Privacy Policy
Last updated: May 2, 2026
This Privacy Policy explains how Boardbox (“we,” “us”) collects, uses, shares, and protects information when you use the Boardbox service (the “Service”). It applies to our website, app, and integrations.
1. Information We Collect
1.1 Information you provide
- Account information: name, email, password (hashed), profile photo.
- Billing information: processed by our payment provider (Stripe). We receive limited metadata (last four digits, card brand, billing country) — we do not store full card numbers.
- Workspace content: messages, channels, profiles, artifacts, documents, media uploads, and any other content you create or upload (“Workspace Content”).
- Integration data: when you connect a third-party service (e.g., Linear, GitHub, Slack, Notion, Google Drive), we receive data from that service per the scopes you authorize.
- Communications: support requests, feedback, survey responses.
1.2 Information collected automatically
- Usage data: pages visited, features used, click and scroll events, session duration, referring URLs.
- Device & log data: IP address, browser type, operating system, device identifiers, crash logs, timestamps.
- Cookies & similar technologies: see Section 8.
1.3 Information from third parties
- Authentication providers (e.g., Google, GitHub) if you sign in with them — we receive your name, email, and a unique identifier.
- AI model providers (e.g., Anthropic, OpenAI) — we send prompts and receive outputs; their handling is governed by their own privacy terms.
- Analytics providers (e.g., PostHog, Sentry) — usage and error data.
2. How We Use Information
We use information to:
- Provide, operate, and maintain the Service.
- Generate AI-assisted output based on your inputs and stored context.
- Authenticate you, prevent fraud, and secure the Service.
- Process billing and subscriptions.
- Respond to support requests and communicate about the Service.
- Improve the Service, debug, and develop new features.
- Comply with legal obligations and enforce our Terms.
- Send service announcements and, with consent where required, marketing emails (you can unsubscribe at any time).
We do not sell your personal information.
3. AI Processing
When you use AI features:
- Your prompts and the relevant workspace context are sent to third-party AI model providers (e.g., Anthropic, OpenAI) to generate a response.
- These providers process the data under their own data protection terms; we contractually require they not use your data to train their public models, where such terms are offered.
- Outputs may be inaccurate. You are responsible for reviewing them.
We do not voluntarily use Workspace Content to train foundation models. If we ever introduce features that use your data for model improvement, they will be opt-in.
4. How We Share Information
We share information only as described:
- Service providers (sub-processors): hosting, databases, payment processing, email delivery, AI model APIs, analytics, error monitoring. We bind these providers to confidentiality and data-protection obligations.
- Third-party integrations you connect: data is shared per the scopes you authorize. Disconnecting an integration stops further sharing.
- Other workspace members: content you post in shared channels or workspaces is visible to other members of those workspaces.
- Legal & safety: we may disclose information to comply with law, respond to lawful requests, enforce our Terms, or protect rights, property, or safety.
- Business transfers: if Boardbox is involved in a merger, acquisition, or asset sale, information may transfer, subject to this Policy or notice of changes.
5. Data Retention
- Account & workspace content: retained while your account is active.
- After deletion: Workspace Content is removed from production systems within 30 days; backups are purged on a rolling 90-day cycle.
- Billing & legal records: retained as long as required by tax, accounting, or legal obligations (typically up to 7 years).
- Logs: typically retained for 30–90 days.
You can export or delete your data from account settings.
6. Your Rights
Depending on where you live, you may have rights to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information.
- Object to or restrict certain processing.
- Port your information to another service.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with a supervisory authority (EEA/UK).
To exercise these rights, email hello@tryboardbox.com. We will respond within the time required by applicable law (typically 30 days).
6.1 California residents (CCPA/CPRA)
You have the right to know, delete, correct, and opt out of “sharing” or “sale” of personal information. We do not sell personal information. To exercise rights, contact us at the email above. You may designate an authorized agent.
6.2 EEA / UK residents (GDPR / UK GDPR)
- Controller: Boardbox is the controller for account and usage data; for Workspace Content, we act as a processor on your behalf.
- Legal bases: contract performance, legitimate interests, consent (where applicable), legal obligation.
- International transfers: data may be transferred to the United States and other countries. We rely on Standard Contractual Clauses or equivalent safeguards.
7. Security
We use technical and organizational measures including encryption in transit (TLS), encryption at rest for sensitive fields, access controls, audit logging, and regular review of sub-processors. No system is perfectly secure; we cannot guarantee absolute security. Report vulnerabilities to hello@tryboardbox.com.
8. Cookies & Tracking
We use cookies and similar technologies to:
- Keep you signed in.
- Remember preferences.
- Measure usage and improve the Service.
- Detect and prevent fraud.
You can control cookies via browser settings. In jurisdictions that require it, we present a cookie banner allowing you to accept or reject non-essential cookies. We honor Global Privacy Control (GPC) signals where required by law.
9. Children’s Privacy
The Service is not intended for individuals under 18 (or the age of majority in your jurisdiction). We do not knowingly collect information from children. If you believe a child has provided us information, contact us and we will delete it.
10. Third-Party Links and Services
The Service may contain links to or integrate with third-party services. We are not responsible for their privacy practices. Review their policies before sharing information.
11. Changes to This Policy
We may update this Policy. Material changes will be communicated by email or in-product notice at least 14 days before they take effect. The “Last updated” date shows the most recent revision.
12. Contact
- Privacy questions / rights requests: hello@tryboardbox.com
- Security: hello@tryboardbox.com
- General: hello@tryboardbox.com