Calpado Privacy Policy
Summary
Calpado is a personal task layer for the web. When you sign in and grant the extension permission to read the pages you visit, we store the URL, title, favicon, and og:image of the pages you choose to attach a task or note to. That data is used only to make your own tasks and notes useful — it is never sold, never used for advertising, and never shared with third parties.
What we collect
| Category | What it is | Why we need it |
|---|---|---|
| Email address | The address you signed up with | Account login and password reset |
| Authentication token | A random opaque token stored in chrome.storage.local and in our database (SHA-256 hashed at rest) |
Keep you signed in across browser restarts |
| Web pages you attach to | The canonical URL, document title, favicon URL, and og:image URL | Resolve the active tab to a "resource" you can attach tasks/notes to. The badge count requires checking whether you have open tasks for the current URL. |
| Tasks, notes, comments, tags you create | Plain text plus metadata (due date, priority, assignee) | This is the product. We store it so you can read it back. |
We do not collect:
- Page contents (HTML body, form input, secrets on the page)
- Browsing history across tabs you didn't activate Calpado on
- Analytics or telemetry events
- Crash reports with personally-identifying data
How we use it
- To render your tasks, notes, and the badge count.
- To send transactional email (password reset, invites).
Who we share it with
- Nobody, by default. Calpado is single-tenant for you and anyone you explicitly invite to your workspace.
- Hosting provider (Hetzner, Germany). Hetzner processes data on our behalf under their data processing agreement.
- Legal compliance — if compelled by a valid legal order.
Where it lives
All data is stored on Hetzner Cloud servers in the European Union. All traffic is over HTTPS; refresh tokens are SHA-256 hashed at rest.
Retention
- While your account is active, data is kept indefinitely.
- When you delete a task, note, or workspace, it is soft-deleted and permanently removed after 30 days.
- If you delete your account, we remove all your data within 30 days.
Your rights
- Delete individual items from the UI
- Delete your account and have all your data removed
- Revoke the extension's site access at
chrome://extensionsat any time - Email privacy@calpado.com to exercise GDPR/CCPA rights
Children
Calpado is not directed to children under 13 and we do not knowingly collect data from them.
Contact
Changes
We will note the date at the top of this document when this policy changes materially and email registered users when changes affect how their data is processed.