Last reviewed Apr 8, 2026

How we protect your data.

Security features

End-to-end encryption

Your calendar content is encrypted on your device before it syncs anywhere.

  • Authenticated encryption via libsodium secretbox
  • Keys derived from your password on-device
  • Servers store encrypted blobs plus limited sync metadata
  • During normal sync, NimbleCal cannot read your event titles, notes, or descriptions in plaintext

Email invites are the main exception today. If you send an email invite, NimbleCal stores and sends a plaintext invite summary containing the event title, start/end time, timezone, organizer name/email, and any event location or description.

See: Encryption overview

Local-first architecture

Your data lives in your browser first (IndexedDB), so the app stays fast and offline-friendly.

  • Local encrypted storage (RxDB / IndexedDB)
  • Offline viewing and editing (syncs when you're back online)
  • Import/export via ICS to avoid lock-in (note: .ics files are plain text outside NimbleCal)

See: Offline mode

Privacy by design

Built from the ground up with privacy as the primary concern.

  • No ads in the app
  • No third-party analytics scripts in the app
  • The website uses Plausible for cookie-free aggregate traffic and CTA measurement
  • We do not sell your calendar content

Security practices

Defense-in-depth posture

We aim to keep the attack surface small and use reputable infrastructure providers for auth, hosting, and payments.

Responsible disclosure

There is a clear process for security researchers to report vulnerabilities responsibly.

Data-minimizing defaults

Most sensitive calendar content is encrypted end-to-end. Servers only see what is required to run accounts, billing, sync, reminders, and the invite details needed to send and show an email invite.

No calendar content recovery

Because calendar content is end-to-end encrypted, we cannot decrypt or recover it on your behalf. Quick unlock is a trusted-device local unlock helper, not recovery for a brand-new device. Password resets preserve access only when you can still unlock encryption on a trusted device; if you lose your password and every trusted-device unlock path, the fallback may be to start fresh.

Report a security issue

If you discover a security vulnerability, please report it responsibly to:

security@nimblecal.com

I appreciate your help in keeping NimbleCal secure for everyone.

