Narrow meeting write access
BookableCheck can update only the HubSpot CRM meeting owner in its automated remediation flow. Scheduling pages and external calendar invitations are never mutated.
Security & data handling
BookableCheck limits write access to confirmed CRM meeting-owner reassignment, with portal isolation and minimal storage built into the service architecture.
BookableCheck can update only the HubSpot CRM meeting owner in its automated remediation flow. Scheduling pages and external calendar invitations are never mutated.
Operational records and queries are keyed by HubSpot portal ID, with explicit tests against cross-tenant access.
OAuth credentials are encrypted with authenticated encryption, portal-bound context, random nonces, and versioned keys.
HubSpot, Stripe, and SendGrid signatures are validated. OAuth state is one-time, expiring, and protected against replay.
Resolved findings and scan history are removed after 90 days. Uninstall removes active operational data within 24 hours.
This public website uses no analytics, advertising pixels, or cookies. The application logs are designed to exclude sensitive payloads.
The initial OAuth grant requests only owner and meeting-link read access. Pro meeting automation uses a separate same-app authorization for crm.objects.contacts.read and crm.objects.contacts.write because HubSpot's official Meetings API specification maps meeting search and update to those scopes. BookableCheck never calls a Contacts endpoint or retrieves contact records. It reads only allowlisted meeting fields and writes only hubspot_owner_id after a managing admin confirms the replacement and exact records.
Detailed in-app endpoints require the exact HubSpot integration-management permission from a signed request context. Users without it receive only an aggregate summary.
The planned production service uses Cloudflare Workers, D1, and Queues for application hosting and data processing; HubSpot for authorization and source records; Stripe for subscription billing; and SendGrid for transactional alerts. See the Privacy Notice for their roles.
Confirmed uninstall disables scheduled work immediately and removes operational records from active systems within 24 hours. Cloudflare D1 Time Travel may hold recoverable encrypted database states for up to 30 days on Workers Paid. Minimal Stripe-linked billing records follow a separate accounting and subscription retention policy.
Email support@bookablecheck.com with “Security” in the subject. Include reproduction steps and impact, but do not include real OAuth tokens, customer data, or destructive proof-of-concept activity. A formal security contact and response SLA will be finalized before Marketplace submission.