Privacy Policy

1. Introduction

"Just a Kanban" (“we”, “us”) operates the Just a Kanban service (the “Service”). This Privacy Policy explains how we collect, use, and protect your personal data when you use the Service. It should be read together with our Terms of Service. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. The Service is not intended for users under 16, and we do not knowingly collect personal data from children.

2. Data controller and contact

The data controller responsible for your personal data is "Just a Kanban". For privacy-related requests, including to exercise your rights, contact us at contact@justakanban.com. We will respond within the timeframes required by applicable law.

3. Data we collect

We collect the following categories of data:

Account and authentication

When you sign up or log in via our identity provider (WorkOS), we receive and store: email address, name, profile image, and organisation identifier (if you use an organisation account). We do not store your password; authentication is handled by WorkOS.

Product and usage data

When you use the Service, we store the data you create, such as: projects, boards, statuses, custom fields, kanban items (titles and custom field values), and comments on items. This data is necessary to provide the Service and is stored in our database (hosted by Convex).

Payment and billing

Payment and billing information (e.g. card details, billing address) are collected and processed by our payment provider, Stripe. We do not store your full card number. We may store billing-related identifiers and subscription status to manage your plan.

Feedback

If you submit feedback (e.g. through in-app feedback), we store the content and associate it with your account so we can respond and improve the Service.

Technical data

We collect minimal technical data as necessary to operate and secure the Service (e.g. logs that may include IP address and request metadata). We do not use non-essential cookies or third-party analytics.

4. Legal basis and purposes

We process your data on the following legal bases under the GDPR:

• Performance of a contract: To provide the Service, manage your account, and process payments.
• Legitimate interests: To secure the Service, prevent abuse, and improve our offering, where these interests are not overridden by your rights.
• Legal obligation: Where we must retain or disclose data to comply with law.
• Consent: Where we rely on consent (e.g. for optional marketing), you may withdraw it at any time.

We use your data to provide and improve the Service, process payments, provide support, ensure security, and comply with legal obligations.

5. Retention

We retain your account and product data for as long as your account is active. After you delete your account or request erasure, we will delete or anonymise your data within a reasonable period, except where we must retain it for legal, regulatory, or legitimate operational reasons (e.g. backup recovery, dispute resolution). Payment records may be retained as required by tax and accounting rules. Stripe retains payment data according to its own policy and legal obligations.

6. Third parties and sub-processors

We use the following service providers to operate the Service. Each is bound by data protection commitments and, where applicable, data processing agreements:

• Convex – Hosting and database for the Service. See Convex Privacy Policy.
• WorkOS – Authentication and identity. See WorkOS Privacy Policy.
• Stripe – Payment processing. See Stripe Privacy Policy.

We do not sell your personal data. We share data only as described in this policy or when required by law.

7. International transfers

Your data may be processed in countries outside the European Economic Area (e.g. the United States), including by Convex, WorkOS, and Stripe. We ensure appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission or adequacy decisions, so that your data receives a level of protection consistent with EU law.

8. Your rights (GDPR)

Depending on your location, you may have the right to:

• Access – Obtain a copy of your personal data we hold.
• Rectification – Have inaccurate data corrected.
• Erasure – Request deletion of your data in certain circumstances.
• Restriction – Limit how we process your data in certain cases.
• Data portability – Receive your data in a structured, machine-readable format.
• Object – Object to processing based on legitimate interests.
• Withdraw consent – Where we rely on consent, you may withdraw it at any time.
• Complain – Lodge a complaint with a supervisory authority.

To exercise these rights, contact us at contact@justakanban.com. We will respond within the time required by applicable law.

9. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit and at rest where applicable, access controls, and secure authentication through our identity provider. No system is completely secure; we encourage you to use a strong password and keep your account details safe.

10. Cookies

We do not use non-essential cookies or analytics cookies. We may use strictly necessary or session-related cookies to operate the Service (e.g. to keep you logged in). You can control cookies through your browser settings.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy on the Service and update the “Last modification” date. For material changes we may notify you by email or in-app notice. We encourage you to review this policy periodically. Where required by law, we will seek your consent or give you the opportunity to object before applying material changes to how we use your data.

12. Contact

For any questions about this Privacy Policy or our data practices, contact us at contact@justakanban.com.