This Privacy Policy explains what personal information Inboard (“we”) collects, why we collect it, and the rights you have over it. If you are visiting inboard.dev as a prospect, signing up as a customer, or interacting with a customer’s widget as an end-user, this policy applies to you.
1. Who is the controller
For account holders and website visitors, Inboard is the data controller. For end-users interacting with a customer’s embedded widget, our customer is the controller and Inboard acts as the processor.
2. Information we collect
Account information
- name, email, and (when you set one) display name;
- authentication credentials (stored hashed by our auth provider);
- billing details (name, billing address, VAT or tax ID) — payment card numbers are handled by Stripe and never touch our systems.
Service usage
- projects, install templates, variables, and assets you upload (“Customer Content”);
- session and analytics events generated when end-users load your widget;
- API request metadata (timestamps, endpoints, status codes, IP);
- application logs necessary for debugging and security.
End-user data via embedded widgets
When you embed Inboard on your site, the widget collects the minimum telemetry we need to measure install success and protect the service from abuse. We do not collect names, emails, or payment information from end-users unless the install template author specifically configures a step to ask for it. Whatever is collected flows to the install template author’s account and is governed by that customer’s privacy policy.
On the first widget view of a session we record:
- an anonymous session identifier and the URL where the widget loaded;
- browser language, timezone, user-agent string, platform hint, viewport and screen size, device pixel ratio, and referrer (all read from the browser APIs already exposed to the embedding page);
- the visitor’s IP address (see retention below) and the country, region, and city it resolves to at the moment of capture.
As the session progresses we additionally record which requirements were completed, any verification events, and whether the session was abandoned — tied to the same anonymous session identifier. The lawful basis for this processing is legitimate interest (product analytics and anti-abuse); end-users can opt out by disabling the widget on the embedding site.
Website analytics and cookies
inboard.dev uses first-party analytics to measure page views, clicks, and conversion events. We describe exactly what cookies we set and your choices in the Cookie Policy.
3. Why we use it
- to operate the Service — authenticate you, render your install templates, serve the widget, and process billing (contract as the lawful basis);
- to keep the Service reliable and secure — monitor for abuse, detect bugs, throttle runaway clients, and recover from incidents (legitimate interest);
- to communicate with you — send transactional emails about your account, invoices, and material product changes (contract);
- to comply with law — respond to lawful requests, meet tax obligations, and defend against claims (legal obligation);
- with your consent — for non-essential marketing communications and optional integrations (consent — you can withdraw at any time).
4. How long we keep it
- Account data: for the life of your account plus thirty days after closure to allow recovery, then deleted or anonymised.
- Customer Content: for the life of your account, and deleted within thirty days of account closure or on request.
- Billing records: for at least seven years as required by tax and accounting law in most jurisdictions.
- Security and application logs: typically thirty to ninety days, and up to one year for logs tied to incidents.
- End-user widget IP addresses: the full IP address is retained for sixty days for debugging and anti-abuse, after which it is truncated to the /24 block for IPv4 or the /48 block for IPv6. The resolved country, region, and city are stored separately and retained indefinitely so the geographic signal survives truncation.
5. Sub-processors
We engage the following sub-processors to deliver the Service. We remain responsible to you for the acts and omissions of each sub-processor.
| Provider | Purpose | Processing location |
|---|---|---|
| Supabase | Database hosting, authentication, object storage | European Union (primary) / United States (backups) |
| Vercel | Web and edge hosting for the dashboard and marketing site | Global edge — originating region in the EU/US |
| Stripe | Payment processing and invoice generation | United States (Stripe Inc. is the data controller for cardholder data) |
Before adding or replacing a sub-processor, we will update this list and give customers a reasonable opportunity to object. You can ask for a signed Data Processing Agreement (DPA) at legal@inboard.dev.
6. International transfers
Personal data may be transferred to and processed in countries other than your own. When data leaves the European Economic Area, we rely on Standard Contractual Clauses with each sub-processor, supplemented by the UK Addendum where applicable. A copy of the relevant safeguards is available on request.
7. Your rights
Under the GDPR (EEA/UK residents)
You have the rights to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent at any time. You can exercise most of these rights directly from the dashboard; where that is not possible, email privacy@inboard.dev. You also have the right to lodge a complaint with your local supervisory authority.
Under the CCPA/CPRA (California residents)
California residents have the right to know what personal information we collect, to delete it, to correct it, to opt out of any sale or sharing (we do not sell personal information and do not share it for cross-context behavioural advertising), and to non-discrimination for exercising these rights. Requests can be submitted to privacy@inboard.dev. We will verify your identity before responding.
8. Security
We encrypt traffic in transit with TLS and at rest through our infrastructure providers. We apply least-privilege access controls, review sub-processor security annually, and maintain an incident response process. No system is perfectly secure; if we learn of a breach that affects your personal data we will notify you without undue delay and within the windows required by law.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect information from them. If you believe a child has provided us with personal information, contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. For material changes we will give at least thirty days’ notice by email or in the dashboard. The “Last updated” date above always reflects the current version.
11. Contact
For privacy questions or to exercise your rights: privacy@inboard.dev.