Google Calendar integration
North Desk connects to Google Calendar so our AI can read a Customer’s open slots and book new appointments on the Customer’s behalf — nothing more. This page explains what we ask for, what we do with it, and what we explicitly don’t do.
- One OAuth scope: https://www.googleapis.com/auth/calendar.events — the minimum needed to read free/busy and create appointments.
- What we read: free/busy on the calendars you authorize, so our AI proposes times that are actually open.
- What we write: single-booking appointment events, in response to specific lead or caller requests conducted through North Desk.
- What we never do: advertising, selling Google data, training AI models on Google data, or letting humans read Google data (except for the narrow exceptions Google requires us to disclose).
What North Desk does
North Desk is a speed-to-lead automation service for small businesses. Our Customer receives a lead — from a web form, a paid lead-form ad, or a webhook integration — and North Desk immediately responds by SMS. When a lead indicates they want to book, our AI assistant finds an open slot on the Customer’s calendar and creates the appointment. The Google Calendar integration is how the last step happens: we need to know what’s free and we need to be able to write the booking back.
The scope we request
We request exactly one Google OAuth scope:
https://www.googleapis.com/auth/calendar.events
This scope lets us read events on the calendars the user authorizes and create new events on those calendars. We do not request the full-calendar scope (calendar), the settings scope, or any calendar-list scope. We don’t need them and we don’t want access to data we won’t use.
How the data flows
1. A Customer connects Google Calendar
From the North Desk dashboard, the Customer clicks “Connect Google Calendar.” They’re sent to Google’s consent screen, which shows our app name (North Desk) and lists the calendar.events scope. They grant or deny. Google redirects them back to our callback URL with a short-lived authorization code.
2. We exchange the code for tokens
We exchange the code for an access token and a refresh token, then store both encrypted at rest in our Postgres database (Supabase). The symmetric key that protects those tokens is held outside the database; no employee has standing access to plaintext tokens.
3. We read free/busy and create events
When a lead agrees to a booking time, our server-side code calls freeBusy.query to confirm the slot is still open, then events.insert to write the appointment to the primary calendar of the account the Customer connected. We don’t mirror the Customer’s whole calendar to our database; we don’t read event details we didn’t create, except the minimum needed to avoid double-booking.
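How a single-scope request can be enforced at steps 1 and 2, as an added example that is not North Desk's own code: the consent URL asks for one scope, the callback is accepted only with a matching state value, and tokens are kept only when the grant is exactly that scope. The function names, the strict-equality policy, and the client ID and redirect URI a caller would pass in are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
ONLY_SCOPE = "https://www.googleapis.com/auth/calendar.events"


def build_consent_url(client_id, redirect_uri):
    """Step 1: consent URL that asks for the single scope. Returns (url, state)."""
    state = secrets.token_urlsafe(32)  # caller binds this to the user's session
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ONLY_SCOPE,
        "access_type": "offline",  # needed to receive a refresh token
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def read_callback(query_string, expected_state):
    """Step 1, return leg: check state before the authorization code is trusted."""
    q = parse_qs(query_string)
    if "error" in q:
        raise PermissionError("consent not granted: " + q["error"][0])
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch, callback rejected")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def accept_tokens(token_response):
    """Step 2: keep tokens only if the grant is exactly the one scope (assumed policy)."""
    granted = set(token_response.get("scope", "").split())
    if granted != {ONLY_SCOPE}:
        raise PermissionError("unexpected grant: " + " ".join(sorted(granted)))
    if not token_response.get("refresh_token"):
        raise ValueError("no refresh token in response")
    # The caller encrypts both values before they reach the database.
    return token_response["access_token"], token_response["refresh_token"]
```

The `token_response` argument is the parsed JSON body returned by the code-for-token exchange, whose `scope` field is a space-delimited list of what was actually granted.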
Google API Services / Limited Use
North Desk’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Consistent with that policy, North Desk does not:
- (a) transfer, sell, or use information received from Google APIs for serving advertising, including retargeting, personalized advertising, or interest-based advertising;
- (b) transfer or sell information received from Google APIs to third parties such as advertising platforms, data brokers, or information resellers;
- (c) use information received from Google APIs to develop, train, or improve generalized or non-personalized AI or machine learning models, including large language models; or
- (d) allow humans to read Google user data, except (i) with the user’s explicit consent for specific records, (ii) for security investigations, (iii) to comply with applicable law, or (iv) for internal operations, and in that case only after the data has been aggregated and de-identified.
Revoking access
A Customer can revoke our access to their Google account at any time:
- From within North Desk, on the integrations page of the dashboard (“Disconnect Google Calendar”).
- Directly at myaccount.google.com/permissions.
On revocation we purge the associated OAuth tokens within 7 days. Event metadata on calendar items we created is retained for audit purposes as described in Section 10 of the Privacy Policy.
Questions and reports
Questions about Google data handling: privacy@trynorthdesk.com. Security reports: legal@trynorthdesk.com. Full handling details live in Section 4 of the Privacy Policy.