busyboard
← Back to home

Privacy Policy

Effective date: February 21, 2026

1. Introduction

BusyBoard ("we," "our," or "us") operates the BusyBoard web application available at busyboard.app. This Privacy Policy explains what information we collect, how we use it, and your choices regarding your data.

By using BusyBoard, you agree to the collection and use of information as described here.

2. What Is BusyBoard?

BusyBoard is a team scheduling and availability tool. It connects to your Google Calendar, reads when you are busy (not the details of your events), and lets you and your team see overlapping free windows. You can also share your availability publicly via a link, and view shared availability from people outside your organization.

3. Information We Collect

Account information (via Clerk)

When you create an account:

  • Email address
  • First and last name
  • Profile photo URL
  • Unique user ID

We do not store passwords — authentication is handled by Clerk.

Calendar data (via Google Calendar OAuth)

When you connect Google Calendar, we request read-only access to:

  • Your calendar list (names, colors — to let you choose which to include)
  • Busy time blocks — the start and end times of your events

We do not read, store, or display event titles, descriptions, attendees, locations, or any other event content. We only store when you are occupied, not why.

OAuth tokens are encrypted at rest using AES-256-GCM.

Organization and team data

  • Organization names, slugs, and membership roles
  • Team names, descriptions, colors, and member lists
  • Invitation emails and status

Availability share data

When you create a share link, we store the share token, optional slug, which calendars to include, active/paused status, and visibility settings.

Subscription and billing (via Stripe)

If you subscribe, Stripe processes your payment. We store your Stripe customer ID, subscription ID, and current plan. We do not store card numbers or payment details.

Preferences

Timezone, working hours, calendar display settings. These are stored in our database and locally in your browser (localStorage) — no sensitive data.

Error and performance data (via Sentry)

In production, Sentry collects error traces and a 10% sample of performance data to help us fix bugs. This is never used for advertising or profiling.

4. How We Use Your Information

PurposeData used
Calendar sync and availability displayOAuth tokens, busy block times
Show team availability to teammatesYour busy block times only
Public availability share pagesDisplay name, avatar, timezone, busy times
Payment processingStripe customer / subscription IDs
Enforce plan limitsPlan type, usage counts
Error and bug detectionSentry error traces
Rate limitingIP address, user ID (via Upstash Redis)
Organization invitationsInvitee email (temporary)

We do not use your data for advertising, sell it to third parties, or use your calendar data for any purpose beyond displaying availability within the Service.

5. How We Share Your Information

With other BusyBoard users

  • Organization members can see your busy time blocks (not event details)
  • Anyone with your share link can see your busy times if you have an active public share
  • External connection holders can view your busy times if they have your share token

You control all of this — pause or delete shares at any time.

With third-party service providers

ProviderPurposePrivacy policy
ClerkAuthenticationPolicy ↗
GoogleCalendar sync (OAuth2)Policy ↗
StripePayment processingPolicy ↗
SupabaseDatabase hostingPolicy ↗
VercelApp hostingPolicy ↗
SentryError monitoringPolicy ↗
UpstashRate limitingPolicy ↗

6. Data Retention

  • Data is retained while your account is active.
  • Deleting your account triggers removal of your profile, calendar accounts, busy blocks, team memberships, availability shares, and external connections.
  • Stripe retains payment history per their own legal obligations.
  • Sentry retains error data per their default retention settings (typically 90 days).

7. Data Security

  • OAuth tokens are encrypted at rest using AES-256-GCM
  • Database connections use TLS in transit
  • CSRF protection on the Google OAuth callback using a signed, httpOnly, short-lived cookie
  • Rate limiting on public-facing APIs
  • Authentication delegated to Clerk with industry-standard protections

No method of storage is 100% secure. We cannot guarantee absolute security.

8. Children's Privacy

BusyBoard is intended for users 16 years of age and older. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

9. Your Rights

  • Access: Request a summary of the data we hold about you.
  • Deletion: Delete your account (and associated data) via your account settings.
  • Correction: Update your name, email, or profile in your account settings.

EU/EEA users (GDPR) and California users (CCPA) may have additional rights. Contact us at [YOUR EMAIL] to exercise any of these rights.

10. Cookies and Local Storage

We use a single short-lived, httpOnly cookie (oauth_nonce) only during the Google Calendar OAuth flow for CSRF protection. Clerk sets session cookies for authentication.

Browser localStorage stores only UI preferences (sidebar state, timezone, display settings). No sensitive data is stored client-side. We do not use advertising cookies or tracking pixels.

11. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you via email or in-app notice and update the effective date at the top. Continued use after changes constitutes acceptance.

12. Contact Us

For privacy-related questions or requests: [YOUR EMAIL]

[YOUR ADDRESS]