What we store, and what we don't.
Last updated: 2026-06-07
Kithcal is a family calendar. To do that job, it needs to store some information about you and the events you put on it. The rest of this page says exactly what — in plain English.
What Kithcal stores
- Your email address — used only to send you a sign-in link, and notification emails you've opted into.
- Your display name and color — shown to other people in your family on the calendar.
- Calendar events — date, time, title, location, notes, who's assigned, who signed up.
- Care notes — whatever you chose to write about your kids (allergies, pediatrician, routines). Visible to people you've added to your calendar.
- Sign-in sessions — to keep you logged in across visits.
- Passkey records — if you set up Face ID, Touch ID, or Windows Hello for Kithcal, we store a public key + a device label you chose (e.g., "My iPhone"). Your face or fingerprint itself never leaves your device— that data stays in your phone or computer's secure enclave. Kithcal only sees the public-key receipt your device sends.
What Kithcal doesn’t store
- Passwords. There aren't any. Sign-in is link-only — we email you a button to tap, no passwords.
- Payment information. The product is free.
- Location data, contacts, browsing history, or anything from your phone outside the app.
- Third-party analytics, tracking pixels, or external scripts. The small first-party event log Kithcal keeps for its own product judgment is described in "How we measure what's working" below.
Children's data
Kithcal doesn't collect any information directly from children. The care notes you write about your kids — allergies, pediatrician, bedtime routines, anything else — are entered by you as a parent or guardian and visible only to the family members you've added to your calendar. Kithcal does not knowingly collect personal information from anyone under 13. If you believe a child's information was added by someone other than their parent or guardian, email hello@kithcal.com and we'll remove it.
Who can see your calendar
Only the people you've added to it. Calendar data is isolated per-family at the database level (Postgres row-level security). Members can't see other families' calendars. Owners can see other members' email addresses; non-owner members cannot.
Who Kithcal shares your data with
Nobody. Your data isn't sold, rented, traded, or shared with advertisers. The infrastructure providers that run the product (Supabase for the database, Resend for email delivery, Vercel for hosting, Cloudflare for DNS) process data on Kithcal's behalf — they are not data partners and they can't use your data for anything outside of running the service.
How your data is protected
Connections to Kithcal are encrypted (HTTPS). At the database level, each family's data is isolated by Postgres row-level security — your family's events, members, and notes can only be read by accounts you've added. We don't store passwords (sign-in is link- or code-based). Internal access to production is restricted to what's needed to keep the service running.
Security alerts to the maintainer
When something high-trust happens on your account — a new Face ID / Touch ID / Windows Hello is registered, a calendar is deleted, a family member is removed, or a role is changed — Kithcal sends a short notification to the maintainer (Kenneth) at hello@kithcal.com. These alerts contain just enough to spot something fishy (your email, what happened, when) and no calendar contents. If a stranger ever gained access to your account, this is the trip-wire that catches it.
How we measure what's working
To know which parts of Kithcal people actually use, we record a small number of eventsin our own database: when someone joins a family, creates an event, claims an open slot, signs up, taps "running late," or renames themselves. We also record which page got visited (the path only, like /help or/[your-family] — never query strings, never tokens). Each row contains an event name, a timestamp, and at most a family-and-member ID (UUIDs that already live in your data) — no names, no emails, no addresses.
What Kithcal explicitly does NOTdo, and won't while we're storing kids' data:
- No session recordings (no Hotjar, no FullStory — nothing records your screen).
- No heatmaps or click-path tracking.
- No Google Analytics or third-party advertising/marketing trackers.
- No cross-site tracking, fingerprinting, or behavioral profiling.
- No cookies for tracking. The only cookies we set are the sign-in session cookie and a few in-browser preferences (like "don't show the install prompt for 14 days").
The data stays in our own Supabase database. The only person who reads it is Kenneth, via an owner-only admin page. Aggregate counts (e.g., "15 invites were redeemed this week") inform what we build next; we never single out individual usage and never share, sell, or otherwise pass this data along. If you want your activity data removed, email hello@kithcal.com and we'll delete it.
How long we keep it
Your data sticks around as long as your calendar exists. Delete the calendar from Settings → Danger Zone and everything tied to it — events, members, comments, notification logs — is removed irreversibly. Inactive accounts aren't automatically purged; if you want yours removed, email hello@kithcal.com.
Deleting your data
If you're the owner of a calendar, you can delete it from Settings → Danger Zone. That removes the calendar, every event, every member, every comment, every notification log entry — irreversibly. If you're a member of someone else's calendar and want to be removed, ask the owner to remove you (or email hello@kithcal.com and we'll handle it).
If you're in California
California's CCPA gives you specific rights: to know what personal information Kithcal collects (listed above), to ask us to delete it (via Settings or by emailing hello@kithcal.com), and to non-discrimination if you exercise those rights. Kithcal doesn't sell personal information — there's nothing to opt out of.
If something goes wrong
If Kithcal ever has a security incident that affects your data, we'll email you and post a notice on the site within a reasonable time — typically within 72 hours of discovery. We take this seriously even at family scale.
Questions
Email hello@kithcal.com. A real person reads it.