Sherbrooke Holding LLC d/b/a Optivo (“Optivo,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use the Optivo scheduling and communications platform, our website at https://www.joinoptivo.com (the “Site”), and related services (collectively, the “Services”).If you connect a Google account: Please see Section 12 (Google User Data) for disclosures required by the Google API Services User Data Policy (including Limited Use).1) Information We CollectCategoryExamplesSourceAccount DataName, work email, company name, password, roleYou or your employerCalendar & Event DataEvent titles, participants, attachments, meeting linksMicrosoft 365, Google Workspace, Zoom, or manual entryUsage DataLog files, device identifiers, IP address, browser type, pages visited, time spentAutomatic (cookies, logs, analytics)Payment DataBilling contact, last-4 of card, transaction IDs (processed by Stripe)You / StripeSupport DataChat transcripts, screenshots, error reportsYou (when contacting support)We do not intentionally collect sensitive personal information (e.g., health or biometric data). Please do not store such data in the Services.2) How We Use InformationWe use personal information to:Provide and maintain the Services (e.g., scheduling, notifications, integrations).Process payments and manage subscriptions.Monitor performance, debug, and improve the Services.Communicate about updates, security alerts, and administrative matters.Send marketing emails (with your consent or where permitted; you can opt out anytime).Comply with legal obligations and enforce our Terms of Service.EEA/UK legal bases: contract performance; legitimate interests (service improvement, security); consent (marketing cookies/emails); legal compliance.3) Sharing & DisclosureWe do not sell personal information. We disclose it only to:Service Providers & Sub-processors strictly to operate the Services (see list below).Integration Partners when you connect third-party accounts (e.g., Microsoft 365, Google, Zoom) to sync or perform actions you request; we share the minimum necessary.Legal/Safety to comply with law or protect you, us, or the public.Corporate Transactions (e.g., merger/acquisition), subject to confidentiality.Sub-Processor List (last updated July 14, 2025)ProviderPurposeLocationAmazon Web Services (AWS)Hosting, databasesUSAMicrosoft AzureOptional hosting / AI workloadsUSAStripePayment processingUSAMicrosoft GraphCalendar & email integrationUSA/EU datacentersGoogle Workspace APIsCalendar/email integrationUSAZoom Video CommunicationsMeeting link creationUSAPostmark / Twilio SendGridTransactional emailUSASentryError monitoringUSADatadogLogs & performance metricsUSA(If you publish a live subprocessors page, link it here.)4) Cookies & TrackingWe use first-party cookies for login sessions and CSRF protection, and third-party cookies for anonymous analytics (e.g., Google Analytics). You can control cookies via browser settings; disabling some may affect functionality.5) Data RetentionActive account data: retained for the life of the subscription.Backups: retained 30 days after deletion, then purged.Audit logs: retained 90 days.Payment/tax records: retained 7 years (compliance).Upon written request or within 30 days after account closure, we delete personal data from production systems, except where retention is required by law or legitimate business needs (e.g., billing records).6) SecurityWe employ safeguards including:TLS 1.2+ encryption in transit; AES-256 encryption at restNetwork firewalls and access controlsAnnual penetration testingSOC 2 Type 2 compliant data centers (AWS & Azure)No system is 100% secure; we cannot guarantee absolute security.7) Your RightsDepending on your jurisdiction, you may have rights to:Access/obtain a copy of your dataCorrect inaccurate dataDelete your dataPort your dataObject to or restrict processingWithdraw consent (for marketing)California residents can request the categories of personal information disclosed for business purposes in the past 12 months.8) International TransfersWe store data in the United States. For EU/UK personal data transferred outside those regions, we rely on Standard Contractual Clauses or other lawful mechanisms.9) ChildrenThe Services are not directed to children under 16, and we do not knowingly collect their data.10) Changes to This PolicyWe may update this Policy from time to time. Material changes will be notified by email or in-app at least 30 days before taking effect.11) Contact UsSherbrooke Holding LLC d/b/a Optivo
Burlington, VT 05401 USA
Email: support@joinoptivo.comIf you have unresolved privacy concerns, you may contact your local data-protection authority.12) Google User Data (Google API Services)This section applies only if you connect your Google account to Optivo.12.1 Data We Access (Scopes)Depending on features you enable, Optivo may request the following Google scopes:Gmail (Restricted):gmail.readonly – read message metadata and content.gmail.modify – apply/remove labels and mark read/unread.gmail.send (or gmail.compose) – send messages you author in Optivo.
We request only the scopes necessary for the features you use.Google Calendar (Sensitive):calendar.readonly and/or calendar.events – read/create events to support scheduling.Specific data elements (as applicable): message/thread IDs, headers (to/from/subject), label IDs/names, message bodies, attachments (only when you initiate related actions), draft content, and calendar event fields (title, time, attendees, conference link).12.2 How We Use Google User DataDisplay relevant messages/threads to assist with scheduling and client work you initiate.Create/send emails only when you request it in Optivo.Apply labels you choose (e.g., categorize client mail).Read/create calendar events you request to keep schedules in sync.Diagnose sync errors and improve reliability (e.g., deduplicate threads).We do not use Google user data for advertising or to build advertising profiles.12.3 Sharing of Google User DataWe do not share Google user data with third parties except:With the subprocessors in Section 3 to provide the Services (under data-processing agreements), andWhen required by law.
We never sell Google user data.12.4 Storage & Protection of Google User DataOAuth tokens are stored encrypted.To render inbox and labels efficiently, Optivo may store limited metadata (e.g., message ID, thread ID, label IDs).Message bodies/attachments are either
(a) streamed on demand without persistent storage, or
(b) temporarily cached, encrypted at rest, for up to 7 days strictly to power features you enable (e.g., search/summaries).Access to Google user data is role-based, logged, and audited.If your organization prefers no server-side caching of Gmail content beyond transient processing, you can disable caching in tenant settings.12.5 Retention & Deletion (Google)Revoking Google from Optivo or disconnecting within the app immediately invalidates OAuth tokens.Cached content (if enabled) is purged within 7 days; metadata is retained only as needed to provide your account’s functionality or until you delete it.You can request deletion at https://www.joinoptivo.com/support or by emailing support@joinoptivo.com; we fulfill within 30 days.12.6 User Choices & RevocationYou grant access via Google OAuth and can view/revoke Optivo’s access anytime in your Google Account (Security → Third-party access).You can disconnect Google inside Optivo at Settings → Integrations → Google.12.7 Limited Use, Human Access, and Prohibited PracticesOptivo’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not:use Google user data for ads or personalized advertising;sell Google user data;permit human access to the content of your Google data except (i) with your explicit consent, (ii) to comply with applicable law, or (iii) for security/abuse prevention, in which case access is limited to the necessary scope and is logged.13) Data Subject Requests & ContactTo exercise your rights (access, correction, deletion, portability, objection/restriction) or to request Google-data deletion, contact support@joinoptivo.com or visit https://www.joinoptivo.com/support. We will respond within the timeframes required by applicable law.Quick checklist before you re-submit to GoogleThis policy is live at /privacy, linked in your footer alongside /termsofservice and /support.Your OAuth Authorized domains include joinoptivo.com, and the homepage on your consent screen matches this policy.The scopes listed in Section 12.1 exactly match what you request today (start with read-only if possible).Reviewer access: allowlist their test account or provide demo credentials in your email reply.If you want me to tune this for read-only-first (no gmail.modify/send yet) or change the 7-day cache / 30-day deletion numbers, say the word and I’ll adjust instantly.