Sweepfor Mac
Free Download

Privacy & permissions

Which Apps Have Access to Your Mac's Calendar?

Find every app reading your Mac's Calendar, learn what events and metadata they see, and revoke access from apps that don't need it.

8 min read

Your calendar is one of the most revealing things on your Mac. It says where you’ll be, who you’re meeting, what you’re working on, and — through recurring events — when you’re vulnerable to social engineering (“they’re in their weekly standup right now”). When an app asks for Calendar access, the data behind that toggle is genuinely sensitive, even if the prompt feels routine.

Here’s a tour of the permission, who legitimately needs it, and how to clean up.

What Calendar permission grants

When an app has Calendar access on macOS 14 Sonoma or 15 Sequoia, it can:

  • Read every event across every calendar you’ve added (iCloud, Google, Exchange, local)
  • Read titles, locations, attendees, notes, attachments
  • Read recurrence rules and exceptions
  • Write new events or edit existing ones if granted write access

It does not:

  • Touch Reminders (separate permission)
  • Touch Mail or Messages
  • Read other apps’ files

Important to know: Calendar access is all calendars at once. If you have a personal iCloud calendar, a work Exchange calendar, and a shared family calendar, an app with Calendar permission sees all three. There’s no per-calendar scoping.

Where to find the list

Open System Settings → Privacy & Security → Calendars. Each app has a toggle. Recent macOS versions show “Full Access,” “Add Only,” or no access for each app — a useful refinement.

  • Full Access lets the app read and write all events
  • Add Only lets the app create new events but not read existing ones
  • None is no access

Who legitimately needs Calendar access

A short list:

  • Calendar clients — Fantastical, BusyCal, Calendar.app (system, no toggle), Notion Calendar (formerly Cron)
  • Conferencing tools — Zoom, Teams, Google Meet (if scheduling), Webex, Around
  • Scheduling assistants — Reclaim, Motion, Clockwise, Akiflow
  • CRM tools that sync meetings — HubSpot, Salesforce
  • Time-tracking tools — Timing, Toggl Track, Tyme, Clockify
  • Task and note apps with calendar integrations — Things, Todoist, Notion, Obsidian Calendar plugin

Outside those, the justification is usually weak. A photo editor doesn’t need it. A music app doesn’t. A “free utility” doesn’t.

Audit your permissions in one screenSweep shows every app’s permissions on one page. Revoke in one click. Get Sweep free →

When Add Only is the right choice

If an app’s job is to create calendar events from things — booking forms, ticket purchases, restaurant reservations — Add Only is sufficient. The app can drop the event into your calendar without reading what’s already there.

Examples where Add Only fits:

  • Travel booking apps (Expedia, Kayak)
  • Restaurant reservation apps
  • Ticketing apps
  • Some appointment-booking helpers

Whenever you see an app with Full Access that only ever adds things, downgrade it to Add Only. The app continues working; the privacy footprint shrinks.

Why event metadata matters

A typical event includes:

  • Title (often summarizes the meeting purpose)
  • Location (a physical address, a Zoom link, or a private URL)
  • Attendees with email addresses
  • Notes (sometimes including agenda items, dial-in numbers, sensitive context)
  • Attachments (sometimes documents)

For corporate users, the attendees list is the most sensitive — it’s an accurate map of who’s collaborating with whom. Anyone with Calendar access can read that map.

How to revoke

In System Settings → Privacy & Security → Calendars, click the row for the app. Choose “None” or change between “Full Access” and “Add Only.” The app may need to relaunch.

If you’re not sure which apps actively use the permission vs. which ones requested it once and never used it, the simplest test is to revoke and see what breaks. Anything that was actively using it will prompt you again the next time you trigger the relevant feature.

See what your apps actually accessSweep surfaces every camera, mic, file, and location permission on your Mac. Download Sweep free →

Exchange and Google Calendar via accounts

If you’ve added work calendars via System Settings → Internet Accounts, those calendars feed into Apple’s Calendar database. Apps with Calendar permission see them. There’s no separate toggle for “third-party calendar accounts” vs “iCloud calendars.”

If you want a clean separation — work calendar visible only to work apps, personal calendar visible to everything else — the cleanest path is two macOS user accounts. That’s heavier-handed than most users want, but it’s the only way to fully partition.

A middle-ground approach: don’t add the work calendar to Calendar.app. Use a dedicated client like Outlook, which keeps the data in its own database. Apps reading from Calendar.app then only see your iCloud and personal accounts.

Sandbox containers

App Store apps need the com.apple.security.personal-information.calendars entitlement to ask for Calendar access. With it, they can read the full database the same as non-sandboxed apps.

What the sandbox helps with is what the app can do after reading. A sandboxed app can only make network requests to declared endpoints, so it can’t quietly stream your calendar to an arbitrary third party without that being visible in entitlements. Non-sandboxed direct-download apps have no such limit.

Tip: If you find an app's name unfamiliar in the Calendar list, look at the path with right-click → Reveal in Finder. The path tells you whether it's a system service, an Apple app, a Mac App Store app, or a direct download.

What about Spotlight?

Spotlight indexes your calendar so it can show events in search results. This is system-level, doesn’t go through Calendar permission, and you can’t really turn it off without disabling Spotlight indexing entirely. The data stays on-device unless you’ve enabled Apple Intelligence and chosen to share specific things.

The “schedule a meeting” prompt

A common pattern: you click “Add to Calendar” in an email or a web page, and the relevant app prompts to add the event. If that flow uses macOS’s standard Add to Calendar handler, it doesn’t need persistent Calendar access — it goes through a one-time system dialog. So an app you only use that way can have Calendar set to None and still work.

Apps that need persistent access are the ones doing ongoing reads (showing your schedule, syncing with their backend, suggesting time slots). Those genuinely need the toggle on.

Audit checklist

Once per quarter:

  • Open System Settings → Privacy & Security → Calendars
  • For each app: confirm you actively use it for a calendar workflow
  • Downgrade Full Access to Add Only where appropriate
  • Toggle to None for apps you can’t justify
  • Remove ghost entries with the minus button if any

Skip System Settings — see it all at onceSweep collapses the privacy maze into one screen. Try Sweep free →

Calendar is sensitive because of who’s on it more than what’s on it — meeting attendees and their email addresses, your physical location at every hour of every day, your routines. The audit is fast, the categories of legitimate apps are narrow, and Add Only is the right setting for more apps than people use it for.

← Back to all guides