← noboard

Privacy Policy

Last updated: 2026-04-28

DRAFT — pending legal review. Use this notice as a good-faith statement of intent. The final binding policy will be published before paid plans go live; in the meantime, write to [email protected] with any specific question.

1. Who we are

noboard is operated by Produce Stuff Ltd ("we", "us"). You can reach us at [email protected].

2. Data we collect

  • Account data: email, display name, hashed password, sign-in timestamps.
  • Workspace content: nodes, comments, tags, and any context you write into the board. Treat content you put into a public_read workspace as public.
  • Operational telemetry: request logs, error traces, anonymous performance metrics. Used to keep the service running and debug failures.
  • Product analytics: page views, feature usage events. Off by default in self-hosted mode; on for the hosted product. We do not sell or share this data.
  • Billing data (when paid plans launch): processed by our payment provider (Stripe). We never see or store full card numbers.

3. Purposes and lawful basis

  • Operating the service (contract).
  • Securing accounts, preventing abuse (legitimate interest).
  • Improving the product through aggregated usage analysis (legitimate interest).
  • Sending transactional email — verification, password reset, billing receipts (contract).
  • Sending lifecycle email — trial reminders, product updates — only with consent; you can unsubscribe at any time.

4. Where your data is stored

noboard runs on Cloudflare Workers (global edge), with primary data in Neon Postgres (AWS US-West) and assets in Cloudflare R2 (West North America). Email delivery uses Cloudflare Email Sending. EU-region data hosting is on the roadmap; if you require EU storage today, contact us before signing up.

5. Sub-processors

We use the following sub-processors:

  • Cloudflare — compute, DNS, R2 object storage, email delivery.
  • Neon — managed Postgres database.
  • Stripe (when paid plans launch) — payment processing.
  • PostHog — product analytics, when enabled.

6. Retention

Active workspace content is retained for as long as your account is active. If you delete your account we delete or anonymise your personal data within 30 days, except where retention is required for legal or accounting reasons (typically up to 7 years for billing records).

7. Your rights

Subject to applicable law (UK GDPR / EU GDPR / similar), you have the right to access, correct, port, or delete your data, to object to or restrict processing, and to lodge a complaint with a supervisory authority. To exercise any of these, write to [email protected].

8. Cookies

We set a session cookie on sign-in. Analytics cookies are loaded only after you accept the cookie banner. We do not use advertising or cross-site tracking cookies.

9. Children

noboard is not intended for users under 16. Do not create an account or submit data to us if you are under 16.

10. Changes

We will publish material changes to this notice at this URL and update the "Last updated" date. Continued use after a change constitutes acceptance.