Privacy Policy

Busy Mirror is operated by LTE Ventures LLC ("we," "us," or "our"), a limited liability company. Busy Mirror is a product of LTE Ventures LLC.

Our service mirrors the times of events from your personal Google Calendar into your work Google Calendar as private "Busy" blocks, so colleagues know you're unavailable without seeing any personal details.

For privacy inquiries or to exercise your rights, contact us at: gcalbusymirror@gmail.com

If you are located in the European Economic Area (EEA) or the United Kingdom, LTE Ventures LLC acts as the data controller for your personal data under the GDPR and UK GDPR.

We collect the following categories of personal data. An important distinction applies throughout: some data is processed transiently in memory during syncing and immediately discarded; other data is stored persistently in our database. These are clearly distinguished below.

During each sync, our system reads the following from your personal calendar via the Google Calendar API — but these fields are processed in memory only, used to construct the timing of a "Busy" block, and immediately discarded. They are never written to our database:

• Event start and end times (used to set the busy block duration, then discarded)
• Event busy/free status (used to decide whether to create a block at all)
• Event recurrence rules (used to handle recurring events correctly)
• Your own RSVP status on an event (used to skip events you declined)

We configure our Google Calendar API access to minimize the data we use. We do not use or store personal event content (such as titles, descriptions, locations, or attendee lists) to operate Busy Mirror. If any additional fields are returned by Google by default, we do not use them for the service and do not write them to our database.

Specifically, Busy Mirror does not store (and does not use to build busy blocks):

• Event titles or names
• Event descriptions or notes
• Event locations
• Event attendee lists (including other guests' details)
• Event links (e.g., video call URLs)

The "Busy" block written to your work calendar contains: a start time, end time, and the title "Busy." To keep syncing accurate (for example, to update or delete a block when the source event changes), the block may also include a non-human-readable internal identifier stored in the Google Calendar event's metadata. This identifier is not personal event content (we do not copy titles, descriptions, locations, attendees, or links).

Workplace note: depending on your organization's Google Workspace settings, Workspace administrators or compliance tools may be able to access event metadata (including private events). See Section 15 for more.

To Provide the Service

• Authenticate you with your Google accounts via OAuth
• Sync your selected personal calendars regularly (typically within a few minutes, subject to Google API availability and rate limits)
• Create, update, or delete "Busy" blocks in your work calendar
• Display sync status and recent activity on your dashboard

To Manage Your Subscription

• Verify your Stripe subscription is active before running syncs
• Process cancellations and account deletions

To Send Transactional Communications

• Send one-time team invitation emails via SendGrid when an organization admin invites a colleague
• We do not send marketing emails, newsletters, or promotional content

To Maintain Service Health

• Log sync results to diagnose errors and improve reliability
• Investigate security incidents using infrastructure logs

We do not use your data for advertising, behavioral profiling, sale to third parties, training AI or machine learning models, or any purpose not listed above.

If you are located in the EEA or UK, we rely on the following legal bases under GDPR Article 6:

Contract Performance (Article 6(1)(b)) — Primary Basis

Processing your email address, OAuth tokens, calendar IDs, and sync metadata is necessary to deliver the calendar sync service you paid for. Without this processing, the service cannot function.

Legitimate Interests (Article 6(1)(f))

We maintain audit logs and may access infrastructure logs to ensure service reliability and investigate security incidents. Our legitimate interest in a stable, secure service is balanced against your privacy rights — logs contain no calendar content and are deleted on defined schedules.

Legal Obligation (Article 6(1)(c))

We may retain certain records for as long as required by applicable law (e.g., billing records for tax obligations).

Authorization via Google OAuth

When you connect your Google account, you authorize our app through Google's standard OAuth consent screen. This is the technical mechanism that enables the service — it is not our GDPR lawful basis, which is contract performance as described above. You can revoke this authorization at any time via Google Account → Third-party apps, which will stop the sync service from functioning.

We share data only as follows:

• With the service providers listed below, strictly to operate the service;
• To comply with law or valid legal process (e.g., a court order or subpoena), or to protect the security and integrity of Busy Mirror, our users, and the public;
• In connection with a merger, acquisition, or asset sale, with notice to affected users where required by law.

We do not sell, rent, or trade personal data. We do not share data with advertisers, data brokers, or behavioral analytics networks.

Google LLC

Google provides the Google account and Calendar platform. We access Google Calendar via APIs you authorize. Google's own processing of your account and data is governed by Google's policies; our processing via those APIs is governed by this policy.

Your control: Revoke access at any time via Google Account → Third-party apps. See Google's Privacy Policy.

Stripe, Inc.

Purpose: Subscription billing and payment processing. Stripe collects payment card details directly — we never see or store your card number, CVV, or banking information.

What we share: Your email address and subscription plan type. Stripe is certified to PCI Service Provider Level 1. See Stripe's Privacy Policy.

SendGrid (Twilio Inc.)

Purpose: Sending one-time team invitation emails on our behalf. No marketing emails are sent through SendGrid.

What we share: Recipient email address and invitation link. No calendar data is ever included. See Twilio's Privacy Policy.

Railway (PBC)

Purpose: Cloud hosting and database infrastructure. Railway runs the servers that store and process your data as our infrastructure provider. Railway does not use your data for its own purposes.

See Railway's Privacy Policy.

We are a US-based service. If you are located in the EEA or UK, your personal data will be processed in the United States. Where required, we rely on the following transfer safeguards:

• EU Standard Contractual Clauses (SCCs): For transfers to our processors (Railway, SendGrid) where required under GDPR.
• UK International Data Transfer Addendum (IDTA) or UK Addendum to EU SCCs: For transfers to processors in the context of UK GDPR.
• Google and Stripe maintain their own EU and UK data transfer mechanisms including SCCs. Please refer to their respective privacy policies for details.

If you have questions about these safeguards or wish to obtain a copy of applicable SCCs or the IDTA, contact us at gcalbusymirror@gmail.com.

What "deletion" means: Deletion means we remove data from active production systems and schedule it for purge from backups. We may retain limited records where required by law, to resolve active disputes, or to prevent fraud. We do not retain deleted data for other purposes.

Depending on where you live, you may have the following legal rights. We also offer certain controls to all users as a courtesy, regardless of location.

How to Exercise Your Rights

Many controls (account deletion, data export, pausing sync) are available self-serve from your dashboard. For all other requests, you may use either of the following methods:

1. Email gcalbusymirror@gmail.com with subject "Privacy Request – [Your Right]"
2. Use the in-app settings page (dashboard → Account Settings → Privacy Request)

We will respond within 30 days and may extend to 90 days for complex requests, with notice within the first 30 days. We will not charge a fee for reasonable requests. We may verify your identity before acting.

Lodging a Complaint (EEA / UK Users)

If unsatisfied with our response, you may lodge a complaint with your national supervisory authority. EU authorities are listed at edpb.europa.eu. UK users may contact the ICO.

Residents of certain US states (including California, Colorado, Virginia, Connecticut, and Utah) may have additional privacy rights under applicable state law.

Categories of Personal Information We Collect (California)

In the past 12 months, we have collected the following categories of personal information:

• Identifiers (email address, session identifiers, IP address)
• Commercial information (subscription status, Stripe customer ID)
• Internet/network activity (session cookie, infrastructure logs)
• Inferences — we do not draw or store inferences about you

Sources: Directly from you; Google OAuth; our hosting infrastructure (Railway).

Business purposes: Providing the sync service; billing; security; sending invited-user notifications.

Categories disclosed to service providers: Identifiers and commercial information (to Stripe and SendGrid as necessary for billing and email delivery); infrastructure data (to Railway for hosting).

Retention: As described in Section 8.

Rights That May Apply

• Right to Know / Access: Request information about the personal data we collect, use, and disclose about you.
• Right to Delete: Request deletion of your personal data (subject to legal exceptions).
• Right to Correct: Request correction of inaccurate personal data.
• Right to Opt Out of Sale or Sharing: We do not sell or share your personal data for cross-context behavioral advertising. No opt-out action is required.
• Right to Non-Discrimination: We will not deny service or treat you differently for exercising your privacy rights.
• Right to Appeal (Colorado, Virginia, Connecticut): If we decline your request, email us with "Privacy Appeal" in the subject line. We will respond within 45 days.

Sensitive Personal Information

We do not intentionally collect sensitive personal information as defined under California law (such as Social Security numbers, precise geolocation, racial or ethnic origin, or biometric data). While calendar timing data could, in some contexts, allow inferences, we minimize this by never storing event content and never drawing or retaining inferences.

Do Not Sell or Share

We do not sell your personal data or share it for targeted advertising. We do not knowingly sell or share personal data of consumers under 18 years of age.

How to Submit a Request

You may submit a request by either of the following methods:

1. Email gcalbusymirror@gmail.com with "US Privacy Request" in the subject line
2. Use the in-app privacy request option in Account Settings

We will verify your identity and respond within timeframes required by applicable law (generally 45 days, extendable by 45 days with notice). California residents may designate an authorized agent — we will require written authorization and may verify your identity directly.

We take reasonable technical and organizational measures to protect your data:

• Encryption in transit: All communication uses TLS (HTTPS).
• Encryption at rest: Google OAuth tokens are encrypted using AES-256-GCM before being written to the database.
• Minimal data storage: Personal event content is processed in memory only and never written to disk.
• Secure session cookies: Session cookies are HTTP-only and transmitted only over HTTPS in production. They do not contain calendar content.
• Access controls: Access to production systems is limited using least-privilege controls. Only authorized personnel may access production data when necessary for operations, support, or security, and access is restricted and monitored.
• Secrets management: API keys are stored as environment variables, not in source code.

No system is perfectly secure. Where required by applicable law, we will notify relevant regulators and affected individuals within the legally required timeframes following discovery of a data breach.

We use only strictly necessary cookies to operate the service. In many jurisdictions, consent is not required for strictly necessary cookies, though you can control cookies via browser settings. Note that blocking the session cookie will prevent you from logging in.

We do not use advertising cookies, behavioral tracking cookies, or third-party analytics tools. We do not use localStorage or other browser storage for tracking. This privacy policy page uses only system fonts and loads no resources from third-party CDNs.

Busy Mirror is intended for users 18 years of age and older. We do not permit use by minors and do not knowingly collect personal data from anyone under 18. If you believe someone under 18 has created an account, please contact gcalbusymirror@gmail.com and we will delete it promptly.

Busy Mirror supports team and organization accounts. If you join an organization account, the following applies:

• The organization admin can invite and remove members and view limited account information (such as work email address and sync status). Admins cannot view your personal calendar content through Busy Mirror.
• If the org admin deletes the organization, all member accounts and associated data are deleted and Google access is revoked for all members.
• If you are a regular member (not an admin) and delete your own account, you are removed from the organization but the organization's subscription and other members are not affected.
• Busy Mirror follows the instructions of the organization admin for membership management, consistent with this privacy policy.

Busy Mirror creates "Busy" blocks in your work Google Calendar. While these blocks are marked private, you should be aware of the following:

• Your employer's Google Workspace administrators may have the ability to access, export, or audit calendar data — including events marked "private" — depending on their organization's settings and policies.
• The timing of busy blocks (when you are unavailable) is visible to anyone who can view your calendar's free/busy information.
• We recommend reviewing your organization's Google Workspace data access policies with your IT or HR department before using this service.

We have no control over your employer's access to your work calendar. Our privacy protections cover what we collect and store on our own systems — not what your employer can access through their own Google Workspace admin tools.

We may update this Privacy Policy from time to time. When we do:

• We will update the "Effective Date," "Last Updated," and version number at the top of this page.
• For material changes (changes affecting how we collect or use data), we will notify you by email at least 30 days before the change takes effect.
• For minor changes (typos, clarifications), we will update the page without prior notice.
• Prior versions are available upon request at gcalbusymirror@gmail.com.

Material changes take effect on the stated effective date. If you do not agree with a material change, you should stop using the service and delete your account before that date. We will delete your data as described in Section 8.

For questions, concerns, or privacy requests regarding this policy or your personal data: