Privacy Policy
Last updated: [DATE]
Summary (the TL;DR)
- We collect what's needed to run the Service — your email, the deals/notes you create, your billing details if you're paying.
- We don't sell your data. We don't use it to train models.
- You can export or delete your data anytime.
- We use a small, named set of subprocessors (listed below).
- Data is encrypted at rest and in transit.
1. Who we are
Dealboard ("we") is the data controller for the personal data you submit to our Service. Address: [LEGAL ADDRESS]. Contact: privacy@[YOUR_DOMAIN].
2. What we collect
We collect the following categories of data:
- Account data: name, email, profile image, password hash if applicable, sign-in provider identifiers.
- Customer Data: the deals, notes, attachments, contacts, and other content you put into the Service.
- Usage data: in-app events (deal_created, login, etc.) that we use to understand product behavior. Limited PII — we link events to your user ID, not to your IP or device.
- Technical data: server logs, error reports (scrubbed of customer data fields), basic analytics from Cloudflare Web Analytics (no cookies).
- Billing data (when applicable): processed by Stripe; we never see your card numbers.
3. How we use it
We use personal data to:
- Provide, maintain, and improve the Service.
- Authenticate you and protect your account.
- Communicate with you about the Service (transactional emails, security notices, product updates).
- Detect and prevent abuse, fraud, and security incidents.
- Comply with legal obligations.
We do not use Customer Data to train machine-learning models, sell it to third parties, or share it with advertisers.
4. Legal bases (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Contract — providing the Service you signed up for.
- Legitimate interests — securing the Service, preventing abuse, basic product analytics.
- Consent — for any optional cookies/analytics beyond what's strictly necessary; for marketing email.
- Legal obligation — tax records, lawful requests.
5. Subprocessors
We use the following subprocessors to operate the Service:
- Fly.io — application hosting + Postgres database (US/EU regions, encrypted at rest).
- Cloudflare R2 — file attachment storage (encrypted at rest).
- Cloudflare — DNS, CDN, web analytics (no cookies).
- Resend — transactional email delivery (magic links, invites, password reset).
- Stripe — payment processing (PCI DSS-compliant; we never see card data).
- Google — optional Google sign-in (you choose).
We will notify customers in advance of material subprocessor changes and give them the opportunity to object.
6. International transfers
Data may be processed in the United States, the European Union, or other locations where our subprocessors operate. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
7. Retention
We retain account and Customer Data for as long as your account is active. On account deletion, we delete or anonymize data within 30 days, except where retention is legally required (e.g., billing records: 7 years). Backups are purged within an additional 30 days.
8. Your rights
Depending on your jurisdiction, you may have rights to access, correct, port, restrict, object to, or delete your personal data. You may exercise these rights in-app (Account → Privacy) or by emailing privacy@[YOUR_DOMAIN]. We will respond within 30 days. Residents of California, Virginia, Colorado, Connecticut, Utah, and similar state-law jurisdictions have additional rights under those laws; the same channels apply.
9. Security
We use industry-standard technical and organizational measures, including:
- TLS for all data in transit.
- AES-256 encryption at rest for database and file storage.
- Role-based access controls and least-privilege access for employees.
- Secrets stored in encrypted secret managers, never in code.
- Routine vulnerability scanning and dependency updates.
- Audit logging of sensitive admin actions.
No system is perfectly secure. If you become aware of a security issue, please email security@[YOUR_DOMAIN].
10. Children
The Service is not directed to children under 16, and we do not knowingly collect data from them.
11. Cookies
We use first-party cookies strictly necessary for authentication (session tokens) and CSRF protection. We do not use third-party tracking cookies. Our analytics provider (Cloudflare Web Analytics) is cookieless.
12. Changes to this policy
We may update this policy from time to time. We will give notice of material changes by email or in-product at least 30 days before the effective date.
13. Contact
Questions, requests, or concerns? privacy@[YOUR_DOMAIN]
