Back

Privacy Policy

Privacy Notice

This Privacy Notice applies to AppoTo-operated product, marketing, onboarding, account, and related legal pages that link to this document.

1. Controller

Controller: Marek Minar

Company registration number: 24023353

Registered office: Gajdosova 2422/12, Ostrava 70200, Czech Republic

Contact email: info@appo.to

2. Categories of personal data

We may process identification and contact data, business account data, team member and permission data, booking and scheduling data, communication records, SMS usage and billing usage records, authentication data, device and usage data, log and security data, and information submitted in support requests or forms. When a customer or staff member connects Google Calendar, we may also process Google account identifiers, Google Calendar list metadata, calendar IDs, selected calendar settings, availability and free/busy information, event IDs, event start and end times, event status, event titles and descriptions where needed for appointment sync or event import, event attendee names and email addresses where events are imported, calendar watch channel metadata, sync tokens, and OAuth access and refresh tokens.

3. Purposes and legal bases

We process personal data:

  • to create and manage user accounts, provide booking and scheduling features, and operate the service under Article 6(1)(b) GDPR;
  • to connect and synchronize Google Calendar when a user chooses that integration, including listing writable calendars, creating or selecting calendars, creating, updating, deleting, and importing calendar events, calculating availability, detecting calendar changes, and sharing calendars with staff where enabled under Article 6(1)(b) GDPR;
  • to meet legal, accounting, tax, fraud-prevention, and record-keeping obligations under Article 6(1)(c) GDPR;
  • to protect the security, availability, and integrity of the service, handle support, enforce our terms, and improve the product under Article 6(1)(f) GDPR;
  • to process marketing preferences only where consent is required and has been obtained under Article 6(1)(a) GDPR.

4. Google User Data

If you choose to connect AppoTo to your Google Account, including Google Calendar, AppoTo accesses and processes Google user data only with your authorization and only as necessary to provide AppoTo's appointment scheduling and calendar synchronization features.

For AppoTo's current Google integration, Google user data may include:

  • Google account identifiers and email address used to connect the account;
  • Google Calendar list metadata, calendar IDs, selected calendar settings, availability and free/busy information;
  • calendar event data needed for AppoTo scheduling features, such as event IDs, titles, descriptions, start and end times, status, attendee names and email addresses where events are imported, sync tokens, watch channel metadata, and OAuth access and refresh tokens.

How AppoTo uses Google user data:

  • to connect a Google account chosen by the user;
  • to list writable calendars and let the user select or create calendars for AppoTo bookings;
  • to create, update, delete, watch, and synchronize appointment events and busy blocks;
  • to import calendar events when the user requests import features;
  • to calculate availability, prevent double bookings, show sync status, and troubleshoot calendar-related support requests.

AppoTo does not sell personal data, including Google user data. AppoTo does not share, transfer, or disclose Google user data to advertising platforms, data brokers, information resellers, or for personalized advertising, retargeting, credit-worthiness, lending, or unrelated marketing purposes.

AppoTo shares, transfers, or discloses Google user data only with the recipients and in the situations listed below:

  • to Google Cloud services, including Firebase, as infrastructure providers that host AppoTo services, databases, authentication, cloud functions, storage, logs, and operational monitoring;
  • to Google APIs as necessary to read, create, update, delete, watch, and synchronize Google Calendar calendars and events requested by the user;
  • to authorized members of the same AppoTo tenant, such as business owners, administrators, or staff, only where the product feature requires it, for example showing availability, booking events, calendar assignments, or staff calendar sharing configured by the customer;
  • to service providers that process data on AppoTo's behalf solely to operate AppoTo, such as secure cloud hosting, database storage, logging, transactional email/SMS delivery, customer support, and security providers;
  • to support, security, legal, or compliance personnel only where necessary to operate, secure, troubleshoot, enforce terms, or comply with law;
  • to a third party only if the user gives explicit direction, if required by law, if necessary to protect the rights, safety, and security of users, AppoTo, or the public, or as part of a merger, acquisition, financing, reorganization, or sale of assets only after obtaining explicit prior consent from the affected user where the transfer involves Google user data, and subject to appropriate confidentiality protections.

All service providers are required to process Google user data only for the purposes described in this Privacy Notice and are not permitted to use Google user data for their own purposes.

5. Processors and recipients

Based on the current implementation, personal data may be processed by:

  • Google Cloud services, including Firebase, for hosting, authentication, cloud functions, database, file storage, and operational performance and error monitoring;
  • Google APIs and Google Calendar integration where a customer connects Google services;
  • Google Maps APIs for address and place lookup features where those features are used;
  • payment processors for subscription billing, payment method handling, invoices, seat charges, and usage-based SMS overage billing;
  • Resend for transactional email delivery;
  • BulkGate for transactional SMS delivery.

6. Google API Limited Use, human access, AI/ML, retention, and deletion

AppoTo accesses Google Calendar data only after a user connects a Google account and grants consent.

AppoTo uses Google user data only to provide or improve user-facing AppoTo calendar features that are visible in the application, including:

  • selecting or creating calendars;
  • synchronizing appointments and busy blocks;
  • importing calendar events when requested by the user;
  • calculating availability and preventing double bookings;
  • receiving calendar change notifications and showing sync status;
  • sharing calendars with staff where the customer enables that feature.

Human access to Google user data is restricted:

  • AppoTo personnel do not access Google user data unless it is necessary to provide support requested by the user, investigate security or abuse issues, or comply with applicable law;
  • AppoTo may use aggregated and de-identified information for internal operations in accordance with applicable law.

AI/ML model training:

  • AppoTo does not use Google user data, including data obtained from Google Workspace APIs, to create, train, or improve generalized artificial intelligence or machine learning models.

OAuth tokens and Google API Limited Use:

  • OAuth access and refresh tokens are stored server-side, encrypted at rest, and are not exposed to browser clients;
  • access to Google Calendar data and tokens is limited to automated service operation and to authorized support, security, or legal access where necessary;
  • AppoTo does not sell Google user data, does not use Google user data for advertising, does not use Google user data to train generalized AI models, and does not transfer Google user data to third parties except as necessary to provide or secure AppoTo, comply with law, or with the user's explicit direction;
  • AppoTo's use and transfer of information received from Google APIs follows the Google API Services User Data Policy, including the Limited Use requirements.

Retention and deletion:

  • users can disconnect Google Calendar in AppoTo, revoke AppoTo's access in their Google Account permissions, or request deletion by contacting info@appo.to;
  • after disconnection or revocation, AppoTo stops new Google Calendar sync operations for that connection and deletes or no longer uses stored OAuth tokens unless retention is required for security, legal, or accounting reasons.

7. Data protection and security

AppoTo applies technical and organizational safeguards designed to protect personal data, including Google user data and OAuth tokens, against unauthorized access, disclosure, alteration, or loss. These safeguards include:

  • encryption in transit using HTTPS/TLS for app, API, and Google API communications;
  • encryption at rest provided by Google Cloud services, including Firebase, for stored databases, files, logs, and operational data;
  • OAuth access and refresh tokens are stored server-side, encrypted at rest, and are not exposed to browser clients;
  • Firebase Authentication, tenant-based authorization checks, Firestore security rules, and role-based access controls to limit access to customer workspaces;
  • restricted employee and contractor access based on least-privilege principles, with access limited to support, security, legal, or service-operation needs;
  • separation of tenant data so one customer's users cannot access another customer's workspace data through normal product flows;
  • operational logging, monitoring, abuse-prevention controls, and procedures for reviewing and responding to security incidents;
  • retention limits, disconnection flows, revocation support, and deletion request handling as described in this Privacy Notice.

8. International transfers

Some providers used by AppoTo may process or make personal data accessible outside the EU or EEA, including from third countries such as the United States. Where this happens, AppoTo relies on the transfer mechanism documented by the relevant provider, such as an adequacy decision, standard contractual clauses, or another lawful safeguard under Chapter V GDPR.

9. Retention

Unless a longer period is required by law or needed to protect legal claims, AppoTo currently retains data for the following periods:

  • account and tenant setup data: for the duration of the account and up to 3 years after closure;
  • booking and scheduling records: up to 3 years after the appointment date;
  • Google Calendar OAuth tokens: while the calendar integration remains connected, and deleted or disabled after disconnection, revocation, account closure, or a verified deletion request unless a longer period is required for security, legal, or abuse-prevention reasons;
  • Google Calendar sync metadata, such as selected calendar IDs, remote event IDs, sync tokens, and watch channel metadata: while needed to provide sync and for up to 3 years with the related booking or scheduling record, unless deleted earlier or retained longer where legally required;
  • support and operational communication: up to 2 years after the last communication;
  • security and application logs: normally up to 90 days unless investigation or abuse prevention requires longer retention;
  • accounting and tax records: 10 years where required by Czech accounting or tax law;
  • marketing consent records: until consent is withdrawn, plus up to 3 years to demonstrate compliance.

10. AppoTo AI

When a signed-in user chooses to use AppoTo AI, AppoTo processes the user's prompt and only the account data needed to answer the request or carry out an authorized booking-rule change. Depending on the request, this may include limited client contact and visit data, procedure details, appointment details, monthly report summaries, worker names, permissions, and booking settings. AppoTo AI is designed not to send client notes, photos, consultation answers, message contents, attachments, bank details, or payment identifiers to the model.

AppoTo uses Google Cloud Vertex AI to generate AppoTo AI responses. Google Cloud's service terms state that Customer Data is not used to train or fine-tune AI/ML models without the customer's prior permission or instruction. Model processing is configured for an EU region. The existing AppoTo Firebase database is hosted in a North American multi-region, so AppoTo AI must not be understood or advertised as fully EU-resident.

Each signed-in user has a private AppoTo AI conversation that is not automatically visible to the tenant owner, administrators, other team members, or support. Chat messages are kept for up to 90 days unless the user clears them earlier. A minimal action audit containing the actor, tenant, command, affected record, before/after values, and outcome—but not chat text—is kept for up to 12 months for security and accountability. Technical telemetry is designed not to contain prompt text. Google may retain limited prompt data where necessary for abuse monitoring under its applicable cloud terms.

11. Local storage and cookies

Based on the current codebase, AppoTo stores language preferences, onboarding draft progress, and booking form convenience data in local storage or session storage. AppoTo uses Firebase Performance Monitoring to measure operational performance such as page load timing, route timing, and network request timing. AppoTo also uses Firebase Crashlytics and Google Cloud Error Reporting to collect technical crash and application-error reports needed to keep the service reliable. These reports are designed to contain technical context such as the affected app section, app version, device type, and error stack, and not customer messages, notes, payment details, names, email addresses, or phone numbers. AppoTo does not currently initialize Google Analytics, Meta Pixel, or similar marketing analytics scripts in the application. If non-essential marketing analytics tools are added later, consent will be obtained where required by law before those tools are activated.

12. Your rights

Subject to applicable law, you may request access, rectification, erasure, restriction, portability, or object to processing. Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing. You may also disconnect Google Calendar in AppoTo or revoke AppoTo's Google access through your Google Account at any time.

13. Complaints

If you believe your personal data is processed unlawfully, you may lodge a complaint with the Czech supervisory authority, the Office for Personal Data Protection (UOOU), Pplk. Sochora 727/27, 170 00 Praha 7, Czech Republic, or via https://uoou.gov.cz/verejnost/stiznost-na-spravce-nebo-zpracovatele.

14. Contact

For privacy requests, contact info@appo.to.

14. Mobile app, Apple sign-in, notifications, and App Store privacy information

When you use AppoTo on iOS or another mobile platform, we may process:

  • Sign in with Apple data, such as Apple user identifier, email address or private relay address, display name if Apple provides it during first sign-in, and authentication provider metadata. We use this to create, link, secure, and support your AppoTo account.
  • Authentication provider data for other sign-in methods, such as Google or email/password, so that accounts using the same email can be linked or sign-in method guidance can be shown.
  • Push notification data, including Firebase Cloud Messaging/APNs registration tokens, device or platform identifiers needed to deliver notifications, notification permission status, and notification preferences. We use these to send transactional appointment, waitlist, account, calendar, and reminder notifications that you enable or that are needed to operate the service.
  • Live Activity and widget data on supported Apple devices, such as procedure or appointment status, start and end timing, worker or business context, and local shared App Group state needed to show the activity on the Lock Screen, Dynamic Island, or widgets. This data is used only for the visible app feature and is not used for advertising.
  • Device and app state needed for security, diagnostics, fraud prevention, account deletion, and support, including app version, platform, crash or diagnostic logs if provided by the platform, and operational logs.

Apple Calendar integration is separate from Sign in with Apple. If you connect Apple Calendar with an app-specific password, we process the Apple Account email address, app-specific password or credential stored server-side, selected calendar metadata, availability and free/busy information, and calendar event data needed to sync appointments if that feature is enabled.

App Store privacy information: For iOS distribution, App Store Connect privacy responses and App Privacy labels must describe the data collected by the AppoTo app and its SDKs. Those labels are a summary and should be kept consistent with this Privacy Notice, including account identifiers, contact information, user content and booking data, device identifiers or push tokens, diagnostics, and payment or subscription data where collected. AppoTo does not use this data for third-party advertising or tracking unless a future version explicitly says so and obtains any required consent.