Privacy Policy

Last updated: 2025-01-19

1. Introduction

Board of One ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, password (encrypted)
  • Profile Information: Business context, preferences, subscription tier
  • Decision Submissions: Questions and decisions you submit for deliberation
  • Payment Information: Billing details (processed via Stripe)

2.2 Automatically Collected Information

  • Usage Data: Pages visited, features used, session duration
  • Technical Data: IP address, browser type, device information, operating system
  • Cookies: See our Cookie Policy

2.3 AI-Generated Content

  • Deliberation Transcripts: Expert contributions, facilitator summaries, synthesis reports
  • Analytics: Convergence scores, session duration (admin-only, not shared with end users)

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process your deliberations and generate recommendations
  • Manage your account and subscriptions
  • Send service-related communications (session updates, account notifications)
  • Respond to your inquiries and support requests
  • Analyze usage patterns to improve our deliberation model (anonymized and aggregated data only)
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract Performance: To provide the Service you've subscribed to
  • Legitimate Interests: To improve our Service and prevent fraud
  • Consent: For marketing communications (opt-in only)
  • Legal Obligation: To comply with tax, accounting, and regulatory requirements

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We share data with trusted service providers who assist us in operating the Service:

  • Anthropic (Claude API): AI deliberation processing
  • Voyage AI: Semantic embeddings for research cache
  • Supabase: Authentication and database hosting
  • Stripe: Payment processing
  • Hosting Providers: Cloud infrastructure (AWS, Railway, or similar)

These providers are contractually obligated to protect your data and use it only as instructed.

5.2 We Do NOT Share

  • Your decision submissions with other users (unless you explicitly share them)
  • Personal data with advertisers or marketers
  • Deliberation transcripts with third parties (except service providers necessary to operate the Service)

5.3 Legal Disclosures

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

6. Data Retention

  • Account Data: Retained while your account is active
  • Deliberation Data: Retained for 1 year by default (configurable in settings: 1 year, 2 years, or indefinite)
  • Anonymized Analytics: Retained indefinitely for research and improvement
  • Deleted Accounts: Personal data anonymized within 30 days of account deletion request

7. Your Rights (GDPR)

You have the right to:

  • Access: Request a copy of your personal data (Settings → Privacy → Export Data)
  • Rectification: Correct inaccurate or incomplete data (Settings → Profile)
  • Erasure ("Right to be Forgotten"): Request deletion of your account and personal data (Settings → Privacy → Delete Account)
  • Data Portability: Receive your data in a machine-readable format (JSON export)
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request temporary restriction of processing
  • Withdraw Consent: For marketing communications (unsubscribe link in emails)

To exercise these rights, contact us at privacy@boardof.one or use the settings page.

8. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit (TLS/SSL) and at rest (AES-256)
  • Secure authentication (Supabase Auth with JWT tokens)
  • Regular security audits and penetration testing
  • Access controls and role-based permissions
  • Automated backups with encryption

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the UK/EEA where our service providers operate (e.g., United States for Anthropic Claude API). We ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Adequacy decisions (where applicable)
  • Compliance with GDPR transfer requirements

10. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Continued use after changes constitutes acceptance of the updated policy.

12. Contact and Complaints

For privacy-related questions or concerns, contact us at: privacy@boardof.one

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/

13. Data Protection Officer

For data protection inquiries, contact our Data Protection Officer at: dpo@boardof.one