Privacy Policy. How BusyVault handles your data.
This policy describes how BusyVault (also referred to as VAULT in product materials) processes personal data when you use our web app, mobile apps, and related services.
Overview
BusyVault is a B2B team communication platform (workspaces, channels, chat, files, tickets, and automations). We process personal data to provide the service, secure accounts, and comply with applicable law.
This policy applies to users of busyvault.com/app and our Android and iOS apps. Enterprise self-hosted deployments may have separate agreements; contact [email protected] for on-premise terms.
Data controller
The operator of BusyVault is the data controller for account and usage data on the cloud service.
Privacy and data protection inquiries: [email protected]. For GDPR-specific requests and RODO procedures, see also our GDPR / RODO page.
Data we collect
Categories depend on how you use BusyVault. We collect only what is needed to run the service.
- Account data: email address, display name, user ID, password hash, workspace memberships, role assignments.
- Communication content: messages, attachments, channel metadata, tickets, tasks, and webhook payloads you submit.
- Billing data: subscription plan, Stripe customer reference, invoices (payment card details are handled by Stripe β we do not store full card numbers).
- Technical data: IP address, device/browser type, session identifiers, security and audit logs.
- Push notifications: device push tokens (FCM/APNs) linked to your account when you enable notifications.
- Preferences: language, theme, notification settings stored on your account or locally in the browser.
We do not sell personal data to third parties for their marketing purposes.
Purposes & legal bases
Under GDPR, we rely on the following bases (see our RODO page for detail).
- Contract performance (Art. 6(1)(b)): providing BusyVault, account management, support, billing.
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, service improvement, aggregated analytics.
- Legal obligation (Art. 6(1)(c)): tax, accounting, and regulatory requirements where applicable.
- Consent (Art. 6(1)(a)): optional marketing communications and non-essential cookies where required.
Storage & EEA residency
Cloud data is stored in infrastructure designed for European customers.
Primary cloud storage and processing for BusyVault SaaS is hosted in the European Economic Area (EEA) or with providers that offer EU/EEA data residency. File objects may be stored via Cloudflare R2 in EEA regions. Enterprise customers can deploy entirely on their own infrastructure.
Cookies & similar tech
We use cookies and local storage for essential functionality and preferences.
- Strictly necessary: session authentication, CSRF protection, load balancing.
- Functional: language preference, theme (light/dark), dismissed UI notices.
- Analytics (if enabled): aggregated usage metrics to improve reliability β no cross-site ad tracking.
You can control non-essential cookies via browser settings. Blocking essential cookies may prevent login.
Subprocessors
Trusted providers process data on our behalf under contractual safeguards.
- Stripe β subscription billing and payment processing.
- Cloudflare R2 β object storage for files and attachments (EEA regions).
- Email delivery β transactional email (verification, password reset, billing notices).
- Firebase Cloud Messaging / Apple Push Notification service β mobile push delivery.
- Hosting providers β application servers and databases in the EEA.
A current subprocessor list is available on request. Material changes are communicated to workspace owners where required.
Retention
We keep data only as long as needed for the purposes above.
- Active accounts: account and workspace content retained while your subscription or Free trial is active.
- Free trial: if you do not upgrade within 3 days, Free accounts and associated data are automatically deleted.
- After cancellation: data is deleted or anonymized within a reasonable technical window, subject to backups and legal holds.
- Security logs: typically up to 90 days, longer if needed for incident investigation or legal claims.
- Billing records: retained as required by tax and accounting law (often 5β7 years in Poland/EU context).
Your rights
Depending on your location, you may have rights to access, correct, delete, or export your data.
EU/EEA users have rights under GDPR including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You may lodge a complaint with your supervisory authority (in Poland: UODO β uodo.gov.pl).
To exercise rights, email [email protected] or follow the process on GDPR / RODO. We respond within statutory timeframes (typically 30 days).
Security
We apply industry-standard measures to protect your data.
- Encryption in transit: TLS 1.3, HSTS on public endpoints.
- Encryption at rest: provider-level encryption for databases and object storage.
- Access controls: role-based permissions at workspace and channel level.
- Monitoring: security logging, abuse detection, and incident response procedures.
Changes
We may update this policy to reflect product or legal changes. Material updates are announced in the app or by email. The current version is always at busyvault.com/privacy.html.
Contact
Privacy: [email protected]
General support: [email protected] Β· Support page