Your data stays
in your browser.
Last updated: April 2026
The short version
This policy covers the LookOut Chrome extension and its associated backend services. The lookout.events website uses PostHog (EU-hosted, proxied through our backend) for analytics — including page views, interaction tracking, session recordings, and heatmaps — and Vercel Analytics for performance metrics. Website analytics use in-memory storage only — no cookies or persistent identifiers are stored on your device. These are separate from the extension analytics described below.
Your calendar data never leaves your browser. LookOut reads Outlook Web App calendar events and writes them directly to your Google Calendar. The data flows from Outlook to Google — our servers never see it.
We collect only what's necessary to run the service: your email address for authentication and pseudonymous usage analytics (linked to your account but never to your name or email) for improving the product. That's it.
What we access
LookOut reads your Outlook Web App calendar data — event titles, times, locations, attendees, and meeting links — and syncs it directly to your Google Calendar.
This data is cached temporarily in chrome.storage.local on your device only. Outlook calendar data is never sent to our servers or any third party other than Google Calendar.
Google Calendar authentication uses Chrome's launchWebAuthFlow for OAuth sign-in. The authorization code is exchanged for tokens via our backend proxy, so the client secret never reaches your browser. The resulting access and refresh tokens are stored only in your browser's local storage.
Analytics & error reporting
We use PostHog (EU-hosted) for usage analytics and Sentry for crash reporting.
Extension analytics (linked to your account):
- Pseudonymous usage events (e.g. "sync completed", "settings changed") — no calendar content
- Extension version and browser environment
Website analytics (lookout.events visitors):
- Page views and event tracking — which pages you visit, CTA button clicks, FAQ interactions, and how far you scroll. No personally identifiable information is collected.
- Session recordings — anonymised recordings of mouse movements, clicks, and scrolling on the marketing website. Input fields (email addresses, form text) are masked and never recorded. Session recordings help us understand usability issues and improve the site.
- Heatmaps — aggregated click and scroll patterns across the website. No individual sessions are identified; heatmaps show patterns across all visitors.
All analytics data is pseudonymous. Extension analytics are linked to an internal account identifier but never to your name, email, or calendar content. Website analytics use in-memory identifiers that do not persist between visits — no cookies or local storage are written to your device. We cannot see event titles, attendee names, meeting descriptions, locations, or Teams links from any analytics data.
Error reports sent to Sentry include technical stack traces, extension version, and browser environment. No calendar content is included.
Google Calendar access
We request the minimum OAuth scopes needed to sync events:
calendar.events— create, update, and delete synced eventscalendar.calendars— create a dedicated LookOut calendarcalendar.calendarlist.readonly— list your calendars so you can pick a sync targetuserinfo.emailanduserinfo.profile— display your name and email in the extension
Chrome extension permissions:
storage— cache event data and sync settings locallyalarms— schedule automatic sync intervalstabs— detect when Outlook Web is open to trigger data captureidentity— Google OAuth sign-in flow
We only write events synced from Outlook. We never read, modify, or delete events that weren't created by LookOut.
Google user data sharing
LookOut accesses your Google name, email address, and Google Calendar data. This data is used solely to operate the sync service.
Google user data is transmitted to:
- Google Calendar API — to create, update, and delete synced events on your behalf
- Convex (our backend, EU region) — your name and email are stored for authentication and account management only
We do not sell, transfer, or disclose your Google user data to any other third party, including advertising platforms, data brokers, or analytics services. No Google user data is shared with PostHog, Sentry, or Stripe.
LookOut's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Data protection
All data transmitted between LookOut and our backend (Convex) and between LookOut and Google APIs is encrypted in transit via HTTPS/TLS. OAuth tokens and sync settings stored in your browser are protected by Chrome's chrome.storage.local API, which is sandboxed to the extension and inaccessible to other extensions or websites.
Server-side data (your name, email, subscription status, and sync settings) is stored on Convex infrastructure with encryption at rest. Access to production systems is restricted to authorized personnel only.
We take reasonable and appropriate technical and organisational measures to protect your data against unauthorised access, disclosure, alteration, or destruction.
Account & billing
We use Google Sign-In for authentication and Convex as our backend. The only personal data stored server-side is:
- Your name and email address (from your Google profile, for sign-in and account recovery)
- Subscription status (managed by Stripe — we never see your card details)
- Sync settings and preferences
- Daily sync statistics (event counts per day — no event content)
- Feedback submissions (message text, optional name/email, device info — only when you choose to send feedback)
- Contact form submissions from the website (name, email, message — only when you choose to contact us)
No calendar content (titles, descriptions, attendees) is ever sent to our backend. Our servers store authentication data, subscription status, sync settings, aggregate sync statistics, and any feedback you choose to submit.
Data retention
Google user data (your name and email address obtained via Google Sign-In):
- Retained for the lifetime of your account
- Deleted within 30 days of receiving a deletion request
Local calendar data cached in your browser:
- Retained for up to 7 days and automatically pruned
- Uninstalling the extension removes all local data immediately
Server-side data (subscription status, sync settings, daily sync statistics, feedback and contact form submissions):
- Retained for the lifetime of your account
Analytics & error data:
- PostHog analytics retained per PostHog's retention policy (EU-hosted)
- Sentry error reports retained for 90 days
To request deletion of your account and all associated data — including Google user data — contact us via the contact page. Deletion requests are fulfilled within 30 days.
Third-party services
| Service | Purpose | Google data? | Outlook data? |
|---|---|---|---|
| Google Calendar API | Write synced events | Yes — calendar events | Yes — synced events |
| PostHog (EU) | Usage analytics, session recordings, heatmaps (website); pseudonymous usage events (extension) | No | No |
| Sentry | Error tracking | No | No |
| Google Identity Services | Authentication | Yes — name, email | No |
| Stripe | Payment processing | No | No |
| Convex | Backend (auth, subscriptions, settings, sync stats) | Yes — name, email | No |
What we don't do
- We don't sell, share, or monetize your data
- We don't read your Outlook emails or contacts
- We don't store calendar data on our servers
- We don't track your browsing activity outside the extension
- We don't use your data for advertising or profiling
Data deletion & contact
Uninstalling the extension removes all locally stored data (cached events, tokens, settings). To request deletion of your account and all server-side data — including Google user data (name and email) — contact us via the contact page. Deletion requests are fulfilled within 30 days.
You can also revoke LookOut's access to your Google account at any time via Google Account Permissions.
Questions about this policy? Reach out via our contact page.