Privacy Policy

Last updated: 2026-03-14

Board of One is built by Sico Software Ltd ("we", "our", or "us"). Your data is yours. This policy explains what we collect, why, and what we do with it. It complies with UK GDPR and the Data Protection Act 2018.

1. What we collect

1.1 What you give us

  • Account Information: Email address, name, password (encrypted)
  • Profile Information: Business context, preferences, subscription tier
  • Decision Submissions: Questions and decisions you submit for deliberation
  • Payment Information: Billing details (processed via Stripe)

1.2 What we pick up automatically

  • Usage Data: Pages visited, features used, session duration
  • Technical Data: IP address, browser type, device information, operating system
  • Cookies: See our Cookie Policy
  • Anti-Abuse Data: Temporary IP-based records for signup rate and failed login tracking (automatically deleted, see section 1.5)

1.3 Our tracking stance

We collect only what you consciously provide. Here's how:

  • User-Provided Data: We collect information you explicitly give us (business context, decisions, preferences)
  • Minimal Browser Identification: We use a lightweight browser fingerprint solely to generate anonymous session identifiers — no personal data is extracted, and identifiers are not persisted beyond your browser session
  • Privacy-Focused Analytics: We use Umami, which collects only anonymized page views without cookies or personal identifiers
  • No Advertising Profiles: We do not build profiles about you for advertising purposes or share data with ad networks

1.4 AI-generated content

  • Deliberation Transcripts: Expert contributions, facilitator summaries, synthesis reports
  • Analytics: Convergence scores, session duration (admin-only, not shared with end users)

1.5 Fraud & abuse prevention

  • We use automated security measures to protect accounts and prevent abuse
  • These may involve temporary processing of your IP address
  • No external services are contacted for these checks; all processing happens on our infrastructure
  • Records are short-lived and automatically deleted (see section 5)

2. How we use it

We use your data to:

  • Run the service — deliberations, recommendations, account management
  • Send you updates about your sessions and account
  • Improve the deliberation model (anonymized, aggregated data only)
  • Comply with legal obligations

3. Legal basis (GDPR)

We process your data under these legal bases:

  • Contract Performance: To provide the Service you've subscribed to
  • Legitimate Interests: To improve our Service and prevent fraud
  • Consent: For marketing communications (opt-in only)
  • Legal Obligation: To comply with tax, accounting, and regulatory requirements

4. Who we share data with

4.1 Service providers

These companies help us run the service:

  • Anthropic (Claude API): AI deliberation processing
  • Voyage AI: Semantic embeddings for research cache
  • SuperTokens: Authentication
  • OpenAI: AI deliberation processing
  • Google (Gemini API): AI deliberation processing
  • Tavily: Web research and search
  • Brave: Web search
  • Stripe: Payment processing
  • DigitalOcean: Cloud infrastructure, database hosting, and file storage
  • Resend: Transactional and marketing email delivery
  • PostHog: Product analytics and session recording (requires analytics consent)
  • Umami: Privacy-focused, cookieless page view analytics (self-hosted)

All providers are contractually bound to protect your data.

4.2 What we don't share

  • Your decision submissions with other users (unless you explicitly share them)
  • Personal data with advertisers or marketers
  • Deliberation transcripts with third parties (except service providers necessary to operate the Service)

4.3 We don't sell your data

Full stop. Here's what that means:

  • No Data Brokering: We will never sell, rent, or trade your personal data or deliberation content to third parties
  • Paying User Protection: If you are a paying customer, your data will never be sold or monetized beyond providing the Service, even in the event of company acquisition or change of ownership
  • No AI Training Data: Your deliberation content is not used to train external AI models
  • Acquisition Safeguard: In the event of acquisition, your data protections transfer with your account and cannot be weakened without your explicit consent

4.4 Legal disclosures

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

5. How long we keep it

  • Account Data: Retained while your account is active
  • Deliberation Data: Retained for 1 year by default (configurable in settings: 1 year, 2 years, or indefinite)
  • Anonymized Analytics: Retained indefinitely for research and improvement
  • Deleted Accounts: Personal data deleted upon account deletion request
  • Anti-Abuse Records: Automatically deleted within hours (signup velocity, login attempts). Cleared immediately on successful login. Extended to 24 hours only for IPs that repeatedly trigger lockouts.

6. Your rights

Under GDPR, you can:

  • Access: Request a copy of your personal data (Settings → Privacy → Export Data)
  • Rectification: Correct inaccurate or incomplete data (Settings → Account)
  • Erasure ("Right to be Forgotten"): Request deletion of your account and personal data (Settings → Privacy → Delete Account)
  • Data Portability: Receive your data in a machine-readable format (JSON export)
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request temporary restriction of processing
  • Withdraw Consent: For marketing communications (unsubscribe link in emails)

To exercise these rights, contact us at privacy@boardof.one or use the settings page.

7. Security

We take security seriously:

  • Your data is encrypted — both in transit and at rest
  • Authentication via secure token-based sessions
  • Role-based access controls
  • Automated encrypted backups
  • Regular security reviews

That said, no system is 100% secure. We can't guarantee absolute security, but we work hard to get close.

8. International transfers

Your data may be transferred to and processed in countries outside the UK/EEA where our service providers operate (e.g., United States for Anthropic Claude API). We ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Adequacy decisions (where applicable)
  • Compliance with GDPR transfer requirements

9. Children

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately.

10. Changes to this policy

We may update this policy. If we make material changes, we'll let you know by email or in the app. If you keep using the service after that, you're accepting the new version.

11. Questions or complaints

Email us: privacy@boardof.one

Not happy with our response? You can complain to the UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/

Data Protection Officer: dpo@boardof.one

12. Company details

Sico Software Ltd, a company registered in Scotland (company number SC712732).

ICO registration number: ZC106029.