Privacy Policy
Effective Date: April 2, 2026 | Last Updated: April 2, 2026
Operated by K.K. Kiruck (株式会社キラック)
1. Introduction
K.K. Kiruck (株式会社キラック) ("Company," "we," "us," or "our") operates the Tenbin scheduling platform ("Service") at tenbin.link.
This Privacy Policy explains what personal information we collect, how we use and protect it, who we share it with, and what rights you have regarding your data. It applies to all users of the Service, including registered account holders ("Users") and external guests who book time through Tenbin booking pages ("Guests").
By using the Service, you agree to the collection and use of information as described in this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
| Category | Data Collected | Purpose |
|---|---|---|
| Account registration | Name, email address, password (hashed with bcrypt), timezone, language preference | Account creation, authentication, Service personalization |
| Google account connection | Google email address, OAuth access token, OAuth refresh token | Calendar free/busy retrieval, event creation, account identification |
| Booking page configuration | Page title, description, slug, available hours, meeting duration, buffer settings | Generating and operating booking pages |
| Guest booking information | Guest name, email address, optional notes, timezone; for paid bookings, transaction metadata (amount, currency, payment and refund status) on Tenbin. | Creating calendar events, sending notifications, operating paid bookings |
| Payment information | Subscription: processed by Stripe; we receive customer IDs and subscription metadata. Paid guest bookings: charges and refunds are processed by Stripe Connect; Tenbin stores payment intent IDs, amounts, fee estimates, and payout-related status for support. | Subscription billing and paid booking settlement |
2.2 Information Collected Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Usage data | Pages viewed, features used, booking page interactions | Service improvement, analytics |
| Device & browser data | Browser type, operating system, screen resolution, language settings | Service compatibility, localization |
| Network data | IP address, approximate geographic location (country/region level from Cloudflare) | Security, rate limiting, timezone detection |
| Log data | Server access logs, error logs, timestamps | Debugging, security monitoring, service reliability |
2.3 Information We Do NOT Collect
We do not read your calendar event details.The Google Calendar FreeBusy API returns only whether a time slot is "busy" or "free." We never access or store the titles, descriptions, attendees, locations, or any other details of your existing calendar events for availability checks.
We also do not collect or store credit card numbers, bank account details, or other financial instrument data. All payment information is handled exclusively by Stripe.
3. How We Use Your Information
We use your personal information for the following purposes:
- Providing the Service: Aggregating free/busy status across your connected Google accounts, generating booking pages, creating calendar events, and processing bookings.
- Communications: Sending transactional emails including booking confirmations, reschedule/cancellation notifications, reminders, and account-related communications. All transactional emails are sent from noreply@tenbin.link.
- Billing: Processing subscription payments and managing your billing account through Stripe.
- Security: Detecting and preventing fraud, unauthorized access, and abuse of the Service.
- Improvement: Analyzing usage patterns to improve the Service, fix bugs, and develop new features.
- Legal compliance: Complying with applicable laws, regulations, and legal processes.
We do not use your personal information for behavioral advertising, profiling for marketing purposes, or selling to third parties.
5. Data Storage and Security
5.1 Storage Location
Your data is stored on servers operated by Supabase and Cloudflare. Servers may be located in the United States, the European Union, and other regions. By using the Service, you consent to the transfer of your data to these locations.
5.2 Security Measures
We implement the following security measures to protect your data:
- Encryption at rest: Google OAuth tokens are encrypted using AES-256-GCM. Encryption keys are managed via environment variables and are never stored in application code or version control.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS), managed automatically by Cloudflare.
- Database security: Supabase Row Level Security (RLS) ensures that each user can only access their own data.
- Password hashing: User passwords are hashed using bcrypt and are never stored in plaintext.
- Rate limiting: API and booking page endpoints are rate-limited to prevent abuse.
- Minimal OAuth scopes: We request only the minimum Google OAuth permissions necessary to provide the Service.
5.3 Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users by email within 72 hours of becoming aware of the breach, in accordance with applicable laws including GDPR.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (name, email, settings) | Retained while your account is active. Deleted within 90 days of account deletion. |
| Google OAuth tokens | Deleted immediately when you disconnect a Google account, or within 90 days of account deletion. |
| Booking records | Retained while your account is active. May be retained in anonymized form after account deletion for aggregate analytics. |
| Guest information (name, email, notes) | Retained as part of booking records. Deleted when the associated booking record is deleted. |
| Guest data without a Tenbin account | Booking and payment-support records are generally deleted or anonymized within 90 days after the meeting end time unless a longer period is required for legal, accounting, or fraud-prevention reasons. |
| Payment records | Retained by Stripe in accordance with Stripe's data retention policy and applicable financial regulations. |
| Server logs | Retained for up to 90 days, then automatically deleted. |
8. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:
| Right | Description |
|---|---|
| Access | Request a copy of the personal information we hold about you. |
| Correction | Request correction of inaccurate or incomplete personal information. |
| Deletion | Request deletion of your personal information, subject to legal retention requirements. |
| Portability | Request a machine-readable export of your personal information. |
| Restriction | Request that we limit the processing of your personal information. |
| Objection | Object to certain types of processing of your personal information. |
| Withdrawal of consent | Withdraw consent for processing where consent is the legal basis, without affecting prior processing. |
To exercise any of these rights, contact us at privacy@tenbin.link. We will respond to your request within 30 days (or within the timeframe required by applicable law).
Guests without a Tenbin account may request access, correction, or deletion of personal data related to a booking by writing to privacy@tenbin.link from the email used for the booking where possible; we may ask for reasonable proof that the request relates to your booking.
You may also disconnect your Google accounts at any time from your Tenbin account settings, which immediately revokes our access to your calendar data. Additionally, you can revoke Tenbin's access from your Google Account permissions page.
9. International Data Transfers
K.K. Kiruck is based in Japan. Your data may be processed in Japan, the United States, and other countries where our service providers operate. When we transfer data outside of your country of residence, we ensure appropriate safeguards are in place, including:
- Using service providers that participate in recognized data protection frameworks;
- Implementing standard contractual clauses where required;
- Relying on the adequacy decisions recognized by applicable data protection authorities.
Japan has been recognized by the European Commission as providing an adequate level of data protection under GDPR.
10. GDPR Compliance (EEA/UK Users)
10.1 Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Account creation & authentication | Performance of contract (Art. 6(1)(b) GDPR) |
| Calendar free/busy access & event creation | Performance of contract (Art. 6(1)(b) GDPR) |
| Transactional emails | Performance of contract (Art. 6(1)(b) GDPR) |
| Payment processing | Performance of contract (Art. 6(1)(b) GDPR) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR) |
| Service improvement & analytics | Legitimate interest (Art. 6(1)(f) GDPR) |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
10.2 Data Protection Officer
For GDPR-related inquiries, you may contact us at privacy@tenbin.link.
10.3 Supervisory Authority
If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority.
11. Japanese Data Protection (APPI Compliance)
K.K. Kiruck complies with the Act on the Protection of Personal Information (個人情報保護法, "APPI") of Japan. In accordance with APPI:
- We specify the purposes for which we use personal information and do not use it beyond those purposes without your consent;
- We take necessary and appropriate measures to ensure the security of personal information;
- We do not provide personal information to third parties without your consent, except as permitted by law;
- We respond to requests for disclosure, correction, or deletion of personal information in accordance with APPI.
12. Children's Privacy
The Service is not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at privacy@tenbin.link.
13. Google API Services User Data Policy
Tenbin's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only request access to the Google API scopes that are necessary to provide the Service (calendar.readonly, calendar.events, openid, email, profile);
- We use Google user data only to provide and improve the Service as described in this Privacy Policy;
- We do not use Google user data for advertising purposes;
- We do not allow humans to read Google user data unless with your affirmative consent, for security purposes, to comply with applicable law, or if the data is aggregated and anonymized;
- We do not transfer Google user data to third parties except as necessary to provide the Service, as required by law, or in a merger/acquisition with adequate data protection commitments.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will post the updated Privacy Policy on this page with a revised "Last Updated" date;
- We will notify you by email at least 14 days before the changes take effect;
- We will display a notice within the Service.
Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
Please also review our Terms of Service.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Company: K.K. Kiruck (株式会社キラック)
- Privacy inquiries: privacy@tenbin.link
- Emergency contact (phone) / 緊急時の問い合わせ: +81 50 1784 2750
For urgent privacy-related or safety-related matters when email is not practical. メールでの対応が困難な、個人情報・安全に関する緊急の事案用です。
- General support: support@tenbin.link
- Website: https://tenbin.link