← Psst

Privacy Policy

Last updated: 6 June 2026

Psst is a cross-platform desktop application (macOS, Windows, and Linux) that shows you a full-screen reminder shortly before your meetings. This policy explains exactly what data Psst accesses and how it is used, stored, protected, and shared. The short version: Psst reads your calendar on your device, protects it with encryption, and never shares your calendar data with anyone. Psst also collects anonymous, opt-out usage analytics that never include your calendar contents — see Analytics below.

What we access

With your explicit consent on Google's sign-in screen, Psst requests the following Google OAuth scopes:

• openid and email — to identify your Google Account and read your email address, which is shown in the app so you know which account is connected.
• https://www.googleapis.com/auth/calendar.readonly — read-only access to your calendar list and upcoming events (titles, times, locations, conferencing links, and attendees), used solely to schedule and render your reminders.

These scopes are read-only. Psst cannot create, modify, send, or delete anything in your Google Account.

How we use and store your data

• Calendar events are fetched directly from Google to your device and held only in memory to render your reminders. They are never written to disk and never transmitted to us or any third party, and they are cleared when you disconnect your account or quit the app.
• OAuth tokens (both the access token and the refresh token) and your account email address are stored encrypted at rest using your operating system's secure storage via Electron's safeStorage (Keychain on macOS, DPAPI on Windows, libsecret on Linux).
• Your calendar selections (which calendars you choose to watch) are stored locally on your device.
• Your Google data stays between you and Google. Your calendar data only ever travels between your device and Google — it is never sent to a Psst server, to our analytics, or to any other third party, and we do not use it for advertising or profiling. (Anonymous, non-calendar usage analytics are described under Analytics.)

How we protect your data

We use encryption to protect your information, and security procedures are in place to protect the confidentiality of your Google user data and to guard against unauthorized or unlawful access, use, alteration, loss, or disclosure. Specifically:

• Encryption in transit. All communication with Google is over TLS/HTTPS.
• Encryption at rest. OAuth tokens and your account email are encrypted using your operating system's secure key store (Keychain / DPAPI / libsecret), so they are not readable as plaintext on disk.
• Data minimization. Psst requests only read-only access and reads only your upcoming events.
• On-device processing. Your event details are processed in memory on your own device and are never sent to a Psst server — there isn't one.

How we share, transfer, or disclose your data

We do not share, transfer, sell, rent, or disclose your Google user data to any third party. Your calendar data never leaves your device except to communicate directly with Google's own APIs. We never transfer or sell your data to advertising platforms or data brokers, and we never use it for advertising, profiling, or to determine credit-worthiness.

The only external service Psst relies on is our license and payment provider, Lemon Squeezy, which receives your license key and a device name in order to activate and validate your license. Lemon Squeezy never receives any Google user data — not your calendar, your email address, or your tokens.

The only exceptions to the above are narrow and standard: where we are required to do so to comply with applicable law or a valid legal request, or as part of a merger or acquisition under equivalent privacy protections.

Limited Use

Psst's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Google user data is used only to provide the user-facing reminder feature and is not transferred to others except as described in the section above.

Data retention & deletion

Cached events live only in memory and are cleared when you disconnect your account or quit the app. Your tokens and account email live only on your device; disconnecting your account in Psst, or quitting and removing the app, deletes this local data. You can revoke Psst's access at any time from your Google Account permissions.

Payments

License purchases are processed by Lemon Squeezy, our third-party payment provider. We receive order and license information (such as your email and license key) to deliver and support your license; we never receive your full payment card details. This is separate from, and never combined with, your Google user data.

Analytics

To understand how Psst is used and where to improve it, we collect anonymous usage analytics via PostHog. This never includes your calendar contents (titles, times, attendees, or links), your email address, or your OAuth tokens.

• This website uses Google Tag Manager, Vercel Web Analytics, and PostHog to measure page views and interactions such as which links and buttons are clicked.
• The desktop app sends anonymous product-usage events — which features and settings you use — identified only by a random per-install ID, with no personal or calendar data. It is on by default and can be turned off at any time in the app's Settings.

Contact

Questions about privacy? Email conderbuilds@gmail.com.