Privacy Policy

Last updated: March 5, 2026

1. Introduction

AuthBlock, Inc. ("we," "us," or "our") operates Temporal Cortex, a calendar scheduling infrastructure platform for AI agents. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including our API, MCP server, portal dashboard, and related integrations.

AuthBlock, Inc. is the data controller for the purposes of applicable data protection laws. If you have questions about this Privacy Policy, please contact us at [email protected].

2. Information We Collect

2a. Information You Provide

When you create an account, we collect information provided through our authentication provider (Clerk), which may include:

  • Email address
  • Name
  • Profile information
  • Organization or team details (for enterprise accounts)

2b. Calendar Data Accessed via OAuth

When you connect a calendar provider (such as Google Calendar or Microsoft Outlook) via OAuth, we access the following data from your calendar accounts:

  • Calendar event titles, descriptions, start/end times, and locations
  • Event attendees and organizer information
  • Calendar metadata (calendar names, IDs, timezone settings)
  • Free/busy information across connected calendars
  • Recurring event rules (RRULE data as defined by RFC 5545)

We store encrypted OAuth tokens (access and refresh tokens) to maintain your calendar connection. These tokens are encrypted at rest using our credential vault.

2c. Automatically Collected Information

When you use the Service, we automatically collect:

  • IP address and approximate geolocation
  • Device type, browser type, and operating system
  • Usage logs (API requests, feature usage, error logs)
  • Cookies and similar tracking technologies

We use Google Analytics (measurement ID: G-KLP21YS0Q2) on our marketing website for aggregate analytics. Google Analytics may collect additional information as described in Google's Privacy Policy.

2d. Data from AI Agents

When AI agents interact with our Service through the MCP (Model Context Protocol) server or API, we collect:

  • Requests made by the agent on your behalf (scheduling queries, booking requests)
  • Agent identifiers and authentication credentials
  • Interaction logs for security and audit purposes

3. How We Use Your Information

We use the information we collect to:

  • Provide core features: Compute availability across calendars, book meetings, manage events, resolve temporal context, and expand recurring event rules
  • Maintain and improve the Service: Monitor performance, diagnose issues, and develop new features
  • Security and fraud prevention: Detect and prevent unauthorized access, abuse, and prompt injection attacks
  • Comply with legal obligations: Respond to lawful requests from authorities and enforce our Terms of Service
  • Communicate with you: Send service-related notices, security alerts, and respond to support inquiries

We do NOT use your information for:

  • Advertising, ad targeting, or interest-based profiling
  • Selling or renting your data to third parties
  • Determining creditworthiness or for lending purposes
  • Training general-purpose AI or machine learning models

4. Google API Services User Data Policy Compliance

Temporal Cortex's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In accordance with Google's Limited Use requirements:

  • We only use Google user data to provide and improve the user-facing features of the Service (availability computation, event management, and scheduling)
  • We do not transfer Google user data to third parties except as necessary to provide the Service, with user consent, or as required by law
  • We do not use Google user data for serving advertisements
  • We do not allow humans to read Google user data unless: (a) we have the user's explicit consent for specific data; (b) it is necessary for security purposes (e.g., investigating abuse); (c) it is necessary to comply with applicable law; or (d) the data is aggregated and anonymized for internal operations

You can revoke Temporal Cortex's access to your Google data at any time through your Google Account permissions page.

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service you have requested (e.g., computing availability, booking meetings)
  • Consent: Where you have given explicit consent (e.g., connecting your calendar via OAuth)
  • Legitimate interest: Processing necessary for our legitimate interests (e.g., improving the Service, preventing fraud), provided these interests are not overridden by your rights
  • Legal obligation: Processing necessary to comply with applicable law

6. Data Sharing and Disclosure

We do not sell, rent, or lease your personal data. We may share your information only in the following circumstances:

  • Service providers (sub-processors): We use trusted third-party providers to operate the Service, including Fly.io (hosting infrastructure), Clerk (authentication), Google Analytics (website analytics), and Neon (database hosting). These providers process data solely on our behalf and under contractual obligations to protect your data.
  • AI agents via MCP: When you authorize an AI agent to connect to Temporal Cortex through the MCP protocol, the agent accesses your calendar data on your behalf. Only the minimum data required for each request is returned.
  • Enterprise administrators: If you use Temporal Cortex through an enterprise or team account, your organization's administrator may have access to account activity and usage data.
  • Legal requirements: We may disclose your information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, or sale of all or a portion of AuthBlock, Inc.'s assets, your data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

7. International Data Transfers

Your data is processed and stored in the United States (Fly.io IAD region, Ashburn, Virginia). If you are located outside the United States, your information will be transferred to and processed in the United States.

For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for international data transfers. You may request a copy of these clauses by contacting us.

8. Data Retention and Deletion

We retain your data only as long as necessary to provide the Service and fulfill the purposes described in this policy:

Data Category Retention Period
Calendar event data Duration of active connection + 30 days after disconnection
OAuth tokens Until revoked by user or account deletion (encrypted at rest)
Account and profile data Duration of account + 30 days after deletion request
Usage and analytics logs 12 months
Backup copies 30-day rolling purge after primary data deletion

You can request deletion of your account and associated data at any time by contacting us at [email protected]. Upon receiving a verified deletion request, we will delete your data within 30 days from our primary systems. Backup copies are purged within an additional 30 days.

9. Your Rights

GDPR Rights (EEA, UK, Switzerland)

You have the right to:

  • Access your personal data and obtain a copy
  • Rectify inaccurate or incomplete data
  • Erase your personal data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Data portability — receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your local data protection supervisory authority

CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information is collected, used, shared, or sold
  • Delete personal information held by us
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information (we do not sell your data)
  • Non-discrimination for exercising your rights

We will respond to verified requests within 45 calendar days, with the possibility of a 45-day extension where necessary. We honor Global Privacy Control (GPC) signals.

To exercise any of these rights, contact us at [email protected]. You may also revoke calendar access directly through your Google Account or Microsoft Account permissions pages.

10. Self-Hosted (Local) Mode

Temporal Cortex can be run in a self-hosted local mode where all data remains on your own machine. In local mode:

  • No data is transmitted to AuthBlock, Inc. or any third-party server
  • OAuth tokens and calendar data are stored locally on your device
  • AuthBlock has no access to or visibility into your locally stored data
  • You are solely responsible for the security and backup of your local data

This Privacy Policy primarily applies to the cloud-hosted platform mode. If you use only the self-hosted local mode, Sections 6–8 of this policy regarding data sharing, international transfers, and retention do not apply to your locally stored data.

11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • OAuth tokens encrypted using a dedicated credential vault with AES encryption
  • API key hashing (SHA-256) — we never store plaintext API keys
  • Role-based access controls and least-privilege principles
  • Audit logging of all data access and modifications
  • Content safety systems including prompt injection detection and content sanitization
  • Rate limiting and abuse prevention mechanisms
  • PKCE (Proof Key for Code Exchange) for OAuth flows to prevent authorization code interception

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete that information. If you believe a child under 13 has provided us with personal information, please contact us at [email protected].

13. AI Agents and the MCP Protocol

Temporal Cortex provides an MCP (Model Context Protocol) server that enables AI agents to interact with calendar data on your behalf. Regarding AI agent data processing:

  • User authorization required: AI agents can only access your calendar data when you have explicitly authorized the connection and provided valid credentials
  • Data minimization: Only the minimum calendar data necessary to fulfill each specific agent request is returned
  • No model training: Calendar data processed through MCP interactions is not used to train AI or machine learning models
  • Safety controls: Our platform includes configurable safety policies (content filtering, action guardrails) that you can customize to control what AI agents can do with your data
  • Audit trail: All AI agent interactions are logged for security and compliance purposes
  • Revocable access: You can disconnect AI agent access or revoke credentials at any time through the portal

14. Third-Party Calendar Providers

Temporal Cortex integrates with third-party calendar providers including Google Calendar and Microsoft Outlook. Your use of these providers is subject to their respective terms of service and privacy policies:

AuthBlock, Inc. is not responsible for the privacy practices of third-party calendar providers. Changes to their APIs, terms, or data access policies may affect the Service's functionality. We are not liable for any disruptions resulting from third-party provider actions.

15. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email at least 30 days before the changes take effect. Non-material changes will be reflected by updating the "Last updated" date at the top of this page.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

16. Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

AuthBlock, Inc.

Email: [email protected]

Website: temporal-cortex.com