This policy applies to Desenrasca.me and its products, including Unloki and Vitaform. References to “we”, “us”, or “our” mean Desenrasca.me, the operator identified for these services. Product customers may also act as controllers of information they enter about their own staff, clients, or business operations.
Information we process
Depending on the product and features used, we may process:
- Account information such as names, email addresses, authentication records, and roles.
- Business information such as locations, rooms, services, professionals, schedules, and settings.
- Client information entered by an authorized business user, including contact and booking details.
- Booking, class, package, membership, credit, and payment-reference information.
- For Vitaform, client follow-up records, questionnaire answers, professional comments, plans, payment records, and expenses.
- Technical information such as timestamps, security logs, device/browser details, and errors required to operate and protect the services.
- Support communications and information supplied in a privacy or deletion request.
How we use information
We use information to:
- Provide, secure, maintain, and improve the product features requested by users.
- Authenticate users and enforce tenant, role, and permission boundaries.
- Operate scheduling, bookings, forms, client follow-up, payments, and integrations.
- Respond to support, privacy, security, and legal requests.
- Prevent abuse, investigate incidents, and maintain service reliability.
- Meet applicable contractual and legal obligations.
Google user data used by Unloki
An authorized Unloki tenant administrator may choose to connect a Google account and select a Google calendar for one-way event synchronization. Unloki requests only the permissions needed to identify the connected account, list writable calendars, and manage Unloki-generated events in the selected calendar.
Google data accessed
- The connected Google account identity and email address.
- Calendar-list metadata such as calendar identifier, name, time zone, primary status, and access role.
- Unloki-generated event records when needed to create, inspect, update, or delete those events.
Unloki does not use the integration to read the content of unrelated Google Calendar events or to treat Google availability as Unloki availability.
How Google data is used
Google data is used only to connect the administrator-selected account and calendar, display the connected account and available writable calendars, and operate the visible one-way synchronization feature. Unloki remains the scheduling source of truth.
Information written to Google Calendar
A synchronized event may contain a service or block title, a client display name for a private session, a professional display name, space and room names, event times, entry type, and an internal Unloki schedule-entry identifier.
Unloki does not add email addresses, phone numbers, payment details, internal notes, cancellation reasons, or Google attendees to synchronized events.
Google data stored
We may store the connected account email, selected calendar identifier/name/time zone, granted permission list, encrypted OAuth refresh token, synchronization state, Google event linkage identifiers, timestamps, and sanitized error status.
We do not receive or store the user’s Google password. Google access tokens are short-lived and are not persisted by Unloki.
Google data sharing and transfer
We do not sell Google user data, use it for advertising, or transfer it to data brokers or information resellers. It may be processed by service providers only when necessary to operate or secure the requested feature, disclosed when legally required, or transferred as part of a permitted corporate transaction subject to applicable notice and consent requirements.
Protection of Google user data
OAuth refresh tokens are encrypted at rest using AES-256-GCM. Deployed connections use HTTPS, access is tenant-scoped, and integration management is limited to authorized administrators. Security and error logs are designed not to contain plaintext OAuth credentials.
Retention and deletion of Google user data
Connection information is retained while it is needed to provide the integration or meet legitimate security and legal requirements. Disconnecting Google Calendar removes the stored connection credentials from Unloki. Events already created in Google Calendar may remain there and can be deleted by the user in Google Calendar.
See our Data deletion page for the in-product disconnect process and instructions for a broader deletion request.
Google API Services User Data Policy
Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Service providers and necessary disclosures
We may use infrastructure, database, email, payment, monitoring, and integration providers to deliver the services. Providers receive only the information necessary for their role and are expected to protect it. We may also disclose information to comply with law, protect users and services, or establish and defend legal claims.
Security
We use technical and organizational safeguards appropriate to the information and service, including access controls, tenant isolation, encrypted transport in deployed environments, credential encryption where specified, backups, and operational logging. No system is completely secure, and users should protect their credentials and report suspected misuse promptly.
Retention and deletion
We retain information for as long as needed to provide the products, maintain security and business records, resolve disputes, and meet legal obligations. Retention differs by data type and customer relationship. When information is no longer required, we delete, anonymize, or securely dispose of it according to applicable requirements.
Your choices and rights
Depending on applicable law, a person may have rights to access, correct, delete, restrict, or object to processing, and to request a portable copy of certain information. A business customer may need to handle requests concerning information it controls. We may verify the requester’s identity and authority before acting.
International processing
Service providers may process information in countries other than the user’s own. Where required, we use appropriate contractual or legal safeguards for international transfers.
Children
Our business products are not directed to children creating accounts independently. Customers are responsible for ensuring they have an appropriate legal basis and any required guardian authorization when entering information about minors.
Changes to this policy
We may update this policy when products, legal requirements, or data practices change. Material changes will be communicated where required. The date at the top identifies the current published version.
Contact
The public privacy contact will be added before this policy is published.