Legal
Privacy Policy
Last updated: June 16, 2026
Gestru ("we", "us", or "our") operates a business platform for real estate teams, including property management, client relationship management, calendar scheduling, and related collaboration tools.
Data controller: Gestru. Questions about this policy or your personal data: team@gestru.com.
Personal Information
- Name, email address, and profile information when you register or sign in
- Team membership, role, and workspace settings you configure in Gestru
- Communication preferences and notification settings
- Usage data and analytics to improve our services
Google Sign-In (Authentication)
If you choose "Login with Google", Our Auth engine uses a separate login OAuth client to authenticate you. We receive basic account information needed to sign you in (such as your name and email address). This login flow does not access your Google Calendar.
Google OAuth Scopes and Data
When you connect Google services in integrations settings, Gestru requests only the permissions listed below. We access Google user data only after you grant consent on Google's OAuth screen. We do not access Google data without your explicit permission.
https://www.googleapis.com/auth/calendar.calendarlist.readonly
Data accessed: the list of Google Calendars you are subscribed to (calendar names and identifiers).
How we use it: to let you choose which calendar to connect for scheduling and import.
How we store it: selected calendar metadata is stored with your integrations settings; OAuth tokens are encrypted at rest.
https://www.googleapis.com/auth/calendar.events (sensitive scope)
Data accessed: Google may grant access to events on any calendar you can access. Gestru only processes the calendar or calendars you explicitly select for scheduling and synchronization, including titles, times, descriptions, locations, and related metadata needed for sync.
How we use it: to display, create, update, and delete calendar events within Gestru and keep them synchronized with your Google Calendar (two-way sync for connected calendars).
How we store it: event data needed for bookings and sync is stored in our database; OAuth refresh and access tokens are encrypted at rest.
How We Access, Share, and Retain Google Data
- Access:via OAuth 2.0 after you approve scopes on Google's consent screen; server-side API calls only (never exposed to the browser)
- Sharing: we do not sell, rent, or disclose Google user data for advertising, retargeting, data brokering, or information resale. Data may be processed by service providers for hosting, storage, logging, support, and security solely to operate Gestru under contract and confidentiality obligations
- Retention: Google-derived calendar and profile data is kept only as long as needed to provide the service, maintain your account, and comply with legal obligations. When you disconnect Google Calendar, we immediately stop synchronization and delete OAuth access and refresh tokens. Google-derived calendar event data is deleted within 30 days unless it has been converted into a Gestru CRM booking, audit record, or another record that must be retained for service, legal, dispute-resolution, or security purposes
- Revocation: disconnect Google Calendar in Gestru integrations, or revoke Gestru at Google Account permissions
Google API Services β Limited Use
Gestru's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Google user data is used only to provide or improve user-facing features that are prominent in Gestru (calendar sync and scheduling)
- We do not sell, transfer, or use Google user data for advertising, retargeting, interest-based advertising, data brokering, information resale, or creditworthiness purposes
- We do not allow humans to read your Google Calendar content except with your explicit consent, for security or abuse investigation, or as required by law
- Google sign-in for authentication uses a separate OAuth client from Google Calendar integration; each permission set is requested and controlled independently
- We do not use Google Calendar content to train generalized AI or machine learning models
- If we change how we use Google user data, we will update this policy and obtain your consent where required before new uses
Cookies and Tracking
- Session cookies for authentication and security
- Analytics cookies to understand usage patterns
- Preference cookies to remember your settings
- Google Sign-In and OAuth consent flows may use Google cookies as part of the authorization process
Service Provision
- Authenticate and authorize your access
- Sync calendar events and appointments
- Manage your profile and preferences
- Provide customer support
Improvement & Analytics
- Analyze usage patterns and trends
- Improve user experience and features
- Identify and fix technical issues
- Develop new functionality
Encryption
- All data transmitted over HTTPS/TLS
- OAuth tokens encrypted at rest
- Database-level encryption
- Secure key management
Access Control
- Role-based access controls
- Multi-factor authentication
- Session management
- Regular security audits
We DO NOT sell, rent, or trade your personal information
Your personal information is only shared in the following limited circumstances:
- Google Services: Only when you explicitly grant permission for calendar integration
- Service Providers: Trusted third parties who help us operate our services (hosting, analytics, etc.)
- Legal Requirements: When required by law or to protect our rights and safety
- Business Transfers: In case of merger, acquisition, or sale of assets (with notice)
Access and Control
- View and update your profile information
- Download your data (GDPR compliance)
- Delete your account and data
- Disconnect Google Calendar in integrations settings
- Revoke Google access at myaccount.google.com/permissions
Communication Preferences
- Opt-out of marketing communications
- Control notification settings
- Manage cookie preferences
- Update privacy settings
Active Accounts: Data is retained while your account is active
Google integrations: Calendar event data and encrypted OAuth tokens are retained while the integration is connected; disconnecting removes tokens and stops sync
Inactive Accounts: Data is deleted after 2 years of inactivity
Deleted Accounts: Data is permanently deleted within 30 days
Legal Requirements: Some data may be retained longer if required by law
We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.
We will notify you of any material changes to this policy by:
- Posting the updated policy on our website
- Sending an email notification to registered users
- Displaying a notification in the application
Important: Continued use of our services after changes constitutes acceptance of the updated policy.
If you have any questions about this privacy policy or our data practices, please contact us:
- Email: team@gestru.com
- Terms of Service: /terms