
Security & Privacy

Last updated: May 7, 2026

OnCall by CastGlobe is an AI receptionist for small service businesses. We connect to Google Calendar so the AI can book real appointments. This page explains exactly what we access, how we store it, and how to revoke access.

1. Overview

When a tenant connects their Google Calendar to OnCall, our AI receptionist gains the ability to create, update, and delete calendar events on the calendar the tenant chooses. We do not read other people's calendars, browse files, send mail on the tenant's behalf, or look at any data outside what's needed to keep bookings in sync.

2. Data we access from Google

We request the narrowest scopes that allow OnCall to do its job:

  • userinfo.email + userinfo.profile — so we know which Google account is connected and can show that on the Settings page.
  • auth/calendar.events — lets us create/edit/delete events on the calendar you select. This scope does not let us read other people's calendars.

We deliberately do not request auth/calendar (the broader scope), auth/calendar.readonly, Drive, Gmail, or Contacts.
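
A grant can be checked against this list from the outside. The following is an added example, not OnCall's own code: it takes the space-delimited scope string from an OAuth token response and sorts each scope into expected, declined, or unexpected. The full scope URLs, the `openid` allowance, and the prefix mapping for Drive, Gmail and Contacts are assumptions of this example.

```python
# Added example: audit a Google OAuth grant against the scope list above.
PREFIX = "https://www.googleapis.com/auth/"

# Scopes this page says OnCall requests (full URLs are this example's assumption).
EXPECTED = {PREFIX + "userinfo.email", PREFIX + "userinfo.profile",
            PREFIX + "calendar.events"}
# Short names Google accepts for the userinfo scopes.
ALIASES = {"email": PREFIX + "userinfo.email",
           "profile": PREFIX + "userinfo.profile"}
# Assumption: "openid" often accompanies the userinfo scopes and is harmless here.
TOLERATED = {"openid"}
# Scopes the page says are deliberately NOT requested: exact matches first,
# then prefixes for whole product families (mapping is this example's assumption).
DECLINED_EXACT = {PREFIX + "calendar", PREFIX + "calendar.readonly"}
DECLINED_PREFIXES = (PREFIX + "drive", PREFIX + "gmail.",
                     "https://mail.google.com/", PREFIX + "contacts")


def audit_scopes(scope_string):
    """Classify each scope in a space-delimited grant string."""
    granted = {ALIASES.get(s, s) for s in scope_string.split()}
    report = {"ok": [], "declined": [], "unexpected": []}
    for scope in sorted(granted):
        if scope in EXPECTED or scope in TOLERATED:
            report["ok"].append(scope)
        elif scope in DECLINED_EXACT or scope.startswith(DECLINED_PREFIXES):
            report["declined"].append(scope)
        else:
            report["unexpected"].append(scope)
    report["missing"] = sorted(EXPECTED - granted)
    # The grant matches the page only if nothing broader than EXPECTED is present.
    report["matches_page"] = not report["declined"] and not report["unexpected"]
    return report


# Constructed sample grants (not real tokens or responses).
NARROW = "openid email profile " + PREFIX + "calendar.events"
BROAD = " ".join([PREFIX + "userinfo.email", PREFIX + "calendar",
                  PREFIX + "drive.file", PREFIX + "tasks"])

if __name__ == "__main__":
    for name, grant in (("narrow", NARROW), ("broad", BROAD)):
        print(name, audit_scopes(grant))
```

Note that `calendar.events` is checked against the expected set before the declined rules, so it is not confused with the broader `calendar` scope.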

3. How we store OAuth tokens

  • Access tokens and refresh tokens are encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256). The encryption key lives in our backend environment, never in the database.
  • Access tokens expire every hour. Refresh tokens are used to mint new access tokens just-in-time, and are never sent to your browser.
  • Token usage is logged with timestamps so you can audit when bookings actually called Google's API.
  • Disconnecting in OnCall calls Google's OAuth revocation endpoint and removes our credentials from your Google account permissions page.

4. Retention and revocation

We retain encrypted tokens until you disconnect. There are three ways to revoke OnCall's access:

  1. From OnCall — Settings → Integrations → Disconnect. We revoke with Google and delete the tokens immediately.
  2. From your Google Account — visit myaccount.google.com/permissions, find OnCall, and click Remove.
  3. By cancelling your OnCall account — token data is removed as part of account closure.

Bookings created in your calendar before disconnection remain on your calendar. We never bulk-delete events when you disconnect.

5. Google app verification status

OnCall is currently undergoing Google's app verification review. Verification typically takes 4–6 weeks. While we're under review, the first time you connect Google Calendar you'll see an "unverified app" warning — that's a Google-side screen, not anything wrong with OnCall. Click "Advanced" → "Continue to OnCall" to proceed.

Live status is at /google-verification.

6. Incident handling

If we detect that a refresh token has been revoked or a Google API call returns 401/403, we mark the integration as disconnected, fall back to email-based .ics calendar invites so bookings keep working, and notify the tenant by email so they can reconnect. Suspected security incidents are escalated to hello@castglobe.com and disclosed within 72 hours where applicable.

7. Contact

Security questions: hello@castglobe.com. See also our Privacy Policy and Terms of Service.