Privacy Policy
Last updated: March 11, 2026
1. Introduction
Boardupscale ("we", "our", or "us") is an open-source project management platform operated by CodeUpscale. This Privacy Policy explains how we collect, use, store, and share information when you access or use boardupscale.com and any related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you are self-hosting Boardupscale, this policy applies only to data processed by the hosted version at boardupscale.com. Your own self-hosted instance is outside our control and your organisation is the data controller for that data.
2. Information We Collect
Account information. When you register, we collect your name, email address, and organisation name. You may optionally provide a profile photo.
Usage data. We automatically collect information about how you interact with the Service, including pages visited, features used, and actions taken (e.g., creating issues, moving cards).
Log data. Our servers automatically record standard log information such as your IP address, browser type, operating system, referrer URL, and timestamps.
Communications. If you contact us for support, we retain the content of those communications and your contact details.
OAuth data. If you sign in via Google, GitHub, or Microsoft, we receive your name, email, and profile photo from the respective provider. We do not store OAuth tokens beyond the session.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Create and manage your account
- Send transactional emails (email verification, password reset, notifications you configure)
- Respond to support requests
- Detect and prevent fraudulent or abusive activity
- Analyse usage patterns to improve the Service
- Comply with legal obligations
We do not sell your personal data to third parties, nor do we use it for targeted advertising.
4. Data Sharing
We may share your information with:
- Service providers. Trusted third parties that help us operate the Service (e.g., cloud hosting, email delivery, error tracking). These parties are contractually bound to protect your data and process it only on our behalf.
- Your organisation. Administrators of your Boardupscale organisation can see member names, email addresses, and activity within that organisation.
- Legal requirements. We may disclose information if required by law, court order, or government request, or to protect the rights and safety of our users or the public.
- Business transfers. In the event of a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
5. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or compliance reasons (e.g., billing records, audit logs required by law).
Issue content, comments, and project data created by you may remain visible to other members of your organisation after you leave, as they form part of the project record.
6. Security
We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, bcrypt password hashing, JWT with short-lived access tokens (15 minutes), and role-based access controls.
No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
7. Cookies
We use essential cookies for authentication sessions and CSRF protection. For details, see our Cookie Policy.
8. Your Rights
Depending on your location, you may have the following rights under applicable data protection laws (including GDPR, CCPA):
- Access. Request a copy of the personal data we hold about you.
- Correction. Request correction of inaccurate data.
- Deletion. Request deletion of your personal data.
- Portability. Request a machine-readable export of your data.
- Objection. Object to or restrict certain processing activities.
- Withdraw consent. Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@boardupscale.com. We will respond within 30 days.
9. International Transfers
Your information may be transferred to, and maintained on, servers located outside your jurisdiction where data protection laws may differ. By using the Service, you consent to such transfers. Where required, we use Standard Contractual Clauses approved by the European Commission to safeguard transfers from the EEA.
10. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal information, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will also send an in-app notification or email.
12. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us at:
CodeUpscale / Boardupscale
privacy@boardupscale.com
GitHub Issues