Am I Free Legal Framework

2.1 To use the Service, you must be at least 18 years old or the age of majority in your place of residence, whichever is higher. By creating an account, you represent and warrant that you meet this requirement.

2.2 If you create an account on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that entity to these Terms. In such cases, “you” and “your” will refer to both you as an individual user and the entity you represent.

2.3 You agree to provide accurate, complete, and up-to-date information when creating your account and to keep it updated at all times. We may suspend or terminate your account if we reasonably believe that the information you provided is false, misleading, or incomplete.

2.4 You are responsible for maintaining the confidentiality of your login credentials and for all activities that occur under your account. If you suspect any unauthorized use of your account, you must notify us immediately.

2.5 Your account is personal to you and may not be sold, transferred, or shared with any other person or entity without our prior written consent.

3.1 The Service is the Am I Free software-as-a-service application and related services, including the website, web application, APIs, and integrations provided by SHFT SDK (Pty) Ltd. The Service enables you to connect and synchronize multiple calendar accounts, such as Google Calendar, Microsoft Outlook, and Apple iCloud. It allows you to configure one-way or multi-way syncs, apply preferences and settings, and view your schedules in a unified way.

3.2 The Service is intended to simplify scheduling and help prevent conflicts between your connected calendars. It is not designed or intended to serve as a permanent data store, backup service, or record-keeping system. You remain responsible for maintaining copies of your calendar data in your source accounts.

3.3 Your use of the Service may involve integration with Third-Party Services, including but not limited to Google, Microsoft, Apple, and Stripe. We do not control or guarantee the availability, accuracy, or reliability of Third-Party Services, and your use of them is subject to their own terms and conditions.

3.4 We may, from time to time, make available experimental, beta, or future features (such as multi-way sync or enterprise APIs). These features may be offered on a preview basis, may not be fully supported, and may be changed or discontinued at any time without notice. You acknowledge that you should not rely on beta or future features for production use.

3.5 We reserve the right to modify, suspend, or discontinue any part of the Service at any time, with or without notice, provided that such changes do not materially reduce the core functionality of your active Subscription Plan.

4.1 We offer different Subscription Plans, including a Free Plan and a Standard Plan. The features, limits, and pricing for each Subscription Plan are described on our website and may change from time to time.

4.2 Free Plan and Trials. You may use the Free Plan at no cost. We may also offer a trial period for paid Subscription Plans. Unless you upgrade to a paid Subscription Plan before the trial ends, your access will automatically revert to the Free Plan.

4.3 Billing and Payment. Paid Subscription Plans are billed in advance, either monthly or annually, depending on the billing option you select. All payments are processed securely by Stripe, our third-party payment processor. By providing your payment information, you authorize us (and Stripe) to charge the applicable fees to your chosen payment method. We do not store full payment card details on our systems.

4.4 Auto-Renewals. Your paid Subscription Plan will automatically renew at the end of each billing cycle unless you cancel before the renewal date. By subscribing, you authorize recurring charges until you cancel.

4.5 Upgrades and Downgrades. If you upgrade your Subscription Plan, the change will take effect immediately and any difference in fees will be prorated. If you downgrade or cancel, you will retain access to the features of your current plan until the end of the billing period, after which your account will move to the new plan or the Free Plan, as applicable.

4.6 Refunds. Payments are non-refundable, except where required by law or where we determine, at our sole discretion, that a refund is appropriate.

4.7 Price Changes. We may change the fees for any Subscription Plan by giving you reasonable prior notice. Any price changes will take effect at the start of your next billing cycle. If you do not wish to continue at the new price, your only remedy is to cancel your Subscription Plan before the renewal date.

5.1 You agree to use the Service only for lawful purposes and in accordance with these Terms. You may not use the Service:

5.2 Unlawful or harmful use. To engage in any unlawful, fraudulent, infringing, defamatory, abusive, harassing, or otherwise harmful activity.

5.3 Circumventing limits. To create multiple accounts or otherwise attempt to bypass or circumvent limits or restrictions associated with your Subscription Plan.

5.4 Account misuse. To sell, resell, rent, lease, transfer, share, or otherwise make your account available to any third party without our prior written consent.

5.5 Automated access. To access, query, or collect information from the Service by means of bots, scrapers, automated scripts, or similar technologies, except through our officially provided APIs.

5.6 Security interference. To probe, scan, or test the vulnerability of the Service or any related system or network, or to attempt to gain unauthorized access to the Service or related systems.

5.7 Disruption. To interfere with or disrupt the operation of the Service or the use of the Service by others, including by transmitting viruses, malware, or other harmful code.

5.8 Intellectual property violations. To upload, transmit, or share any content that infringes the rights of others, including copyright, trademark, trade secret, or privacy rights.

5.9 Third-Party Services abuse. To misuse or violate the terms of any Third-Party Services (such as Google, Microsoft, Apple, or Stripe) connected through the Service.

5.10 We may suspend or terminate your access to the Service immediately, without prior notice, if we reasonably believe you have violated this Section.

6.1 The Service, including all software, source code, databases, functionality, designs, text, images, graphics, audio, video, trademarks, service marks, and logos (together, “Am I Free Content”), is and remains the exclusive property of SHFT SDK (Pty) Ltd and its licensors. Except as expressly set out in these Terms, you are not granted any rights in or to the Am I Free Content.

6.2 We grant you a limited, revocable, non-exclusive, non-transferable license to use the Service strictly in accordance with these Terms and your active Subscription Plan. This license is solely for your personal or internal business use and does not include any right to:

6.2.1 copy, reproduce, distribute, sell, sublicense, or otherwise exploit the Service or Am I Free Content for commercial purposes;

6.2.2 modify, adapt, translate, reverse engineer, decompile, disassemble, or attempt to derive the source code of the Service;

6.2.3 remove, alter, or obscure any proprietary notices (including copyright or trademark notices); or

6.2.4 use the Am I Free name, trademarks, or branding without our prior written consent.

6.2.5 All rights not expressly granted under these Terms are reserved by SHFT SDK (Pty) Ltd and its licensors.

6.3 User Content You retain ownership of all Customer Data you provide to the Service, including your calendar events and related information. By submitting Customer Data, you grant us a limited, worldwide, non-exclusive license to process and transmit such data solely as necessary to provide the Service. We do not claim ownership of your Customer Data.

6.4 Feedback If you provide us with any suggestions, ideas, feedback, or recommendations, you grant us a worldwide, perpetual, irrevocable, royalty-free license to use and exploit such feedback for any purpose without restriction or obligation to you.

7.1 Your privacy is important to us. We process your Personal Data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

7.2 We do not permanently store the contents of your calendar events. Customer Data is transmitted securely between your connected calendars solely for the purpose of providing the Service and is deleted once the sync is complete. Account information (such as your name, email address, and billing details) may be stored as necessary to operate your account and Subscription Plan.

7.3 Our detailed practices will be described in our Privacy Policy, which forms part of this Agreement. Where we process Personal Data on your behalf, the terms of our Data Processing Agreement (DPA) apply.

7.4 We use trusted third-party service providers (“subprocessors”) to help us provide the Service, such as Stripe for payment processing and hosting providers for infrastructure. A current list of subprocessors will be maintained and made available to you.

7.5 If we become aware of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and provide information required by applicable law.

7.6 Your Personal Data may be transferred to and processed in countries other than your country of residence. Where we transfer Personal Data internationally, we will ensure that appropriate safeguards are in place to protect it, such as the use of the European Commission’s Standard Contractual Clauses or equivalent legal mechanisms.

7.7 By using the Service, you consent to our collection, use, transfer, and disclosure of your Personal Data as described in the Privacy Policy and the DPA.

8.1 We implement reasonable and appropriate technical and organizational measures designed to protect Personal Data and Customer Data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit, use of OAuth for secure authentication with calendar providers, and limited access controls within our systems.

8.2 You acknowledge that no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

8.3 The Service integrates with and depends upon Third-Party Services, including but not limited to Google Calendar, Microsoft Outlook, Apple iCloud, and Stripe. While we take steps to safeguard connections to these services, we do not control and are not responsible for the availability, performance, or security of Third-Party Services. Your use of Third-Party Services is subject to their respective terms and policies.

8.4 We require our subprocessors and service providers to implement security measures consistent with industry standards and to process Personal Data only for the purposes of providing their services to us.

8.5 Your responsibilities. You are responsible for maintaining the security of your devices, systems, and networks that you use to access the Service, and for safeguarding your login credentials. You must use strong passwords, keep them confidential, and notify us promptly if you suspect unauthorized access to your account.

9.1 We aim to provide the Service on a continuous basis; however, we do not guarantee uninterrupted availability. The Service may be subject to interruptions, delays, or errors due to maintenance, upgrades, system or network failures, or factors beyond our reasonable control.

9.2 We reserve the right to modify, suspend, or discontinue any part of the Service at any time, with or without notice. If we make changes that materially reduce the core functionality of your active Subscription Plan, you may cancel your subscription and we will provide a prorated refund for the unused portion of the billing period.

9.3 We are not responsible for any loss, damage, or inconvenience suffered by you or others as a result of downtime, errors, or modifications to the Service, except as expressly provided in these Terms.

10.1 By you, You may cancel your Subscription Plan or close your account at any time through your account settings. Cancellation of a paid Subscription Plan will take effect at the end of the current billing period, unless otherwise specified.

10.2 By us, We may suspend or terminate your account, with or without notice, if we reasonably believe that you have:

10.2.1 violated these Terms (including the Acceptable Use requirements);

10.2.2 failed to pay applicable fees when due;

10.2.3 created risk or possible legal exposure for us or other users; or

10.2.4 engaged in fraudulent, abusive, or unlawful activity.

10.2.5 We may also suspend or terminate the Service, in whole or in part, for operational, security, or legal reasons.

10.3 Effect of termination Upon termination of your account, your right to access and use the Service will end immediately. Customer Data associated with your account may be deleted, subject to any retention required by law. We are not responsible for providing you with copies of Customer Data after termination.

10.4 Survival The provisions of these Terms that, by their nature, should survive termination will continue to apply, including those relating to intellectual property, payment obligations, disclaimers, limitations of liability, and indemnification.

11.1 To the maximum extent permitted by law, SHFT SDK (Pty) Ltd and its directors, officers, employees, agents, partners, and licensors will not be liable for:

11.1.1 any indirect, incidental, consequential, special, exemplary, or punitive damages, including but not limited to loss of profits, loss of data, business interruption, or goodwill;

11.1.2 damages resulting from your use of, or inability to use, the Service;

11.1.3 damages resulting from the actions or omissions of Third-Party Services, including calendar providers and payment processors;

11.1.4 damages resulting from unauthorized access, alteration, loss, or deletion of Customer Data; or

11.1.5 damages resulting from interruptions, delays, or errors beyond our reasonable control.

11.1.6 You acknowledge that while the Service assists with synchronizing and managing your calendars, the accuracy, completeness, and reliability of your calendar information remains your responsibility. You are solely responsible for verifying that synced events are correct and up to date in your connected calendars.

11.1.7 For users of a paid Subscription Plan, our total liability to you for any claim arising out of or relating to these Terms or the Service, regardless of the form of the action, will not exceed the greater of:

11.1.7.1 the amount you paid to us for the Service during the three (3) months immediately preceding the event giving rise to the claim; or twelve U.S. dollars (US $12).

11.1.8 For users of the Free Plan, the Service is provided strictly “as is” and “as available.” To the fullest extent permitted by law, we assume no liability to you of any kind arising from your use of the Free Plan.

11.2 Nothing in these Terms excludes or limits liability that cannot be excluded or limited under applicable law, such as liability for death or personal injury caused by negligence, or for fraud or fraudulent misrepresentation.

12.1 These Terms are governed by and will be construed in accordance with the laws of the Republic of South Africa, without regard to its conflict of laws principles.

12.2 If any dispute arises out of or relates to these Terms or the Service, the parties must first attempt to resolve the dispute through good-faith negotiations. If the dispute cannot be resolved within thirty (30) days, the parties agree to submit the matter to mediation in Cape Town, South Africa, under the rules of a recognized mediation body or a mediator agreed between the parties.

12.3 If the dispute is not resolved through mediation, the matter will be submitted to the exclusive jurisdiction of the courts of Cape Town, South Africa, and you consent to the personal jurisdiction of those courts.

12.4 Nothing in this section prevents either party from seeking interim or urgent relief in a court of competent jurisdiction, including injunctive relief to protect intellectual property rights or to maintain the status quo pending resolution of a dispute.

12.5 These Terms apply globally. However, nothing in them limits any mandatory legal protections you may have under the laws of your country of residence, where such protections cannot be waived by contract.

13.1 We may revise or update these Terms from time to time to reflect changes in the Service, our business, or applicable laws. The updated version will be effective as of the date stated at the top of the Terms (“Effective Date”).

13.2 If we make material changes to these Terms, we will notify you by reasonable means, which may include email notice, a notice on our website, or in-app notifications. It is your responsibility to review the Terms regularly.

13.3 By continuing to access or use the Service after the updated Terms become effective, you agree to be bound by the revised Terms. If you do not agree to the updated Terms, you must stop using the Service and may close your account.

14.1 Entire Agreement These Terms, together with our Privacy Policy and Data Processing Agreement, constitute the entire agreement between you and SHFT SDK (Pty) Ltd regarding the Service, and supersede any prior agreements or understandings, whether written or oral.

14.2 No Waiver Our failure to enforce any provision of these Terms will not be considered a waiver of our rights. Any waiver must be in writing and signed by us.

14.3 Severability If any provision of these Terms is held invalid or unenforceable, the remaining provisions will remain in full force and effect.

14.4 Assignment You may not assign, transfer, or sublicense your rights or obligations under these Terms without our prior written consent. We may assign or transfer our rights and obligations without restriction, including in connection with a merger, acquisition, or sale of assets.

14.5 Force Majeure We are not responsible or liable for any delay or failure to perform caused by events beyond our reasonable control, including acts of God, natural disasters, government actions, labor disputes, internet or telecommunications failures, or power outages.

14.6 Notices We may provide notices to you by email, in-app notification, or posting on our website. You must send notices to us at support@amifree.co

2.1 Account Information: When you create an account, we collect personal details such as your name, email address, authentication credentials, and related identifiers necessary to establish and maintain your account.

2.2 Calendar Connection Data: To provide the Service, we collect authorization tokens and metadata that enable secure connections to third-party calendar providers (e.g., Google, Microsoft Outlook, Apple iCloud). We do not collect or store your passwords.

2.3 Calendar Event Data: In the course of providing synchronization services, we may temporarily access event information (such as event title, time, date, recurrence, and metadata) strictly for the purpose of completing the sync. Event contents are not permanently stored in our systems and are deleted once synchronization is completed.

2.4 Payment Information: If you subscribe to a paid plan, payment card details, billing addresses, and related information are processed securely by our third-party payment processor (currently Stripe). We do not retain your full payment card details.

2.5 Device and Usage Information: We may collect technical and usage information, including Internet Protocol (IP) address, device type, operating system, browser information, error logs, and performance data. This information is collected for security, troubleshooting, and Service improvement purposes.

2.6 Communications: If you contact us directly (for example, through support requests, emails, or feedback forms), we collect the information you choose to provide, including the content of your communications and any attachments.

2.7 Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies to authenticate sessions, maintain security, and improve the functionality of the Service. Further details are set out in Section 5 (Cookies & Tracking Technologies).

3.1 To Provide and Operate the Service: We use your Account Information, Calendar Connection Data, and Calendar Event Data to enable synchronization between your connected calendars, maintain your account, and deliver the features of the Service. Legal basis (GDPR/POPIA): Processing is necessary for the performance of a contract with you.

3.2 We use technical and usage information (including logs, device identifiers, and access tokens) to authenticate sessions, detect unauthorized access, prevent abuse, and protect the integrity of our systems. Legal basis (GDPR/POPIA): Processing is necessary for our legitimate interests in ensuring the security and proper functioning of the Service, and to comply with applicable legal obligations.

3.3 To Communicate With You: We may use your contact details to: Send administrative and transactional messages (e.g., account confirmations, subscription notices, billing updates, service alerts); Provide customer support and respond to enquiries; Where permitted, send product updates, feature announcements, or newsletters that relate to the Service. You may opt out of non-essential communications at any time. Legal basis (GDPR/POPIA): Processing is necessary for the performance of a contract and for our legitimate interests in maintaining customer relationships; in some cases, your consent may be required.

3.4 To Process Payments: We use payment and billing information to process subscription fees, manage invoices, and comply with financial record-keeping requirements. Legal basis (GDPR/POPIA): Processing is necessary for the performance of a contract and to comply with legal obligations.

3.5 To Improve and develop the Service: We may use aggregated and anonymized usage information, error logs, and feedback to analyze performance, identify trends, fix issues, and develop new features. Individual calendar event content is not permanently stored or used for these purposes. Legal basis (GDPR/POPIA): Processing is necessary for our legitimate interests in improving and expanding the Service.

3.6 To Comply With Legal Requirements: We may process and, where required, disclose information to comply with applicable laws, lawful requests, and regulatory obligations, including tax, accounting, and data protection requirements. Legal basis (GDPR/POPIA): Processing is necessary to comply with a legal obligation imposed on us.

3.7 Other Lawful Purposes: We may also process your personal information for other purposes that are compatible with those set out above, provided such processing is permitted under applicable data protection laws.

4.1 Service Providers and Sub-Processors: We may share your personal information with trusted third-party service providers who perform services on our behalf, such as: Cloud hosting and infrastructure providers; Payment processors; Customer support and communication tools; Security and analytics providers. These service providers may only access and process your personal information to the extent necessary to perform their contractual obligations to us and are bound by confidentiality and data protection commitments.

4.2 Legal Compliance and Protection of Rights: We may disclose personal information where required to do so by law, regulation, or legal process, or to protect our rights, safety, or property, and that of our users or others.

4.3 Business Transfers: If SHFT is involved in a merger, acquisition, restructuring, sale of assets, or other corporate transaction, your personal information may be transferred to the successor entity as part of that transaction. In such cases, this Privacy Policy will continue to apply unless amended by the successor entity.

4.4 With Your Consent: We may share your information with third parties when you give us your explicit consent to do so.

5.1 No Permanent Storage of Event Data: Am I Free is designed on a privacy-first principle. We do not permanently store the contents of your calendar events. Event information is temporarily processed only as necessary to complete synchronization and is automatically deleted once the sync has been executed.

5.2 Retention of Other Personal Information: Account Information: Retained for as long as your account remains active and for a limited period thereafter where required by law or legitimate business needs (e.g., dispute resolution, enforcement of our agreements); Payment and Billing Information: Retained as required under applicable financial, tax, and accounting laws; Logs and Usage Data: Retained for up to three (3) months, unless a longer retention period is required for security, compliance, or legitimate business purposes.

5.3 Security Measures: We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction, including but not limited to: Encryption of data in transit and at rest; Secure OAuth2 authentication for calendar connections (no passwords are stored); Role-based access controls(RBAC) and restricted employee access; Firewalls, intrusion detection, and monitoring of suspicious activity; Regular security reviews, audits, and vendor due diligence.

5.4 Data Location: Personal information may be processed and stored on secure cloud infrastructure operated by reputable third-party providers. These providers are subject to contractual obligations requiring compliance with applicable data protection standards.

5.5 Shared Responsibility: While we take appropriate steps to protect your data, you remain responsible for safeguarding access to your accounts and verifying the accuracy of your calendar information.

6.1 Use of cookies may include:

• Authentication and Session Management: To recognize you when you sign in and maintain your session;
• Security: To detect fraudulent activity and protect user accounts;
• Performance and Functionality: To monitor Service stability, error rates, and usage patterns for troubleshooting and improvement.

6.2 No Targeted Advertising: We do not use cookies or similar technologies for targeted advertising, profiling, or the sale of personal information.

6.3 Control of Cookies: Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies or alert you when cookies are being placed. If you choose to disable cookies, some features of the Service may not function properly.

6.4 Other Tracking Technologies: We may use web beacons, log files, and similar tools in connection with cookies for limited technical and analytical purposes, as described above. These technologies do not collect calendar event contents.

7.1 European Union / United Kingdom (GDPR / UK GDPR): If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR: Access: Request confirmation of whether we process your personal data and obtain a copy; Correction: Request that inaccurate or incomplete personal data be corrected; Erasure (“Right to be Forgotten”): Request deletion of your personal data where legal grounds permit; Restriction: Request limitation of how your personal data is processed; Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller; Objection: Object to processing of your personal data where our lawful basis is legitimate interests or for direct marketing; Consent Withdrawal: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal. You also have the right to lodge a complaint with your local data protection authority.

7.2 South Africa (POPIA): If you are located in South Africa, the Protection of Personal Information Act, 2013 (“POPIA”) grants you the following rights: Access: Request confirmation that we hold personal information about you and obtain a copy; Correction / Deletion: Request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained; Objection: Object to the processing of your personal information on reasonable grounds relating to your particular situation; Direct Marketing: Object to the processing of personal information for purposes of direct marketing; Complaints: Lodge a complaint with the Information Regulator (South Africa) if you believe your rights under POPIA have been infringed.

7.3 California and Certain U.S. States (CCPA / CPRA and Similar Laws): If you are a resident of California, or other U.S. states with comparable privacy laws, you may have rights including: Access: Request disclosure of the categories and specific pieces of personal information we have collected about you; Deletion: Request deletion of personal information, subject to applicable exceptions; Correction: Request correction of inaccurate personal information; Opt-Out of Sale/Sharing: Request that we do not “sell” or “share” your personal information, as defined by law. (We do not sell or share personal information.); Non-Discrimination: Exercise your rights without receiving discriminatory treatment.

7.4 Exercising Your Rights: To exercise any of the rights described above, please contact us at support@amifree.co. We may need to verify your identity before fulfilling your request. We will respond within the timeframes required under applicable law.

8.1 General Principle: As SHFT is established in South Africa, your personal information may be transferred to and processed in countries outside of your country of residence. These countries may have data protection laws that are different from those in your jurisdiction and may not provide the same level of protection.

8.2 Safeguards for Transfers from the EEA, UK, and Switzerland: Where we transfer personal data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to a country that has not been recognized as providing an adequate level of protection by the relevant authority (such as the European Commission, UK Information Commissioner’s Office, or Swiss Federal Data Protection and Information Commissioner), we rely on lawful transfer mechanisms, including: Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU), supplemented by the UK International Data Transfer Addendum where applicable; Swiss Addendum to the SCCs where required for transfers subject to Swiss data protection law; Data Privacy Framework participation or other recognized transfer frameworks, where applicable.

8.3 South African Users: Where personal information is transferred outside of South Africa, such transfers are conducted in compliance with the Protection of Personal Information Act, 2013 (POPIA), which requires that the recipient jurisdiction or recipient entity provides an adequate level of protection or that appropriate contractual safeguards are in place.

8.4 Other Jurisdictions: For users in other regions, we implement appropriate technical, contractual, and organizational safeguards consistent with applicable law to ensure that personal information remains protected when transferred internationally.

9.1 No Use by Minors: The Service is not directed to, and may not be used by, individuals under the age of eighteen (18). We do not knowingly collect personal information from anyone under 18 years of age.

9.2 Parental or Guardian Responsibility: By using the Service, you represent that you are at least 18 years old or that you are the parent or legal guardian of a minor who is at least 16 years old and that you consent to such minor’s use of the Service. If you are a parent or guardian and believe your child has provided us with personal information in violation of this Policy, you should contact us immediately at support@amifree.co so that we can take steps to delete such information.

9.3 Legal Compliance: If we become aware that we have inadvertently collected personal information from a person under 18 without appropriate consent, we will promptly delete such information in accordance with applicable laws, including GDPR, POPIA, and relevant U.S. state laws.

10.1 We may update or amend this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

10.2 If we make material changes, we will provide you with reasonable notice, such as by email, through the Service, or by updating the “Last Updated” date at the top of this Policy.

10.3 Your continued use of the Service after the effective date of any revised Privacy Policy constitutes your acceptance of its terms. If you do not agree with the updated Policy, you must discontinue use of the Service.

11.1 Am I Free Support: Email: support@amifree.co

11.2 SHFT SDK (Pty) Ltd: Email: support@shft.tech | Website: www.shft.tech

11.3 We will respond to all legitimate requests within the timeframes required under applicable data protection laws, including GDPR and POPIA.

1.1 This DPA sets out the terms under which SHFT Processes Personal Data on behalf of the Customer in connection with the provision of the Service.

1.2 This DPA should be read in conjunction with SHFT’s Terms and Conditions and Privacy Policy, which together with this DPA form the overall Agreement between SHFT and the Customer. While the Terms govern general use of the Service and the Privacy Policy explains SHFT’s handling of Personal Data in its capacity as a controller, this DPA applies specifically where SHFT acts as a processor on behalf of the Customer.

1.3 Am I Free is a privacy-first calendar synchronization service that enables Customers to securely connect multiple calendar accounts (such as Google, Microsoft Outlook, and Apple iCloud) and keep events up-to-date across them. The Service is designed to prevent double-bookings and scheduling conflicts, while ensuring that event details are only processed transiently and not permanently stored by SHFT.

1.4 By entering into this DPA, the Parties establish the framework required by applicable data protection laws for the secure and lawful Processing of Personal Data in connection with the Service.

2.1 Incorporation; Order of Precedence

• This DPA is incorporated into and forms part of your overall Agreement with SHFT. Capitalized terms not defined in this DPA shall have the meaning given in the Agreement.
• In the event of any conflict between this DPA and the remainder of the Agreement, this DPA shall prevail solely with respect to the Processing of Personal Data.

2.2 Parties and Roles

• Roles: For the purposes of Applicable Data Protection Laws, Customer acts as Controller (or Responsible Party under POPIA) and SHFT acts as Processor (or Operator/Service Provider) when Processing Personal Data on behalf of Customer.
• Instructions: SHFT shall Process Personal Data only on documented instructions from Customer, unless required to do so by law.

2.3 Customer Responsibilities

• Lawful Basis: Customer shall ensure it has a valid legal basis for the Processing of Personal Data and has provided all necessary notices and obtained all required consents.
• Accuracy: Customer remains responsible for the accuracy, quality, and legality of the Personal Data and the means by which it is acquired.
• Data Minimization: Customer acknowledges that the Service is not designed to serve as a permanent data store. Customer is responsible for maintaining copies of its calendar data in its source systems.

2.4 SHFT Responsibilities

• Purpose Limitation: SHFT shall Process Personal Data only for the purposes set out in this DPA, the Agreement, or the Customer’s documented instructions.
• Restricted Use: SHFT shall not retain, use, or disclose Personal Data for any purpose other than providing the Service, meeting legal obligations, or as otherwise expressly permitted under this DPA.
• Confidentiality: SHFT shall ensure that persons authorized to Process Personal Data are subject to binding confidentiality obligations.
• Policies: SHFT shall implement and maintain appropriate internal policies, controls, and safeguards to comply with its obligations under this DPA.

2.5 Details of Processing The subject matter, duration, nature and purpose of Processing, the categories of Data Subjects, and the types of Personal Data are set out in Annexure 1 Description of Processing.

2.6 Sub-Processors

• Customer authorizes SHFT to engage Sub-Processors to perform Processing activities on SHFT’s behalf, provided SHFT imposes data protection obligations on such Sub-Processors that are no less protective than those set out in this DPA.
• SHFT remains liable for the acts and omissions of its Sub-Processors.

2.7 International Transfers Where Personal Data is transferred across borders, SHFT shall ensure that such transfers are carried out in compliance with Applicable Data Protection Laws, using appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.

2.8 Service Boundaries and Age Restrictions The Service is intended for use by individuals aged eighteen (18) years and older. Customer must ensure its use of the Service aligns with this requirement.

2.9 Data Protection Contact

• SHFT has appointed Stanley Greenwood as Data Protection Officer (“DPO”) to oversee compliance with this DPA and with Applicable Data Protection Laws.
• The DPO may be contacted by emailing stanley@shft.tech
• The Customer shall designate a contact point for data protection matters and provide SHFT with up-to-date details.
• All notices, requests, or inquiries relating to Personal Data or the exercise of Data Subject rights under this DPA should be directed to the respective contacts above, unless otherwise agreed in writing.

3.1 Subject Matter of Processing The Processing of Personal Data by SHFT on behalf of the Customer is limited to the provision of the Am I Free service, which enables the synchronization of calendar events between the Customer’s connected accounts and provides related account management, billing, and support functionality.

3.2 Duration of Processing Processing will continue for the Subscription Term of the Agreement and any de-provisioning period necessary to close the Customer’s account, comply with legal obligations, and perform secure deletion.

3.3 Nature and Purpose of Processing

Processing activities include:

• Establishing and maintaining secure connections to third-party calendar providers through OAuth or similar protocols.
• Temporarily accessing and Processing calendar event metadata in order to complete synchronization between connected accounts.
• Managing user Accounts, Subscription Plans, and billing records.
• Providing support, security monitoring, troubleshooting, and service communications.
• Maintaining limited operational logs for diagnostic and security purposes.
• Complying with legal, regulatory, and contractual obligations.

3.4 Categories of Data Subjects

• Authorized users who create and manage accounts.
• Invitees and meeting participants whose details appear in calendar events.
• Customer personnel whose information appears in billing or account records.

3.5 Types of Personal Data

• Account Information: name, email address, authentication credentials, and related identifiers.
• Calendar Connection Data: OAuth tokens, calendar identifiers, and metadata needed to enable synchronization.
• Calendar Event Metadata: event titles, dates, times, recurrence patterns, organizer and attendee identifiers, and related header information (processed only as needed to perform synchronization).
• Billing Information: payment method identifiers, billing addresses, and related details (processed by third-party payment providers; SHFT does not store full card data).
• Device and Usage Data: IP address, device type, operating system, browser type, and error/performance logs.

3.6 Special Categories of Data The Service is not intended to collect or Process sensitive or special categories of Personal Data (such as health, racial, biometric, or financial data beyond payment identifiers). SHFT does not intentionally Process such data and instructs the Customer not to include it in event content or otherwise submit it through the Service.

3.7 Retention and Deletion

• Calendar event contents are processed only transiently and deleted once synchronization is complete.
• Operational and diagnostic logs are retained for a limited period (generally up to three months) before being deleted or anonymized.
• Account and billing information is retained for as long as necessary to maintain the Customer’s account, comply with legal obligations, or resolve disputes.

4.1 Organizational Controls

• Policies and procedures governing data protection, information security, and incident response.
• Role-based access controls ensuring that only authorized personnel with a business need can access Personal Data.
• Confidentiality obligations imposed on all personnel with access to Personal Data.
• Regular employee training on security awareness, privacy obligations, and secure handling of Personal Data.

4.2 Access and Authentication

• Secure authentication mechanisms, including OAuth2 for third-party calendar integrations.
• Strong password requirements and session management controls.
• Logging and monitoring of access to systems handling Personal Data.

4.3 Data Minimization and Retention

• Processing of calendar event data only on a transient basis, with automatic deletion once synchronization is complete.
• Retention of operational logs for a limited period (generally up to three months) for troubleshooting and security purposes.
• Defined procedures for the secure deletion or anonymization of Personal Data after the retention period.

4.4 Encryption and Transmission Security

• Encryption of Personal Data in transit using TLS/SSL protocols.
• Encryption of Personal Data at rest where storage is required (e.g., account and billing records).
• Use of secure cryptographic standards in line with industry best practices.

4.5 Infrastructure and Network Security

• Hosting of the Service on reputable cloud infrastructure providers with established security certifications (such as ISO 27001, SOC 2, or equivalent).
• Firewalls, intrusion detection/prevention systems, and network segmentation.
• Continuous monitoring of infrastructure for vulnerabilities and suspicious activity.

4.6 Application Security

• Secure software development lifecycle practices, including code reviews and vulnerability scanning.
• Regular patching and updates to address security vulnerabilities.
• Use of API rate limiting and input validation to prevent abuse or unauthorized access.

4.7 Incident Management

• Documented incident response plan, including procedures for identifying, reporting, and responding to Personal Data Breaches.
• Notification to Customer of any Personal Data Breach without undue delay, in accordance with Section 12 of this DPA.
• Post-incident review and remediation measures to prevent recurrence.

4.8 Vendor and Sub-Processor Management

• Due diligence and security reviews of third-party service providers before engagement.
• Written agreements with Sub-Processors requiring compliance with data protection and security obligations.
• Ongoing monitoring of vendor performance and security practices.

4.9 Business Continuity and Disaster Recovery

• Regular backups of essential service data (excluding transient calendar event content).
• Redundancy and failover mechanisms within the hosting infrastructure.
• Tested disaster recovery and business continuity procedures.

4.10 SHFT may update or modify these Security Measures from time to time, provided that such updates do not materially reduce the overall level of protection for Personal Data.

5.1 Approved Sub-Processors

Customer authorizes SHFT to engage the following categories of Sub-Processors to support the provision of the Service:

• Cloud Hosting and Infrastructure Providers – to host the Service and store limited account and system data (e.g., Amazon Web Services, Microsoft Azure, or equivalent).
• Payment Processors – to process subscription payments (e.g., Stripe).
• Customer Support and Communication Tools – to provide support, email notifications, and other communications.
• Security and Analytics Providers – to monitor Service performance, detect abuse, and maintain system integrity.

5.2 A current list of specific Sub-Processors will be maintained and made available upon request. SHFT may update this list from time to time, provided that SHFT notifies Customer in advance and Customer may reasonably object to any new Sub-Processor on legitimate data protection grounds.

5.3 Sub-Processor Obligations

SHFT shall ensure that each Sub-Processor:

• is subject to a written agreement imposing data protection and security obligations no less protective than those set out in this DPA; and
• provides sufficient guarantees to implement appropriate technical and organizational measures to ensure that Processing will meet the requirements of Applicable Data Protection Laws.

5.4 SHFT remains fully liable for the performance of its Sub-Processors.

6.1 Safeguards may include:

• Standard Contractual Clauses (SCCs) – The European Commission’s SCCs (Commission Implementing Decision (EU) 2021/914) for Controller-to-Processor transfers, including any necessary modular options.
• UK Addendum – The International Data Transfer Addendum issued by the UK Information Commissioner under s119A(1) of the Data Protection Act 2018.
• Swiss Addendum – Adjustments required by the Swiss Federal Data Protection and Information Commissioner (FDPIC), ensuring Swiss Data Subjects can enforce their rights locally.
• Other Mechanisms – Where applicable, certification under an approved data transfer framework (e.g., the EU-US Data Privacy Framework), or binding corporate rules if adopted in the future.

6.2 Upon request, SHFT will provide Customer with information reasonably necessary to demonstrate compliance with cross-border transfer obligations.

7.1 Scope of Rights

Depending on Applicable Data Protection Laws, Data Subjects may have rights including (but not limited to):

• Right of access to Personal Data;
• Right to rectification of inaccurate or incomplete data;
• Right to erasure (“right to be forgotten”);
• Right to restriction of Processing;
• Right to data portability;
• Right to object to Processing, including Processing for direct marketing purposes;
• Right not to be subject to automated decision-making or profiling;
• Right to withdraw consent, where Processing is based on consent;

7.2 Allocation of Responsibilities

• The Customer, as Controller/Responsible Party, is primarily responsible for responding to Data Subject requests.
• SHFT, as Processor/Operator/Service Provider, shall provide reasonable assistance to the Customer to enable compliance with such requests, taking into account the nature of the Processing.

7.3 Procedure for Handling Requests

Receipt of Request

• If SHFT receives a request directly from a Data Subject relating to Customer Data, SHFT will, without undue delay, forward the request to the Customer.
• SHFT will not respond to such a request directly, unless legally required to do so, in which case SHFT shall notify the Customer (unless prohibited by law).

7.4 Customer Instructions

• SHFT will act only on documented instructions from the Customer regarding how to assist with the request.
• Assistance may include providing access to, correcting, deleting, or exporting Customer Data from the Service.

7.5 Timing SHFT shall provide assistance promptly, to enable the Customer to meet applicable statutory deadlines (e.g., one month under GDPR, 45 days under CCPA/CPRA, or as otherwise required by law).

7.6 Costs

• Assistance will be provided at no additional cost where requests can be handled through self-service functionality or standard processes.
• Where assistance requires significant time or resources, SHFT may charge a reasonable fee, provided such fee is agreed in advance with the Customer.

7.7 Technical and Organizational Measures

To support the exercise of Data Subject rights, SHFT will:

• Provide tools or functionality within the Service that allow Customers to manage and export data;
• Maintain records of Processing activities to support transparency;
• Restrict access to Personal Data to authorized personnel only;
• Ensure secure deletion of Personal Data upon Customer’s instruction or account termination, subject to retention obligations.