Last updated · 22 April 2026

Privacy notice.

What we collect, what we don't, and what you can do about it.

1. Who we are

“Momentarily” (“we”, “us”, “our”) operates the scheduling service available at momentarily.online and associated subdomains (the “Service”). We're based in Manchester, United Kingdom.

This notice explains what personal data we collect when you use the Service, why we collect it, how we use it, who we share it with, and the rights you have over it. It applies to everyone who interacts with Momentarily — whether you've created a host account, connected your calendar via an invite link, or simply visited our marketing pages.

For the purposes of the UK GDPR, the EU GDPR, and comparable data-protection laws, Momentarily is the data controller for the personal data described below. You can reach our privacy contact at hello@momentarily.online.

2. Information we collect

We collect only what we need to run the Service. Everything below falls into one of three buckets: what you give us, what's created when you use the product, and what we're told by third parties you've chosen to connect.

Information you provide directly
  • Account profile. Name, email address, and profile image from your Google account when you sign in. We never see your Google password — Google issues us a refresh token under your explicit consent.
  • Group and plan content. The group names, plan titles, and the text you type into the Service. These are used only to show you and your guests the plan you've made; they aren't read, mined, or shared outside that purpose.
  • Away periods. Dates you mark yourself away and the optional label you attach (“Tokyo trip”, etc.). The label is visible only to you — hosts see only that you're unavailable for those days.
  • Subscription details. If you upgrade to a paid plan, Stripe collects your payment information (card, billing address, VAT details). We receive a Stripe customer ID, your plan state, and renewal dates. We never touch the card itself.
  • Support correspondence. Messages you send us by email or in-product feedback.
Information generated by using the Service
  • Usage records. When you submit a plan query, we store the parameters (group ID, duration, range, threshold, selected guests) so we can rank availability and enforce monthly caps. Internal error messages and the outcome of each calendar API call are logged for debugging.
  • Picked events. When you commit to a window, we store the start and end timestamps, the timezone, the optional event title, and — if you chose to push to Google Calendar — the resulting event ID and link.
  • Technical data. IP address, browser and device fingerprint, referrer, and request timing. Collected via our hosting provider (Vercel) and database provider (Neon) for abuse detection, performance monitoring, and basic security logging.
  • Authentication cookies. A signed, HTTP-only session cookie so you stay signed in, plus a short-lived cookie used during the OAuth handshake. We do not use cross-site tracking cookies.
Information we receive from third parties
  • Google (Calendar API). Under the scopes you grant — calendar.freebusy, calendar.calendarlist.readonly, and optionally calendar.events — Google sends us whether you're busy or free for the date windows we query, a list of your connected calendars, and (only when you pick a plan and opt to push it) the ability to create a single event on your behalf. Google does not share event titles, attendees, locations, or descriptions with us, because we don't ask for those permissions.
  • Apple iCloud (ICS subscription). If you connect using a public ICS URL, we fetch the iCalendar file on demand. We parse only the start, end, duration, and transparency fields of each event — enough to know whether you're busy. Event titles or descriptions that appear in the feed are ignored and never stored.
  • Stripe. Plan tier, cadence, subscription status, and renewal dates via webhook. We store only what we need to confirm your entitlement.

3. What we do and don't see on your calendar

This is the part people ask about most, so we'll be plain. Momentarily asks Google (or reads your public iCloud feed) for free/busy data only. That means we can tell whether a given half-hour on your calendar is “busy”, “tentative”, or “free”. We cannot see:

  • event titles or descriptions,
  • locations or video-call links,
  • the other people invited to a meeting,
  • attachments or notes,
  • calendars you haven't connected.

If you grant the optional calendar.events scope, we can create a single event on your primary calendar when you explicitly click “Lock it in & send invites”. We don't read any of your other events under that scope.

You can revoke our access at any time from myaccount.google.com/permissions (Google) or by deleting your account with us. Access removal propagates within minutes.

4. How we use your information

We use the data described above only for the purposes listed here. We do not sell your data, and we do not train machine-learning models on your calendar.

  • To run the Service. Sign you in, show overlaps between your calendar and your friends', create events you've picked, and enforce your current plan's limits.
  • To keep it working. Detect abuse, rate-limit bots, fix bugs, and recover from errors.
  • To communicate with you. Transactional emails about plan confirmations, payment receipts (via Stripe), subscription changes, and occasional updates about the Service itself. You can opt out of non-essential emails at any time.
  • To comply with law. Respond to lawful requests, enforce our terms, and retain financial records as required by UK tax law.

6. Who we share information with

We share personal data only with the service providers (“processors”) who help us run Momentarily. Each is bound by a written data processing agreement and acts only on our instructions.

  • Google LLC — OAuth sign-in and Google Calendar free/busy + events API.
  • Stripe, Inc. / Stripe Payments Europe Ltd — subscription billing, payment processing, and tax calculation.
  • Neon, Inc. — managed Postgres database hosting (data stored in a US region under Standard Contractual Clauses).
  • Vercel Inc. — application hosting, edge delivery, and server logs.
  • Apple Inc. — only to the extent that we fetch the public iCloud ICS feed you've explicitly shared with us.

We may also disclose information to comply with a valid court order, regulatory request, or law-enforcement demand; to enforce our terms; or to protect our or a third party's rights, property, or safety. If Momentarily is ever acquired or merged with another business, your data would transfer under the same privacy commitments in force at the time, and we would notify you.

7. How long we keep things

  • Account data. Until you delete your account. Deletion from Settings → Danger zone removes your user row, groups, connections, picks, queries, tokens, away periods, and theming preferences. Group connections from friends are removed along with the group.
  • Calendar tokens. Until you disconnect, revoke access from Google, or we detect the token has been invalidated — whichever happens first. Refresh tokens are stored encrypted at rest (AES-256-GCM) with a key held outside the database.
  • Billing records. Stripe retains payment records for the period required by applicable tax law (currently up to seven years in the UK), even after you delete your Momentarily account. Your local subscription row is removed; the Stripe customer object remains.
  • Server and security logs. Thirty days at the hosting layer, then rotated.
  • Support emails. Up to two years, or until you ask us to delete them.

8. International transfers

Our primary infrastructure is hosted in the United States (Neon, Vercel). Where personal data is transferred outside the UK or the European Economic Area, we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses, together with supplementary measures — encryption in transit and at rest, access controls, and data-minimisation practices. You can request a copy of the relevant transfer mechanism by emailing us.

9. Your rights

If you're in the UK, the EEA, or a jurisdiction with comparable data-protection laws, you have the following rights:

  • Access. Ask for a copy of the personal data we hold about you.
  • Rectification. Correct any information that's inaccurate or incomplete.
  • Erasure. Delete your account and ask us to remove personal data. Some records (e.g., billing) may be retained where law requires.
  • Restriction. Limit how we process your data while a complaint or request is resolved.
  • Objection. Object to processing based on legitimate interests.
  • Portability. Receive your data in a structured, machine-readable format.
  • Withdraw consent. Revoke calendar access and any opt-ins at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email hello@momentarily.online. We'll respond within one month. If you believe our processing breaches the UK GDPR, you can lodge a complaint with the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.

10. Cookies and local storage

We use the minimum cookies needed to run the Service:

  • Session cookie. Signed, HTTP-only. Stores your Auth.js session. Set at sign-in, cleared on sign-out.
  • OAuth state cookie. A short-lived value used to protect the Google / iCloud authorisation handshake from cross-site request forgery. Cleared on completion.
  • Friend session cookie. If you've connected your calendar via an invite link, this keeps you signed in to the friend dashboard so you can manage your away periods.
  • Stripe cookies. Set during checkout and customer-portal sessions by Stripe. Subject to Stripe's privacy policy.

We do not run advertising pixels, behavioural-tracking scripts, or third-party analytics that build a profile of your browsing behaviour across the web.

11. Security

We take reasonable technical and organisational measures to protect your data, including:

  • TLS 1.2+ for all traffic in transit.
  • AES-256-GCM encryption at rest for sensitive credentials (Google refresh tokens, Apple ICS URLs). Encryption keys live outside the database.
  • Scoped calendar permissions — we never request more than free/busy access.
  • Least-privilege access controls for anyone on the team who can reach production data.
  • Automated vulnerability alerts on our dependencies and third-party security reviews on our critical integrations.

No system is perfectly secure. If we ever discover a personal-data breach affecting you, we'll notify you and the relevant regulator as required by law.

12. Children

Momentarily is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, email us and we'll delete it.

13. Changes to this notice

We may update this notice from time to time. When we make material changes — for example, using data for a new purpose or adding a new processor — we'll update the “last updated” date at the top of this page and, where appropriate, notify active users by email or in-product banner before the changes take effect.

14. Contact

Questions, concerns, or requests about this notice or how we handle your data: email hello@momentarily.online. We read every message and aim to reply within a few working days.