Privacy Policy

Last updated: January 2025

1. Introduction

At Boardwise, we understand that board materials and governance information are among the most sensitive data any organization handles. This Privacy Policy explains how we collect, use, protect, and handle your personal information and organizational data when you use our board management software.

Our commitment: Your data is your data. We act as a trusted custodian, never as an owner or seller.

2. Information We Collect

Account Information

  • Name, email address, and password
  • Organization name and role
  • Profile information you choose to provide
  • Multi-factor authentication preferences

Content Data

  • Meeting agendas, minutes, and documents you upload
  • Messages and communications within the platform
  • Committee and board member information
  • Calendar and scheduling data
  • Action items and task assignments

Technical Information

  • IP addresses and device information
  • Browser type and operating system
  • Usage patterns and feature interactions
  • Error logs and performance data

3. How We Use Your Information

Service Delivery

  • Providing the Boardwise platform and features
  • Synchronizing calendar integrations
  • Sending meeting notifications and reminders
  • Processing document uploads and annotations
  • Managing user access and permissions

Communication

  • Sending service-related notifications
  • Responding to your support requests
  • Providing account and billing information
  • Notifying you of important service updates

Service Improvement

  • Analyzing usage patterns to improve features
  • Diagnosing and fixing technical issues
  • Ensuring security and preventing abuse
  • Planning new features and functionality

4. Data Sharing and Disclosure

We Do NOT Share Your Data

We do not sell, rent, or trade your personal information or organizational data to third parties for their marketing purposes. Period.

Limited Sharing

We only share your information in these specific circumstances:

  • With your explicit consent for specific purposes
  • Service providers: Hosting (Heroku/Salesforce), email delivery (for notifications), and analytics tools that are bound by strict confidentiality agreements
  • Legal requirements: When required by law, subpoena, or court order
  • Safety purposes: To protect rights, property, or safety of Boardwise, our users, or the public
  • Business transfer: In the event of a merger or sale (new owner must honor this Privacy Policy)

5. Data Security and Infrastructure

Heroku Infrastructure Security

Boardwise is hosted on Heroku, which operates within Salesforce's enterprise infrastructure:

  • SOC 2 Type II certified data centers
  • ISO 27001 compliance
  • PCI DSS certified infrastructure
  • 24/7 monitoring and incident response
  • Regular security audits and penetration testing

Application-Level Security

  • Encryption at rest: All data encrypted using AES-256
  • Encryption in transit: TLS 1.3 for all communications
  • Multi-factor authentication: Required for all users
  • Role-based access: Granular permissions down to document level
  • Audit logging: Complete trail of all access and changes
  • Regular backups: Encrypted backups across multiple geographic regions

6. Data Retention and Deletion

Active Accounts

We retain your data as long as your account remains active or as needed to provide services. You can delete specific documents or data at any time through the platform.

Account Termination

  • Upon account termination, you have 30 days to export your data
  • After 30 days, we begin secure deletion of your data
  • Complete deletion typically occurs within 90 days
  • Some metadata may be retained longer for legal or security purposes
  • Backups are overwritten according to our standard retention cycles

7. Your Privacy Rights

Access and Control

  • View: Access all your personal data through your account settings
  • Edit: Update your information at any time
  • Export: Download all your data in standard formats
  • Delete: Remove specific documents or your entire account

Privacy Rights by Jurisdiction

California (CCPA): Right to know, delete, and opt out of sale (though we don't sell data)

European Union (GDPR): Right to access, rectification, erasure, portability, restriction, and objection

All users: We extend these rights to all users regardless of location

8. Cookies and Tracking

Essential Cookies

We use essential cookies to:

  • Keep you logged in securely
  • Remember your preferences
  • Prevent security threats
  • Ensure proper functioning of the service

Analytics

We use privacy-focused analytics to understand how users interact with our platform. This helps us improve features and identify issues. All analytics data is:

  • Aggregated and anonymized
  • Used only for service improvement
  • Never shared with third parties for marketing
  • Processed with IP anonymization

9. Third-Party Integrations

Calendar Integrations

When you connect calendar services (Google Calendar, Outlook), we:

  • Access only calendar data you explicitly authorize
  • Use this data solely to sync meeting information
  • Store minimal calendar data needed for functionality
  • Allow you to disconnect integrations at any time

Service Providers

Our carefully selected service providers include:

  • Heroku/Salesforce: Application hosting and infrastructure
  • Email delivery services: For sending notifications (not marketing)
  • Payment processing: For billing (PCI-compliant processors)

All service providers are bound by strict data processing agreements and confidentiality requirements.

10. International Data Transfers

Boardwise is hosted in the United States through Heroku's infrastructure. If you're outside the U.S., your data will be transferred to and processed in the United States. We ensure adequate protection through:

  • Standard contractual clauses for EU users
  • Heroku's certifications and security measures
  • Strong encryption for all data transfers
  • Compliance with applicable data protection laws

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes:

  • We'll notify you by email at least 30 days in advance
  • We'll post the updated policy on our website
  • We'll highlight key changes in our notification
  • Your continued use constitutes acceptance of changes

12. Contact Us

We're a small team, and we personally handle all privacy-related inquiries. If you have questions, concerns, or want to exercise your privacy rights:

Privacy Contact:
Email: [email protected]
Subject line: "Privacy Policy Question"

Data Protection Officer:
For EU users: [email protected]

Our Personal Promise: Unlike large corporations, when you contact us about privacy concerns, you're talking directly to the founders who built this platform. We understand the sensitivity of board governance data and take our responsibility as data custodians seriously. Your trust is earned, not assumed.