Integrations · Google Calendar

Google Calendar integration

Northdeskconnects to Google Calendar so our AI can read a Customer’s open slots and book new appointments on the Customer’s behalf — nothing more. This page explains what we ask for, what we do with it, and what we explicitly don’t do.

At a glance

Two narrow OAuth scopes: https://www.googleapis.com/auth/calendar.events.freebusy (read busy intervals, no event details) and https://www.googleapis.com/auth/calendar.events (write appointment events). Split deliberately so each permission is at the narrowest surface Google offers for the behavior we actually need.
What we read: free/busy on the calendars you authorize, so our AI proposes times that are actually open.
What we write: single-booking appointment events, in response to specific lead or caller requests conducted through Northdesk.
What we never do: advertising, selling Google data, training AI models on Google data, or letting humans read Google data (except for the narrow exceptions Google requires us to disclose).

What Northdesk does

Northdesk is a speed-to-lead automation service for small businesses. Our Customer receives a lead — from a web form, a paid lead-form ad, or a webhook integration — and Northdeskimmediately responds with an automated AI phone call. When the lead wants to book, our AI assistant finds an open slot on the Customer’s calendar and creates the appointment. The Google Calendar integration is how the last step happens: we need to know what’s free and we need to be able to write the booking back.

The scopes we request

We request two Google OAuth scopes — split on purpose so that each permission is the narrowest Google offers for the behavior we actually need:

https://www.googleapis.com/auth/calendar.events.freebusy
Read-only. Authorizes freeBusy.query, which returns only busy start/end intervals — never event titles, descriptions, or attendees.

https://www.googleapis.com/auth/calendar.events
Write. Authorizes events.insert(and the equivalent reschedule / cancel calls) for appointments we create on the Customer’s behalf.

We do not request the full-calendar scope (calendar), the settings scope, any calendar-list scope, or the broader calendar.readonlyscope. We don’t need them and we don’t want access to data we won’t use.

How the data flows

1. A Customer connects Google Calendar

From the Northdeskdashboard, the Customer clicks “Connect Google Calendar.” They’re sent to Google’s consent screen, which shows our app name (Northdesk) and lists both the calendar.events.freebusy and calendar.events scopes. They grant or deny. Google redirects them back to our callback URL with a short-lived authorization code.

2. We exchange the code for tokens

We exchange the code for an access token and a refresh token, then store both encrypted at rest in our Postgres database (Supabase). The symmetric key that protects those tokens is held outside the database; no employee has standing access to plaintext tokens.

3. We read free/busy and create events

When a lead agrees to a booking time, our server-side code calls freeBusy.query to confirm the slot is still open — Google returns only busy intervals under the calendar.events.freebusy scope, never event titles, descriptions, or attendees — then events.insert under calendar.eventsto write the appointment. We don’t mirror the Customer’s whole calendar to our database; we don’t read event details we didn’t create.

Google API Services / Limited Use

Northdesk’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Consistent with that policy, Northdesk does not:

(a) transfer, sell, or use information received from Google APIs for serving advertising, including retargeting, personalized advertising, or interest-based advertising;
(b) transfer or sell information received from Google APIs to third parties such as advertising platforms, data brokers, or information resellers;
(c) use information received from Google APIs to develop, train, or improve generalized or non-personalized AI or machine learning models, including large language models; or
(d)allow humans to read Google user data, except (i) with the user’s explicit consent for specific records, (ii) for security investigations, (iii) to comply with applicable law, or (iv) for internal operations, and in that case only after the data has been aggregated and de-identified.

Revoking access

A Customer can revoke our access to their Google account at any time:

From within Northdesk, on the integrations page of the dashboard (“Disconnect Google Calendar”).
Directly at myaccount.google.com/permissions.

On revocation we purge the associated OAuth tokens within 7 days. Event metadata on calendar items we created is retained for audit purposes as described in Section 10 of the Privacy Policy.

Questions and reports

Questions about Google data handling: privacy@trynorthdesk.com. Security reports: legal@trynorthdesk.com. Full handling details live in Section 4 of the Privacy Policy.