Privacy policy

1. Information we collect

1.1. Account information. When you create an account, we collect your username and email address, your password (stored encrypted), and any contact information you choose to provide.

1.2. Service usage information. We collect information about how you use the Service, including email sending logs (recipients, subjects, dates), email templates you create or use, SMTP configuration and credentials (encrypted), and activity and error logs.

1.3. Gmail integration information. When you use the Gmail integration via OAuth 2.0, we request only the gmail.send permission (to send email on your behalf) and userinfo.email (to identify your Gmail account). We do not access, read, store or process your existing email; we use these permissions only to send new email that you authorize through our platform. When you connect Gmail, we store the OAuth refresh token (encrypted) to maintain the session and the associated email address. We do not store access tokens; they are obtained temporarily when needed.

1.4. Google Calendar integration information. When you use the Google Calendar integration (BookingCore booking module) via OAuth 2.0, we request only the permission https://www.googleapis.com/auth/calendar — to list the calendars in your account (names and identifiers only), create events when a booking is confirmed, and delete those same events when the booking is cancelled or deleted.

We do not read the content of your events or other calendars. We only list your calendars (metadata) so you can choose which to sync; we create events only when a booking moves to “confirmed”; we update in Google Calendar the events we created when the date or time of a confirmed booking is edited; and we delete from Google Calendar only the events we created when the booking is cancelled or deleted. Each business (tenant) connects its own Google account.

The business owner can configure, in the platform, event visibility (public, private or confidential), an optional reminder, the event title format, and whether to include client contact details (phone, email, notes) in the event description, to control how much information is sent to Google Calendar.

When you connect Google Calendar, we store: OAuth refresh token (encrypted) to maintain the session; access token and expiry (automatically renewed when needed); identifier of the chosen calendar (e.g. “primary” or a specific calendar ID); and the email address associated with the Google account.

1.5. Technical information. We automatically collect your IP address, browser type and operating system, access dates and times, and pages visited and actions performed.

2. How we use your information

We use the information we collect to: provide the Service (process and send your email; in the BookingCore booking module, sync confirmed bookings with your Google Calendar if you have configured it); manage your account and authentication; improve the Service by analyzing usage; send you important notifications; provide support; and comply with legal and regulatory obligations.

3. Sharing information

We do not sell, rent or share your personal information with third parties except: with service providers who help us operate the Service (hosting, databases, email services), under confidentiality agreements; with Google (Gmail API) when you use Gmail integration, under Google’s Terms of Service and Privacy Policy; with Google (Google Calendar API) when you use the booking module’s Calendar integration, so events can be created in the calendar you choose (tokens, calendar identifier), under Google’s terms and policy; when required by law, court order or legal process; and to protect our rights, property or safety, or that of our users.

4. Information security

We implement technical and organizational measures including: encryption of passwords and OAuth tokens; limited access for authorized staff; SSL/TLS for transmissions; continuous monitoring; and regular backups with appropriate safeguards.

No method of transmission over the Internet or electronic storage is 100% secure. While we work to protect your information, we cannot guarantee absolute security.

5. Data retention

We retain personal information for as long as needed to provide the Service and meet legal obligations. Account data: while your account is active and up to 30 days after cancellation. Email logs: 90 days by default, with an extended retention option. OAuth tokens (Gmail): removed immediately when you disconnect Gmail. OAuth tokens (Google Calendar): removed immediately when you disconnect the Calendar integration in the booking module.

You may request deletion of your data at any time by contacting us.

6. Your rights

Under the General Data Protection Regulation (GDPR), you have the right to access, rectification, erasure, objection, portability and to withdraw consent.

To exercise these rights, contact us at soporte@fastcore.es.

7. Cookies and similar technologies

We use cookies and similar technologies to keep your session active, remember your preferences and analyse use of the Service. You can set your browser to reject cookies, though some features may not work as intended.

8. Integration with third-party services

8.1. Google Gmail API. When you use Gmail integration, processing is subject to Google’s Privacy Policy; we recommend you read it. Reminder: we only request permission to send email; we do not read or access your inbox.

8.2. Google Calendar API. When you use Google Calendar in the booking module (BookingCore), processing is subject to Google’s Privacy Policy. We use calendar access only to: list calendars (names only, for you to choose where to sync — we do not read event content); create events when a booking becomes “confirmed” (manually, via deposit, or as already confirmed), with title, date, time and description per your business settings (visibility, whether to include phone, email and notes in the description, etc.); update events when the date or time of a confirmed booking that already had a Google Calendar event is changed; delete from Google Calendar only the events we created when a booking is cancelled or deleted; and maintain the session using OAuth (refresh token stored securely).

We do not read or modify events we did not create. The business chooses which client details to include in the event description to respect privacy.

9. Minors

The Service is not directed at anyone under 18. We do not knowingly collect personal information from minors. If we learn we have collected such information, we will delete it promptly.

10. International transfers

Your information may be transferred to and processed outside the European Economic Area (EEA). We ensure such transfers comply with applicable data protection law through appropriate transfer mechanisms.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date. We encourage you to review this policy periodically.

12. Contact and data controller

For questions, concerns or requests about this Privacy Policy or your personal data: email soporte@fastcore.es; web https://admin.fastcore.es.

Data controller: FastCore. Email: soporte@fastcore.es.