Privacy Policy
Effective Date: March 25, 2026 · Last Updated: March 27, 2026
CoCalendar is a product of NutritionEL Health, LLC, a Texas limited liability company. This Privacy Policy governs the collection, processing, storage, and disclosure of personal information when you use CoCalendar's web application or any related services (collectively, the “Service”).
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree, you must discontinue use immediately.
1. Who We Are
CoCalendar is operated by NutritionEL Health, LLC (“Company,” “we,” “us,” or “our”), a limited liability company registered in the State of Texas. CoCalendar provides an AI-powered tool that parses Texas Standard Possession Orders and converts them into structured calendar events for parents and co-parents.
Contact information for privacy-related inquiries:
| Entity | NutritionEL Health, LLC (d/b/a CoCalendar) |
| Mailing Address | Texas, United States (full address provided on request) |
| Privacy Contact | privacy@cocalendar.app |
| DPO / Legal | legal@cocalendar.app |
2. Scope of This Policy
This Policy applies to all individuals who interact with CoCalendar, including:
- End users who access the CoCalendar web application directly
- Legal professionals (attorneys, mediators, guardians ad litem) using the Service
- Visitors to our marketing site
This Policy does not apply to third-party websites or services linked from CoCalendar, nor to information collected by any third-party service operating under its own privacy policy.
3. Data We Collect
3.1 Information You Provide Directly
- Email address collected at payment via Stripe; magic link tokens used for return access
- School district selection (used to populate school-year calendar data)
- State waitlist email (if you join the waitlist for an unsupported state)
- Court order documents: PDF files, photographs, or plain-text copies of Texas Standard Possession Orders uploaded by the user
- Manual corrections: edits made to AI-parsed schedule data before calendar export
- Payment information: billing details processed exclusively by Stripe; CoCalendar does not store card numbers
- Communications: support requests, feedback submissions, and correspondence with our team
3.2 Information Collected Automatically
- IP address and approximate geolocation (country/region level only)
- Browser type, operating system, and device identifiers
- Usage logs: pages visited, features used, timestamps, and error events
- Session tokens managed via Supabase Auth
3.3 Sensitive and Special-Category Data
Court orders processed by CoCalendar may contain sensitive personal information, including but not limited to: names of minor children, custody schedules, visitation restrictions, allegations of domestic violence or abuse, mental health findings, and financial support amounts. This data is classified as sensitive by CoCalendar and is subject to heightened protection measures described in Section 7.
CoCalendar does not intentionally collect data directly from children under 13 years of age. Children's names and identifying information may appear incidentally within uploaded court orders. See Section 9 for our children's data policy.
3.4 Information From Third Parties
- Google Calendar OAuth tokens (when user authorizes calendar sync)
- Stripe payment confirmation and one-time payment status
4. How We Use Your Data
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Parse uploaded court orders into calendar events | Contract performance | Document content, correction logs |
| Generate and serve calendar files (.ics, Google) | Contract performance | Parsed schedule data |
| Authenticate users via magic link | Contract performance | Email, session tokens |
| Process one-time payments | Contract performance | Stripe tokens, payment status |
| Improve parsing accuracy and fix errors | Legitimate interest | Anonymized correction logs |
| Detect abuse and fraud | Legitimate interest | IP, request metadata, usage logs |
| Communicate service updates and security notices | Legitimate interest | |
| Comply with legal obligations | Legal compliance | As required by law |
CoCalendar does not sell personal data. CoCalendar does not use uploaded court order content for advertising, profiling, or any purpose other than those listed above.
5. Third-Party Services and Data Processors
CoCalendar relies on the following sub-processors to deliver the Service. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual obligation:
| Processor | Role | Data Shared | Location |
|---|---|---|---|
| Vercel | Hosting and serverless compute | Request metadata, logs | USA (SOC 2 Type II) |
| Supabase | Database, file storage, authentication | User accounts, documents, parsed data | USA (SOC 2 Type II) |
| Google Gemini | AI parsing via Gemini API (paid tier) | Court order text / images | USA (Cloud DPA) |
| Stripe | Payment processing | Billing info only | USA (PCI DSS Level 1) |
| Calendar sync (user-authorized) | Parsed calendar events | Global (OAuth scoped) |
6. AI Processing and Google Gemini
CoCalendar uses the Google Gemini API (paid tier, accessed via a Google Cloud Platform project with an active billing account) to extract schedule rules from court order documents. When you upload a document, its text or image content is transmitted to Google's servers for processing. The following disclosures apply:
- Paid tier policy:CoCalendar accesses the Gemini API through a GCP project with an active billing account. Under Google's paid tier terms and Cloud Data Processing Addendum, Google does not use your prompts or responses to train or fine-tune its AI models.
- Abuse monitoring retention: Google retains prompt data for up to 55 days for the purpose of detecting violations of its Acceptable Use Policy. This data is used solely for policy enforcement and is not used for model training.
- In-memory caching: By default, Google caches prompt data in-memory for up to 24 hours to reduce latency. This data is isolated at the project level and is not stored at rest beyond that window unless explicitly configured.
- CoCalendar operates under Google's Cloud Data Processing Addendum (CDPA), available at cloud.google.com/terms/data-processing-addendum.
- Document content is transmitted over encrypted TLS connections.
- CoCalendar strips all personally identifiable metadata (filename, user ID) before transmitting document content to the API.
- If you are an attorney or legal professional uploading documents that may constitute attorney work product, you should independently assess whether transmitting that content to a third-party AI provider is consistent with your professional obligations.
CoCalendar does not use Gemini API outputs to build user profiles, infer personal characteristics, or make automated decisions with legal or significant effects on users.
7. Data Storage, Encryption, and Security
7.1 Technical Safeguards
CoCalendar implements industry-standard technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data at rest and in transit, strict access controls ensuring each user can only access their own data, and regular security reviews.
7.2 Breach Notification
In the event of a security incident involving personal data, CoCalendar will notify affected users without undue delay, and no later than 72 hours after confirmation of the breach. Notification will be provided via email to the address on file and posted to our status page.
8. Data Retention and Deletion
CoCalendar uses a single-tier model: $7 per document, one-time payment via Stripe.
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Uploaded court order documents | 12 months from payment date; annual renewal extends retention | Automated hard delete 30 days after expiry |
| Parsed calendar data (living calendar) | 12 months from payment; deleted 30 days post-expiry if not renewed | Automated delete |
| Email address | Duration of active access + 30 days | Hard delete on request or inactivity |
| Usage and audit logs | 12 months | Rolling automated purge |
| Payment records | 7 years | Required by US tax law |
| Correction feedback (anonymized) | Indefinite (no PII) | Not applicable |
Users may request deletion of their data at any time by contacting privacy@cocalendar.app. Requests will be fulfilled within 30 days except where retention is required by law.
9. Children's Information
CoCalendar does not knowingly collect personal information directly from children under 13 years of age. The Service is intended for use by adults (parents and legal professionals).
Court orders processed by CoCalendar may contain the names, ages, and identifying information of minor children. This information is processed solely for the purpose of generating calendar events and is not used for any other purpose. Children's information contained in court orders is subject to the same encryption, access controls, and deletion policies described in Sections 7 and 8.
CoCalendar does not create profiles of minor children, share children's information with third parties for marketing, or retain children's information beyond the periods specified in Section 8.
10. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale: CoCalendar does not sell personal information. This right is not applicable.
- Right to Non-Discrimination: Exercising your privacy rights will not result in denial of service or different pricing.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive personal information to purposes necessary to provide the Service.
To exercise any of these rights, submit a verifiable consumer request to privacy@cocalendar.app. We will respond within 45 days. We do not charge a fee for one request per 12-month period.
11. Sharing and Disclosure of Data
CoCalendar does not share, sell, or rent personal data except in the following circumstances:
- Sub-processors: as described in Section 5, solely to provide the Service
- Legal compliance: in response to a valid court order, subpoena, or legal process
- Protection of rights: to prevent fraud, abuse, or violations of our Terms of Service
- Business transfers: in connection with a merger, acquisition, or asset sale, with advance notice to users
Uploaded court order documents are never shared with any third party other than Google (for AI parsing) and Supabase (for storage), both under binding data processing agreements.
12. Your Rights and Choices
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated data
- Portability: Request an export of your parsed calendar data in .ics or JSON format
- Withdraw consent: Disconnect Google Calendar integration at any time via account settings
- Opt out of communications: Unsubscribe from non-transactional emails at any time
To exercise any right, contact privacy@cocalendar.app with the subject line “Privacy Request.” We will verify your identity before processing requests involving personal data.
13. Cookies and Tracking
CoCalendar uses a minimal set of cookies and similar technologies:
- Session cookies: required for authentication; expire when the browser is closed
- Preference cookies: store user interface preferences (optional; deletable)
- Analytics: CoCalendar may use privacy-preserving analytics (no cross-site tracking, no fingerprinting)
CoCalendar does not use third-party advertising cookies, tracking pixels, or behavioral profiling. You may disable cookies in your browser settings; note that disabling session cookies will prevent login.
14. Changes to This Policy
CoCalendar may update this Privacy Policy as the Service evolves, as required by law, or in response to feedback. Material changes will be communicated by:
- Email notification to the address on file, at least 14 days before the change takes effect
- Prominent notice on the CoCalendar web application
- Updated “Effective Date” and “Last Updated” fields at the top of this document
Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
15. Contact Us
For privacy-related questions, requests, or complaints:
| Privacy inquiries | privacy@cocalendar.app |
| Legal / DPA requests | legal@cocalendar.app |
| Security disclosures | security@cocalendar.app |
| Postal address | NutritionEL Health, LLC, Texas, United States |