Travel time

Privacy Policy

Only the data we need to make Travel Time work — nothing more. This policy covers what Google user data we access, what else we collect, how we protect it, and how long we keep it.

Last updated: June 12, 2026

Google User Data We Access and Store

Stored: your Google profile (name, email, profile image); OAuth access and refresh tokens; which calendars you enable (calendar ID and name); your travel and account settings (starting address, travel mode, buffer time, return-travel preferences, business-hours rules, and related options); for calendar events that trigger travel blocks — the source event ID, location, start and end times, and recurrence metadata; travel events we create on your calendar (title, times, IDs, origin and destination addresses, route duration and distance); short-lived event ID and etag records used to deduplicate webhook notifications (deleted within 24 hours); and your Stripe customer ID for billing.

Read from Google but not stored: your main calendar event titles and attendee response status — used in memory to decide whether to create travel blocks, then discarded. We do not persist your meeting titles, guest lists, or full event descriptions.

We do not use Google user data to train models, sell your calendar, or for purposes beyond operating Travel Time.

Other Data We Collect

  • Contact form: if you reach out via our contact page, we receive your email and message. These are emailed to our team via Resend and are not stored in our database.
  • Billing: payment and subscription details are handled by Stripe. We store only your Stripe customer ID — not card numbers or billing addresses.
  • Product email: if you sign up, we may send onboarding and trial-related messages via Resend, such as reminders to set your starting address or upgrade before your trial ends.
  • Analytics: we use Vercel Analytics and Google Tag Manager on our website. These services may collect page-view and usage data according to their own policies.
  • Route cache: when enabled, we may temporarily cache route calculation results in Redis using hashed address pairs to reduce repeat calls to Google's routing API.

How We Use It

Google user data and account data are used only to provide and improve Travel Time:

  • Authenticate your account and connect to your Google Calendar
  • Read event times and locations, calculate travel duration via Google Routes, and create, update, or remove travel blocks on your calendar
  • Store your settings and preferences
  • Process subscriptions and free trials via Stripe
  • Send product and support emails via Resend
  • Generate mileage reports on the Business plan from stored travel data
  • Operate and troubleshoot the service (server logs may include user emails, calendar IDs, addresses, and event IDs)

We don't sell or share Google user data for ads, use your calendar to target ads, transfer it to third parties except to operate the service or when required by law, or store more than needed to run the product.

Third-Party Services

We share data with these providers only as needed to run Travel Time:

  • Google — OAuth sign-in, Calendar API, Routes API, Geocoding API, and Maps Places (address autocomplete in your browser)
  • Stripe — subscription billing and payment processing
  • Resend — product, contact form, and account-deletion request emails
  • Vercel — hosting, analytics, and scheduled tasks (such as renewing calendar webhooks and lifecycle emails)
  • Redis — optional route result caching

Data Protection

  • Encryption in transit: HTTPS (TLS) between your browser, our servers, and third-party APIs
  • Encryption at rest: industry-standard encryption on our hosted database
  • Access controls: data is per-account and only reachable via authenticated API requests
  • Credential security: OAuth tokens stay server-side and are used only for calendar operations you authorized
  • Session security: signed session cookies with a limited lifetime
  • Least-privilege access: only calendar.readonly and calendar.events scopes, plus basic profile and email for sign-in. Revoke access anytime via Google account permissions.
  • Security procedures: production access limited to authorized personnel

Cookies

We use session cookies to keep you signed in (via NextAuth), and a plan-preference cookie so the site remembers whether you selected Personal or Business. Google Tag Manager may set additional cookies according to its configuration.

Retention, Deletion, and Google Policy

We keep Google user data while your account is active and delete or anonymize it within a reasonable period after you revoke calendar access or request deletion, except where law requires otherwise. Travel Time adheres to the Google API Services User Data Policy (Limited Use): Google user data is used only for user-facing features in Travel Time.

To request account deletion, use the button below if you are signed in, or contact us. Deletion requests are processed manually by our team.

Account Management

You have full control over your account and data.

Questions?

Reach out via our contact page. We're real humans and happy to help.