StackFoundry LabsStackFoundry Labs
Managed Websites

Privacy Policy & Data Handling

How we handle your data and integrate with third-party services.

Last updated: January 2026

About This Service

StackFoundry Labs provides managed website services to business clients. This is a B2B service — the platform is not open to the general public. Each client is individually onboarded by our team.

Managed Hosting

Website hosting & SaaS platform

Calendar Integration

Appointment booking for your website

Calendar Integration

When you connect your calendar, we request access to enable appointment booking. Events are created only after explicit user action.

What We Do

  • Check availability (free/busy only)
  • Create events when bookings confirmed
  • Generate meeting links (when available)
  • Block time slots to prevent double-booking

What We Don't Do

  • Read, modify, or delete existing events
  • Access event titles or descriptions
  • Create events automatically
  • Use calendar data for third-party analytics or advertising

Data Usage for Bookings & Appointments

StackFoundry Labs provides a managed booking and appointment feature for websites built and operated by us on behalf of our clients.

When a visitor books an appointment through a client website, we may temporarily process the following information solely for the purpose of completing the booking:

  • Name
  • Email address
  • Optional phone number
  • Optional message or purpose of the meeting

This information is used only to:

  • Create a calendar event in the client's Google Calendar,
  • Add the visitor as an attendee and generate a Google Meet link (where applicable), and
  • Send the visitor (and, if configured, the session host) a confirmation email. When the client uses Gmail (OAuth) for email, that email is sent via Google's Gmail API; when the client uses another email provider (e.g. SMTP), we do not use Gmail for sending.

We do not store booking or appointment data in our own databases. Booking details are transmitted securely to the client's Google Calendar account and are retained there according to the client's Google account settings and Google's privacy policies. Confirmation emails sent via Gmail are processed by Google in accordance with Google's Privacy Policy and Google API Terms of Service.

When a visitor books an appointment, we send them a confirmation email with the session details and meeting link. A copy of this confirmation is BCC'd to the session host (the client website owner) so they can prepare for the appointment. The host receives only what is in the confirmation email; no additional visitor data is shared.

StackFoundry Labs does not:

  • Maintain a separate booking database or CRM of visitors
  • Use booking data for marketing, analytics, or profiling
  • Share booking data with third parties other than Google (Calendar and, when used for email, Gmail) for the purposes described above

Booking data is processed on behalf of the client website owner, who remains the controller of that data. Visitors who wish to modify or delete booking information should do so via the calendar invitation or by contacting the website owner directly.

Access to Google Calendar and (when the client chooses Gmail for email) Gmail is granted explicitly by the client during setup and can be revoked at any time through the client's Google Account permissions.

Google APIs We Use

We use the following Google APIs to provide booking and confirmation emails:

Google APIPurposeData involved
Google Calendar APIRead busy/free times to prevent double bookings; create calendar events; add attendees; generate Google Meet linksVisitor name, email, optional phone/message; event time and duration
Gmail API(When client uses Gmail for email) Send booking confirmation emails (and BCC to session host if configured) on behalf of the client's connected Google accountRecipient email addresses; subject and body of the confirmation email (session details and meeting link)

These APIs are used only for the purposes listed. Our use of Google APIs is subject to Google's Privacy Policy and Google API Terms of Service. We do not use Google APIs for advertising, profiling, or unrelated purposes.

Website Analytics (Insights)

For some managed client websites, we provide privacy-first website analytics so our clients can understand how visitors use their site (e.g. which pages are viewed, engagement, use of tools such as calculators). This helps improve content and user experience.

What we collect (analytics only)

  • Page paths (URL paths only, no query parameters or full URLs)
  • Approximate scroll depth (e.g. 25%, 50%, 75%, 100% per page)
  • Optional: button/tool usage (e.g. calculator used), when the client has enabled such tracking
  • Basic technical context (e.g. device type bucket: mobile/tablet/desktop)
  • Referrer category (e.g. direct, search, social) for traffic source

We do not collect names, emails, IP addresses (we use an anonymized hash only for session grouping), or any other personally identifiable information in this analytics pipeline. We do not use third-party trackers, advertising pixels, or fingerprinting.

Retention

  • Raw event data: 7–14 days, then automatically deleted.
  • Aggregated, non-identifiable summaries (e.g. daily visitor counts, top pages): may be retained longer (e.g. 6–12 months) for reporting to the client.

Who sees it

Only the client (website owner) receives summary reports (e.g. daily email). We do not share analytics data with third parties or use it for advertising or profiling.

Control

The client can disable analytics at any time via the platform. Visitors who wish to opt out may contact the client or us (e.g. contact@stackfoundrylabs.com) and we will work to exclude their sessions where technically feasible.

Data Storage

We follow a data minimization principle. Your calendar remains the single source of truth.

What We Store

  • OAuth tokens (encrypted AES-256)
  • Availability cache (date/time slots only)
  • Free/busy status (expires in 24h)

What We Don't Store

  • Event titles or descriptions
  • Attendee information
  • Personal calendar content

Booking Visitor Data

When visitors book appointments, their name, email, and message are used to create the calendar event and send confirmations. This data is passed through but not persisted as booking records.

Your Control

You retain full control over your account access at all times.

Revoke via Your Account

Revoke access directly from your calendar provider's account settings. When revoked:

  • • Tokens immediately invalidated
  • • Booking auto-disabled
  • • No further access possible

Request Disconnection

Email us to disconnect your calendar. We will:

  • • Delete stored tokens
  • • Disable booking
  • • Confirm completion via email

Security

  • Encryption: AES-256 at rest
  • Isolation: Per-client data separation
  • Server-side: Tokens never in browser
  • EU Hosting: Hetzner Cloud, Germany

We Never

  • Use third-party advertising analytics, ad pixels, or tracking for ads
  • Train AI/ML on your data
  • Share with third parties (except as required for booking and confirmation emails, e.g. Google Calendar and Gmail)
  • Sell or monetize your data (or analytics data)

For managed client sites we may offer optional, privacy-first website analytics (page views, engagement only; no PII; short raw-data retention). See Website Analytics (Insights) above.

Data Retention & Compliance

Retention Periods

  • OAuth tokens: Until revoked or disconnected
  • Availability cache: 24 hours (auto-expires)
  • Booking data: Not persisted (pass-through)

Legal Compliance

  • GDPR: EU data protection compliant
  • CCPA: California privacy rights supported
  • Data portability: Export available on request
  • Legal basis: Contractual necessity & legitimate interest

Limited Use Disclosure

Our use and transfer of information received from Google APIs (Calendar and, when used for email, Gmail) adheres to Google's Privacy Policy and Google API Terms of Service, including use limitations. This data is used solely to provide appointment booking and confirmation emails and for no other purpose.

Third-Party Services

We integrate with Google Calendar and, when the client uses Gmail for email, Gmail, solely to provide booking and appointment functionality and to send confirmation emails. Data shared with Google (e.g. calendar event details and email content/recipients) is used only for those purposes and is governed by Google's Privacy Policy and Google API Terms of Service.

Cookies & Tracking

We use necessary cookies for site functionality (e.g., session management). We do not use cookies for advertising or cross-site tracking. No third-party trackers are used for marketing purposes.

View Cookie Policy →

Children's Privacy

This service is intended for business use only. We do not knowingly collect information from children under 16. If you believe a child has provided us with personal information, please contact us immediately.

Your Data Rights

You have the right to access, correct, or delete your personal data. To exercise these rights, submit a request to:

contact@stackfoundrylabs.com

Policy Updates

We may update this policy periodically. Material changes will be communicated via email to active clients.

Update History

  • Jan 2026Added Website Analytics (Insights) section; updated We Never for consistency with privacy-first analytics.
  • Jan 2026Added Google Calendar API and Gmail API disclosure; confirmation email and Gmail revocation wording.
  • Jan 2026Added BCC / session-host disclosure for booking confirmation emails.
  • Jan 2026Added "Data Usage for Bookings & Appointments" section; added Third-Party Services disclosure.
  • Jan 2026Initial policy published with calendar integration details, GDPR/CCPA compliance, and data handling practices.

Questions?

Contact us at contact@stackfoundrylabs.com

See also: General Privacy Policy