Privacy Policy
Last updated: July 16, 2026
GrabTime ("we", "us") is a scheduling service available at grabtime.me. This policy explains what personal data we collect, why we collect it, and what rights you have over it. It applies to account holders ("hosts") and to people who book an appointment through a GrabTime link ("guests").
The short version: we collect only what the service needs to work, we do not run analytics or advertising trackers, and we never sell your data.
1. Who is responsible for your data
GrabTime is the data controller for the personal data described in this policy. You can reach us at support@grabtime.me for any privacy question or request.
When a host collects your booking details through their GrabTime page, that host also acts as a controller for how they use your appointment information (for example, how they follow up with you after a meeting).
2. What we collect
If you create an account (hosts)
- Your name, email address, and password (stored hashed — we never see or store it in plain text).
- Your timezone, and optionally a profile description and avatar image.
- Two-factor authentication secrets and recovery codes, if you enable two-factor authentication (stored encrypted).
- Team details you create: team name, members, roles, and the email addresses of people you invite.
- Session types you configure: titles, descriptions, durations, availability, and meeting links.
If you book an appointment (guests)
- Your name and email address.
- The date and time slot you pick, and any notes you choose to add to the booking.
Guests do not need an account, and we create no profile of guests beyond the bookings they make.
If you connect an integration (hosts)
You can optionally connect Google (for Google Calendar and Google Meet) or Zoom. When you do, we store the account identifier and email of the connected account, the permissions (scopes) you granted, and the access and refresh tokens needed to act on your behalf. Tokens are stored encrypted. You can disconnect an integration at any time, which deletes the stored tokens.
3. Why we use it (and the legal basis)
- Running the service — showing your booking page, processing appointment requests, sending booking emails and calendar invites (performance of a contract, Art. 6(1)(b) GDPR).
- Integrations you connect — creating meeting links and calendar events via Google or Zoom (your consent, Art. 6(1)(a) GDPR; withdraw it by disconnecting the integration).
- Keeping the service secure — session management, two-factor authentication, abuse prevention (legitimate interest, Art. 6(1)(f) GDPR).
We do not use your data for advertising, profiling, or automated decision-making, and we do not sell it to anyone.
4. Google user data
GrabTime's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google data only to create calendar events and Google Meet links for your confirmed appointments. We do not use it for advertising, and we do not allow humans to read it except with your consent, for security purposes, or where required by law.
5. Who we share data with
We share data only with the service providers we need to operate GrabTime:
- Our hosting provider, which stores the application database.
- Our email delivery provider, which sends transactional emails (booking requests, confirmations, cancellations, invitations).
- A cloud storage provider, if you upload an avatar image.
- Google or Zoom, only if you connect them, and only to perform the actions you asked for.
These providers process data on our instructions under data processing agreements. Some may process data outside the European Economic Area; where that happens, transfers are covered by the European Commission's Standard Contractual Clauses or an adequacy decision.
6. Cookies
GrabTime uses only functional cookies — no tracking or advertising cookies:
- A session cookie and a CSRF protection cookie, required to keep you signed in and secure.
- Small preference cookies that remember your theme (light/dark) and sidebar state.
7. How long we keep data
- Account data is kept for as long as your account exists. Deleting your account removes your personal data.
- Appointments and the guest details in them are kept until the host deletes them or deletes their account.
- Integration tokens are deleted when you disconnect the integration or delete your account.
Guests: if you want a booking removed, ask the host you booked with, or contact us at support@grabtime.me and we will handle it.
8. Your rights
Under the GDPR you can ask us to:
- Access the personal data we hold about you, and receive a copy in a portable format.
- Correct inaccurate data, or delete your data.
- Restrict or object to certain processing.
- Withdraw consent at any time (for example, by disconnecting an integration).
Send requests to support@grabtime.me. You also have the right to lodge a complaint with your data protection authority — in the Netherlands, the Autoriteit Persoonsgegevens.
9. Security
All traffic to GrabTime is encrypted with HTTPS. Passwords are hashed, and integration tokens and two-factor secrets are encrypted at rest. Access to production data is restricted to what is necessary to operate the service.
10. Changes to this policy
If we change this policy in a meaningful way, we will update the date at the top and, for significant changes, notify hosts by email or in the app before the change takes effect.
11. Contact
Questions about this policy or your data: support@grabtime.me.