Privacy Policy

What we collect, how we use it, and what you can do about it. Short, specific, plain.

Last updated: 8 May 2026

Who we are

BookMe is operated by Shaun Godinho (Pune, India), reachable at ent.shaun@gmail.com. References to "we" / "us" / "BookMe" mean the same operator. This policy covers the BookMe product — the public booking pages under shaungodinho.com/book/<handle>/ and the host workspace at shaungodinho.com/meet/.

What we collect

From hosts (signed-in users)

• Google account info — your name, email address, and profile picture, retrieved when you sign in with Google.
• Google Calendar busy/free data — when you connect Google Calendar, we read your freeBusy endpoint to know when you're busy. We do not read event titles, descriptions, attendees, or content unless you explicitly add a calendar to your selected calendars (in which case we still only read busy/free times, never event bodies).
• Booking page configuration — handle (URL slug), display name, meeting title, duration, working hours, timezone, buffer minutes. Stored as you set them in the dashboard.
• Booking records — every confirmed booking, including the booker's name, email, and the slot they chose.

From bookers (anonymous visitors of /book/<handle>/)

• Name and email — submitted on the booking form.
• Browser timezone — to display slot times in the booker's local time.
• IP address — used only for per-IP rate limiting on the public booking endpoint (5 requests/minute). Not stored beyond the rate-limit window.

Automatic

• Server logs via our hosting provider (Cloudflare Pages). Standard request metadata: IP, user agent, path, status code, timestamp. Retained per Cloudflare's defaults.
• First-party session cookies for authentication state. No third-party tracking, no analytics, no advertising cookies.

How we use it

• Display real-time availability on your booking page. Calendar busy/free is read at request time; we don't cache it.
• Create calendar events on your primary Google Calendar when a booker confirms. The booker is added as an attendee with sendUpdates=none so Google does not send its own duplicate invite emails.
• Send confirmation emails — one to the booker and one to you (the host) for every booking. Delivered via Resend.
• Show you a bookings dashboard at /meet/ with each booking's status (email delivery, calendar push).

We do not sell your data. We do not share it with anyone except the operational third parties listed below, and only to the minimum needed to operate the service.

How we store it

• Database: PostgreSQL on Supabase. Row-Level Security ensures hosts can only read their own configuration, bookings, and calendar metadata.
• Encryption at rest: Google refresh and access tokens are encrypted with AES-256-GCM before persistence. The encryption key lives only in the edge runtime, not in the database. A database snapshot without the key cannot recover Google tokens.
• Encryption in transit: TLS 1.3 throughout. All endpoints reject non-HTTPS.
• Retention: Booking records are retained until you delete your account. Server logs follow Cloudflare's defaults (~30 days for raw HTTP logs).

Third parties

BookMe runs on top of these services. Each receives only the data needed to perform its function:

• Supabase — database, authentication, edge functions. Supabase privacy policy.
• Google — OAuth + Calendar API. Subject to Google's privacy policy and your Google account settings. You can revoke our access any time at myaccount.google.com/permissions.
• Resend — transactional email (booker confirmations + host notifications). Resend privacy policy.
• Cloudflare — DNS, CDN, static site hosting (Pages), email routing for the bookings@shaungodinho.com reply address. Cloudflare privacy policy.

We do not use any other third-party services on the BookMe surfaces. Specifically, we do not use Google Analytics, Facebook Pixel, or any other advertising or behavioural-tracking service.

Google API user data

BookMe's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We use Google Calendar data only to provide the user-facing scheduling features described above. We do not use it to train any AI model. We do not share it with third parties beyond the operational ones listed in the previous section.
• The scopes we request are calendar.readonly (to read free/busy intervals) and calendar.events (to create events on confirmed bookings). We do not request access to any other Google data.
• You can revoke our access at any time from myaccount.google.com/permissions or from within the BookMe dashboard. Revocation removes our ability to read or write to your calendar immediately.

Your rights

• Access — request a copy of your data by emailing ent.shaun@gmail.com. We'll respond within 30 days.
• Disconnect Google Calendar — anytime from the dashboard. Removes our access tokens and stops calendar reads/writes.
• Delete your account — email ent.shaun@gmail.com. We'll purge your configuration, bookings, and auth record within 7 days. Resend / Cloudflare server logs follow their own retention windows.
• Correct your data — your display name, meeting title, and other configuration are editable from the dashboard. For anything else, email us.

Cookies

We use first-party session cookies for authentication only. No advertising, no cross-site tracking, no third-party analytics cookies.

Security

TLS 1.3 in transit. AES-256-GCM at rest for Google refresh and access tokens. Row-Level Security on every host-owned database table — a query as one host cannot see another host's rows. Per-IP rate limiting on the public booking endpoint. Service-role keys (which bypass RLS) live only in server-side edge functions, never in browser code.

If you discover a vulnerability, please email ent.shaun@gmail.com. We'll acknowledge within 48 hours.

Children

BookMe is not directed to children under 16. If you believe a child under 16 has provided us with personal information, email us and we'll delete it.

International transfers

BookMe is operated from India. Our database (Supabase) and most third-party providers operate primarily in the US and EU. By using BookMe you consent to your data being transferred to and processed in those jurisdictions.

Changes

When this policy changes materially, we'll update the "Last updated" date above and email signed-in hosts at the address on file. Continued use after the change constitutes acceptance.

Contact

Anything not covered above — email ent.shaun@gmail.com. Real human, real reply.