Momentum Calendar — Legal
PRIVACY POLICY
Summary: Momentum Calendar reads your device calendar to display events. It never sells your data, never uses it for advertising, and your calendar events never leave your device. You control everything.
1. Who We Are
Momentum Calendar is developed and operated by Hayden Mason-Bedford, trading as HMB Digital, a sole trader based in Worcester, United Kingdom.
Data Controller: Hayden Mason-Bedford (HMB Digital)
Contact: [email protected]
This policy applies to the Momentum Calendar Android application and describes how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Access
2.1 Calendar Data (via Android CalendarContract)
What we access: event titles, descriptions, locations, attendee email addresses and names, start and end times, recurrence rules, and calendar account metadata (name, colour, account type) from all calendars synced to your Android device — including Google Calendar, Microsoft Outlook, and any other provider you have configured.
How it is accessed: using the Android OS CalendarContract content provider via the device_calendar Flutter plugin. This is a local, on-device read. Your calendar data is never transmitted to our servers or any third party.
Why: to display your events, create new events, edit existing events, and delete events — the core function of the app.
Legal basis (UK GDPR): legitimate interests (providing core calendar functionality you have expressly requested).
2.2 Google Account (Google Sign-In)
What we access: your Google account email address, display name, and profile picture.
Why: to authenticate your identity and to sync your personal app preferences (default calendar view, travel settings, saved home address) to the Momentum backend so they are available across reinstalls.
Data flow: your Google account token is exchanged with Google's OAuth 2.0 servers. We receive and store only your email address as a user identifier on our backend.
Legal basis (UK GDPR): consent — you initiate Google Sign-In by tapping "Sign in with Google".
2.3 Google Places API (Pro and Advanced tiers)
What we access: location search queries you type into address fields (event location, home address in settings, travel block origin).
Why: to return address autocomplete suggestions as you type, making it faster to add accurate locations.
Data flow: your typed query is sent securely to the Google Places API. Only the text you type is transmitted — no background location tracking occurs.
Legal basis (UK GDPR): contract performance (this is a Pro/Advanced subscription feature you have opted into).
2.4 Google Maps Directions API (Advanced tier)
What we access: the origin address (e.g., your home address or a manually entered address) and the destination address of an event when you tap "Add Travel Block".
Why: to calculate realistic journey time and automatically create a travel buffer event in your calendar before the meeting.
Data flow: origin and destination are sent securely to the Google Maps Directions API. Results are used only to compute journey duration and are not stored by us.
Legal basis (UK GDPR): contract performance (Advanced subscription feature).
2.5 Google Play Billing
What we access: your subscription status (Free, Pro, or Advanced) and a purchase verification token issued by Google Play.
Why: to determine which features you have access to. We verify your subscription status on app launch and during purchase flows.
Data flow: the purchase token is validated against our backend, which queries the Google Play Developer API. We store only your subscription tier and its expiry date — not your payment details.
Legal basis (UK GDPR): contract performance.
2.6 Google Tasks API
What we access: your Google Task lists (names), and individual tasks within those lists — specifically: task title, notes/details, due date, and completion status.
Why: to display, create, edit, complete, and delete your Google Tasks directly within Momentum, so you can manage tasks alongside your calendar.
Data flow: task data is read from and written back to the Google Tasks API using your authenticated Google account. Task content is displayed in the app only — it is never transmitted to or stored on our servers.
Legal basis (UK GDPR): consent — Tasks access is part of the Google Sign-In flow you initiate.
2.7 Device Contacts (optional)
What we access: names and email addresses from your device contacts, with your explicit permission.
Why: to provide autocomplete suggestions in the attendees field when creating or editing an event.
Data flow: contacts are read locally on-device for autocomplete filtering. Contact data is not transmitted to our servers.
Legal basis (UK GDPR): consent (the app requests the READ_CONTACTS permission at runtime).
3. How We Use Your Data
| Data | Purpose | Sent to server? |
|---|---|---|
| Calendar events | Display in calendar views; create / edit / delete on device | No |
| Google account email | User authentication and identity on Momentum backend | Yes — identifier only |
| Location search queries | Address autocomplete via Google Places | To Google (Places API) |
| Origin/destination addresses | Travel time calculation via Google Maps Directions | To Google (Directions API) |
| Saved home address | Default travel origin in travel block feature | Yes — Momentum backend |
| App preferences | Persist settings across reinstalls | Yes — Momentum backend |
| Subscription token | Verify subscription tier (Free / Pro / Advanced) | To Google Play API (via our backend) |
| Google Tasks (lists, titles, notes, due dates) | Display and manage tasks within the app | No — synced to Google Tasks only |
| Device contacts | Attendee autocomplete in event forms | No |
We do not use your data for advertising, behavioural profiling, or marketing of any kind.
4. Data Sharing
We share data with third parties only to the extent required to provide the service:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Google LLC — Places API | Location search text | Address autocomplete (Pro/Advanced) |
| Google LLC — Directions API | Origin and destination addresses | Journey time calculation (Advanced) |
| Google LLC — Sign-In / OAuth | OAuth token exchange | User authentication |
| Google LLC — Tasks API | Task list names, task titles, notes, due dates, completion status | Read and write your Google Tasks (create, update, complete, delete) |
| Google LLC — Play Billing | Purchase verification token | Subscription validation |
| Momentum Backend (VPS, EU) | Email address, preferences, saved home address, subscription tier | Account sync and feature access |
Google's use of data received via their APIs is governed by the Google Privacy Policy and the Google API Services User Data Policy.
We do not sell, rent, or trade your personal data. We do not share your data with advertisers or data brokers.
5. Data Storage and Security
| Data Type | Where Stored | Protection |
|---|---|---|
| Calendar events | Your device only (Android CalendarContract) | Android OS security model |
| App settings (offline) | Device SharedPreferences | Android app sandboxing |
| Account preferences, saved locations | Momentum backend VPS (EU) | TLS in transit; encrypted storage at rest; access-controlled |
| Subscription status | Momentum backend VPS (EU) | TLS in transit; no payment card data stored |
| Payment / billing details | Google Play (not our servers) | Google's PCI-DSS compliant infrastructure |
Our backend server is hosted within the European Union. All communication between the app and our backend uses HTTPS/TLS 1.2 or higher. We apply the principle of least privilege — only the data necessary to deliver each feature is stored.
6. Data Retention and Deletion
- Calendar data: never stored by us; lives only on your device and is governed by your calendar provider's retention policy.
- Local app settings: deleted automatically when you uninstall Momentum Calendar.
- Backend account data (preferences, saved home address, subscription record): retained for as long as your account is active, and for up to 90 days after your last sign-in.
To request deletion of your backend data: email [email protected] with the subject line "Momentum Data Deletion Request". We will delete your data and confirm within 30 days.
7. Your Rights Under UK GDPR
If you are located in the UK or EEA, you have the following rights in relation to your personal data:
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal data ("right to be forgotten") |
| Restriction | Request that we limit how we use your data in certain circumstances |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent at any time (e.g., revoke Google Sign-In via your Google Account settings) |
To exercise any right, contact [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection: ico.org.uk | 0303 123 1113.
8. Google API Services — Limited Use Disclosure
Momentum Calendar's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Google APIs used and the user data accessed from each:
| Google API | Data Accessed | Purpose |
|---|---|---|
| Google Sign-In / OAuth 2.0 | Email address, display name, profile picture | User authentication and account identity |
| Google Calendar API | Event details (title, time, location, attendees, reminders) for the signed-in Google account | Display and manage calendar events |
| Google Tasks API | Task lists, task titles, notes, due dates, completion status | Display, create, update, complete, and delete tasks |
| Google Places API | Location search text entered by the user | Address autocomplete (Pro / Advanced subscription feature) |
| Google Maps Directions API | Origin and destination addresses for a journey | Travel time calculation (Advanced subscription feature) |
| Google Play Billing API | Purchase verification token | Subscription tier validation (Free / Pro / Advanced) |
Specifically:
- We use Google user data only to provide or improve user-facing features that are prominent in the Momentum Calendar interface.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, it is required by law, or our use is limited to internal operations as described in the policy.
- We do not transfer Google user data to third parties except as necessary to provide or improve the features described in this policy.
- Google Tasks data is read directly from and written back to the Google Tasks API. It is never stored on our servers or shared with any third party.
9. Children's Privacy
Momentum Calendar is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the app after changes are posted constitutes acceptance of the updated policy. We recommend reviewing this page periodically.
11. Contact Us
For any questions about this Privacy Policy, to exercise your data rights, or to submit a deletion request:
Hayden Mason-Bedford
Trading as HMB Digital
Worcester, United Kingdom
Email: [email protected]
We aim to respond to all enquiries within 72 hours and will resolve data requests within 30 days.