How shenas ai, Inc. ("shenas", "we") handles your personal data, including data accessed from connected services such as Google Calendar. This policy describes what shenas does and does not do with your information. Technical claims here are verifiable against our open-source code; see security for the implementation details.
shenas ai, Inc. ("shenas") is the company that develops the Shenas application. Shenas is a self-hosted personal data store: it runs on devices you control (laptop, server, phone) and aggregates data from services you already use into a local, encrypted database on those devices.
The Shenas application is open source. The current source lives at github.com/shenas-org/shenas; documentation for developers lives at shenas.org. This policy covers shenas ai, Inc.'s collection and handling of personal data through the shenas.ai website and the Shenas application's connections to third-party services we offer OAuth integrations for.
shenas separates three kinds of data: data accessed from connected sources, data stored in your Shenas instance, and data shenas ai, Inc. operates as a company. Each is handled differently.
When you connect a source (for example Google Calendar, Garmin, or Spotify) to your Shenas instance, the Shenas application requests access to that source on your behalf using OAuth or an API key you provide. The application then contacts the source's API directly from your device, using your credentials, to fetch the data you authorized. This fetched data is written to the encrypted database on your device. It is not routed through any shenas-operated server, and shenas ai, Inc. does not retain a copy of it on our infrastructure.
The specific Google data we access, the scope we request, and the use we make of it is described in the Google user data section below. Other sources are governed by the same principles.
All personal records synced into Shenas — calendar events, health metrics, journal entries, finance records, anything else a source pulls — live in a DuckDB database file on the device that runs your Shenas instance, encrypted at rest with AES-256-GCM. The encryption key is held by your operating system's secret store (Keychain, DPAPI, or libsecret) or derived from a password you set; shenas does not hold a copy. See where data lives in our security documentation for specifics.
The shenas.ai website (this site) and the shenas coordination server collect a limited set of operational data needed to run the service: account email and display name (if you sign in), device public keys and a non-identifying device name used for peer-to-peer sync discovery, opaque encrypted relay messages used to deliver sync events between your own devices (the contents of which we cannot read), server-side request logs, and standard web analytics-free access logs. The coordination server does not receive, store, or process the records inside your Shenas database.
If you contact us by email, we retain that correspondence for as long as needed to respond to it and meet any legal obligations.
Shenas's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect Google Calendar to Shenas, the Shenas
application requests the
https://www.googleapis.com/auth/calendar.readonly
scope. This is read-only access to calendars and events on
your Google account. We do not request write or
event-management scopes. We do not request access to other
Google services (Gmail, Drive, Contacts, Photos) as part of
the Calendar integration. If you connect additional Google
sources (for example Google Takeout), the scopes requested
for those are disclosed at the moment of connection.
The Shenas application uses calendar event data solely to display, search, and analyze your own schedule alongside other personal data sources inside your Shenas instance. The data is stored in your local Shenas database and is shown back to you.
We do not, and will not:
Calendar data fetched from Google is stored only in the encrypted local database on the device that runs your Shenas instance. It is not uploaded to shenas-operated infrastructure. The shenas coordination server does not receive, store, or process Google Calendar events. If a shenas server were breached, the attacker would find no Google Calendar data belonging to any user.
You can revoke Shenas's access to your Google account at any time from myaccount.google.com/permissions. Revocation immediately stops Shenas from being able to fetch new calendar data.
Calendar data already synced to your Shenas instance lives in your own encrypted database. To delete it:
Because Shenas is self-hosted, calendar data fetched from Google is retained for as long as you choose to keep it in your Shenas instance. shenas ai, Inc. does not hold a separate copy on its servers and therefore has no server-side retention period for Google Calendar event content.
When you remove the Google Calendar source from your Shenas instance, the locally cached records are purged immediately from the local database. When you revoke Shenas's access from your Google account, the application can no longer fetch new events; previously fetched events remain in your local instance until you remove the source or delete the database, as above.
Account-level operational data held by shenas ai, Inc. (such as account email, device public keys, and coordination-server logs) is retained while your account is active. On account deletion request, that operational data is purged within 30 days, except where retention is required by law or to resolve a security incident.
Personal records in your Shenas instance are encrypted at rest with AES-256-GCM. Encryption keys are held in your operating system's native secret store or derived from a local password you set; shenas does not hold a copy. Coordination-server traffic is over TLS, and relayed sync messages between your own devices are end-to-end encrypted — the relay sees opaque ciphertext, not record content. Full details are in the security and privacy page.
No system is perfectly secure. If you believe you have identified a vulnerability that affects shenas or its users, please contact [email protected].
You have rights over your personal data, including (depending on your jurisdiction) rights of access, correction, deletion, portability, and objection. Because shenas is self-hosted, many of these rights are exercised directly in your own instance.
To exercise any of these rights or to ask a question about how shenas handles your data, contact [email protected].
Shenas is not directed at children under 13 (or the equivalent age threshold in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal data to shenas ai, Inc., contact [email protected] and we will investigate.
When this policy changes in a way that materially affects how we handle your personal data, we will update the effective date at the top of the page and, where appropriate, notify you through the application or by email. The current version always lives at shenas.ai/privacy-policy.
For data questions, deletion requests, or to exercise any of the rights described above: