How it works Features Pricing FAQ Documentation Log in
Legal

GDPR / RODO. Your data protection rights with BusyVault.

This page supplements our Privacy Policy with GDPR (EU) and RODO (Poland) specifics for BusyVault cloud SaaS customers and their end users.

Scope

Applies to personal data processed when you use BusyVault hosted at busyvault.com.

GDPR applies to individuals in the European Economic Area (EEA). RODO is the Polish implementation of GDPR. If you deploy BusyVault on-premise (Enterprise), your organization may act as controller β€” see your deployment agreement.

Roles under GDPR

Who is responsible for what depends on the data.

  • BusyVault as controller: account registration, billing, marketing (with consent), service security logs, and platform operations.
  • Customer as controller: content in workspaces (messages, files, tickets) about your employees, clients, or partners.
  • BusyVault as processor: when we process workspace content solely on your documented instructions β€” a DPA governs this relationship.

Your rights

Data subject rights under GDPR / RODO.

  • Right of access (Art. 15): confirm whether we process your data and receive a copy.
  • Rectification (Art. 16): correct inaccurate personal data.
  • Erasure (Art. 17): request deletion when no longer necessary or when you withdraw consent (where applicable).
  • Restriction (Art. 18): limit processing in defined circumstances.
  • Portability (Art. 20): receive data you provided in a structured, machine-readable format where processing is based on contract or consent.
  • Objection (Art. 21): object to processing based on legitimate interests or direct marketing.
  • Withdraw consent: where processing is consent-based, without affecting prior lawful processing.
  • Complaint: lodge a complaint with a supervisory authority β€” in Poland: Prezes UODO (uodo.gov.pl).

Workspace admins may fulfill some requests directly (e.g. removing a member). We assist controllers with subprocessors requests as required by Art. 28 GDPR.

Data subject request (DSR) process

How to submit and what to expect.

  1. Submit: email [email protected] with subject "GDPR request" or "Wniosek RODO".
  2. Identify: we verify your identity (logged-in email or reasonable proof) to prevent unauthorized disclosure.
  3. Scope: describe the right you wish to exercise and relevant workspace/account if applicable.
  4. Response: we reply within 30 days (extendable by 60 days for complex requests, with notice).
  5. Free of charge: first request is free; manifestly unfounded or excessive requests may be refused or charged per Art. 12(5).
Tip: Pro plan includes channel export (PDF/Markdown). Enterprise customers may use API export for portability needs.

EEA residency

Where your data lives in the cloud service.

BusyVault SaaS is designed with EEA data residency: application databases and primary file storage (Cloudflare R2) use EU/EEA regions. Backups and disaster recovery stay within approved regions unless you agree otherwise in writing.

Enterprise self-hosted deployments keep all data on infrastructure you control.

Subprocessors

Third parties that process personal data on our behalf (Art. 28 GDPR).

  • Stripe, Inc. β€” payment processing and subscription management (PCI-DSS compliant; card data stays with Stripe).
  • Cloudflare, Inc. β€” R2 object storage and CDN for file attachments (EEA region configuration).
  • Email providers β€” transactional email delivery.
  • Google (Firebase) / Apple (APNs) β€” push notification delivery when enabled.
  • Hosting partners β€” compute and database hosting in the EEA.

We maintain contractual data protection terms with subprocessors. An up-to-date list and advance notice of material changes are available to business customers on request or via DPA.

International transfers

When data leaves the EEA.

Some subprocessors (e.g. Stripe, Cloudflare, Apple, Google) may process data in the United States or other countries. Where required, we rely on appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and supplementary measures.

Contact [email protected] for transfer impact assessments or SCC copies for vendor review.

Contact

Privacy team / DPO-style contact (operational, not a statutory DPO unless designated).

GDPR & RODO requests: [email protected]
General: [email protected]
Polish supervisory authority: UODO