BookingCalendar - Privacy Policy

Effective date: 20th August 2025
Last updated: 2nd September 2025

This Privacy Policy explains how CST Group Limited (we, us, our) collects and uses personal data when you use BookingCalendar (the Service). The Service lets you authorise us to add bookings automatically to a Google Calendar that you nominate.

We aim to be fair and transparent. We have no interest in your data beyond operating the calendar functions you ask us to perform.

If you are a consumer, nothing in this Policy affects your legal rights. If you use the Service for business purposes, you confirm you have authority to bind the organisation you represent.

We act as data controller for account and support information ("Service Data"). For booking content you submit for insertion into your calendar, we process that data solely to provide the Service and, where applicable, act as your processor.

1. The data we process

1.1 Google user data (via OAuth)

If you grant access, we receive tokens and limited access to your Google Calendar to:

  • show the list of calendars you can use; and
  • create/update events in the calendar(s) you nominate.

Event content: When you send us booking details (e.g. title, start/end time, attendees, location, description), we transmit them to Google to create or update the event. We do not otherwise use this content and we avoid storing it unless strictly necessary for retries or support you have asked for. We keep minimal metadata such as calendar IDs, event IDs we created, and operational logs.

1.2 Shopify store data (via Shopify APIs)

If you install our Shopify app and connect your shop, we process data strictly to create and manage calendar bookings from qualifying orders:

  • Order data: order number/ID, created/updated time, line items (product/variant IDs, titles, quantities), booking-related options or metafields (e.g. selected slot/date/party size), and fulfilment/delivery method where relevant.
  • Product & variant data: titles, IDs, variant attributes, and booking-rule metafields used to determine duration, capacity, or resource allocation.
  • Customer contact: name, email, phone, used to populate the calendar event title/description or attendees.
  • Shop metadata: shop domain and app configuration (e.g. nominated calendar, mapping rules).

We do not modify your catalogue or orders. We avoid storing full order payloads and keep only minimal identifiers and mappings required to operate the Service and to support you when requested.

1.3 Service Data (account & operations)

  • Contact details you provide (e.g. name, email).
  • Authentication data (OAuth tokens/refresh tokens).
  • Configuration (which calendar(s) you nominated, preferences).
  • Technical logs (timestamps, API status, error codes, IP address for security).
  • Billing details if you have a paid plan.

We do not collect special category data intentionally. Please avoid including sensitive content in event descriptions.

2. Our purposes and lawful bases (UK GDPR)

| Purpose | Data | Lawful basis |
|---|---|---|
| Provide and operate the Service (create/update events, show calendars) | OAuth tokens, calendar list, booking details, minimal metadata | Performance of a contract |
| Secure the Service and prevent abuse | Technical logs, IP address, event IDs | Legitimate interests |
| Support you (when you ask) | Relevant logs, event metadata; in rare cases event content if you expressly request | Legitimate interests; Performance of a contract |
| Billing and account management | Contact/billing details | Performance of a contract; Legal obligation |
| Legal and compliance | Minimal necessary records | Legal obligation |

Where we rely on Google OAuth, your consent at the Google consent screen also applies to the specific scopes granted. You can withdraw that at any time by revoking access (see Section 8).

Additional purposes when connected to Shopify:

  • Create bookings from Shopify orders and maintain mappings between order IDs and calendar event IDs — Performance of a contract.
  • Derive booking details from product/variant data and booking-rule metafields — Performance of a contract.
  • Prevent abuse and ensure accurate reconciliation (e.g. duplicate detection, retries) — Legitimate interests.

3. Google API Services User Data Policy (Limited Use)

We comply with Google’s Limited Use requirements. In short:

  • We use Google user data only to provide or improve user‑facing features you interact with.
  • We do not sell Google user data.
  • We do not use Google user data for advertising or marketing.
  • We do not allow people to access Google user data unless you ask us to, it’s necessary for security or compliance, or required by law.
  • We only transfer Google user data as permitted by Google’s policies and as described in this Policy.

4. Tokens, storage and security

  • OAuth tokens (and refresh tokens if used) are stored securely and encrypted at rest.
  • We separate tokens from operational logs and restrict internal access on a need‑to‑know basis.
  • We apply industry‑standard security controls, including TLS in transit, network segmentation, access logging and review, and regular patching.

5. Data sharing and sub‑processors

We do not sell your data. We share it only as needed to run the Service:

  • Cloud hosting and infrastructure providers (to store encrypted tokens, run our servers, and send API requests).
  • Customer support or error monitoring tools (metadata only where possible).
  • Payment processor (billing data only, if you subscribe to a paid plan).

We also share data where required by law, to protect rights and safety, or to investigate abuse or security incidents.

We do not “share” Shopify data with third parties beyond the sub-processors listed. Shopify itself acts as a separate controller for the Shopify platform; our app reads data you already hold there under your Shopify agreement.

6. International data transfers

Where data is transferred outside the UK (or EEA), we rely on appropriate safeguards, such as the UK Addendum to the EU Standard Contractual Clauses (SCCs) or the International Data Transfer Agreement (IDTA), and additional measures where necessary.

7. Retention

  • Tokens and Google user data: deleted promptly when you disconnect the Service, your account is closed, or tokens become invalid/unused.
  • Shopify tokens & cached Shopify data: deleted when you disconnect the app or your shop uninstalls. Minimal operational logs may be retained for security and audit for up to 30 days, then deleted or aggregated.
  • Operational logs/metadata: kept for up to 30 days for troubleshooting and security, then deleted or aggregated.
  • Billing records: kept as required by law (typically up to 6 years in the UK).
  • Calendar events already created remain in your Google Calendar until you delete them or ask the Service to do so.

8. Your choices and controls

  • Revoke access: You can remove the Service’s access in your Google Account → Security → Third‑party access.
  • Disconnect: You can disconnect your account under the Google Calendar section of the Service.
  • Deletion: You can request deletion of your account and associated data by contacting us. We will delete tokens and cached Google data promptly, subject to legal retention requirements. When your Shopify shop uninstalls the app, we receive Shopify’s app/uninstalled webhook and will promptly delete tokens and cached Shopify data within 7 days. This does not remove events already created in your Google Calendar; you can delete them in Google Calendar or via the Service while access remains.
  • Access and corrections: See your rights below.

9. Your rights (UK GDPR)

You have the right to request access, rectification, erasure, restriction, objection, and data portability. Where we rely on consent, you can withdraw consent at any time (this won’t affect processing that has already happened). To exercise your rights, contact us. We may need to verify your identity. You also have the right to complain to the Information Commissioner’s Office (ICO). See https://ico.org.uk/ for details.

10. Children’s data

The Service is not directed to children under 16 and should not be used by them. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Cookies and analytics

The Service does not use advertising cookies. If we use strictly necessary cookies (e.g. to keep you signed in) or privacy‑preserving analytics, details will be provided in our Cookie Notice. We will not use Google user data for advertising or analytics.

12. Automated decision‑making

We do not use personal data for automated decision‑making that produces legal or similarly significant effects.

13. Changes to this Policy

We may update this Policy to reflect changes in law, security, or the Service. If changes are material, we will provide reasonable notice. Please check this page from time to time.
