← Back to Home

Privacy Policy

Last updated: March 16, 2026

1. Introduction

CarsonBot (“we,” “our,” or “us”) provides a lead qualification and appointment booking platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

We collect information that you provide directly to us, including:

  • Account information (name, email address, password)
  • Workspace and team member data
  • Flow configurations and content you create
  • Chat session data including responses from end users
  • Calendar booking information
  • Payment information (processed by Stripe)
  • Analytics and usage data

3. How We Use Your Information

  • To provide and maintain our service
  • To process transactions and send related information
  • To send administrative notifications (booking confirmations, reminders)
  • To analyze usage patterns and improve our service
  • To protect against unauthorized use of our service

4. Data Sharing

We do not sell your personal information. We share data only with:

  • Service providers who assist in operating our platform (Supabase, Stripe, DodoPayments, SendGrid, Twilio)
  • Third-party integrations you explicitly connect (Google Calendar, HubSpot, Pipedrive, Zoom)
  • As required by law or to protect our rights

5. Google Calendar Data

CarsonBot integrates with Google Calendar to enable appointment booking within conversational flows. When you connect your Google Calendar account, we request the following permissions:

What We Access

  • Calendar list — We read the list of calendars on your Google account so you can select which calendar to use for bookings.
  • Free/busy information — We read your existing calendar events' time ranges (not their content) to determine your available time slots.
  • Calendar events — We create, update, and cancel calendar events when leads book, reschedule, or cancel appointments through your flows.

What We Do NOT Access

  • We do not read the titles, descriptions, attendees, or content of your existing calendar events. We only query free/busy time ranges.
  • We do not modify or delete any events that were not created by CarsonBot.
  • We do not access calendars you have not explicitly selected.

How We Store This Data

  • OAuth tokens (access token and refresh token) are encrypted at rest using AES-256-GCM and stored in our database. They are never logged or exposed in client-side code.
  • Calendar event IDs for bookings created by CarsonBot are stored to support cancellation and rescheduling. No event content is stored.
  • Availability data (free/busy time slots) is computed in real time and is never persisted.

How to Revoke Access

You can disconnect your Google Calendar at any time from CarsonBot Settings. This deletes your stored OAuth tokens immediately. You can also revoke access from your Google Account at myaccount.google.com/permissions. Upon revocation, CarsonBot can no longer access your calendar. Calendar events previously created by CarsonBot remain on your calendar — you can delete them manually if desired.

6. Google Sheets Data

CarsonBot integrates with Google Sheets to sync lead data collected through conversational flows. When you connect your Google Sheets account, we request spreadsheet read/write access.

What We Access

  • We append rows to spreadsheets you specify. Each row contains lead data from a single flow session (e.g., name, email, responses).

What We Do NOT Access

  • We do not read existing data in your spreadsheets.
  • We do not access spreadsheets other than those you explicitly configure in your flow.
  • We do not delete or modify existing rows.

How We Store This Data

  • OAuth tokens are encrypted at rest using AES-256-GCM.
  • Spreadsheet IDs you configure are stored as part of your flow definition.
  • The actual lead data written to your spreadsheet is not separately stored by CarsonBot — your Google Sheet is the system of record.

How to Revoke Access

You can disconnect Google Sheets at any time from CarsonBot Settings, which deletes your stored OAuth tokens. You can also revoke access from myaccount.google.com/permissions. Data already written to your spreadsheets remains there — CarsonBot does not delete it upon disconnection.

7. Google API Services — Limited Use Disclosure

CarsonBot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data for the purposes described in this privacy policy (appointment booking and spreadsheet data sync).
  • We do not transfer Google user data to third parties except as necessary to provide the service (e.g., creating a calendar event requires sending attendee information to Google's Calendar API).
  • We do not use Google user data for advertising or to build user profiles for advertising purposes.
  • We do not allow humans to read Google user data unless (a) we have your explicit consent, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) our use is limited to internal operations and the data has been aggregated and anonymized.

8. Data Security

We implement industry-standard security measures including AES-256-GCM encryption for stored API keys, HTTPS for all communications, and secure authentication via Supabase Auth. However, no method of transmission over the internet is 100% secure.

9. Data Retention

We retain your data for as long as your account is active. Chat session data and analytics events are retained according to your plan. You may request deletion of your data at any time.

For Google integrations specifically: OAuth tokens are retained as long as the integration is connected and deleted immediately when you disconnect. Calendar event IDs are retained for the lifetime of the associated booking. No Google user data is retained after you delete your CarsonBot account.

10. Your Rights

You have the right to:

  • Access and receive a copy of your personal data
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to processing of your data
  • Export your data in a portable format

11. Cookies

We use cookies for authentication session management and to remember your preferences. We use a third-party cookie consent manager. You can manage your cookie preferences at any time.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at [email protected].

Terms of Service