OnePage← Back home

Legal

Privacy Policy

Last updated: May 22, 2026

Summary

OnePage is a personal dashboard that brings together your feeds, calendar, tasks, ideas, and (optionally) third-party meeting providers like Zoom, Google Meet, and Microsoft Teams. We collect the minimum data needed to run those features. We do not sell your data, we do not show you advertising, and we do not share your data with third parties except as described below.

  • We store your email and a unique public booking handle (e.g. alice-x7k4q).
  • If you connect Zoom, Google Meet, or Microsoft Teams, we store an encrypted OAuth token so we can create meetings on your behalf when someone books time with you.
  • You can disconnect any integration, delete bookings, or delete your account at any time from Settings.

Who we are

"OnePage", "we", "us", and "our" refer to the operator of onepage.com. Contact us at privacy@onepage.com with any privacy question or request.

What we collect

Account data

  • Email address — used to sign you in via magic-link auth and to identify your account. Stored by our auth provider (Supabase) and in our user_profiles table.
  • Display name, bio, avatar URL, timezone — you control these in Settings. Display name and avatar appear on your public booking page if you create one.
  • Public handle / slug — auto-generated from your email local-part plus a random 5-character suffix (e.g. alice-x7k4q). Used in URLs like /meet/{handle}. Anyone with the link can view your active booking page.

Content you create

  • Feeds, snippets, tasks, notes, ideas, memories, pages, calendars, agents — the content of your workspace. Stored in our database under your user ID and visible only to you, plus anyone you explicitly share with.
  • Scheduling configuration — event types, availability windows, and bookings made on your public booking page.

Connected accounts (OAuth)

When you connect Zoom, Google, or Microsoft from Settings → Scheduling, we receive and store:

  • Your access token and refresh token for that provider, both encrypted at rest with AES-256-GCM using a server-side key you never see.
  • Your email address on that provider, shown in the Settings UI so you know which account is connected.
  • The provider user id for the connected account.
  • Token expiry so we know when to refresh.

We never receive your provider password. We do not read your existing meetings, calendar events, recordings, chat messages, contacts, or files on the provider. The only call we ever make is to create a single meeting in response to someone booking time with you.

Operational data

  • Server logs — IP address, user agent, timestamp, and the URL path for each request, kept up to 30 days for security and debugging.
  • Cookies — auth session cookies set by Supabase Auth, an oauth_state_* cookie used during OAuth redirects (CSRF protection, 10-minute lifetime), and small client-side preference cookies for things like theme and text size. No third-party tracking or advertising cookies.

How we use your data

  • To run the features you explicitly use.
  • To create meetings on Zoom, Google Meet, or Microsoft Teams — but only when someone books time with you and only with the provider you chose.
  • To send transactional emails (sign-in links, booking confirmations). We do not send marketing email.
  • To investigate abuse, debug errors, and keep the service running.

We do not use your content to train machine-learning models. AI features inside OnePage call third-party model providers (e.g. Anthropic) on a per-request basis under their no-training data terms; we don't fine-tune on your workspace.

How we share your data

We share data only in these narrow cases:

  • With sub-processors required to operate the product: Supabase (database + auth), our hosting provider, and the AI model providers we proxy your AI requests to. Each runs under a data-processing agreement and processes data only on our instructions.
  • With meeting providers you connect (Zoom, Google, Microsoft) when we create a meeting on your behalf. Data sent: meeting title, description (if you allow it), start/end time, timezone, and the booker's name + email as an invitee.
  • With people you explicitly share with — anyone you grant access to a page, calendar, or folder.
  • When legally required — to comply with a valid subpoena, court order, or similar legal process, after reviewing the request.

We do not sell your personal data. We do not share it for cross-context behavioral advertising.

How long we keep it

  • Account + content — until you delete it or close your account.
  • OAuth tokens — until you disconnect the integration (immediate deletion) or your account is closed.
  • Bookings + calendar events — until you delete them.
  • Server logs — up to 30 days.

When you delete your account, we remove your data within 30 days, except for the minimum we're required to retain for legal compliance (e.g. records of payments or abuse reports).

Your choices

  • Access & export — Email us and we will provide a copy of your data within 30 days.
  • Correction — Update profile fields in Settings; contact us for anything else.
  • Deletion — Disconnect integrations and delete bookings from Settings → Scheduling. Email us to close your account entirely.
  • Disconnect a meeting provider — At any time from Settings → Scheduling. We immediately delete both the access and refresh tokens for that provider. You can also revoke OnePage from the provider's own connected- apps page (Zoom Marketplace, Google Account Security, Microsoft Account → Privacy).
  • GDPR / UK GDPR rights — If you are in the EEA or UK, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. You also have the right to lodge a complaint with your supervisory authority. Contact us first and we'll do our best to resolve the issue.
  • CCPA rights — If you are a California resident, you have the right to know what we collect, to delete it, to correct it, and to opt out of "sale" or "share" of personal data. We do not sell or share personal data for advertising.

Security

All traffic is served over HTTPS. OAuth tokens for connected meeting providers are encrypted at rest with AES-256-GCM using a server-side key. Access to the production database is restricted to a small operations team, logged, and audited. We follow the principle of least privilege for both employees and sub-processors.

No system is perfectly secure. If you believe you've found a vulnerability, please email admin@onepage.com and we'll respond promptly.

Children

OnePage is not intended for children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we'll delete it.

International transfers

OnePage is operated from the United States. If you access it from elsewhere, your data will be transferred to and processed in the United States and other countries where our sub-processors operate. Where required, we rely on Standard Contractual Clauses for transfers out of the EEA/UK.

Changes to this policy

We may update this policy from time to time. When we make material changes we'll update the "Last updated" date at the top and, where appropriate, notify you in-app or by email. Continued use of OnePage after an update means you accept the revised policy.

Contact

Privacy questions or requests: privacy@onepage.com.