Privacy Policy

Effective date: March 6, 2026

1. Who we are

Whensday ("we", "us", "our") is a freelancer availability scheduling tool. This policy explains how we collect, use, and protect personal data when you use our service.

2. Data we collect

Account data (administrators)

When you sign in with Google or Microsoft, we receive your name, email address, and OAuth tokens. OAuth tokens are encrypted at rest (AES-256-GCM) and used solely to sync availability entries to your calendar.

Freelancer data

Freelancers access schedules via a shared link and password. We store the freelancer's name or nickname (if provided), email address, and the availability entries they submit. Passwords are hashed with bcrypt and never stored in plain text.

Availability entries

We store the start time, end time, and optional note for each availability entry. All times are stored in UTC.

Technical data

Our hosting provider (Vercel) may collect standard server logs including IP addresses, browser user-agent strings, and request timestamps. We do not add any further tracking, analytics scripts, or third-party cookies.

3. How we use your data

  • To authenticate administrators via Google or Microsoft OAuth
  • To create and manage availability schedules
  • To sync availability entries to the administrator's connected Google or Outlook calendar
  • To send invitation emails to freelancers via our email provider (Resend)
  • To send failure-notification emails to administrators when calendar sync encounters an error

4. Data sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. Data is shared only with the following service providers, strictly to operate the service:

  • Vercel — hosting and serverless execution
  • Neon — PostgreSQL database hosting
  • Google / Microsoft — OAuth authentication and calendar API integration
  • Resend — transactional email delivery

5. Data retention

Availability entries are retained for as long as the schedule exists. When an administrator deletes a schedule, all associated freelancer records and availability entries are permanently deleted. Administrator accounts and their encrypted OAuth tokens persist until the administrator requests deletion.

6. Security

We take reasonable measures to protect your data, including:

  • AES-256-GCM encryption of stored OAuth tokens
  • bcrypt hashing of schedule passwords
  • httpOnly, SameSite cookies for both admin and freelancer sessions
  • HTTPS enforced on all connections
  • Path-scoped, short-lived JWTs for freelancer access

7. Cookies

We use the following cookies, all httpOnly and essential to the service:

  • Auth.js session cookie — authenticates administrator sessions (30-day expiry)
  • Freelancer JWT cookie — authenticates freelancer access to a specific schedule (7-day expiry, path-scoped)

We do not use advertising or analytics cookies.

8. Your rights

Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data. Administrators can delete their schedules (and all associated data) at any time from the dashboard. For account deletion or data export requests, please contact us.

9. Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated effective date.

10. Contact

If you have questions about this privacy policy or your data, please contact us.