Privacy Policy

Board
Operated by Apslo Sp. z o.o.
Last Updated: January 7, 2026

1. Scope and Definitions

This Privacy Policy applies to personal data processed through the Board software platform, including the web application, mobile access, kiosk mode views, and API endpoints (collectively, the Service).

For purposes of the GDPR (Regulation (EU) 2016/679), Apslo Sp. z o.o. acts as:

• Controller for personal data related to account administration, billing, marketing preferences, and support communications.
• Processor for Customer Content (data entered into the Service by or on behalf of a customer, including end customer and employee data), when the customer is the Controller.

2. Personal Data We Collect

2.1 Account and Billing Data

• Account owner name
• Business or company name
• Email address
• Password (stored as a secure hash, never in plain text)
• Subscription plan status and billing records
• Invoices and transaction references
• Payment method tokenization information provided by our payment processor (we do not store full card details)

2.2 User, Role, and Access Data

• User names, email addresses, roles and permissions
• Employee profiles created by the customer (for production-floor use), including PIN based authentication identifiers
• Workstation and department assignments (if configured)
• Two-factor authentication status (if enabled) and associated security metadata
• API keys and access logs associated with those keys

2.3 Customer Content (Data You Upload or Create)

The Service is designed for production tracking. Customers may upload or generate data that can include personal data, for example:

• Client or project contact details (name, email, phone, address)
• Job and project details, reference numbers, schedules, notes
• Production logs including timestamps, notes, quantity updates, time tracking
• Images and attachments added to logs (subject to plan settings)
• Technical drawings and documents linked to jobs
• CSV imports/exports containing job, client, or operational data

2.4 Technical, Usage, and Security Data

• IP address and approximate location derived from IP (country or region level)
• Device and browser information
• Session identifiers and authentication events (login timestamps)
• Audit and event logs (for security and traceability)
• Error logs and diagnostic data
• Kiosk mode access logs (view key usage, refresh events)

3. Purposes and Legal Bases of Processing (GDPR)

We process personal data for the following purposes and legal bases:

• Providing and operating the Service (account creation, authentication, authorization, production workflows) on the basis of contract performance (Article 6(1)(b) GDPR).
• Billing, payments, invoices, and accounting on the basis of contract performance (Article 6(1)(b)) and legal obligation (Article 6(1)(c)).
• Customer support and request handling on the basis of contract performance (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)).
• Security, fraud prevention, abuse detection, and incident response on the basis of legitimate interests (Article 6(1)(f)) and, where applicable, legal obligations (Article 6(1)(c)).
• Service improvement and reliability (analytics, troubleshooting, performance monitoring) on the basis of legitimate interests (Article 6(1)(f)).
• Marketing communications (if you opt in where required) on the basis of consent (Article 6(1)(a)) or legitimate interests (Article 6(1)(f)) where permitted by applicable law. You can opt out at any time.

4. Cookies and Similar Technologies

We use cookies and similar technologies (for example, local storage) to operate the Service, keep you logged in, secure sessions, and understand how the Service is used.

4.1 Categories of Cookies

• Strictly necessary cookies required for authentication, security, and core functionality.
• Functional cookies that remember your preferences (for example, language or UI settings).
• Analytics cookies that help us understand usage and improve performance (used only where required consent is obtained).

4.2 Cookie Controls

You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning properly. Where required by law, we will request your consent before placing analytics or non-essential cookies.

4.3 Cookie Details

Cookie names and providers may change as we improve the Service. We recommend maintaining a cookie list in your cookie banner or settings page. If you want, replace this paragraph with a concrete cookie table once your production stack is final.

5. Sharing and Disclosure

We do not sell personal data. We may share personal data only as follows:

• Service providers who support hosting, storage, payments, email delivery, monitoring, analytics, and customer support.
• Professional advisors (legal, accounting, auditors) under confidentiality duties when necessary.
• Authorities where required by law, subpoena, or valid legal process.
• Corporate transactions (merger, acquisition, reorganization) where data may be transferred subject to appropriate safeguards.

We require processors to protect personal data through contractual obligations and, where applicable, GDPR compliant data processing agreements.

6. International Transfers

We primarily process data in the European Economic Area (EEA). If we transfer personal data outside the EEA, we will do so only where lawful, and we will use appropriate safeguards such as the European Commission Standard Contractual Clauses (SCCs) and additional measures as needed.

7. Security Measures

We implement technical and organizational measures appropriate to the risk, including encrypted transport (HTTPS), access control, audit logging, and security monitoring. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of login credentials, PIN codes, and API keys, and for configuring user permissions appropriately.

8. Data Retention

We retain personal data only for as long as necessary to provide the Service, meet contractual obligations, and comply with applicable law. Retention periods depend on the type of data:

• Account and billing data retained as required for accounting and tax compliance.
• Customer Content retained while the account is active and as configured by the customer, then deleted following termination subject to Section 12 (DPA).
• Security and audit logs retained for a limited period to investigate incidents and ensure integrity.

If you request deletion, we will process it without undue delay and normally within 30 days, unless we must retain certain data for legal obligations.

9. Kiosk Mode and Public Links

The Service may provide kiosk mode views accessible via a URL key. Kiosk mode does not require login and is intended for display on production floors. It will display only the configured kanban view linked to the URL key.

You are responsible for controlling distribution of kiosk URLs and ensuring that kiosk displays do not expose personal data inappropriately. We recommend avoiding personal client details in kiosk views where not needed.

10. API Access

The Service supports API access via API keys and other authentication methods. API access may generate logs for security, rate limiting, and troubleshooting. Customers are responsible for protecting API credentials and for any access performed using their keys.

11. Your Rights (EEA/UK)

Where applicable, you have rights under data protection law, including access, rectification, deletion, restriction, portability, and objection. You also have the right to withdraw consent where processing is based on consent.

To exercise your rights, contact: [email protected]. We may need to verify your identity before responding.

You also have the right to lodge a complaint with your local supervisory authority.

12. Data Processing Addendum (DPA) for Enterprise Customers

This Section applies where the customer is a Controller and Apslo Sp. z o.o. acts as a Processor of Customer Content under GDPR. For enterprise clients, a signed DPA may be provided on request. This Section summarizes core processing terms.

12.1 Subject Matter, Nature, and Purpose

• Subject matter: Processing of Customer Content within the Service.
• Nature: Hosting, storage, retrieval, display, transmission, and deletion of Customer Content; support and troubleshooting when authorized.
• Purpose: Providing and improving the Service per the customer contract.
• Duration: For the term of the customer subscription plus the deletion/return period in Section 12.6.

12.2 Types of Personal Data and Data Subjects

• Types of data: Contact details (names, emails, phones, addresses), employment related identifiers (employee names, PIN identifiers), operational logs (timestamps, notes, quantities), attachments (images, drawings, files), and any other personal data included in Customer Content.
• Data subjects: Customer employees, contractors, end customers, suppliers, and other individuals whose data the customer uploads or creates in the Service.

12.3 Customer Obligations (Controller)

• Ensure a valid legal basis for processing and for providing Customer Content to the Service.
• Provide appropriate notices to data subjects and handle data subject requests, unless the parties agree otherwise.
• Configure the Service to avoid uploading unnecessary personal data.
• Maintain appropriate access controls, roles, and credential security within the customer organization.

12.4 Processor Obligations (Apslo Sp. z o.o.)

• Process Customer Content only on documented instructions from the customer, including to provide and support the Service.
• Ensure persons authorized to process Customer Content are bound by confidentiality.
• Implement appropriate technical and organizational security measures.
• Notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Content, and provide information reasonably necessary to assist the customer.
• Assist the customer, taking into account the nature of processing, with security, DPIAs, and consultations where reasonably required.

12.5 Subprocessors

We may use subprocessors to deliver the Service (for example hosting, storage, monitoring, email delivery, analytics, and payment processing). We will ensure subprocessors are subject to contractual data protection obligations.

Enterprise customers may request a list of current subprocessors via [email protected]. Where required, we will provide advance notice of material changes and an opportunity to object on reasonable grounds.

12.6 Return and Deletion

Upon termination or expiration of the subscription, we will, at the customer's choice and where technically feasible:

• Provide an export of Customer Content; and/or
• Delete Customer Content within a reasonable period, typically within 30 days, unless retention is required by law.

Data may remain in backups for a limited period according to standard backup cycles, and will be protected until overwritten or deleted.

12.7 Audit and Compliance

Upon reasonable written request by an enterprise customer, we will provide information necessary to demonstrate compliance with this DPA section. Audits (if any) must be limited in scope, occur during normal business hours, and be subject to confidentiality and security requirements.

13. Children

The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice via the Service or by email. Continued use of the Service after the effective date means you accept the updated policy.

15. Contact

Questions about this Privacy Policy or our processing practices should be sent to: [email protected].