Privacy Policy
Last updated: July 10, 2026
Stintt (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we handle information when you use our timesheet automation tool at stintt.com. The key takeaway: your personal timesheet preview and export are processed in your browser. Calendar data is stored on our servers only when you opt in to features that need it — Workspace team analytics, automated email reports, or AI processing — and it is never sold or used for advertising.
Google User Data We Access
When you connect your Google Calendar, Stintt accesses the following Google Calendar event data:
- Event titles (summary)
- Start and end date/time
- Event descriptions
- Organizer name and email
- Attendee names and emails
- Event location
- All-day event status
- Event recurrence information
We also access data from other connected sources (Microsoft Teams, Jira, ClickUp) when you connect them. Zoom, Asana, Monday.com, and Toggl Track integrations are coming soon and cannot currently be connected. For each available source, we access only the event, task, or time entry data needed to generate your timesheet.
When you click "Connect" for any source, you will be redirected to that provider's authorization page (e.g., Google's consent screen) where you can review and approve the specific permissions before granting access.
How We Use Your Data
We use your calendar data solely to:
- Generate timesheet entries by converting calendar events into time-tracking rows.
- Display events for your review on the Preview screen before export.
- Export your timesheet to an Excel (.xlsx) file.
- Power team analytics (hours, capacity, meeting load) when you enable Workspace team features — see "Server-Side Data for Optional Features" below.
- Provide AI-powered categorization and summaries when you opt in — see "AI Features & Data Processing" below.
We only request read-only access to your Google Calendar data. Stintt cannot create, modify, or delete any calendar events.
How We Store Your Data
By default, Stintt processes your personal timesheet data entirely within your web browser. Google and Microsoft calendar events are fetched directly from their APIs to your browser and are not sent to our servers during standard timesheet generation. (Some sources, such as ClickUp and Monday.com, are fetched through a server-side relay because their APIs block direct browser requests — that data is forwarded to your browser in real time and is not stored.)
Your OAuth tokens are stored in your browser's local storage and encrypted at rest using AES-256-GCM via the Web Crypto API, using a key stored locally in your browser (or a key configured by the operator). Application settings such as export preferences are stored unencrypted. Once you are signed in and connect a source, your OAuth tokens are also uploaded to our encrypted server store (AES-256-GCM, Supabase) to enable cross-device sync and reliable background fetching of your events; they are deleted when you disconnect the source or delete your account.
For personal preview and export, calendar data is held in your browser's memory only during your active session and is cleared when you close the app or use the "Delete All My Data" function. If you enable Workspace team features, calendar event data is also synced to and stored on our servers, as described in "Server-Side Data for Optional Features" below.
For authentication, we use Supabase Auth to manage your account (sign-up, login, password reset). Supabase stores your email address, hashed password, and authentication session tokens on their servers. Supabase acts as a data processor on our behalf under a Data Processing Agreement (DPA) that ensures GDPR-compliant handling of EU user data. You can review Supabase's privacy practices at supabase.com/privacy and their DPA at supabase.com/legal/dpa.
When you enable optional features, some data is stored or processed server-side (see "Server-Side Data for Optional Features" below).
Server-Side Data for Optional Features
When you opt in to certain features, limited data is stored or processed on our servers:
- Server-Stored OAuth Tokens: When you connect a source while signed in, your OAuth tokens (access and refresh tokens) are uploaded and stored encrypted (AES-256-GCM) on our servers in Supabase so we can sync across your devices and fetch calendar events on your behalf for features such as workspace team analytics and automated email reports. Stored tokens are deleted when you disconnect the source or delete your account.
- AI Features (Smart Categorization, AI Summary): When you trigger an AI action, event metadata is forwarded through our server to Google Gemini for real-time processing — see "AI Features & Data Processing" below for full details. We log AI token usage metadata (feature type, token count, timestamp, and minimal feature context such as a teammate name or team size) in Supabase for usage tracking.
- Workspace Team Analytics (Workspace plan only): When you track calendars from the Workspace dashboard, a background sync on our servers uses your stored OAuth token to fetch events from those calendars and stores them in our database (Supabase) — including event titles, start/end times, and the complete event record returned by the provider, which may include descriptions, organizer and attendee details, meeting join links, attendee response status, attachments, and other event metadata — to power the team dashboard, insights, recurring meeting audit, capacity briefings, and 1:1 prep. The list of tracked calendars (calendar ID, name, email, access role) is also stored server-side. Synced events older than approximately 18 months are automatically deleted. When you delete your account, the events synced from calendars you connected yourself are deleted; events synced into a Workspace you are a member of belong to that Workspace's owner and are retained under their account until they remove the calendar or delete their account — email privacy@stintt.com to request removal.
- Account Data: Your email address, hashed password, subscription status, and AI token usage are stored in Supabase.
Outside of these optional features, your calendar data is processed entirely in your browser and is not stored on our servers. (Some non-calendar sources, such as ClickUp and Monday.com, are fetched through a server-side relay because their APIs block direct browser requests — that data is forwarded to your browser in real time and is not stored.)
Data Sharing
We do not share, sell, rent, or transfer your Google user data to any third party, except:
- With your explicit consent.
- To our sub-processors (listed in the "Sub-Processors" section below) solely to provide the features you have opted into — such as AI categorization via Google Gemini and email delivery via Mailtrap.
- As required by applicable law, regulation, or legal process.
- To protect our rights, privacy, safety, or property, and/or that of our users.
Sub-Processors
The following third-party services process user data on our behalf:
- Supabase — database and authentication. Stores user profiles, encrypted OAuth tokens, synced workspace calendar events, email schedules, AI usage logs, and subscription data. GDPR-compliant with DPA.
- Google Gemini API — AI processing. Receives event metadata for real-time categorization and summary generation when you opt in to AI features (Smart Categorization, AI Summary), and — on the Workspace plan — for AI capacity briefings, the meeting kill list (recurring meeting audit), 1:1 prep insights, and the Allocation Radar. We use the paid Gemini API tier; under that tier the provider does not use this data to train its models or for human review, and retains it only transiently for abuse monitoring.
- Mailtrap — email delivery. Processes and delivers automated email reports containing your timesheet data. Does not store your calendar data.
- PostHog — product analytics. Before you respond to the cookie banner, analytics runs in cookieless mode: anonymous page views and campaign attribution (e.g. UTM parameters) with nothing stored on your device. If you accept analytics cookies, PostHog additionally uses cookies for more accurate measurement and receives account identifiers (user ID, email, name, plan, role) for signed-in users. If you reject, analytics is disabled entirely. Does not receive your calendar data and is not used for advertising.
- Dodo Payments — our Merchant of Record and payment provider. As Merchant of Record, Dodo Payments is the seller of record for Pro and Workspace purchases: it operates the hosted checkout, processes card data under PCI-DSS standards, appears on your card/bank statement, collects and remits applicable sales tax / VAT / GST, and issues refunds. We never receive or store your full card details.
We do not transfer user data to any other third parties except as described above or as required by law.
AI Features & Data Processing
Stintt offers optional AI-powered features that use Google's Gemini API to analyze your calendar events and generate insights. These include Smart Categorization and AI Summary on all plans, and — on the Workspace plan — AI Capacity Insights (burnout / rebalance briefings), the Meeting Kill List (recurring meeting audit), One-on-One Prep (per-teammate context for 1:1s), and the Allocation Radar (project staffing "Explain & prioritize").
- What data is sent: Event titles, aggregated per-category and per-person hours, team-member display names, recurring-meeting titles, and — for the recurring-meeting audit — the meeting organizer (the display name the calendar provides, or the organizer's email address where the calendar gives no display name) are sent to Google Gemini for processing. Event descriptions, attendee lists, and event locations are not sent.
- Opt-in only: AI features are never triggered automatically. Processing only occurs when you take an explicit action — clicking a dashboard AI action such as "AI Categorize", "Generate Summary", "Generate Capacity Briefing", "Run Meeting Audit", or "Prep 1:1", or sending a message to the Stintt assistant.
- The Stintt assistant: If you message the Stintt assistant (in the in-app chat or the connected Telegram bot), the text you send is processed by Google Gemini in real time to interpret your request — for example, to turn a free-text update like "2h on the Acme deck" into timesheet entries, or to answer a question about your own logged time. These messages are processed under the same paid-tier terms (no training, no human review) and are not used for any other purpose.
- Retention by the AI provider: We use the paid Gemini API tier, under which your data is not used to train Google's models or for human review, and is retained only transiently for abuse monitoring per the provider's terms. AI-generated outputs (summaries, briefings, audit results, 1:1 notes) are returned to your browser and are not stored on our servers, with one exception: when you use Smart Categorization, the learned mapping of event title to category is stored on our servers (Supabase) to auto-categorize similar future events, and is deleted when you delete your account.
- No AI/ML training: Your data is never used to train AI models. Your Google user data is not used to develop, improve, or train generalized or non-personalized AI or machine learning models.
No Credit/Lending Use
Your Google user data is not used to determine creditworthiness or for lending purposes.
Data Retention & Deletion
Retention: For personal preview and export, Google Calendar data is not retained beyond your browser session. If you use Workspace team features, synced calendar events are stored on our servers to power team analytics: events older than approximately 18 months are automatically deleted; events synced from calendars you connected yourself are deleted when you delete your account, while events synced into a Workspace you are a member of are retained under that Workspace owner's account until they remove the calendar or delete their account (or on request to privacy@stintt.com). OAuth access tokens stored in your browser expire after 1 hour. Encrypted tokens stored on our servers (for workspace analytics or automated email reports) are retained until you disconnect the source or delete your account. AI usage metadata (feature type, token count, timestamp, and minimal feature context such as a teammate name or team size) is retained for usage tracking and billing purposes. Payment records are retained as required by applicable tax and accounting laws. Account data (email, profile) is retained until you delete your account.
You can disconnect your Google account at any time using the "Disconnect Google Account" button below. This programmatically revokes the OAuth token via Google's revocation endpoint (https://oauth2.googleapis.com/revoke) and removes all Google-related credentials from your browser.
You can use the "Delete All My Data" button below to revoke all Google OAuth tokens and remove all application data from your browser and our servers — including stored tokens, email schedules, AI usage records, synced workspace calendar events, and your profile.
You can also revoke access manually at any time by visiting https://myaccount.google.com/permissions.
For data deletion requests, email privacy@stintt.com.
Data Export & Portability
Export your timesheet data anytime as an Excel (.xlsx) file via the Export feature on the Preview page.
For GDPR data portability, you can download all server-side data we hold about you (profile, subscriptions, payment history, email schedules, AI usage logs, and connected source metadata) as a structured JSON file using the "Export My Data" button below.
Security Measures
All data uses TLS 1.2+ encryption in transit. The app is served over HTTPS only.
Sign-in to Stintt uses OAuth 2.0 with PKCE (Proof Key for Code Exchange) via Supabase Auth. Provider calendar connections use the standard OAuth 2.0 authorization-code flow with the client secret held server-side. Access tokens expire after 1 hour.
Authentication with Google, Microsoft, and other providers is handled through their official OAuth 2.0 flows. We never see or store your account passwords.
We use Content Security Policy (CSP) headers to protect against cross-site scripting and other attacks.
OAuth tokens are encrypted at rest using AES-256-GCM — via the Web Crypto API in the browser, and on our servers for tokens uploaded when you connect a source.
Google API Services User Data Policy
Stintt's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In accordance with Google's Limited Use requirements:
- We only use Google user data (calendar events) to provide the timesheet generation functionality described in this policy.
- We do not transfer Google user data to any third parties, except as necessary to provide or improve user-facing features, with user consent, or for security/legal purposes.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless: (a) you have given affirmative consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
- Google user data for personal preview and export is processed in your browser. When you opt in to AI features, event metadata is sent to Google's Gemini API for real-time processing. When you enable automated email reports or Workspace team analytics, encrypted tokens are stored server-side to fetch events on your behalf, and — for Workspace analytics — calendar event data is stored in our database to power team reports. All server-side processing and storage adheres to the same Limited Use restrictions.
Employee & Contractor Compliance
All employees and contractors with potential access to user data are bound by confidentiality obligations and must comply with this Privacy Policy and Google's Limited Use requirements.
Cookies & Essential Storage
Stintt uses essential cookies for authentication session management via Supabase Auth. These are strictly necessary for the app to function and cannot be disabled.
We use PostHog for product analytics — page views, feature usage, and campaign attribution. Until you respond to the cookie banner, analytics runs cookieless: anonymous measurement with nothing stored on your device. Accepting enables analytics cookies for more accurate measurement; rejecting disables analytics entirely, and you can change your choice at any time. We do not use advertising cookies, and no data is shared with advertisers or data brokers.
Creator / referral attribution: if you arrive through a creator or partner referral link (e.g. Stintt.com/r/<code>), we store a first-party cookie (“stintt_attr”/“stintt_vid”, up to 60 days) so that, if you later subscribe, we can credit the referring creator under our revenue-share arrangement. This is a functional cookie tied to that arrangement: it is first-party only, is never shared with advertisers or data brokers, and holds only the referral code plus a random identifier. If you sign up, the referral is linked to your account server-side (so the credit survives a device change) and, only if you subscribe, we record the subscription's currency and amount, plus a snapshot of your account email, against the referring creator — solely to compute and audit their commission. We also keep a hashed (not plaintext) IP address and browser identifier on the referral click itself, for fraud detection. If you delete your account, this link to you is removed and the email snapshot is redacted; the underlying commission record is retained, like other payment records, for accounting purposes. You can clear these cookies at any time; see “Your Rights” to delete associated data.
Contact Us
For privacy-related questions or data deletion requests, please contact us at:
Email: privacy@stintt.com
OAuth Scopes We Request
For a detailed breakdown of every scope including data retention policies, see our OAuth Scope Justification page.
| Provider | Scope | Purpose | Data Accessed |
|---|---|---|---|
calendar.readonly | Read-only access to calendar events | Event titles, times, descriptions, organizer, attendees, location | |
userinfo.email | Identify the connected Google account | Account email address | |
| Microsoft | Calendars.Read | Read-only access to calendar events | Event titles, times, descriptions, organizer, attendees, location |
| Microsoft | Calendars.Read.Shared | Read-only access to calendars shared with you | Event titles, times, descriptions, organizer, attendees, location |
| Microsoft | User.Read | Display your email address in the app | Email address, display name |
| Microsoft | OnlineMeetings.Read | Read-only access to Teams meeting details | Meeting titles, times, duration, attendees |
Export My Data
Download all server-side data we hold about you as a structured JSON file (profile, subscriptions, payment history, email schedules, AI usage, connected sources).
Disconnect Google Account
Revoke Stintt's access to your Google account. This programmatically revokes the OAuth token via Google's revocation endpoint and removes all Google-related credentials from your browser.
You can also revoke access manually at myaccount.google.com/permissions
Delete All My Data
Revoke all Google OAuth tokens and remove your data from your browser and our servers — including cached events, export settings, stored tokens, email schedules, synced workspace events, and your profile.