Legal

Privacy Policy

Last updated: 12 June 2026

← Back to busyfold

1. Introduction

busyfold is a hosted service that mirrors free/busy availability across your Google and Microsoft calendars and lets you share booking links. It is built and operated by Mindyield SMPC, a single-member private company established in Greece (“Mindyield”, “we”, “us”, or “our”).

This Privacy Policy explains what personal data we collect when you use busyfold (the “Service”, accessible at busyfold.cc and app.busyfold.cc), how we use it, who we share it with, and what rights you have over it. It applies to all users of the Service worldwide, with additional protections for users in the European Economic Area under the General Data Protection Regulation (GDPR).

Mindyield SMPC acts as the data controller for the personal data described in this policy. If you have any questions about this policy or how we handle your data, please contact us at [email protected].

By using the Service you acknowledge that you have read and understood this Privacy Policy. Our Terms of Use govern the conditions under which the Service is provided.

2. Information We Collect

We collect the following categories of personal data:

Account Identity

When you sign in with Google OAuth, we receive and store your Google account email address and basic profile information (display name, profile picture URL) so we can identify your account and present it to you. When you connect a Microsoft (Outlook) calendar, we likewise receive and store the email address of that Microsoft account so we can label the connected calendar.

OAuth Tokens and Calendar Authorisations

For each Google or Microsoft calendar you connect to busyfold, we store the OAuth access and refresh tokens that the provider issues. These tokens allow busyfold to read and write to your calendars in the background on your behalf. All OAuth tokens are encrypted at rest using AES-256-GCM before being stored in our database.

Calendar Busy/Free Data and Sync Metadata

To perform availability mirroring, busyfold reads your calendar events to compute busy and free time periods. We store these computed busy periods and associated sync state (such as synchronisation cursors and timestamps) to efficiently maintain up-to-date availability blocks in your destination calendars.

Scheduling and Booking Data

If you use busyfold scheduling, we store the booking types, one-time links, scheduling handle, availability rules, meeting location settings, and confirmed booking records needed to operate your booking pages. When an invitee books with you, we collect the details they submit in the booking form (such as name, email address, guests, and notes) so busyfold can create, update, cancel, or reschedule that calendar invite.

Subscription and Billing Status

We store your subscription tier (Free or Pro) and billing status so we can enforce plan limits and provide the appropriate level of service. Payment card details are handled exclusively by Paddle (our Merchant of Record) and are never stored by us.

Technical and Log Data

Like most web services, our infrastructure may collect minimal technical data such as IP addresses, browser type, and request timestamps for security monitoring, debugging, and abuse prevention. This data is not used for advertising or tracking.

Session Cookie

We use a single essential cookie (bf_session) to maintain your authenticated session. This cookie is httpOnly (not accessible to JavaScript), is transmitted only over HTTPS, and expires after approximately 30 days. See Section 12 for more detail.

3. What We Do Not Collect or Republish

This section describes the core privacy guarantee of busyfold. Please read it carefully.

busyfold is built around a fundamental principle of data minimisation: it mirrors when you are busy, not what you are busy with. The availability blocks it writes to destination calendars are intentionally generic.

The following source event details are never copied into the blocks busyfold writes, never stored long-term, and never republished to destination calendars:

  • Event titles — the subject or name of the original event
  • Guests and attendees — other people invited to the event
  • Descriptions and notes — any text or agenda content
  • Locations — physical addresses or room names
  • Attachments and links — files or URLs associated with the event
  • Video-call details — meeting links (Google Meet, Zoom, etc.)

These details may be processed transiently as busyfold reads your calendar during a sync cycle, but they are immediately discarded and are not stored beyond the busy time ranges themselves. The only information written to a destination calendar is a generic availability marker (“Busy” or a title you choose in your settings) covering the computed busy period.

This source-event minimisation rule is separate from scheduling data. If an invitee submits information through a booking page, that information is used for the calendar invite they asked busyfold to create and manage.

4. How We Use Your Information

We use the personal data we collect for the following purposes:

  • To provide the Service: Reading your calendars and writing availability blocks so busy periods are mirrored across your connected calendars, and creating or managing booking events when you or an invitee use scheduling links.
  • To maintain your session: Authenticating you when you log in and keeping you signed in during active use.
  • To manage your subscription: Enforcing plan limits (Free vs. Pro), processing billing through Paddle, and communicating plan-related changes to you.
  • To secure and operate the Service: Detecting abuse, troubleshooting technical issues, and maintaining the reliability and security of our infrastructure.
  • To communicate with you: Responding to support requests you send to [email protected] and notifying you of material changes to this policy or our Terms of Use.

We do not use your data for advertising, profiling, or any purpose beyond operating busyfold.

For users in the European Economic Area, we process personal data on the following legal bases under GDPR Article 6:

  • Consent (Art. 6(1)(a)): You provide explicit consent when you authorise busyfold to access a Google or Microsoft calendar through the OAuth flow. You may withdraw this consent at any time by disconnecting a calendar in the app or revoking access in your Google or Microsoft account security settings.
  • Contract (Art. 6(1)(b)): Processing your account data, session information, and subscription status is necessary to perform the service agreement between you and Mindyield SMPC.
  • Legitimate interests (Art. 6(1)(f)): We process minimal technical and log data to protect the security of our infrastructure and prevent abuse, where our interest in maintaining a secure service is not overridden by your rights.
  • Legal obligation (Art. 6(1)(c)): We retain billing and tax records as required by applicable Greek and EU tax law.

6. Google API Services & Microsoft Graph Data Use

busyfold’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements.

Specifically, data obtained through Google Calendar APIs is used only to provide and improve busyfold calendar availability mirroring and scheduling as described in this Privacy Policy. We do not use Google user data to serve advertising, do not allow humans to read user data (except as needed to diagnose bugs reported by that user or as required by law), and do not transfer Google user data to third parties except as described in Section 7 (sub-processors required to operate the service).

Data obtained through the Microsoft Graph / Outlook Calendar APIs is handled to the same standard: it is used only to provide the busyfold availability mirroring and scheduling service described here. We do not use Microsoft user data for advertising, do not allow humans to read it (except as needed to diagnose bugs reported by that user or as required by law), and do not transfer it to third parties except to the sub-processors described in Section 7.

7. Sharing and Sub-processors

We do not sell, rent, or trade your personal data. We share data only with the following service providers (“sub-processors”) who help us operate busyfold:

  • Google LLC — Calendar API and OAuth infrastructure. Your data is subject to Google’s Privacy Policy in addition to this policy for the data processed through their systems.
  • Microsoft Corporation — Microsoft Graph / Outlook Calendar API and OAuth infrastructure for connected Microsoft calendars. Your data is subject to Microsoft’s Privacy Statement in addition to this policy for the data processed through their systems.
  • Paddle — Payment processing and Merchant of Record. Paddle collects and processes payment card data, VAT/tax information, and purchase records on their own platform. busyfold receives only subscription status (tier and billing state) from Paddle; we never receive or store your card details.
  • Cloudflare, Inc. — CDN, DDoS protection, and secure tunnel infrastructure. Cloudflare processes network traffic to busyfold servers; it does not receive access to your calendar data beyond routing encrypted connections.
  • Managed hosting infrastructure — Our database and application servers run on managed infrastructure. Encrypted data is stored on this infrastructure and access is restricted to operational staff under confidentiality obligations.

We may also disclose personal data where required by applicable law, court order, or governmental authority, or where necessary to protect the rights, property, or safety of Mindyield, our users, or others.

8. Data Retention and Deletion

We retain your personal data for as long as your account is active or as needed to provide the Service.

  • Disconnecting a calendar: When you disconnect a Google or Microsoft calendar from busyfold, we revoke the associated OAuth tokens and delete the stored tokens and sync state for that calendar. Availability blocks that busyfold previously wrote to destination calendars are not retroactively removed (they were written at your instruction), but no new blocks will be created.
  • Deleting your account: When you delete your busyfold account, we revoke all stored OAuth tokens, delete your profile and account data, and purge associated sync state, cached busy periods, scheduling links, and booking records. Billing records may be retained for the period required by applicable tax law.

To request account deletion, contact us at [email protected].

9. Security

We take security seriously and have implemented the following measures to protect your data:

  • Encryption at rest: All OAuth tokens are encrypted using AES-256-GCM before being written to the database.
  • Encryption in transit: All connections to busyfold are made over HTTPS (TLS 1.2+). The bf_session cookie carries the Secure flag and is transmitted only over encrypted connections.
  • httpOnly cookies: The session cookie is httpOnly, preventing client-side scripts from accessing it and reducing the risk of cross-site scripting attacks.
  • Per-calendar OAuth grants: Each connected calendar uses its own OAuth grant, so a compromise of one token does not expose others.

No system is perfectly secure. If you discover a security issue, please report it responsibly to [email protected].

10. International Data Transfers

Mindyield SMPC is established in Greece and our primary data storage is within the European Union. As a result, your personal data is primarily processed within the EU/EEA, where GDPR protections apply directly.

Some of our sub-processors (notably Google, Microsoft, and Cloudflare) may process data in countries outside the EEA. Where such transfers occur, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission to ensure that your data receives an equivalent level of protection.

11. Your Rights

Under the GDPR and applicable data protection law, you have the following rights with respect to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may ask us to correct inaccurate data.
  • Right to erasure: You may ask us to delete your data (subject to legal retention obligations).
  • Right to data portability: You may request your data in a structured, machine-readable format.
  • Right to restriction: You may ask us to restrict how we process your data in certain circumstances.
  • Right to object: You may object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on your consent (e.g. connecting a Google or Microsoft calendar), you may withdraw it at any time by disconnecting the calendar in the app or by deleting your account. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr if you believe your rights have been infringed.

12. Cookies

busyfold uses a single, essential cookie:

  • bf_session — an httpOnly, Secure session cookie used to authenticate you to the app. It expires after approximately 30 days of inactivity. This cookie is strictly necessary to provide the Service; without it you cannot log in.

We do not use advertising cookies, analytics cookies, or any third-party tracking scripts on the marketing site or in the app. No data is shared with advertising networks.

Because the only cookie we set is strictly necessary, EU cookie law does not require a consent banner for this cookie. If we ever add non-essential cookies in the future, we will update this policy and implement appropriate consent mechanisms.

13. Children

busyfold is not directed at children under the age of 16 (or under 13 in jurisdictions where that is the applicable minimum age). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes — those that significantly affect your rights or how we use your data — we will notify you directly (e.g. by email or an in-app notice) before the changes take effect.

Continued use of the Service after any update constitutes acceptance of the revised policy. We encourage you to review this page periodically.

15. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

You may also review the Terms of Use which govern your use of the Service.