Privacy Policy
Effective 27 April 2026 · Last updated 27 April 2026
This Privacy Policy explains how Paperfoot AI (SG) Pte. Ltd. (“Paperfoot”, “we”) collects, uses, shares, and protects personal data when you use Simple Calendars at simplecalendars.com (the “Service”). It is written to meet our obligations under Singapore's Personal Data Protection Act 2012 (“PDPA”), the EU and UK General Data Protection Regulation (“GDPR”), and the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”).
1. Who We Are
The data controller for the Service is Paperfoot AI (SG) Pte. Ltd., a private limited company incorporated in Singapore. You can reach us — including for privacy questions, rights requests, and PDPA Data Protection Officer enquiries — at our contact form.
2. What We Collect
We collect only what we need to run Simple Calendars.
2.1 Account data
When you register, we collect your email address, a bcrypt hash of your password (work factor 12; we never receive or store the plaintext), an optional display name, an optional avatar URL you provide, and a flag indicating whether your email has been verified via the 6-digit code we send through Resend.
2.2 Calendar content
When you build a calendar, we store calendar metadata (name, start/end dates, timezone, theme), door content (text designed in our canvas editor, image files, voice recordings, short videos, external links, YouTube embed URLs), and any recipient name you enter. Recipient names are shown only on the calendar itself. If you password-protect a calendar, we store only a server-side hash of that password.
2.3 Anonymous creators
If you create a calendar without signing up, we do not have your email. We identify your draft only through the sc_anon cookie value and link it to the calendar record in our database. Anonymous calendars are automatically deleted 7 days after creation unless claimed by a paid account.
2.4 Payment data
Stripe processes payments. We never receive or store your card number, CVC, or bank details. We keep only the Stripe Customer ID and, for subscriptions, the Stripe Subscription ID, together with payment status, plan, and amounts needed for invoicing and accounting.
2.5 Transactional and product logs
When you or a recipient open a calendar, we record a per-calendar view count. To de-duplicate repeat views from the same browser without retaining the visitor’s IP address, we keep only a keyed hash of the IP (HMAC-SHA-256 with a server-side secret); the raw IP is not written to disk. We also log the user agent string for debugging and abuse detection.
We also keep first-party operational events so we can run and improve the product: signup, signin, verification email status, onboarding progress, route views, visible time on a route, calendar creation, door saves, checkout starts, and Stripe purchase results. These logs may include your user ID, a consented session ID, a hashed anonymous-creator token, a hashed IP, route name, event status, and small structured metadata such as theme, day count, plan, or content type. We do not store passwords, verification codes, raw IP addresses, calendar content, media URLs, contact-message bodies, or recipient names in product analytics metadata. Passive page-view and time-on-page analytics run only after you choose “Accept all” in the cookie banner.
2.6 Cookies
We use first-party cookies and browser storage. We do not use advertising cookies, third-party tracking pixels, or cross-site analytics trackers.
| Cookie | Purpose | Lifetime | SameSite |
|---|---|---|---|
| sc_session | Keeps you signed in to your dashboard after login. | 30 days | Lax |
| sc_anon | Lets an anonymous creator return to and edit their draft calendar. | 14 days | Lax |
| sc_csrf | Double-submit token to protect against CSRF on state-changing requests. | 24 hours | Strict |
| sc_cookie_consent | Stores whether you chose essential-only or all cookies. | 1 year | Lax |
If you accept analytics cookies, we also store sc_analytics_session_id in session storage so page views in a single browser tab can be grouped during that session. It is not an authentication token and is cleared by the browser when the tab session ends.
3. Legal Bases (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Performance of a contract — to create your account, host and deliver your calendars, process payments, and send service emails.
- Legitimate interests — to keep the Service secure, prevent fraud and abuse, count per-calendar views, log key product actions, and improve the product. We balance these interests against your rights.
- Consent — for any optional marketing communications (we currently do not send marketing, and will request opt-in before we do), passive page-view and time-on-page analytics, and where consent is otherwise required.
- Legal obligation — to retain financial records and respond to lawful requests.
For Singapore users, we rely on the equivalent PDPA bases: consent (including deemed consent from using the Service for its described purposes) and contractual necessity.
4. How We Use Your Data
We use personal data to:
- register and authenticate you, and maintain your session;
- host, render, and deliver your calendars to recipients you share links with;
- send transactional email (verification codes, password resets, receipts, service notices);
- process payments and manage subscriptions through Stripe;
- count per-calendar views using hashed IPs;
- understand onboarding, creation, editing, checkout, and route usage so we can improve the Service;
- detect, investigate, and prevent fraud, abuse, and security incidents;
- comply with our legal, tax, and accounting obligations.
We do not sell, rent, or share your personal data for cross-context behavioural advertising, and we do not run ads.
5. Who We Share Data With
We use a small number of trusted processors, each bound by contract to protect your data and act only on our instructions:
- Stripe, Inc. — payment processing. stripe.com/privacy
- Resend — transactional email delivery. resend.com/legal/privacy-policy
- Vercel, Inc. — application hosting and Vercel Blob file storage (photos, voice, video). vercel.com/legal/privacy-policy
- Neon, Inc. — managed Postgres database (us-east-1). neon.com/privacy-policy
We may disclose personal data if required to comply with law, a lawful request, court order, or to protect the rights, property, or safety of Paperfoot, our users, or the public. If we are ever involved in a merger, acquisition, or asset sale, we will ensure personal data continues to be protected under terms consistent with this Policy.
6. International Transfers
Our infrastructure providers process data in the United States (Neon us-east-1 AWS, Vercel, Stripe, and Resend). If you are in the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) (and the UK IDTA/Addendum where applicable) with each processor as the transfer safeguard, supplemented by technical measures (encryption in transit, hashing, access controls). If you are in Singapore, we transfer data in reliance on your consent and the contractual protections required under the PDPA, ensuring a comparable standard of protection.
7. Retention
- Accounts — retained until you delete your account or request deletion.
- Trial (anonymous) calendars — automatically deleted 7 days after creation if not claimed by a paid account.
- Calendar content (paid) — retained until you delete the calendar, delete your account, or your subscription ends (annual plan) as described in the Terms.
- Blob files (images, voice, video) — cascade-deleted when their calendar is deleted.
- Financial records — retained for 7 years to comply with Singapore tax and accounting law.
- Hashed IP view logs and product event logs — retained for 24 months, then deleted.
- Backups — encrypted operational backups may persist up to 30 days after deletion before rotation overwrites them.
8. Your Rights
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure / Deletion — ask us to delete your account and data. You can self-serve this through the in-app Delete Account function; cascade deletion removes your calendars and blobs.
- Portability — receive your data in a structured, machine-readable format.
- Restriction / Objection — pause or object to certain processing based on legitimate interests.
- Withdraw consent — where we rely on consent, you may withdraw it at any time without affecting prior processing.
- CCPA/CPRA rights (California) — know what personal information is collected, request deletion, correct inaccurate information, and opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising. We will not discriminate against you for exercising these rights.
- PDPA rights (Singapore) — access and correction of your personal data held by us.
- Lodge a complaint — with the Singapore Personal Data Protection Commission (PDPC), your EU/UK supervisory authority, or the California Privacy Protection Agency, as applicable.
To exercise any right, use our contact form. We will respond within 30 days (or as otherwise required by law). We may need to verify your identity, typically by sending a confirmation code to the email on file.
9. Children
The Service is not intended for children under 13, and we do not knowingly collect personal data from them. If you believe a child under 13 has provided us personal data, notify us through our contact form and we will promptly delete the account and its content.
10. Security
We use HTTPS/TLS for all traffic, store passwords as bcrypt hashes (work factor 12), keep only keyed hashes of IP addresses (HMAC-SHA-256), and use HttpOnly, SameSite cookies with CSRF double-submit protection for state-changing requests. We apply least-privilege access controls for staff, rely on our infrastructure providers to encrypt data at rest, and keep logs of administrative access. No system is perfectly secure; if you believe your account has been compromised, contact us through our contact form immediately.
11. Data Breach Notification
If we detect a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Article 33) and the Singapore PDPC and affected individuals where required under the PDPA's Data Breach Notification Obligation. We will notify affected users without undue delay where the breach is likely to result in a high risk.
12. Do Not Track and Global Privacy Control
We do not currently respond to browser Do Not Track (“DNT”) signals because no common industry standard has been agreed. We do honour Global Privacy Control (GPC) signals as an opt-out of sale/sharing under CCPA/CPRA. Since we do not sell or share personal information for targeted advertising, GPC does not change how we process your data, but we treat its presence as a valid opt-out signal.
13. Changes to This Policy
We may update this Policy from time to time. If changes are material, we will notify registered users by email and update the “Last Updated” date at the top at least 14 days before the changes take effect, unless applied sooner for legal or security reasons. Your continued use of the Service after the effective date means you accept the revised Policy.
14. Contact
Paperfoot AI (SG) Pte. Ltd. — Singapore
Privacy enquiries and rights requests: our contact form