Natty the Nocrastinator™ — Privacy Policy
Effective date: 2026-04-26 Operator: JJJJJ Enterprises, LLC ("we", "us", "our") Service: Natty the Nocrastinator™, a Google Workspace Add-on for Google Calendar (the "Service")
This Privacy Policy explains what data the Service accesses, how it is used, and with whom it is shared. By installing or using the Service you agree to the practices described below.
1. Architecture Summary
Natty the Nocrastinator™ runs entirely inside your own Google Apps Script environment, under your own Google account credentials. We do not operate any server, database, or backend that receives or stores your data. All persistent data resides in PropertiesService.getUserProperties(), which is private to your Google account and script project. You can view and audit all data stored by the Service by inspecting UserProperties in the Apps Script editor.
2. Data We Access
| Data | How it is used |
|---|---|
| Google Calendar event details — title, start date/time, calendar ID | Read when you open a Calendar event in the side panel. The event title is sent to the Google Gemini API (Pro plan) to generate contextually relevant milestone titles and descriptions. |
Google Calendar events (write) — creates events prefixed [NC™] |
Created as 30-minute calendar blocks on the dates of each milestone. Deleted when you use "Remove All Natty the Nocrastinator™ Items." |
Google Tasks (write) — creates tasks tagged #nocrastinator |
Created in your default task list (or one you configure) as milestone reminders. Deleted when you use "Remove All." |
| Google Account email address | Read at install time via userinfo.email scope, required by the Google Workspace Marketplace for subscription management. Not stored in UserProperties. |
The Service does not read or transmit: - Gmail messages or any email content; - contacts, address book, or Calendar event attendees; - Calendar events you have not opened in Natty the Nocrastinator™ side panel; - any data from Google Drive, Sheets, or Docs.
3. Data You Provide
| Data | Where stored |
|---|---|
| Gemini API key | Encrypted-at-rest in UserProperties (per-user, per-script). Sent only to generativelanguage.googleapis.com as a URL parameter over HTTPS. |
| SMS provider credentials (credentials for whichever SMS provider you choose) | Encrypted-at-rest in UserProperties. Sent only to your chosen provider's API endpoint over HTTPS. |
| Google Chat webhook URL | Stored in UserProperties. Used to POST milestone messages to your Chat space. |
| SMS recipient phone numbers | Stored as part of Settings in UserProperties. Passed to your configured SMS provider when a milestone fires. |
| Event tracking records | Stored in UserProperties. One record per tracked event, containing event metadata, effort level, event type, notes, and the IDs of created milestone Calendar events and Tasks. Stored under nocrastinator.events.{calendarEventId}. |
| Settings (Gemini model, default effort, SMS provider, channel config) | Stored in UserProperties. Not shared with any third party. |
| Activity log | Stored in UserProperties as a ring buffer of up to 60 entries. Entries contain timestamps and action descriptions; no Calendar event content. |
| License tier | Stored in UserProperties to gate feature access. No personal information is included. |
4. Google API Services User Data Policy
The Service's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- The Service only accesses, uses, stores, and shares Google user data for the purposes described in this Privacy Policy and that are necessary to provide user-facing functionality of the Service.
- The Service does not use Google user data for advertising.
- The Service does not sell Google user data.
- The Service does not use Google user data for generalized AI model training.
- The Service does not allow humans to read Google user data, except (a) with your affirmative agreement, (b) as necessary for security purposes, (c) to comply with applicable law, or (d) for internal operations on aggregated, de-identified data.
- The Service does not transfer Google user data to third parties except as necessary to provide the Service or as required by law.
4.1 OAuth Scopes and Restricted Scope Status
The Service uses the following OAuth scopes:
| Scope | Why |
|---|---|
https://www.googleapis.com/auth/calendar |
Read Calendar event details; create and delete milestone Calendar events |
https://www.googleapis.com/auth/tasks |
Create and delete milestone Tasks |
https://www.googleapis.com/auth/script.external_request |
Call the Gemini REST API and SMS provider APIs via UrlFetchApp |
https://www.googleapis.com/auth/script.scriptapp |
Reserved for trigger management if required by future features |
https://www.googleapis.com/auth/userinfo.email |
Required by Marketplace for user identification |
None of the scopes used are classified as restricted scopes by Google (the Service does not use gmail.readonly or other restricted scopes). No Cloud Application Security Assessment (CASA) is currently required. The Service is not subject to the annual CASA cycle applicable to restricted-scope applications.
4.2 Gemini API — Content Handling and Retention
When you generate AI milestones (Pro plan), the Service sends the event title, event type, effort level, and any notes you enter to the Google Gemini API. This data is governed by Google's Gemini API Additional Terms of Service, not by this Privacy Policy.
- The Gemini paid API does not use your prompts or responses to train Google's generative models.
- The Gemini free tier may cache prompts and responses for a limited period and Google may use free-tier content to improve Google services, consistent with the Gemini API Additional Terms.
If your Calendar events contain sensitive information, use a paid Gemini API key (which opts into paid-tier data protections), or use template milestones (which make no Gemini calls). Verify current policy at ai.google.dev/gemini-api/terms.
5. Third-Party Data Sharing
The Service shares data with third-party services only when you explicitly enable the integration:
| Third party | What is shared | When |
|---|---|---|
| Google Gemini API | Event title, event type, effort level, notes you enter | Only when generating AI milestones (Pro plan with API key configured) |
| Your SMS provider | Recipient phone number, milestone message text (prefixed [Natty]) |
Only when SMS is configured and a milestone reminder fires |
| Google Chat | Milestone message text, event title | Only when a Chat webhook URL is configured and a milestone fires |
We do not share data with any other third party unless required by law.
6. Subprocessors
The following subprocessors may process data on your behalf when you use the Service:
| Subprocessor | Role | Location |
|---|---|---|
| Google LLC | Google Apps Script hosting, Calendar, Tasks, Gemini API | United States (and globally per Google's infrastructure) |
| Your chosen SMS provider (Textbelt, Telnyx, Plivo, Twilio, ClickSend, Vonage, or a webhook endpoint you configure) | SMS delivery | Provider-dependent |
We will provide 30 days' advance notice before adding or replacing a subprocessor that processes personal data. If you object, you may cancel your subscription for a pro-rata refund within the notice period.
7. Payment Data
At Marketplace launch, Google LLC processes all subscription payments and one-time purchases. We receive only subscription status metadata (active/cancelled/tier) from Google's Marketplace API — not your payment card information. Payment data is governed by Google's Privacy Policy.
8. Data Retention and Deletion
All data is stored in UserProperties under your own Google account. You can delete all Natty the Nocrastinator™ data at any time:
- One event: Open the Calendar event → "Remove All Natty the Nocrastinator™ Items" — deletes milestone Calendar events, Tasks, and the tracking record for that event.
- All data: Run
resetUserPropertiesForTesting()from the Apps Script editor, or uninstall the add-on (which triggersonUninstall()and callsdeleteAllProperties()).
Retention schedule:
| Data | Retained until |
|---|---|
| Event tracking records | Until you use "Remove All" or uninstall |
| Settings and credentials | Until you clear them in Settings or uninstall |
| Activity log | Ring buffer, last ~60 entries; oldest entries overwritten automatically |
| Calendar event IDs (for cleanup) | Until event is removed or tracking is deleted |
| Event content (title, notes) | Processed in-memory for Gemini; only the event ID, dates, and metadata stored in UserProperties, not raw text of Calendar event body |
9. Data Security
- Encryption at rest: AES-256 (Google infrastructure default for UserProperties).
- Encryption in transit: HTTPS / TLS for all external API calls.
- Credential handling: API keys and SMS credentials are stored in UserProperties alongside other settings; they are not separately masked in the Settings UI for usability reasons, but are never logged to the activity log or transmitted to any service other than the intended provider.
- Attack surface: No backend, no database, no server, no staff access to your data. The only external services that receive your data are those you explicitly configure.
- Operational telemetry: Uncaught exceptions may flow to Google Cloud Logging via
exceptionLogging: STACKDRIVERin the manifest. Logged information includes stack traces, function names, and timestamps; no Calendar event content, credentials, or phone numbers are included in exception logs. - No tracking: No cookies, no third-party analytics, no pixels, no third-party CDNs in the add-on or its in-app help.
10. Incident Notification
In the event of a security incident affecting your personal data, we will notify you via email to the address associated with your Google account within 72 hours of becoming aware of the incident, to the extent required by applicable U.S. state law.
11. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect information from children under 13. If you believe a child under 13 has provided personal information through the Service, contact legal@jjjjjenterprises.com and we will delete it promptly.
12. Geographic Scope and User Rights
The Service is currently offered exclusively to users located in the United States. We do not currently maintain an EU/UK representative, Data Processing Agreement (DPA), or Standard Contractual Clauses (SCCs).
Controller/processor roles: - You are the controller of your own data (you determine which Calendar events to open, what effort level to assign, and which alert channels to enable). - JJJJJ Enterprises, LLC is the processor executing your directions. - Google and your SMS provider are subprocessors.
13. California Privacy Rights (CCPA/CPRA)
California residents have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know what personal information is collected, used, disclosed, or sold.
- Right to delete personal information (exercise by uninstalling the add-on or emailing legal@jjjjjenterprises.com with "CCPA Request").
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information.
- Right to non-discrimination for exercising these rights.
Categories of personal information collected: Identifiers (Google account email); Calendar event metadata (title, date — processed transiently, not stored in full); commercial information (subscription tier); inferences (Gemini milestone schedule, which reflects effort level and event type you enter).
No sale or sharing: We have not sold or shared personal information in the past 12 months, and we do not sell or share personal information.
To exercise California rights, email legal@jjjjjenterprises.com with "CCPA Request" in the subject line. We will respond within 45 days (extendable by 45 days with notice).
14. Other U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Texas, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and port their personal data, and to opt out of the sale of personal data (which we do not engage in). To exercise these rights, email legal@jjjjjenterprises.com with your state name and request. We will respond within 45 days.
15. Do Not Track and Global Privacy Control
The Service does not use tracking cookies or cross-site tracking. We honor Global Privacy Control (GPC) signals by not selling or sharing personal information regardless of browser setting.
16. Changes to This Policy
We may update this Privacy Policy at any time. For material changes, we will notify you by email at least 30 days before the change takes effect. Non-material changes take effect when posted. Continued use after the effective date constitutes acceptance of the revised policy.
We commit to reviewing this Privacy Policy at least annually.
17. Contact
| Purpose | Address |
|---|---|
| Privacy questions and rights requests | legal@jjjjjenterprises.com |
| User support | support@jjjjjenterprises.com |
| General inquiries | admin@jjjjjenterprises.com |