How SteeleSchedule keeps your calendar data encrypted and private.
Zero-knowledge encryption means we mathematically cannot read your data—even if we wanted to. Your calendar events are encrypted on your device before they reach our servers. Only you hold the decryption keys.
Unlike Calendly or Cal.com (which store your events in plain text), SteeleSchedule only sees encrypted blobs. We compute availability using privacy-preserving cryptographic techniques.
When you create an account, your password is hashed using Argon2id (winner of the Password Hashing Competition). This produces your User Master Key (UMK).
UMK = Argon2id(password, salt, params)Your calendar events (title, location, attendees) are encrypted using XChaCha20-Poly1305, an authenticated encryption algorithm from libsodium.
encrypted_event = XChaCha20-Poly1305.encrypt(event_data, UMK)The server stores only the ciphertext. Without your UMK, the data is unreadable.
To show availability without decrypting your events, we use Bloom filters— a probabilistic data structure that reveals time slots without exposing event details.
Others see "available" or "busy" windows, but never your event titles or meeting participants.
When you connect Google or Microsoft calendars, their OAuth tokens are encrypted with your UMK before storage. We never have plaintext access to your calendar credentials.
If our servers are hacked, attackers get encrypted blobs—useless without your password.
We can't hand over data we can't read. Law enforcement gets encrypted ciphertext.
Our engineers cannot access your calendar events. Zero knowledge means zero privilege.
No Google Analytics, no Facebook Pixel. Your scheduling activity is private.
Our encryption implementation uses libsodium.js, an audited library trusted by Signal, 1Password, and Bitwarden. All cryptographic algorithms are public and peer-reviewed.