Privacy Policy
Last updated: May 12, 2026
PrioBoard (“we”, “us”) provides real-time collaboration tools for agile teams — retrospective boards and planning poker. This policy explains what we collect, why, and how we handle it. If something is unclear, email team@prioboard.com and we’ll happily explain.
What We Collect
- Account info: email address and display name you provide at sign-up.
- Board content: retrospective notes, poker stories, votes, tags, comments, and any other text or links you create inside boards.
- Team data: team names, member roles, invitations, and team relationships.
- Activity data: board visit history and real-time presence (which users are currently viewing a board).
- Analytics: anonymized page views and interaction events via Google Analytics (GA4). We do not intentionally send personal information to Google.
Why We Collect It
We collect data solely to make PrioBoard work: authenticating you, syncing boards in real time, sending team invitations, and understanding usage patterns so we can improve the product.
We do not sell your data, profile you for advertising, or share it with third parties for marketing. Period.
Where Your Data Lives
- Database: Supabase-hosted PostgreSQL, US-based. Encrypted at rest (AES-256) and in transit (TLS).
- Application: AWS ECS Fargate in US East (N. Virginia, us-east-1), behind an HTTPS load balancer.
- Email delivery: Resend handles transactional emails (team invitations, password resets).
- Analytics: Google Analytics (GA4).
- AI features: Anthropic (Claude) processes content from standups and retros when a team member explicitly invokes an AI feature. Details below.
Third-Party Integrations
PrioBoard supports optional integrations with third-party services. Integrations are off by default and only activate when you explicitly connect them. You can disconnect at any time from your profile settings.
Atlassian Jira
- What you provide: a Jira account email and an Atlassian API token that you generate yourself at id.atlassian.com, plus the Jira REST API origin for your instance.
- How it’s stored: tokens are encrypted with AES-256-GCM at the application layer before being written to the database. Plaintext tokens never reach Postgres and are not logged.
- What we do with it: we call the Jira REST API on your behalf to fetch issue titles, statuses, and metadata for stories you reference in poker boards. We do not modify Jira data — reads only.
- Scope: the integration only fetches issues that you or your teammates explicitly reference by URL or key in a board. We do not crawl projects or sync issues in bulk.
- Disconnecting: revoke the token in Atlassian and/or remove the credential from your PrioBoard profile. Cached titles in existing boards remain until the board is deleted.
AI Features (Anthropic Claude)
- What it does: on-demand, user-triggered features that send relevant board or standup content to Anthropic’s Claude API and return a result. Examples: summarizing a retro or standup, suggesting retro cards drawn from recent standup answers, and inferring themes (blockers, wins, shout-outs) from standup answers.
- When it runs: only when a team member clicks an AI button. There is no background analysis, no training on your data, and no automatic processing on write. If nobody clicks an AI button, no content is sent to Anthropic.
- What gets sent: the specific content the feature needs — e.g., the answers in one standup instance for “Summarize this standup,” or recent standup answers for the same team when generating retro card suggestions. Author display names are included for attribution in the prompt; email addresses and account identifiers are not.
- Anthropic’s handling: Anthropic receives the prompt over HTTPS, generates a response, and does not retain prompts or responses for training under their commercial API terms. See Anthropic’s privacy policy for the authoritative terms.
- What gets stored: AI summaries are ephemeral — they appear in the UI and are not saved to the database. AI-inferred standup flags are stored only when a user explicitly confirms one; rejected or ignored inferences are discarded.
- Team-level control: a team admin can disable AI features for the entire team from the Team settings page. When disabled, AI buttons are hidden and no requests are sent to Anthropic for that team.
- Rate limits: each user has a per-day cap on AI calls, scaled by subscription tier. The cap is informational only — it’s a cost guardrail, not a privacy mechanism.
Future Integrations
We may add additional integrations over time (for example, other issue trackers, chat platforms, or calendar tools). Any future integration will follow the same principles: opt-in per user or team, narrowly scoped to the feature it powers, credentials encrypted at rest, and disconnectable on demand. Material changes to the set of sub-processors will be reflected in this policy.
Who Can Access Your Data
- You — you can view and edit your own content at any time.
- Board and team members — access is enforced by Postgres Row-Level Security (RLS) policies. Only authenticated members of a board or team can read its content.
- PrioBoard operators — the developer has database administrative access for maintenance, debugging, and incident response.
- Sub-processors — Supabase, AWS, Resend, Google, and Anthropic operate the infrastructure listed above under their own privacy and security terms. Anthropic only receives content when a team member explicitly invokes an AI feature; see Third-Party Integrations above.
Authentication & Security
Authentication is handled by Supabase Auth using JWT-based sessions. All connections use HTTPS/TLS. Service credentials and API keys are stored in AWS Secrets Manager, encrypted with AWS KMS. We monitor availability with external uptime checks and AWS CloudWatch.
Cookies & Local Storage
We use cookies and browser storage to keep you signed in, remember UI preferences (e.g., dark mode), and maintain your recent board history. Google Analytics sets its own cookies for anonymized usage measurement.
Data Retention & Deletion
Board data is retained for as long as your account exists. You can delete board items, archive boards, and remove team members at any time.
To request full account or data deletion, email team@prioboard.com and we’ll handle it within a reasonable timeframe.
Backups & Incident Response
Supabase performs automated daily backups of the database. In the event of a suspected security incident, we rotate credentials, review access logs, and notify affected users when appropriate.
Children
PrioBoard is built for workplace and team collaboration and is not intended for users under the age of 13. We don’t knowingly collect data from children.
Changes to This Policy
We may update this policy as the product evolves. Material changes will be reflected in the “Last updated” date above. Continued use of PrioBoard after changes means you accept the updated policy.
Contact
Questions, deletion requests, or anything else: team@prioboard.com