Privacy Policy

1. Introduction

Welcome to FlowBoard ("we," "our," or "us"), operated by FlowBoard Ltd. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

By using FlowBoard, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Personal Information

When you create an account, we collect:

• Email address
• Display name (optional)
• Profile photo (optional)
• Username

2.2 Workspace and Project Data

We store data you create in FlowBoard:

• Workspaces and their settings
• Tasks, ideas, and project items
• Comments and attachments
• Team member information
• Custom fields and configurations

2.3 Payment Information

Payment processing is handled by Stripe. We do not store credit card information. Stripe may collect payment details in accordance with their privacy policy.

2.4 Usage Data

We may collect information about how you access and use FlowBoard, including:

• Device information
• Browser type and version
• IP address
• Pages visited and features used

2.5 AI-Generated Content

FlowBoard uses AI-powered features to enhance your experience:

• AI-powered changelog generation
• AI-powered email newsletter generation
• AI user story generation (when ideas are accepted)

These features process your content to generate summaries and formatted content. You have the right to opt-out of AI processing or request human review of AI-generated content. Contact us at privacy@flowboard.dev to exercise this right.

3. How We Use Your Information

We use the collected information for:

• Providing and maintaining our service
• Processing payments and managing subscriptions
• Sending transactional emails (password resets, notifications, workspace updates)
• Sending marketing communications (with your consent)
• Providing customer support via email
• Gathering analysis or valuable information to improve our service
• Monitoring usage and detecting technical issues
• Generating AI-powered content (changelogs, newsletters, user stories)

4. Legal Basis for Processing (GDPR)

We process your personal data based on:

• Contract: To provide our services and fulfill our Terms of Service
• Consent: For marketing communications and non-essential cookies
• Legitimate Interest: For service improvement, security, and fraud prevention
• Legal Obligation: To comply with applicable laws and regulations

5. Data Storage and Location

Your data is stored using Firebase (Google Cloud Platform) in the europe-west1 region (Belgium, European Union). This means your personal data is primarily stored within the EU/EEA.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

• SSL/TLS encryption for data in transit
• Firebase security rules and access controls
• Secure authentication mechanisms
• Regular security reviews

6. Third-Party Services

We use the following third-party services:

• Firebase (Google Cloud Platform): Authentication, database, hosting, and analytics. Data stored in EU (Belgium).
• Stripe: Payment processing. Stripe may process data in various regions as per their privacy policy.
• Google OAuth: Authentication provider
• Google Analytics: Website analytics. May process data in the United States.

These services have their own privacy policies. We have Data Processing Agreements (DPAs) in place with these providers to ensure your data is handled in accordance with applicable data protection laws. Where data is transferred outside the EU/EEA (such as with Google Analytics), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data ("Right to be Forgotten")
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, please contact us at privacy@flowboard.dev or use the privacy settings in your account. We aim to respond to all requests within:

• Data access requests: Within 30 days as required by GDPR
• Deletion requests: Within 7 days
• Other requests: Within 7 business days

You can also use our automated data export feature in your account privacy settings to download all your data at any time.

8. Data Retention

We retain your personal data for as long as necessary to:

• Provide our services to you
• Comply with legal obligations
• Resolve disputes and enforce agreements

When you delete your account, we will immediately delete or anonymize your personal data, except where we are required to retain it for legal or compliance reasons:

• Billing records: Retained for 7 years as required by tax law
• Inactive accounts: Retained until you request deletion (we do not automatically delete inactive accounts)

9. Cookies

We use cookies to enhance your experience. For detailed information about our use of cookies, please see our Cookie Policy.

10. Children's Privacy

FlowBoard is not intended for users under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@flowboard.dev.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request information about what personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the "sale" or "sharing" of personal information (we do not sell or share your personal information)
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise your California privacy rights, contact us at privacy@flowboard.dev. We will respond within 45 days (may be extended to 90 days with notice).

12. International Data Transfers

Your personal data is primarily stored in the European Union (Belgium). However, some third-party services may process data outside the EU/EEA:

• Google Analytics: May process data in the United States
• Stripe: May process payment data in various regions

When we transfer your personal data outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in accordance with GDPR requirements.

13. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated Privacy Policy on this page
• Sending an email notification to your registered email address
• Displaying a notice in the Service

We will provide at least 30 days' notice before material changes take effect. You are advised to review this Privacy Policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us: