toobusyto logo

Privacy policy

Last updated April 24, 2026

This policy explains what information toobusyto (“we”, “us”) collects when you use the toobusyto mobile app and toobusyto.ca, how we use it, and the choices you have. It is designed to comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec’s Law 25 (formerly Bill 64), and Canada’s Anti-Spam Legislation (CASL).

1. Information we collect

Account information

When you sign up we collect your email address, display name, phone number, mailing address (street, city, province, postal code), and any profile photo you upload.

Identity verification (Partners only)

Before a Partner can apply to a Gig, we require identity verification through Stripe Identity, a service provided by Stripe, Inc. During verification you will be asked to submit photos of a government-issued identity document (driver’s licence, passport, or national ID card). These document images are transmitted directly to Stripe and are processed by Stripe under its own privacy policy (stripe.com/privacy). We receive from Stripe only the verification result (verified / requires re-submission / canceled) and a Stripe reference identifier — we do not store copies of your ID documents on our servers. Stripe retains verification records for as long as required to satisfy its legal obligations.

Phone verification

We verify your phone number using Twilio Verify (Twilio Inc.). Your phone number is shared with Twilio for the sole purpose of delivering a one-time verification code by SMS. Twilio processes this data under its own privacy policy.

Location

We use precise location (GPS) for three purposes:

  • Helping customers drop an accurate pin when posting a gig.
  • Showing partners a map of gigs near them.
  • Sharing a partner’s live location with the paying customer while a gig is in progress, so the customer knows when to expect them. Tracking stops the moment the partner marks the gig complete or cancelled.

You can revoke location access at any time in your device settings. Revoking it disables gig matching and live tracking.

Photos

Several flows store photos in Firebase Storage:

  • Profile photo and portfolio. Visible to any signed-in user on your public profile and on bid lists.
  • Service photos. Visible to any signed-in user when they browse partners.
  • Completion proof photos. Uploaded by the partner when they mark a gig completed. Visible to the gig’s customer, the assigned partner, and our admins for dispute resolution.
  • Gig attachments. Uploaded when posting a gig. Visible only to parties to that gig and our admins.

Anyone can flag a photo for review using the “Report” affordance attached to it. We retain reports in a moderation queue and remove offending images.

Address

At signup we ask for your home address (Ontario only at launch). We verify it against the Google Places API and store the canonical street, city, postal code, and latitude/longitude on your profile. When you post a gig the address gets split:

  • Public: only your city + province, plus a fuzzed approximate latitude/longitude (rounded to about 300 metres). Visible to any signed-in user via the gig feed.
  • Private: the exact street + latitude/longitude. Visible only to the gig’s customer (always) and the assigned partner (post-accept), plus our admins.

Payment information

All payments are processed by Stripe, Inc. We never see or store your full card number. We keep the Stripe payment intent id and the last four digits of your card so you can recognize past charges. Where applicable under Canadian tax law we also retain transaction totals, tax amounts, and GST/HST-registered business numbers on receipts.

Push notification tokens

When you enable push notifications, we store an Expo Push Token (a device identifier issued by Expo, Inc.) on your profile so we can deliver notifications through the Expo Push service. The token is not a personally identifying number — it cannot be used to send you unsolicited pushes from anyone but us. You can revoke push notifications any time in your device settings.

Usage & diagnostic data

We log basic events (screens viewed, errors) through Firebase so we can fix bugs and understand usage. These logs don’t include the contents of your messages or gig details.

2. How we use it

  • To run the marketplace: match customers with partners, process payments, release payouts.
  • To verify Partner identity before they can apply to Gigs, to keep the marketplace safe.
  • To communicate with you about your account, gigs, receipts, and support tickets (transactional email and push).
  • To send you marketing emails only if you’ve consented — see Section 4.
  • To prevent fraud and enforce our terms.
  • To improve the app.

3. Who we share it with

  • The other party to your gig. Customers see partner names, profile photos, ratings, and live location while a gig is in progress. Partners see the customer’s name, gig details, pickup/drop-off address, and messages.
  • Service providers we rely on.
    • Stripe, Inc. — payments, payouts, and identity verification.
    • Google / Firebase — authentication, database, file storage, and push infrastructure.
    • Google Maps Platform — map rendering and address autocomplete (Places API). Address text you type into the signup form is sent to Google to return suggestions.
    • Apple, Inc. — “Sign in with Apple”. If you choose this option, Apple sends us your identity token and (if you allow it) your name. Apple doesn’t share your real email if you use the “Hide My Email” relay.
    • Google OAuth — “Sign in with Google”. If you choose this option, Google sends us your identity token, name, and email.
    • Expo, Inc. — push notification delivery.
    • Twilio, Inc. — phone number verification by SMS.
    • Resend, Inc. — transactional and (consent-based) marketing email delivery.
    Each service provider processes your data only as needed to deliver its service to us, under a data processing agreement consistent with PIPEDA and Law 25.
  • Law enforcement when required by law or valid process.

We do not sell your personal information.

4. Marketing emails and consent (CASL)

We may send you marketing or promotional emails — for example, announcements of new features or seasonal promotions — only if you have given express or implied consent under CASL. Every marketing email we send includes an unsubscribe link and our physical business address. Unsubscribing takes effect within 10 business days (and usually immediately). Transactional emails (payment receipts, identity verification results, account and security notices) are sent whenever they are needed to service your account and are not subject to marketing consent.

You can unsubscribe at any time by clicking the link at the bottom of any marketing email, or by emailing support@toobusyto.ca with the subject line “Unsubscribe”.

5. Retention

We keep your account data while your account is active. If you delete your account (see Delete account), we remove your profile and gig history within 30 days, except where we’re required to retain records for tax, accounting, or legal reasons — typically 6 years for payment and GST/HST records under the Canadian Income Tax Act and Excise Tax Act.

6. Your rights

Under PIPEDA and (if you reside in Quebec) Law 25, you have the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Request that we delete your account and associated data.
  • Withdraw your consent to the collection or use of your personal information, subject to legal or contractual restrictions (for example, we must retain certain tax records).
  • Request that your data be provided to you or transmitted to another organization in a structured, commonly used electronic format (data portability, where technically feasible).

To exercise any of these rights, email our Privacy Officer (see Section 9). We will respond within 30 days.

7. International transfers

Some of our service providers (Stripe, Firebase, Expo, Resend) may process and store your personal information on servers located outside of Canada, including in the United States. When this happens, your information remains subject to the laws of the jurisdiction in which it is stored, which may differ from Canadian law. We contractually require our service providers to protect your information to a standard consistent with Canadian law.

8. Children

toobusyto isn’t for anyone under 18. We don’t knowingly collect information from children.

9. Privacy Officer & contact

Under Quebec Law 25, we have designated a Privacy Officer responsible for toobusyto’s compliance with this policy and Canadian privacy law. You may contact the Privacy Officer with any question, concern, or request at:

Privacy Officer, toobusyto
privacy@toobusyto.ca

General questions: support@toobusyto.ca.

10. Changes

If we make material changes we’ll notify you in the app and update the “last updated” date above. Continuing to use toobusyto after changes take effect means you accept them.