This Privacy Policy explains how Careminds Inc. ("Careminds", "we", "us", or "our") collects, uses, stores, and protects information in connection with BookedBack, our old-lead reactivation product available at bookedback.ai (the "Service"). This single policy covers both the bookedback.ai website and the connected Google account data that BookedBack reads when you authorize it through Google OAuth.
It is written in plain English on purpose. If anything below is unclear, email support@bookedback.ai.
1. General information we collect
Website
- Cookies and analytics: bookedback.ai uses cookies and third-party analytics tools — Google Analytics 4 and Microsoft Clarity, which records anonymized session activity such as clicks and scrolling to help us improve the site — to understand how visitors use the site. We do not run advertising or retargeting pixels on the marketing site.
- Server logs: IP address, browser, referrer URL, and pages visited. Used for security and abuse prevention.
- Contact form: if you fill out a contact or demo form, we store the name, email, business name, and message you submit.
Website visitor identification
When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email. We use this information to understand which businesses are interested in BookedBack so we can follow up with relevant outreach.
You can opt out of this collection at any time at https://app.retention.com/optout. If you are in the EEA or UK, you can also opt out under GDPR at https://www.rb2b.com/rb2b-gdpr-opt-out.
Account and authentication data
- Email address and profile name returned by Google when you sign in with Google.
- Account configuration (campaign settings, labels, templates) that you create inside BookedBack.
- OAuth refresh and access tokens issued by Google, encrypted at rest (see Section 4).
2. Google API Services User Data
This section explains exactly what Google account data BookedBack accesses, what it does with it, how long it keeps it, and how you can delete it. BookedBack's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes we request and why
https://www.googleapis.com/auth/gmail.readonly— We scan your Gmail inbox and historical mail to identify "old leads": past prospects who contacted you about your services but never converted (no reply for 30+ days). We read message headers, snippets, and full message bodies for threads our filter identifies as likely lead conversations, so we can surface them to you in the BookedBack dashboard.https://www.googleapis.com/auth/gmail.modify— When you take a one-click reactivation action inside BookedBack, we apply Gmail labels (e.g., "bookedback-reactivated", "bookedback-replied") to the relevant thread so you can track outreach status inside your own Gmail. We usemodifyonly to add or remove BookedBack-managed labels. We do not delete messages and do not modify message contents.https://www.googleapis.com/auth/userinfo.emailandhttps://www.googleapis.com/auth/userinfo.profile— Standard sign-in. We read your Google account email address and basic profile (name, profile picture) to create and identify your BookedBack account.
What we read
- Message metadata (subject, sender, recipient, date, thread ID, labels) for messages in the date range you authorize for scanning.
- Message bodies for threads our filter identifies as likely lead conversations.
- Your Gmail label list, so BookedBack can create and manage its own labels without colliding with yours.
What we modify
- BookedBack-managed labels on threads you act on inside the dashboard (e.g., adding "bookedback-reactivated" when you send a one-click reactivation email through BookedBack).
- Nothing else. We do not move, archive, delete, mark as read, forward, or alter the contents of any Gmail message.
How we use Google user data — Limited Use compliance
BookedBack's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We do not use Google user data to train, develop, or improve generalized AI or machine learning models. We do not send Google user data to any third-party AI provider for training.
- We do not sell, rent, or trade Google user data to any party for any purpose.
- We do not transfer Google user data to others except (a) as necessary to provide or improve user-facing features that are prominent within the BookedBack UI, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
- Humans do not read Google user data except (a) with your explicit consent for a specific message, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data is aggregated and used for internal operations in accordance with applicable privacy and other laws.
Where Google user data is processed
Google user data is fetched and processed by BookedBack's backend on our cloud servers. It is held only long enough to render the old-lead dashboard, apply labels you request, and store the summary records described below. The data is encrypted in transit (TLS 1.2+) and OAuth tokens are encrypted at rest (AES-256) in a Postgres database accessible only to the BookedBack application user.
Retention of Google user data
- OAuth tokens: stored encrypted while your account is active. Deleted within 7 days of account deletion or disconnection.
- Old-lead index (subject lines, sender addresses, dates, our scoring metadata): stored while your account is active so the dashboard works without rescanning. Deleted within 30 days of account deletion.
- Full message bodies: not stored on our servers as a persistent record. They are read on demand when you open a thread in the dashboard, held in memory during the request, and discarded.
- Labels written by BookedBack: remain in your Gmail until you remove them. Deleting your BookedBack account does not remove labels we already wrote, since they are now data inside your own Gmail. You can delete them from Gmail at any time.
How to revoke access and delete your Google data from BookedBack
- In-app: Settings → "Disconnect Google and delete my data". This revokes our OAuth token with Google and triggers deletion of all stored Google user data within 7 days.
- In Google: visit myaccount.google.com/permissions and revoke BookedBack. Our backend detects the revoked token on next API call and deletes associated data within 7 days.
- By email: send a deletion request to support@bookedback.ai from the Google account email used to sign in. We will confirm deletion within 7 days.
3. How we use information
- Deliver and operate the Service: scan your inbox, surface old leads, send reactivation outreach you trigger, write labels back to Gmail.
- Authenticate you and secure your account.
- Communicate with you about your account, billing, support, and material product updates.
- Detect and prevent abuse, debug errors, and comply with legal obligations.
- Generate aggregated, anonymized metrics about how the Service performs. These metrics never identify any user, any lead, or any message content.
4. How we store and protect data
- Encryption in transit: TLS 1.2 or higher for all connections to BookedBack and to Google APIs.
- Encryption at rest: OAuth tokens and sensitive account fields are encrypted with AES-256 in our Postgres database. Disk volumes are encrypted at the provider level.
- Access controls: production database access is limited to the application service account and to the founder (Pavlo Tantsiura) for incident response. All access is logged.
- Hosting: backend on a dedicated cloud server; marketing site on Vercel; database on the same host inside a private network. No third-party data warehouse or analytics tool receives raw Gmail data.
- Retention: see Section 2 for Google data. Other account data is retained while your account is active and deleted within 30 days of account deletion, except where we need to retain billing records for tax and accounting (up to 7 years).
5. How users can delete their data
You have two routes:
- In-app: Settings → "Delete my account" removes your account, revokes Google OAuth, and triggers deletion of all associated data within 7 days for OAuth tokens and 30 days for everything else.
- By email: send a deletion request to support@bookedback.ai from the email on your BookedBack account. We will confirm receipt within 2 business days and complete deletion within 30 days.
Deletion is permanent and unrecoverable.
6. Sub-processors
We use a small set of vendors to operate the Service. Each is bound by their own privacy and security commitments, and is used only to the extent necessary to deliver the Service:
- Google LLC — Google Workspace APIs (Gmail) and Google Identity (sign-in). Source of the Google user data described in Section 2.
- Hetzner Online GmbH — application servers and database hosting.
- Vercel Inc. — static hosting for the bookedback.ai marketing site.
- Anthropic PBC — language model API used to generate suggested reactivation email drafts. Anthropic acts as our sub-processor under our written instructions; it does not independently use, sell, or share the data we send. We send only the minimum fields needed to draft a reactivation message: sender display name, subject line, short message snippet (typically the first 200 characters), and the old-lead metadata we computed (e.g., last-contact date, lead score). We do not send full Gmail message bodies, attachments, message lists, or any other raw Google user data to Anthropic. Under Anthropic's API terms, API data is not used to train Anthropic's models; Anthropic's default retention is at most 30 days for abuse monitoring and is then deleted.
- Stripe Inc. — payment processing for paid plans.
We do not currently use any third-party analytics provider that receives Gmail content. An up-to-date list of sub-processors is available on request.
7. What we do not do
- We do not sell or rent your personal information or your Google user data.
- We do not use Google user data to train machine learning models.
- We do not show ads anywhere in the Service.
- We do not share your Google user data with other BookedBack customers.
8. Demonstration pages and third-party brands
To illustrate how the Service could be configured for a particular business, we may create a private demonstration page that temporarily displays that business's name and logo. These pages are excluded from search-engine indexing and are shared only with the business they were prepared for. They do not imply any affiliation with or endorsement by that business.
A demonstration page does not collect any personal data about the business's own clients or callers, and we do not use the business's brand assets for any purpose beyond the private demonstration. If you would like a page that references your business changed or removed, email support@bookedback.ai and we will remove it promptly.
9. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to object to certain uses. To exercise these rights, email support@bookedback.ai. We will respond within the timeframes required by applicable law.
California, Colorado, Connecticut, Virginia, Utah, and other U.S. state residents: you may request access, correction, deletion, and to opt out of any sale or sharing of personal information. We do not sell personal information. We do not engage in cross-context behavioral advertising.
EEA, UK, and Swiss residents: you have the right to lodge a complaint with your local supervisory authority.
10. Children
The Service is intended for businesses and is not directed at children. We do not knowingly collect personal information from children under 16. If you believe a child has provided information to us, contact us and we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. We will post the new version here with a revised "Last updated" date. Material changes will be communicated to active users by email at least 14 days before they take effect, unless a shorter period is required by law.
12. Limited Use disclosure
BookedBack's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
13. Contact for privacy requests
- Email: support@bookedback.ai
- Entity: Careminds Inc., operator of BookedBack
- Owner: Pavlo Tantsiura, Founder
Effective date: May 20, 2026