Security
How we protect your data.
Security features
End-to-End Encryption
Your calendar content is encrypted on your device before it syncs anywhere.
- Authenticated encryption via libsodium secretbox (XSalsa20-Poly1305), so ciphertext that has been altered fails to decrypt rather than yielding garbage
- Keys derived from your password on-device
- Servers store encrypted blobs plus limited sync metadata
- We cannot read your event titles, notes, or descriptions in plaintext
Local-First Architecture
Your data lives in your browser first (IndexedDB), so the app stays fast and offline-friendly.
- Local encrypted storage (RxDB / IndexedDB)
- Offline viewing & editing (syncs when you're back online)
- Import/export via ICS to avoid lock-in
Privacy by Design
Built from the ground up with privacy as the primary concern.
- No ads in the app
- No third-party analytics scripts in the app
- The marketing site uses Plausible (cookie-free analytics)
- We do not sell your calendar content
Security practices
Defense-in-depth posture
We aim to keep the attack surface small and use reputable infrastructure providers for auth, hosting, and payments.
Responsible Disclosure
There is a clear process for security researchers to report vulnerabilities responsibly.
Data-minimizing defaults
The most sensitive calendar content (event titles, notes, and descriptions) is encrypted end-to-end. Servers only see what is required to run accounts, billing, and sync.
No calendar content recovery
Because calendar content is encrypted end-to-end with keys derived from your password on your device, we cannot recover encrypted event content if you lose the keys needed to decrypt it.
Report Security Issues
If you discover a security vulnerability, please report it responsibly to:
security@nimbledot.com
I appreciate your help in keeping NimbleCal secure for everyone.