HTTP method, path, status code, response time, and IP address — retained for debugging and abuse prevention
  • Product usage events: anonymized feature usage events to understand how products are used (e.g., "calendar synced", "alert created")

Information from third parties

If you sign in with a social account (Google, Apple, Facebook, LinkedIn, TikTok, or Instagram), we receive your name, email, and profile picture from that provider. We also store OAuth tokens needed to maintain the connection. We never post on your behalf or access data beyond what's needed for authentication.

2. How we use your information

  • To provide the Service: authenticate you, manage subscriptions, process payments, and deliver product features
  • To communicate with you: send email verification, password reset links, and service-related notifications
  • To protect the Service: detect fraud, prevent abuse, and enforce our Terms of Service
  • To improve the Service: understand usage patterns and fix bugs (using aggregated, non-personally-identifiable data)

We do not use your information for advertising, profiling, or any purpose unrelated to providing and improving the Service.

3. Cookies and session management

We use a single session cookie to keep you logged in. This cookie is scoped to the .all-apps.org domain so your session works across all our subdomains (myaccount, product apps) without requiring separate logins.

  • Session cookie: expires after 30 days of inactivity, refreshed automatically while you're active
  • Theme preference: a local cookie to remember your light/dark mode choice

We do not use tracking cookies, analytics cookies, or any third-party cookies. There are no advertising trackers on our site.

4. How data flows across our products

All-Apps.org uses a centralized identity model. Your account, subscriptions, and billing are managed at myaccount.all-apps.org — the single source of truth for your identity.

Individual products (Sync Calendars, Job Alerts, etc.) can verify your subscription and track usage events via our internal API, but they cannot create accounts, modify your profile, or access your payment information. Each product only receives the minimum information needed: your user ID and subscription status.

Product-specific preferences and settings are stored in each product's own database, separate from your identity data.

5. Product-specific data

Sync Calendars

Connects to your Google Calendar accounts using OAuth 2.0 to sync events between calendars. Permissions depend on the account role:

  • Source account (read-only): reads your calendar events. We never modify your source calendar.
  • Destination account (read/write): creates a dedicated calendar and manages synced events within it. We never touch your existing calendars.

What we store: sync rule configuration (which calendars, field preferences), connected account metadata (Google email, encrypted OAuth tokens), and an activity log (sync actions with event IDs, not event content). OAuth tokens are encrypted at rest using AES-256-GCM.

What we do NOT store: event content. Titles, descriptions, locations, and attendees are read from Google and written to Google in real time — nothing is cached on our servers.

Field-level privacy control: time and duration are always synced. Title is on by default (can be replaced with "Busy"). Location is off by default (opt-in per rule). Description is never synced.

You can revoke access from the Connected Accounts page in the app or from your Google Account permissions. We never access Gmail, Drive, or any other Google service.

Job Alerts

Stores your job search preferences (target companies, job titles, locations) and sends email notifications when matching positions are found. Your resume data, if uploaded, is stored securely and used only for matching — it is never shared with employers or third parties.

Gamify Your Life

Stores your goals, habits, milestones, and progress data. This information is private to your account and is not shared with other users or third parties.

6. Third-party services

We share your information with the following third parties, only as needed to operate the Service:

  • Resend (email delivery) — receives your email address and name to send transactional emails (verification, password reset). Resend's privacy policy
  • Stripe (payment processing) — receives your payment details when you subscribe. We never see or store your full card number. Stripe's privacy policy
  • Cloudflare (CDN and DNS) — routes traffic to our servers. Cloudflare may process your IP address and request metadata. Cloudflare's privacy policy
  • Social login providers (Google, Apple, Facebook, LinkedIn, TikTok, Instagram) — only if you choose to sign in with one of these services. We receive basic profile information; each provider's own privacy policy governs their handling of your data.

We do not sell or rent your personal information to anyone. We do not use any advertising networks or analytics platforms that track users across websites.

7. Data security

  • All data is encrypted in transit (TLS/HTTPS)
  • Passwords are hashed using industry-standard algorithms — we cannot read your password
  • OAuth tokens are stored encrypted at rest
  • API keys are stored as SHA-256 hashes — the original key cannot be recovered
  • Our infrastructure is self-managed on Hetzner Cloud servers in Finland (EU)

No system is perfectly secure. If we discover a data breach that affects your personal information, we will notify you and the relevant authorities as required by law.

8. Data retention

  • Account data: retained while your account is active, deleted within 30 days of account deletion
  • Session data: automatically expired after 30 days of inactivity
  • Request logs: retained for up to 90 days for debugging and security, then deleted
  • Payment records: retained as required by tax and financial regulations (typically 7 years)
  • Fraud signals: retained for up to 2 years to protect the Service from repeat abuse

9. Your rights

Regardless of where you live, you can:

  • Access your data: view your profile, subscriptions, and activity from your dashboard
  • Correct your data: update your name, email, and password from your profile
  • Export your data: request a copy of all data we hold about you
  • Delete your account: request full deletion of your account and personal data
  • Withdraw consent: revoke social login connections or opt out of non-essential communications

For residents of Quebec and Canada

Under Quebec's Act respecting the protection of personal information in the private sector (Law 25) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access, correct, and request deletion of your personal information. We process your data based on your consent and our contractual obligations to provide the Service.

For residents of the European Union

Under the General Data Protection Regulation (GDPR), you have additional rights including data portability, restriction of processing, and the right to object. Our legal basis for processing is contractual necessity (to provide the Service you signed up for) and legitimate interest (security and fraud prevention). You may lodge a complaint with your local supervisory authority.

For residents of California

Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect, request its deletion, and opt out of its sale. We do not sell personal information.

10. Children's privacy

The Service is not intended for anyone under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has created an account, please contact us and we will promptly delete it.

11. International data transfers

Our servers are hosted on Hetzner Cloud in Finland (EU). Your data is stored and processed within the European Union. Our company is incorporated in Montreal, Quebec, Canada — a jurisdiction recognized by the European Commission as providing an adequate level of data protection for any operational data processed outside the EU.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email or through the Service at least 14 days before they take effect. The previous version will remain available so you can see what changed.

13. Contact

For any privacy-related questions, data requests, or concerns, contact us at hello@all-apps.org.

If you are not satisfied with our response, you may file a complaint with the Commission d'accès à l'information du Québec or the Office of the Privacy Commissioner of Canada.