Privacy Policy
Last updated: April 11, 2026
This Privacy Policy explains what information Booking ("we", "us", "the service") collects when you create an account, connect a Google account, or book an appointment, and how we use, share, store, retain, and delete that information. It applies to all users of the service and to people who book appointments through it.
1. Information We Collect
We collect the following categories of information:
- Account information: Your name, email address, and a hashed password when you create an account.
- Booking data: Names, email addresses, appointment times, meeting type, and any notes submitted by people booking appointments with you.
- Google user data: If you choose to connect a Google account, we access the specific Google user data described in Section 2 below.
2. Google User Data We Access
When you connect a Google account, you are asked to grant the following OAuth scopes. We only request these scopes; nothing more.
- https://www.googleapis.com/auth/calendar — used to (a) read free/busy time ranges on your primary calendar and any additional calendars you explicitly select, so we can compute which booking slots are available, and (b) create a confirmed booking event on your primary calendar when a guest books with you, including a Google Meet conference link on that event so you and the guest can join the meeting.
- https://www.googleapis.com/auth/userinfo.email — used to retrieve the email address associated with each connected Google account so that, if you connect more than one Google account, you can tell them apart in your dashboard.
What we explicitly do not access:
- We do not read the titles, descriptions, attendees, locations, or attachments of your existing Google Calendar events. The Google Calendar free/busy API returns only busy time ranges, which is all we request.
- We do not access your Gmail, Drive, Contacts, Photos, or any Google service other than Google Calendar and the userinfo email endpoint.
- We do not use the connected account to send email on your behalf.
- We only read back the booking events that we ourselves created on your calendar (for example, to update or cancel them).
3. How We Use Google User Data
We use Google user data solely to provide the scheduling features you requested:
- To compute your available booking slots by subtracting your busy time ranges from your configured availability window.
- To create a confirmed Google Calendar event, with a Google Meet link, on your primary calendar when a guest books an appointment. The event includes the guest's name, email, meeting type, and any notes they submitted so you have context for the meeting.
- To display the email address of each connected Google account in your dashboard so you can manage multiple connections.
Limited Use. Booking's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Google user data is not used for advertising, not sold, not used to develop, improve, or train generalized AI or machine learning models, and not read by humans except (i) with your explicit consent, (ii) as strictly necessary for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) for internal operations in accordance with the Limited Use requirements (e.g., aggregated and anonymized).
4. Data Sharing
We do not sell personal information, and we do not share Google user data with third parties for their own purposes. Google user data flows only to the following specific recipients, and only for the purposes listed:
- Google, when we write the booking event back to your calendar on your behalf and when we call Google Meet to generate a conference link for that event. If you have enabled attendee notifications, Google will send the event invitation to the guest on your behalf.
- The guest who booked with you, who receives the calendar invitation (containing your name and the meeting details) and the Google Meet link for the appointment they booked.
- Infrastructure sub-processors strictly necessary to operate the service (server hosting and transactional email delivery for booking confirmations). These providers act only on our instructions and are bound by confidentiality obligations.
We do not share Google user data with advertising networks, data brokers, analytics vendors, or AI model training providers.
5. Data Storage & Protection
We take the following measures to protect your data:
- Encryption in transit. All traffic to and from the service, and all calls to Google APIs, are transmitted over TLS (HTTPS).
- OAuth token storage. Google OAuth access tokens and refresh tokens are stored server-side in our database, scoped to the individual user account that authorized them. Tokens are never exposed to the browser or to other users. Tokens are refreshed automatically using Google's standard refresh token flow so you do not need to re-authorize routinely.
- Password storage. Account passwords are hashed using bcrypt. We do not store plaintext passwords.
- Access controls. Access to production systems and databases is restricted to authorized operators, and requests are authenticated per user.
- Minimization. We do not persist the contents of your Google Calendar events. Free/busy queries are made in real time each time a booking page is viewed, and the response is used only to compute available slots; it is not written to our database.
6. Data Retention & Deletion
We retain data only as long as we need it to provide the service, and we give you clear ways to delete it.
- OAuth tokens are retained for as long as you keep the Google account connected. You can disconnect a Google account at any time from Dashboard → Integrations → Disconnect Google, which immediately removes the stored access token and refresh token for that account from our database.
- You may additionally revoke our access directly at https://myaccount.google.com/permissions at any time.
- Booking records (guest name, email, appointment time, notes) are retained while your account is active so you have a history of your appointments. They are deleted when you delete your account.
- Account deletion. You can request full deletion of your account and all associated data — account information, booking records, OAuth tokens, and connected account records — by emailing support@basic-booking.net from the email address on your account. We will complete deletion within 30 days of receiving a verified request and confirm by reply.
- Events already written to your Google Calendar. When you disconnect a Google account or delete your Booking account, any calendar events that Booking previously created on your behalf remain on your Google Calendar, because they belong to your Google account once created. You can remove them yourself in Google Calendar at any time.
7. Children
The service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Material changes that affect how we handle Google user data will be announced on this page before they take effect.
9. Contact
For privacy questions, data access requests, or data deletion requests, contact us at support@basic-booking.net.