Back to Meeting Planner

Meeting Planner - Privacy

// WHAT IS SENT / WHAT IS STORED / HOW LONG

Meeting Planner is not a local-only tool. It sends event and participant data over HTTPS to the Meeting Planner backend at scheduler.jesse-anderson.net so a shared schedule can work across people and devices. This page explains what is sent, what is stored, who can see it, and how long it remains. Use a nickname if you do not want to enter your real name; opening an event without signing in does not create a participant row.

1. What is sent and stored

  • Event details supplied by the creator: title, date/time settings, event time zone, visibility, expiry, and optional description.
  • Participant details you enter: display name, time zone, availability bitfield, and optional comment.
  • Optional row password protection: the browser sends SHA-256(eventId + ":" + password); the raw password never leaves your browser.
  • Admin access data: the admin link contains a secret token. The raw token is kept in the creator's URL fragment and this browser's localStorage when saved; the application database stores verification material rather than the raw token.
  • Timestamps such as createdAt, updatedAt, and expiresAt.
  • When an event is created, a Cloudflare Turnstile token is sent for abuse prevention.

2. What we do not intentionally store

  • Email addresses or user accounts.
  • Raw row passwords.
  • Raw admin tokens in the application database.
  • Browser fingerprints, device IDs, or analytics identifiers.
  • Meeting Planner application cookies. This site uses localStorage only for recent events and admin tokens on your own device.
  • IP addresses in the application database. Cloudflare may process request metadata at the edge for security, abuse prevention, and operations.

3. Where data is sent

  • Meeting Planner API requests go to https://scheduler.jesse-anderson.net.
  • The backend runs on Cloudflare Workers with Cloudflare D1 storage.
  • The Cloudflare Turnstile widget loads from https://challenges.cloudflare.com only during event creation. Cloudflare's Turnstile Privacy Addendum describes the signals Turnstile processes.
  • Web fonts load from Google Fonts (fonts.googleapis.com / fonts.gstatic.com). Because the fonts are fetched from Google's servers, Google receives your IP address and request headers when a page loads. We do not send any name, availability, or event data to Google.
  • API requests use credentials: "omit"; the app does not send browser cookies with Meeting Planner API requests.

4. How long we keep it

  • Default event retention: 90 days from creation.
  • Creators can extend retention up to 2 years in the Advanced tab; up to 5 years behind an explicit confirmation step.
  • After expiresAt, a daily job deletes the event and its participant rows from live storage.
  • Admins can delete an event at any time. Participants can delete their own row at any time.

5. Who can see it

  • Public events: anyone with the share link can see participant names and availability.
  • Heatmap only events: counts and the heatmap are visible to anyone; participant names are hidden until a viewer signs in as a participant.
  • Blind events: each participant sees only their own row; only the admin sees the full result.
  • Anyone with the admin link can edit settings, lock the event, remove participants, or delete the event.
  • The tool operator has technical access to the Cloudflare D1 database. Individual event data is not reviewed except when necessary to investigate abuse, security issues, or operational problems.

6. Your controls

  • Export: the "Export my data" button next to your row downloads a JSON file of the participant data held for you.
  • Delete: "Delete my row" removes your row from live storage. Product commitment: deleted within 24 hours; in normal operation the row is gone when the API call returns. Platform-level point-in-time backups age out within 30 days (see section 7).
  • Edit: change your availability by re-painting the grid, or change your time zone by signing in again from the relevant browser/time zone.
  • Sign out: signing out clears the active browser session but does not delete your stored row. Use "Delete my row" if you want the row removed.
  • Local browser data: clearing this site's local storage removes recent-event history and saved admin tokens from this device.

7. Platform processing and backups

Data is processed through Cloudflare's global edge network. The D1 database backing this tool is configured in the Americas. Reads may be served through Cloudflare infrastructure; writes go to the backing D1 database. Cloudflare D1 Time Travel keeps an up-to-30-day point-in-time recovery window for platform durability. These backups are not user-accessible, are not queried by the application, and age out automatically within that platform window.

8. Security

  • All traffic to the backend is over HTTPS; data in transit is encrypted.
  • Row passwords are never stored or transmitted in plaintext. Only SHA-256(eventId + ":" + password) is sent, and there is no password recovery.
  • Share and admin links use unguessable random tokens (capability URLs) carried in the URL fragment, so they are not sent to the server in request paths or logs. Treat these links like passwords.
  • The backend enforces rate limits and abuse checks; no public endpoint is fully abuse-proof, so do not put sensitive information in names, comments, or descriptions.

9. Children

This tool is not directed at children and collects no age information. If you're under 16, please ask a parent or guardian before entering your name or any other details.

10. Changes to this policy

Material changes will be reflected by updating the "Last updated" stamp at the bottom of this page and, where appropriate, surfacing a notice inside the tool.

11. Contact

Questions, data requests, or anything else: email [email protected].

Last updated: 2026-05-23