Privacy Policy
Last updated: 22 March 2026
1Gesture ("we", "our", "us") operates a meeting reminder and impact gesture service. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and the rights you have over it. We are committed to transparency and to handling your data responsibly under the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Data We Collect
Account Data
When you create an account via Google OAuth, we receive and store:
- Your name and email address
- Your profile avatar (provided by Google)
Calendar Event Data
With your explicit consent, we access your Google Calendar in read-only mode. We retrieve:
- Event titles
- Event times (start and end)
- Attendee information (names and email addresses)
We never modify your calendar, create events, or send emails from your account. Calendar access is strictly read-only.
Attendee Interaction Data
When attendees receive reminder emails sent by 1Gesture on your behalf, we collect:
- Email open events
- Link click events
- Gesture claim activity
Payment Data
Subscription and gesture funding payments are processed by Stripe. We receive confirmation of payment status and subscription details. We never receive, process, or store your full card numbers. Stripe handles all sensitive payment data under PCI DSS Level 1 compliance.
Usage Analytics
We collect anonymised usage analytics to improve the service. Email addresses used in analytics are hashed using SHA-256 before storage. We use Plausible Analytics, which is a privacy-first, cookie-free analytics platform that does not track individuals across sites.
2. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
| Legal Basis | GDPR Article | Purpose |
|---|---|---|
| Consent | Art. 6(1)(a) | Accessing your Google Calendar data; processing impact gesture funding on your behalf |
| Legitimate Interest | Art. 6(1)(f) | Service operation, security, error monitoring, and anonymised analytics to improve the product |
| Contract | Art. 6(1)(b) | Processing subscription billing and delivering the services you have signed up for |
You may withdraw your consent at any time by revoking calendar access in your account settings or by contacting us. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
3. Third-Party Data Processors
We share data with the following third-party processors, each under appropriate data processing agreements:
| Processor | Purpose | Data Shared |
|---|---|---|
| Google (Calendar API, OAuth) | User authentication and calendar data access | OAuth tokens, calendar event metadata |
| Stripe | Subscription and gesture funding payment processing | Email, payment intent details (card data held by Stripe only) |
| Resend | Transactional email delivery (meeting reminders, receipts) | Recipient email, email content |
| Plausible | Privacy-first website and product analytics | Anonymised page views (no personal data, no cookies) |
| Sentry | Application error monitoring and performance tracking | Error stack traces, anonymised user context |
| Cloudflare | Content delivery network and security (DDoS protection, WAF) | IP addresses (processed transiently for security) |
We do not sell your personal data to any third party. We do not share personal data with advertisers.
4. Data Retention
- Active account data is retained for as long as your account remains active.
- Gesture claim records are retained for 3 years to support Impact Partner auditing requirements.
- Deleted accounts: upon account deletion, your personal data is removed within 30 days. Anonymised analytics data (which cannot be linked back to you) is retained indefinitely.
- Payment records: retained as required by applicable tax and financial regulations.
5. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): request correction of inaccurate personal data.
- Right to Erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
- Right to Restriction of Processing (Art. 18): request that we limit how we use your data.
- Right to Data Portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): object to processing based on legitimate interest.
For CCPA residents (California): you have the right to know what personal information we collect, to request its deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise any CCPA right, contact us at the address below.
To exercise any of these rights, email privacy@internal-demo.1gesture.com. We will respond within 30 days.
6. Attendee Privacy
Gesture choices are private by default. An attendee's selected gesture is never visible to the meeting organiser or other attendees unless the attendee explicitly enables sharing via the privacy consent toggle.
When attendees interact with 1Gesture reminder emails:
- Their gesture selection is stored privately and is not disclosed to the meeting host.
- Sharing of gesture choices requires the attendee to explicitly enable privacy_share_consent.
- Attendee email addresses are hashed using SHA-256 for analytics purposes, meaning we do not store raw attendee emails in our analytics systems.
7. Google OAuth Scopes
1Gesture requests the following Google OAuth scopes:
- Calendar read-only (
calendar.readonly) -- to retrieve upcoming meeting details. - Profile and email -- for account creation and authentication.
We do not request write access to your calendar. We will never create, edit, or delete events. We will never send emails from your Google account.
8. Cookies
1Gesture uses a minimal set of essential and functional cookies. We do not use third-party tracking cookies. Plausible Analytics, our analytics provider, operates without cookies entirely.
For full details on the cookies we set, their purpose, and duration, see our Cookie Policy.
9. Children's Privacy
1Gesture is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@internal-demo.1gesture.com and we will delete the data promptly.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) and at rest
- Access controls and least-privilege principles
- Regular security reviews
- Cloudflare WAF and DDoS protection
- Sentry-based error monitoring for rapid incident detection
11. International Data Transfers
Some of our third-party processors operate outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the processor's participation in recognised data protection frameworks.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice within the service. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: privacy@internal-demo.1gesture.com
Service: 1Gesture
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO).