Privacy Policy
Transparent, readable and focused on what matters.
Controller
Company / Controller, Address, Contact, Email: info@fruitly.ai
Processing Activities
- Operating the chatbot (Art. 6(1)(b), (f) GDPR)
- Handling support/contact requests (Art. 6(1)(b) GDPR)
- Sending verification and confirmation emails (Art. 6(1)(b),(c) GDPR)
- Usage analytics (message/token counts) to improve the service (Art. 6(1)(f) GDPR)
Categories of Data
- Chat content (history), chatbot ID, session ID
- Support/contact details (email, subject, message/details)
- Usage data (message counts, token usage, timestamps)
- Technical data: IP address and user agent (security and troubleshooting)
Recipients
- OpenAI (US) for responses; transfers based on Art. 46 GDPR (SCCs)
- Mailgun (EU/US) for email delivery
- Hosting/infrastructure providers (data processing agreements in place)
Google Calendar data
Scope requested
We request the minimal scope https://www.googleapis.com/auth/calendar.events to create and manage events on your primary calendar and to read event metadata needed to avoid double‑booking.
Google user data we access
- Event metadata from your primary calendar within selected dates: start time, end time, and event ID (for availability checks). We do not read event descriptions, titles, attachments, or attendee lists beyond what is necessary to determine busy time.
- When creating an event: title/summary, optional description (from notes you provide), attendees (your email and the invitee’s email), start/end time, and conference data to generate a Google Meet link.
- OAuth credentials: access token, refresh token, and token expiry (used solely to call Google Calendar APIs on your behalf).
- When you explicitly trigger a calendar sync in the dashboard: title/summary, location, short description (up to 500 characters), first non‑organizer attendee email (if present), start/end time, event ID, and Meet URL. These are limited to a rolling date range used by your in‑app calendar.
How we use the data
- Check availability by listing events for a specific day and comparing time windows.
- Create calendar events on your primary calendar and include Google Meet conferencing.
- Render your in‑app calendar and prevent double‑booking when you choose to sync events.
- Retrieve the event ID, event URL, and Meet URL returned by Google for your records and reminders.
What we store
- Event ID, Google Meet URL, and start/end timestamps related to the booked appointment.
- If you choose to sync your calendar in the dashboard (user‑initiated): minimal event details for the selected range to power the in‑app calendar and avoid double‑booking, namely event ID, start/end, title/summary, location (if present), up to 500 characters of description (if present), first non‑organizer attendee email (if any), and Meet URL (if present). These records are flagged as Google‑synced and can be removed via the “Reset” action on the calendar page.
- OAuth tokens (access/refresh) and expiry metadata, stored encrypted at rest.
We do not store your full calendar contents or unrelated event details.
Security
OAuth tokens are stored encrypted at rest (AES‑256‑GCM). Access is restricted to essential personnel and services. Transport is encrypted (TLS).
Retention and deletion
Tokens and appointment/synced event records are retained only as long as necessary to provide the integration. You can disconnect the integration in the app or revoke access anytime in your Google Account (myaccount.google.com/permissions). Disconnecting removes our stored tokens and stops any future access. Synced items can be removed at any time using “Reset” on the calendar page; otherwise they may be refreshed on subsequent syncs for the rolling date window. Events already in your Google Calendar remain in your Google account unless you delete them there.
Sharing
We do not sell or share Google user data. Data is transmitted only to Google to perform the requested actions on your behalf.
Policy compliance
We adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use or transfer Google user data for ads or for purposes unrelated to the app’s user‑facing features.
Retention
Data are retained as long as necessary for the purposes above. You can request deletion unless legal retention obligations apply.
Legal Bases
- Art. 6(1)(b) GDPR (contract/performance) – e.g., handling support/contact
- Art. 6(1)(f) GDPR (legitimate interests) – operation, security, improvement
- Art. 6(1)(c) GDPR (legal obligation) – e.g., documentation/retention
- Art. 46 GDPR (SCCs) / Art. 49(1)(b),(c) GDPR – third country transfers to OpenAI/Mailgun if applicable
Your Rights
- Access, rectification, erasure, restriction, data portability, objection
- Withdrawal of consent with future effect
- Complaint to a supervisory authority
Cookies & Storage
No third‑party tracking cookies by default. Technically necessary cookies/storage (e.g., session/localStorage for UI features like panel width/chat history) are used (Art. 6(1)(f) GDPR; §25(2) TTDSG).
Security Measures
We implement appropriate technical and organizational measures (TOMs), including access controls, logging, and transport encryption.
Contact
For privacy concerns, contact info@fruitly.ai.