Last updated: 6 June 2026
LeapSync ("LeapSync", "we", "us", "our") provides a two-way calendar synchronisation service that mirrors events between calendar accounts you choose to connect — Google Calendar and Microsoft 365 / Outlook.com — and an optional read-only Apple/ICS feed. This policy explains what we collect, why, how we protect it, and the choices you have. Questions: hello@leapsync.app.
Your email address, and an optional display name, used to create your account and sign you in. LeapSync is passwordless — we never collect or store a password. You sign in with a one-time email magic link or with "Sign in with Google/Microsoft".
When you connect a calendar, the provider gives us an OAuth access/refresh token scoped to your calendar. We store the refresh token encrypted at rest (AES-256-GCM) so we can keep your calendars in sync without asking you to reconnect.
To mirror an event we read the fields needed to recreate it on the other calendar: title/subject, start and end times, location, description, recurrence, free/busy status, and the provider's event identifier. Depending on the sync mode you choose, a mirrored copy may show only "Busy" rather than these details.
We request calendar scopes only. We do not read your email, contacts, files/Drive, or any data outside the calendars you explicitly connect.
Paid plans are processed by Stripe. We store your Stripe customer and subscription identifiers and your plan status. We never see or store your card number — Stripe handles payment details directly.
Standard request logs (e.g. IP address, timestamp, error traces) generated by our infrastructure provider for security and reliability, retained only as long as needed for those purposes.
We do not sell your personal data, and we do not use your calendar content for advertising or to train machine-learning models.
LeapSync is designed to hold as little as possible. The mirrored events themselves live in your connected calendars, not on our servers. In our database we keep the mapping between an original event and its mirror (provider event IDs), change markers (etag / changeKey), and a one-way content hash used to detect duplicate writes and stop sync loops. We do not retain a copy of your event titles, descriptions, or attendee lists in our database.
How we use Google user data. When you connect a Google account, LeapSync accesses your Google Calendar data (event title/subject, start and end times, location, description, recurrence, free/busy status, and event identifiers) and the OAuth token Google issues, solely to:
We do not use Google user data for advertising, and we do not use it to train, develop, or improve generalised AI/ML models.
With whom we share, transfer, or disclose Google user data. We do not sell, rent, or share your Google user data with any third party for their own purposes. We do not transfer it to advertisers, data brokers, analytics providers, or AI/ML training pipelines. The only party that ever processes Google user data is our hosting subprocessor, Cloudflare, which securely hosts the Service and stores your encrypted authorization token in our database strictly on our behalf and under our instructions; it may not use Google user data for any other purpose. Beyond this, we disclose Google user data only with your consent, or where required by law (e.g. a valid legal request). Our other service providers — Stripe (billing) and Resend (email) — do not receive any Google user data.
When you connect a Microsoft account we use Microsoft Graph calendar permissions only (read/write your calendar, plus basic profile to identify the connected account). We handle this data on the same Limited-Use basis described above and in accordance with the consent you grant at sign-in.
Each processes data only to provide its service to us.
Refresh tokens are encrypted at rest; access is over TLS; admin access is separated from user accounts. We keep your data while your account is active. If you disconnect a calendar or delete your account, the associated tokens and sync state are deleted within 30 days. Mirror events LeapSync already created remain in your calendars — you can keep or delete them.
You can access, export, correct, or delete your data, and withdraw calendar access at any time (disconnect in the app, or revoke from your Google/Microsoft account security settings). Depending on where you live (e.g. EEA/UK under GDPR, or California under CCPA/CPRA) you may have additional rights. To exercise any of them, email hello@leapsync.app and we will respond within 30 days.
LeapSync runs on globally distributed infrastructure, so your data may be processed in countries other than your own, with appropriate safeguards. The service is not directed to children under 16, and we do not knowingly collect their data.
We may update this policy as the product evolves. Material changes will be reflected by the "Last updated" date above and, where appropriate, by email.
LeapSync — hello@leapsync.app.