Trust & transparency

Google API scopes & data use

Last updated: 28 April 2026

RingBack connects to Google services so it can book appointments on your calendar after answering a call. This page explains exactly which Google API scopes we request, why each one is necessary, what we do with the data, and how we comply with the Google API Services User Data Policy, including the Limited Use requirements.

1. Limited Use disclosure

RingBack's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Concretely, this means we do not:

• use Google user data to train, fine-tune or evaluate generalised AI/ML models;
• transfer Google user data to third parties except as needed to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition or sale of assets with user consent;
• use or transfer Google user data for serving advertisements, including retargeted, personalised or interest-based advertising;
• allow humans to read Google user data, unless we have your explicit consent for specific messages, doing so is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or for internal operations on data that has been aggregated and anonymised.

2. Scopes we request

openid

Why we ask for it: standard OpenID Connect identifier — required by Google in order to start an OAuth login flow.

What we do with it: we receive a Google-issued user ID. We use it solely to recognise your account on subsequent logins.

https://www.googleapis.com/auth/userinfo.email

Why we ask for it: to identify the Google account that connected to RingBack.

What we do with it: we store your primary email address against your RingBack account so we can send you booking notifications and security alerts. We do not email you marketing without separate consent.

https://www.googleapis.com/auth/userinfo.profile

Why we ask for it: to display your name and avatar inside the RingBack dashboard, so you and your team can see who connected which Google account.

What we do with it: we store your given name, family name and profile picture URL. Nothing else.

https://www.googleapis.com/auth/calendar.events

Why we ask for it: RingBack's core feature is booking appointments after answering an inbound call. To do that we need permission to read your free/busy availability and create or modify events on your primary Google Calendar.

What we do with it:

• Read free/busy windows for the next 14 days so the AI agent can offer real available slots to a caller.
• Create a new calendar event when the caller confirms a booking, with the caller's name, contact details and a short summary of the request.
• Modify or cancel an event we created, if the caller calls back to reschedule.

What we never do:

• read or store the contents of events RingBack didn't create;
• write to secondary calendars without explicit configuration in your dashboard;
• delete events that were not created by RingBack.

We deliberately request calendar.events rather than the broader calendar.readonly scope, in line with Google's minimum-scope guidance.

3. How long we keep Google data

• Access & refresh tokens — encrypted at rest (AES-256). Deleted within 24 hours of you disconnecting your Google account or closing your RingBack account.
• Free/busy and event data — held only in volatile memory while the AI is on a call; not persisted to disk.
• Confirmed bookings — the booking summary is stored against your RingBack account so the booking can be reviewed, edited or cancelled. Retained according to the retention period configured by you (default 90 days), then permanently deleted.

4. How to revoke access & delete your data

You can disconnect RingBack from your Google account at any time:

1. Sign in to RingBack and click Settings → Integrations → Disconnect Google; or
2. Visit myaccount.google.com/permissions and revoke RingBack's access directly with Google.

To request deletion of all data we hold about you, including any cached Google data, email privacy@ringbackai.co.uk. We respond to verified deletion requests within 30 days.

5. Security controls protecting Google data

• OAuth tokens stored in an encrypted secrets vault, accessible only by the small subset of RingBack production services that handle Calendar calls.
• All Google API traffic terminated over TLS 1.2+.
• Access to production systems gated by hardware security keys and short-lived credentials.
• Audit logging on every read and write operation against Google APIs.

More detail is on our security page.

6. Contact

Questions about how RingBack uses Google APIs?
Email security@ringbackai.co.uk.

← Back to home