Back to home

Privacy Policy

Last updated: May 19, 2026

1. Who we are

TeamFore ("we", "our", "us") is a workspace-based leave and availability management platform built for teams. This Privacy Policy explains how we collect, use, and protect your information when you use our service at teamfore.vercel.app.

2. Google User Data

TeamFore uses Google APIs for two purposes: authentication (Google Sign-In) and optional Google Calendar integration. The following discloses how we handle Google user data in compliance with the Google API Services User Data Policy.

a) Data Accessed

Google Sign-In (all users): When you authenticate with Google we receive your name, email address, and Google account ID. We do not receive your Google password or access to any other Google service.

Google Calendar (optional — only after explicit consent): If you connect your Google Calendar we request the https://www.googleapis.com/auth/calendar scope to read and write calendar events so we can sync your approved leave requests. We do not access any other Google service or scope.

b) Data Usage

  • Name & email: used to create and identify your TeamFore account and to send leave-related email notifications.
  • Google account ID: used solely to link your Google identity to your TeamFore account during sign-in. It is never exposed to other users.
  • Google Calendar OAuth tokens: used only to create, update, and delete leave events on your own Google Calendar. We never read calendar content for any purpose beyond leave synchronisation.

We do not use Google user data to serve advertisements, build user profiles, or train AI or ML models. Google user data is not transferred to third parties for purposes unrelated to providing TeamFore.

c) Data Sharing

Google user data is never sold or shared with third parties except as strictly necessary to operate the service:

  • Neon (PostgreSQL): your encrypted account data and tokens are stored in their managed database. Neon does not process Google data independently.
  • Brevo (email): your name and email address are passed to Brevo only to deliver transactional leave notifications. Brevo does not receive Google OAuth tokens or calendar data.

No Google user data is shared with analytics providers, advertisers, or any other third party beyond those listed above.

d) Data Storage & Protection

  • Google OAuth access and refresh tokens are encrypted at rest using AES-256-GCM before being written to our database. The encryption key is stored separately and never alongside the ciphertext.
  • All data is transmitted over HTTPS / TLS 1.2+. Strict-Transport-Security (HSTS) headers are enforced in production.
  • Database access is restricted to our backend application server. No direct public access is permitted.
  • Sessions use short-lived access tokens (15 minutes) and rotating refresh tokens stored as httpOnly cookies to minimise the impact of token leakage.

e) Data Retention & Deletion

  • Google Sign-In data (name, email, Google account ID): retained for the lifetime of your account. Permanently deleted when your account is removed.
  • Google Calendar OAuth tokens: deleted immediately when you disconnect Google Calendar from your TeamFore settings, or when your account is deleted, whichever comes first.
  • To delete your account and all associated Google data, contact us at support@teamfore.com. You can also revoke calendar access at any time via myaccount.google.com/permissions.

3. Information we collect

We collect only the information necessary to provide the service:

  • Account information: your name and email address, provided directly or via Google OAuth sign-in.
  • Google OAuth data: when you sign in with Google, we receive your name, email address, and Google account ID. We do not receive your Google password or access to your Google account beyond authentication.
  • Usage data: leave requests, availability status, workload status, and other actions you take within the app.
  • Workspace data: team names, user roles, leave type configurations, and related settings created by your workspace admin.

4. How we use your information

  • To authenticate you and manage your session securely.
  • To provide leave management, team calendar, and availability features.
  • To send email notifications related to your leave requests and approvals (via Brevo).
  • To generate analytics and reports scoped to your workspace.
  • To maintain audit logs of key actions for governance and compliance within your workspace.

We do not sell your personal data. We do not use your data for advertising.

5. Data sharing

We share your data only with the following third-party services required to operate the platform:

  • Neon (PostgreSQL): our database provider. Your data is stored in their managed PostgreSQL service.
  • Brevo (Sendinblue): used to send transactional emails (leave notifications). We share only your email address and name for this purpose.
  • Google OAuth: used for authentication. We receive basic profile data (name, email) from Google only when you choose to sign in with Google.
  • PostHog: used for product analytics. We may share anonymized usage events. No personally identifiable information is sent to PostHog.

6. Cookies and sessions

We use a single httpOnly, secure cookie to maintain your authenticated session. This cookie is strictly necessary for the service to function. We do not use tracking cookies or advertising cookies.

7. Data retention

Your data is retained for as long as your account and workspace exist. When a workspace is deleted, associated user records and leave data are removed. Audit logs are retained for compliance purposes. You may request deletion of your account by contacting us at the email below.

8. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data (you can update your profile directly in the app).
  • Request deletion of your account and associated data.
  • Withdraw consent for Google OAuth by revoking access via your Google account settings at myaccount.google.com/permissions.

9. Security

We use industry-standard security practices: encrypted connections (HTTPS/TLS), httpOnly session cookies, Helmet security headers, rate limiting, and workspace-level data isolation. No system is completely secure; if you believe your account has been compromised, contact us immediately.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be noted by updating the date at the top of this page. Continued use of TeamFore after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or data requests, contact us at: vivekanandagodi@gmail.com