← Back to BookLeaf

Privacy Policy

Effective: April 15, 2026

BookLeaf (bookleaf.us) is a scheduling tool that connects with Google Calendar and, optionally, Zoom to help you share availability and accept bookings. This policy explains what information we collect, how we use it, and your choices.

Information We Collect

Account Data

When you sign in with Google, we receive and store your name, email address, profile image, and basic profile information. If you connect Zoom, we also receive the basic Zoom user profile needed to link the account. You also provide a username and timezone within BookLeaf.

Booking Data

When someone books time with you, we collect their name, email address, optional notes, selected time slot, timezone, and meeting URL details generated for the booking, including Google Meet or Zoom when enabled.

Calendar Data

We access your Google Calendar to check free/busy status and create calendar events for confirmed bookings. We store connected calendar names, availability rules, and scheduling preferences you configure.

OAuth Tokens

We store Google and Zoom OAuth refresh and access tokens server-side to maintain connected service access on your behalf. We never see or store your Google or Zoom password.

Technical Data

We collect error logs through Sentry, which may include IP addresses, browser information, and technical details about errors encountered. We use a session cookie for authentication.

How We Use Your Information

  • Provide the scheduling service — check availability, create calendar events, and create/update/delete Zoom meetings when enabled
  • Send transactional emails — reminders (24 hours before), cancellation and rescheduling notifications
  • Monitor and fix errors to keep the service running

Google API Access

We request the following Google API permissions, each for a specific purpose:

  • Calendar access — read and create events on your calendar for confirmed bookings
  • Calendar list — display your calendars so you can choose which ones to check for conflicts
  • Free/busy access — check your availability without reading event details
  • Calendar settings — read your calendar timezone and preferences

You can revoke BookLeaf's access at any time from your Google Account permissions.

Zoom API Access

If you connect Zoom, we request Zoom permissions only for the meeting actions BookLeaf performs on your behalf:

  • Meeting management — create, update, and delete Zoom meetings for bookings, reschedules, and cancellations
  • Meeting read access — read meeting metadata and invitation links needed to return the join URL
  • User profile read — confirm the signed-in Zoom account while linking the integration

You can disconnect Zoom from BookLeaf Settings or by removing BookLeaf from Zoom App Marketplace Manage > Installed Apps.

Third-Party Services

  • Google — authentication (OAuth) and calendar operations (Google Calendar API)
  • Zoom — authentication (OAuth) and Zoom meeting management for enabled bookings
  • Sentry — error monitoring and diagnostics
  • PostHog — analytics and product event tracking
  • Email delivery — transactional emails sent via SMTP

Each service operates under its own privacy policy. We only share the minimum data necessary for each service to function.

Data Sharing

We do not sell your personal information. Information is shared only with the third-party services listed above to operate the platform. If Zoom is enabled for a booking, the host, booking title, start time, duration, timezone, and optional agenda are sent to Zoom to create the meeting. When someone books time with you, their name, email, and notes are visible to you as the host, and your name is visible to them.

Data Retention

Account data is kept while your account is active. Booking records are retained for historical reference. To request deletion of your data, contact us at privacy@bookleaf.us.

Cookies

We use a single session cookie for authentication and PostHog analytics cookies for aggregate usage events. These are not used for advertising.

Security

All connections use HTTPS. OAuth tokens are stored server-side and never exposed to browsers. Google and Zoom API permissions are scoped to only what is needed for the service.

Children

BookLeaf is not intended for children under 13. We do not knowingly collect information from children under 13.

Changes

We may update this policy from time to time. Changes will be posted on this page with a revised effective date.

Contact

Questions about this policy? Email privacy@bookleaf.us.