byKUTT - Robin Kütt

Privacy Policy

Application Privacy Policy

Last updated: 9 June 2026

This Privacy Policy applies to byKUTT web applications that use the central Google Gateway hosted on kutt.ee, including booking and work-time management applications operated by licensed client websites.

1. Who operates the application

The application is operated by byKUTT / Robin Kütt. The central Google authentication gateway is hosted on kutt.ee and is used only to authenticate users or connect Google Calendar for licensed client websites.

2. Information we collect

Depending on the enabled features, the application may process:

  • Google account identification data, such as your e-mail address, Google user ID and display name.
  • Booking information entered into the client website, such as selected products, dates, times, contact details, addresses and order notes.
  • Google Calendar connection data for administrators, such as access tokens, refresh tokens, granted scopes and selected calendar ID.
  • Technical data required for security and licensing, such as domain, source page, return URL, request ID, timestamp and license validation status.

3. How Google data is used

Google Sign-In data is used to authenticate you and create or access your account on the originating client website.

Google Calendar access, when enabled by an administrator, is used only to create, update, list and delete booking-related calendar events for orders handled by the booking system.

4. Google API scopes

The application may request the following Google permissions:

  • openid, email, profile — used for Google Sign-In and user identification.
  • https://www.googleapis.com/auth/calendar.events — used to create, update and delete booking-related calendar events.
  • https://www.googleapis.com/auth/calendar.calendarlist.readonly — used to show the administrator a list of calendars that can be selected for booking sync.

5. Data sharing

Google authentication is routed through kutt.ee and returned to the original licensed website. Data is not sold to advertisers. Data may be shared only with the relevant client website where the user started the authentication or calendar connection flow, and only for the feature being used.

6. Data storage

Client websites store the account, booking and calendar connection data required for their own service. The central gateway may temporarily store OAuth state data for security during the authentication flow. Temporary state data expires automatically.

7. Data retention and deletion

Booking and account data is retained according to the originating client website’s operational, accounting and legal requirements. Google Calendar connection tokens can be removed by disconnecting Google Calendar in the application settings. Users may request deletion of their account data by contacting the website operator or byKUTT.

8. Security

Authentication requests include signed HMAC validation, licensed-domain validation and return URL checks. Access tokens are used only for the requested Google integration and are not publicly displayed.

9. Contact

For privacy questions or deletion requests, contact: kuttrobin@gmail.com.

Scroll to Top