Privacy Policy for Schedulr Chrome Extension

Effective Date: 1 March 2026

Thank you for using "Schedulr," a Chrome extension that helps you import your timetable from the MMU CliC platform into your calendar. I value your privacy and am committed to being transparent about how your data is handled. This Privacy Policy explains what information is collected, why it is needed, and how it is stored and protected.

1. Information I Collect

Google Account Information (via OAuth 2.0): When you authenticate with Google, the Extension initiates a standard OAuth 2.0 authorization code flow using chrome.identity.launchWebAuthFlow. The authorization code is sent securely to my backend (Cloudflare Workers), which exchanges it with Google for the following tokens:

  • Access token: used to make Google Calendar API calls on your behalf.
  • Refresh token: used to obtain a new access token when the current one expires, so you don't need to re-authenticate every session.
  • ID token: decoded server-side to extract your Google account's display name, email address, and unique account identifier (sub). This is used to identify your account in the system.

Data stored in the backend database (Supabase): The following information is stored securely on my backend to enable the OAuth session management:

  • users table: Your Google email address, display name, and Google account sub (a unique, opaque identifier assigned by Google).
  • oauth_tokens table: Your access token, refresh token, token expiry timestamp, and the list of OAuth scopes granted.
  • sessions table: A randomly generated session token (UUID), session expiry time (30 minutes), your IP address at the time of login, and your browser's User-Agent string. These are used solely to validate active sessions and prevent session hijacking.

Data stored locally in your browser: The Extension stores the following in chrome.storage.local (on your device only):

  • Your session token and its expiry time.
  • Your Google email address (for display purposes in the extension UI).

Timetable Data: The Extension reads your timetable from the CliC page you have open and uses it to construct calendar events. This data is processed locally in your browser and sent directly to the Google Calendar API — it is never stored on my servers.

2. How I Use Your Information

Authentication & Session Management: Your Google account details and tokens are stored on the backend solely to manage your authenticated session. When you open the Extension, it validates your session token against the database. If your session has expired (after 30 minutes), the backend uses your refresh token to obtain a new access token automatically — so you stay logged in without going through the Google consent screen again.

Google Calendar Integration: Your access token is used server-side to make authorised requests to the Google Calendar API — specifically, to add your timetable events to your chosen calendar or to retrieve your calendar list.

Security: Your IP address and User-Agent are recorded at login time to help detect and prevent session hijacking. They are never used for tracking, profiling, or advertising.

Timetable Processing: Timetable data scraped from CliC is processed locally in your browser or sent directly to Google Calendar. It is never stored on or transmitted to my servers.

3. Data Sharing and Disclosure

I do not sell, rent, or share your personal data with any third parties for commercial or marketing purposes. Your data is used exclusively within Schedulr to provide the timetable import service. The only external services that receive your data are:

  • Google: your access token is used to call the Google Calendar API on your behalf, in accordance with Google's Privacy Policy.
  • Supabase: used as the backend database provider to store the account, token, and session data described in Section 1. Supabase processes data in accordance with its own Privacy Policy.
  • Cloudflare: the backend API runs on Cloudflare Workers. Request metadata (such as IP address) may be processed by Cloudflare as part of network routing, in accordance with Cloudflare's Privacy Policy.

4. Data Retention and Deletion

Your account information (name, email, sub), OAuth tokens, and session data are retained in the database for as long as you use the Extension. Sessions automatically expire after 30 minutes of inactivity; at that point, a new session is issued the next time you open the Extension (using your stored refresh token).

To delete your data: If you wish to have all your data removed from the backend database, please contact me at aidenchan0397@gmail.com with your Google email address and I will delete your records promptly.

Additionally, you can revoke the Extension's access to your Google account at any time via your Google Account settings: Security > Third-party apps with account access > Manage third-party access, then remove Schedulr. This will invalidate your access and refresh tokens.

Removing the Extension from your browser will also clear any locally stored data (chrome.storage.local), but will not automatically remove your records from the backend database — please contact me if you'd like that done as well.

5. Security

I take reasonable steps to protect your data:

  • All communication between the Extension and the backend uses HTTPS.
  • OAuth tokens and session data are stored in a secured Supabase database with access restricted to the backend API only.
  • Session tokens are randomly generated UUIDs and expire after 30 minutes to limit exposure in the event of a compromise.
  • The backend uses state verification during the OAuth flow to prevent CSRF attacks.

However, no system is 100% secure, and I cannot guarantee absolute security over the internet.

6. Your Consent

By installing and using the Schedulr extension, you consent to this Privacy Policy and the handling of your data as described above.

7. Changes to This Privacy Policy

I may update this Privacy Policy from time to time and will update the effective date accordingly. You are advised to review this page periodically for any changes. Continued use of the Extension after changes are posted constitutes acceptance of the revised Policy.

8. Contact Me

If you have any questions, concerns, or data deletion requests regarding this Privacy Policy, please contact me at aidenchan0397@gmail.com.