Privacy Policy
Last updated: May 5, 2026
PrioBoard (“we”, “us”) provides real-time collaboration tools for agile teams — retrospective boards and planning poker. This policy explains what we collect, why, and how we handle it. If something is unclear, email team@prioboard.com and we’ll happily explain.
What We Collect
- Account info: email address and display name you provide at sign-up.
- Board content: retrospective notes, poker stories, votes, tags, comments, and any other text or links you create inside boards.
- Workspace data: workspace names, member roles, invitations, and team relationships.
- Activity data: board visit history and real-time presence (which users are currently viewing a board).
- Analytics: anonymized page views and interaction events via Google Analytics (GA4). We do not intentionally send personal information to Google.
Why We Collect It
We collect data solely to make PrioBoard work: authenticating you, syncing boards in real time, sending workspace invitations, and understanding usage patterns so we can improve the product.
We do not sell your data, profile you for advertising, or share it with third parties for marketing. Period.
Where Your Data Lives
- Database: Supabase-hosted PostgreSQL, US-based. Encrypted at rest (AES-256) and in transit (TLS).
- Application: AWS ECS Fargate in US East (N. Virginia, us-east-1), behind an HTTPS load balancer.
- Email delivery: Resend handles transactional emails (workspace invitations, password resets).
- Analytics: Google Analytics (GA4).
Third-Party Integrations
PrioBoard supports optional integrations with third-party services. Integrations are off by default and only activate when you explicitly connect them. You can disconnect at any time from your profile settings.
Atlassian Jira
- What you provide: a Jira account email and an Atlassian API token that you generate yourself at id.atlassian.com, plus the Jira REST API origin for your instance.
- How it’s stored: tokens are encrypted with AES-256-GCM at the application layer before being written to the database. Plaintext tokens never reach Postgres and are not logged.
- What we do with it: we call the Jira REST API on your behalf to fetch issue titles, statuses, and metadata for stories you reference in poker boards. We do not modify Jira data — reads only.
- Scope: the integration only fetches issues that you or your teammates explicitly reference by URL or key in a board. We do not crawl projects or sync issues in bulk.
- Disconnecting: revoke the token in Atlassian and/or remove the credential from your PrioBoard profile. Cached titles in existing boards remain until the board is deleted.
Future Integrations
We may add additional integrations over time (for example, other issue trackers, chat platforms, or calendar tools). Any future integration will follow the same principles: opt-in per user or workspace, narrowly scoped to the feature it powers, credentials encrypted at rest, and disconnectable on demand. Material changes to the set of sub-processors will be reflected in this policy.
Who Can Access Your Data
- You — you can view and edit your own content at any time.
- Board and workspace members — access is enforced by Postgres Row-Level Security (RLS) policies. Only authenticated members of a board or workspace can read its content.
- PrioBoard operators — the developer has database administrative access for maintenance, debugging, and incident response.
- Sub-processors — Supabase, AWS, Resend, and Google operate the infrastructure listed above under their own privacy and security terms.
Authentication & Security
Authentication is handled by Supabase Auth using JWT-based sessions. All connections use HTTPS/TLS. Service credentials and API keys are stored in AWS Secrets Manager, encrypted with AWS KMS. We monitor availability with external uptime checks and AWS CloudWatch.
Cookies & Local Storage
We use cookies and browser storage to keep you signed in, remember UI preferences (e.g., dark mode), and maintain your recent board history. Google Analytics sets its own cookies for anonymized usage measurement.
Data Retention & Deletion
Board data is retained for as long as your account exists. You can delete board items, archive boards, and remove workspace members at any time.
To request full account or data deletion, email team@prioboard.com and we’ll handle it within a reasonable timeframe.
Backups & Incident Response
Supabase performs automated daily backups of the database. In the event of a suspected security incident, we rotate credentials, review access logs, and notify affected users when appropriate.
Children
PrioBoard is built for workplace and team collaboration and is not intended for users under the age of 13. We don’t knowingly collect data from children.
Changes to This Policy
We may update this policy as the product evolves. Material changes will be reflected in the “Last updated” date above. Continued use of PrioBoard after changes means you accept the updated policy.
Contact
Questions, deletion requests, or anything else: team@prioboard.com