Privacy Policy

Effective: 2026-05-01

1. Who we are

Busypus (the “Service”) is operated by Andres Canella, an individual based in Miami, Florida, USA. We control how your personal data is processed in connection with the Service. Contact: meet@busypus.com.

2. What we collect

To operate Busypus we collect the following:

  • From hosts: email address, password (stored only as a one-way argon2id hash), chosen username, IANA timezone, optional newsletter opt-in.
  • From guests: chosen nickname, optional email address, IANA timezone, optional newsletter opt-in. Email is not required to use the Service as a guest.
  • Meeting data: meeting titles, availability windows, time intervals you mark as available, and finalized meeting times.
  • Technical: IP address and request metadata (HTTP method, path, timestamp, user agent) processed by AWS for service delivery, security, abuse prevention, and rate limiting.

3. What we don’t do

  • We don’t use third-party advertising or behavioral tracking pixels.
  • We don’t sell your data.
  • We don’t share your data with advertisers or data brokers.
  • We don’t store your password in plain text or in any reversible form.
  • We don’t connect to or read your calendar; the Service does not integrate with Google Calendar, Apple Calendar, or any other calendar account.

4. How we use your data

  • Operating the Service: creating meetings, displaying availability, computing overlap, and finalizing times.
  • Sending transactional email related to your account (verification, password reset) and your meetings (host notifications when guests respond, calendar invite emails with .ics attachments when a meeting is finalized; delivery is not guaranteed).
  • Sending occasional product newsletters via Resend, only if you opt in.
  • Security, abuse prevention, debugging, and meeting our legal obligations.

5. Service providers and disclosures

We share the minimum data necessary with the following service providers to operate the Service:

  • Amazon Web Services (AWS), USA: hosts the application and stores data (DynamoDB, Lambda, API Gateway, Amplify, Route 53, ACM). Primary region: US-East-1 (Northern Virginia). Some AWS edge and DNS services are global.
  • Resend (resend.com), USA: delivers transactional email and stores newsletter audience contact lists (email addresses of users who opted in).

We may also disclose your data: (a) to comply with applicable laws, court orders, subpoenas, or other legal process; (b) to protect the rights, property, or safety of Busypus, our users, or the public, including to prevent or investigate fraud or abuse; or (c) in connection with a sale, merger, financing, or transfer of all or part of the Service, in which case the recipient will be bound by terms at least as protective as these. We do not sell your data to third parties.

6. Cookies

We use a small number of essential cookies. None are used for advertising, cross-site tracking, or third-party analytics:

  • bp_session — host authentication token (httpOnly, Secure, SameSite=Lax). Keeps you logged in for up to 30 days.
  • bp_username — your username, used to render “logged in as <username>” without a server round-trip. Not used for authentication and readable by the page’s scripts.
  • bp_guest_<host>_<meeting> — guest authentication token, scoped to a single meeting. Lets you return to edit your availability without re-entering your nickname.
  • bp_guest_nick_<host>_<meeting> — your guest nickname for that meeting, used for display.

Authentication cookies use the SameSite=Lax attribute to mitigate cross-site request forgery; we do not use a separate CSRF cookie.

7. Your controls

We provide the following controls over your data, subject to verification of your identity and any applicable legal exceptions:

  • Access: view your account profile at any time via the account page.
  • Delete: use the “delete my account” control on the account page. This removes your profile, every meeting you created, and your guest responses from our active database. Best-effort removal from our newsletter audience (Resend) is also performed.
  • Newsletter opt-out: click the unsubscribe link in any newsletter email, or toggle the newsletter setting off on the account page. We will stop sending you newsletters within a reasonable time.
  • Data export: not yet self-serve. Email meet@busypus.com and we will provide a copy of your data within a reasonable time, subject to verification.
  • Other requests (correction, restriction, objection, portability): contact us at the email above.

Depending on where you live, additional rights may apply under laws such as the GDPR (EU/UK), the CCPA/CPRA (California), or similar state laws. We will respond to verified requests as required by applicable law.

8. Data retention

We retain account data for as long as your account is active. Meetings you create are retained until you or we delete them.

When you delete your account, your profile, username reservation, and all meetings you created are removed from our active database promptly. Database backups, application logs, and email-delivery logs (Resend) may retain copies for a limited period (typically up to 90 days) before they age out naturally. We may also retain data longer where required by law or for legitimate purposes such as fraud prevention, dispute resolution, security, or enforcing our agreements.

9. International users

Busypus is operated from the United States and primarily stores data in AWS’s US-East-1 (Northern Virginia) region. If you access the Service from outside the US, you consent to your data being transferred to and processed in the United States.

10. Children

Busypus is not intended for and may not be used by anyone under the age of 13, whether as a host or a guest. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Security

We implement reasonable technical and organizational measures to protect your data, including: hashing passwords with argon2id (a memory-hard hashing function), signing authentication cookies and serving them with the httpOnly, Secure, and SameSite=Lax attributes, and serving the Service over HTTPS. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. If you suspect unauthorized access to your account, contact us immediately.

12. Changes

We may update this Privacy Policy. Material changes will be communicated by posting the updated policy on the Service and updating the effective date above.

13. Contact

Privacy questions and requests can be sent to meet@busypus.com.