1. Introduction

Sico Software Ltd, trading as Board of One ("we", "our", or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Information You Provide

Account Information: Email address, name, password (encrypted)
Profile Information: Business context, preferences, subscription tier
Decision Submissions: Questions and decisions you submit for deliberation
Payment Information: Billing details (processed via Stripe)

2.2 Automatically Collected Information

Usage Data: Pages visited, features used, session duration
Technical Data: IP address, browser type, device information, operating system
Cookies: See our Cookie Policy

2.3 Our Minimal Tracking Stance

We believe in collecting only what you consciously provide. Our approach to data collection is:

User-Provided Data: We collect information you explicitly give us (business context, decisions, preferences)
No Subversive Extraction: We do not use hidden trackers, fingerprinting, or surveillance techniques to gather data about you
Privacy-Focused Analytics: We use Umami, which collects only anonymized page views without cookies or personal identifiers
No Advertising Profiles: We do not build profiles about you for advertising purposes or share data with ad networks

2.4 AI-Generated Content

Deliberation Transcripts: Expert contributions, facilitator summaries, synthesis reports
Analytics: Convergence scores, session duration (admin-only, not shared with end users)

3. How We Use Your Information

We use your information to:

Provide, maintain, and improve the Service
Process your deliberations and generate recommendations
Manage your account and subscriptions
Send service-related communications (session updates, account notifications)
Respond to your inquiries and support requests
Analyze usage patterns to improve our deliberation model (anonymized and aggregated data only)
Comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

Contract Performance: To provide the Service you've subscribed to
Legitimate Interests: To improve our Service and prevent fraud
Consent: For marketing communications (opt-in only)
Legal Obligation: To comply with tax, accounting, and regulatory requirements

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We share data with trusted service providers who assist us in operating the Service:

Anthropic (Claude API): AI deliberation processing
Voyage AI: Semantic embeddings for research cache
SuperTokens: Authentication
Neon: Database hosting
Stripe: Payment processing
DigitalOcean: Cloud infrastructure and file storage

These providers are contractually obligated to protect your data and use it only as instructed.

5.2 We Do NOT Share

Your decision submissions with other users (unless you explicitly share them)
Personal data with advertisers or marketers
Deliberation transcripts with third parties (except service providers necessary to operate the Service)

5.3 Protection Against Data Sale

We commit to protecting your data from commercial exploitation:

No Data Brokering: We will never sell, rent, or trade your personal data or deliberation content to third parties
Paying User Protection: If you are a paying customer, your data will never be sold or monetized beyond providing the Service, even in the event of company acquisition or change of ownership
No AI Training Data: Your deliberation content is not used to train external AI models
Acquisition Safeguard: In the event of acquisition, your data protections transfer with your account and cannot be weakened without your explicit consent

5.4 Legal Disclosures

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

6. Data Retention

Account Data: Retained while your account is active
Deliberation Data: Retained for 1 year by default (configurable in settings: 1 year, 2 years, or indefinite)
Anonymized Analytics: Retained indefinitely for research and improvement
Deleted Accounts: Personal data anonymized within 30 days of account deletion request

7. Your Rights (GDPR)

You have the right to:

Access: Request a copy of your personal data (Settings → Privacy → Export Data)
Rectification: Correct inaccurate or incomplete data (Settings → Account)
Erasure ("Right to be Forgotten"): Request deletion of your account and personal data (Settings → Privacy → Delete Account)
Data Portability: Receive your data in a machine-readable format (JSON export)
Objection: Object to processing based on legitimate interests
Restriction: Request temporary restriction of processing
Withdraw Consent: For marketing communications (unsubscribe link in emails)

To exercise these rights, contact us at privacy@boardof.one or use the settings page.

8. Data Security

We implement industry-standard security measures to protect your data:

Encryption in transit (TLS/SSL) and at rest (AES-256)
Secure authentication (SuperTokens with JWT tokens)
Regular security audits and penetration testing
Access controls and role-based permissions
Automated backups with encryption

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the UK/EEA where our service providers operate (e.g., United States for Anthropic Claude API). We ensure adequate safeguards through:

Standard Contractual Clauses (SCCs) approved by the UK ICO
Adequacy decisions (where applicable)
Compliance with GDPR transfer requirements

10. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Continued use after changes constitutes acceptance of the updated policy.

12. Contact and Complaints

For privacy-related questions or concerns, contact us at: privacy@boardof.one

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/

13. Data Protection Officer

For data protection inquiries, contact our Data Protection Officer at: dpo@boardof.one