Privacy Policy

Last updated: February 6, 2026

1. Introduction

Supaboard ("we," "us," or "our") is operated by Printelangelo, a sole proprietorship based in Vancouver, British Columbia, Canada. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website at supaboard.app and all related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.

If you have any questions or concerns, please contact us at support@supaboard.app.

2. Information We Collect

2.1 Information You Provide Directly

  • Account registration data: email address and password (stored as a cryptographic hash by our authentication provider).
  • Profile information: display name and avatar image (if uploaded or sourced from OAuth).
  • User-generated content: system design boards including titles, descriptions, tags, diagram data, functional and non-functional requirements, and thumbnail images.
  • Collaboration data: email addresses of people you invite to collaborate on boards.
  • Communication data: any correspondence you send to us via email or support channels.

2.2 Information Collected via Third-Party Authentication

If you sign in using Google or GitHub OAuth, we receive your name, email address, and profile picture URL from the provider. We only request the minimum profile information necessary for authentication.

2.3 Information Collected Automatically

  • IP addresses: collected when you view boards, used for view count deduplication and platform security. IP addresses are also recorded in administrative audit logs.
  • Cookies and session data: authentication cookies for session management and a UI preference cookie for sidebar state (7-day duration). See Section 9 for details.
  • Usage data: timestamps of activities such as board creation, edits, views, and login events; practice session tracking (dates and frequency); board engagement metrics (views, likes, bookmarks).

2.4 Payment Information

We use Stripe, Inc. to process payments. We do not store credit card numbers, bank account details, or other financial payment credentials on our servers. We store only Stripe customer and subscription identifiers, billing period dates, and subscription status. Please refer to Stripe's Privacy Policy for information on how Stripe handles your payment data.

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account.
  • Provide core functionality — saving, loading, and versioning your system design boards.
  • Process subscription payments via Stripe.
  • Enable collaboration features, including sending invitation emails via our email service provider.
  • Display published boards in the public gallery (only after approval).
  • Send transactional notifications — board approvals, rejections, collaboration invitations, and subscription status changes.
  • Track practice sessions and provide progress metrics.
  • Record board views using IP addresses for deduplication — not for user profiling or behavioral targeting.
  • Maintain platform security and prevent abuse via audit logging.
  • Moderate content submitted to the public gallery for compliance with our Terms of Service.
  • Generate aggregate, anonymized analytics that cannot be used to identify individual users.
  • Comply with legal obligations.
  • Enforce our Terms of Service.

We do not use your personal information for automated decision-making that produces legal effects or similarly significant effects on you. We do not sell your personal information to any third parties.

4. Legal Basis for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Performance of a contract (Article 6(1)(b) GDPR): account creation, core service delivery, payment processing, transactional communications.
  • Legitimate interests (Article 6(1)(f) GDPR): IP address logging for security and view deduplication, aggregate analytics, content moderation. We have conducted balancing tests and determined that our interests do not override your fundamental rights and freedoms.
  • Consent (Article 6(1)(a) GDPR): future AI features processing user content (consent will be obtained before activation), and marketing communications if ever introduced.
  • Legal obligation (Article 6(1)(c) GDPR): compliance with applicable laws and regulations.

You may object to processing based on legitimate interests at any time by contacting us. Where we rely on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.

5. How We Share Your Information

5.1 Service Providers (Data Processors)

We use the following third-party service providers who process data on our behalf and under our instructions:

  • Supabase, Inc. — database hosting, authentication, and file storage. All application data is stored on Supabase infrastructure.
  • Stripe, Inc. — payment processing. Receives your email address and payment information. Stripe also acts as an independent data controller for data it collects directly.
  • Resend, Inc. — transactional email delivery. Receives recipient email addresses and email content.
  • Hosting provider — application hosting. Receives server logs including IP addresses and request data.

5.2 Independent Data Controllers

If you authenticate via Google or GitHub, those providers operate as independent data controllers for the data collected through their sign-in flows, subject to their own privacy policies.

5.3 Other Disclosures

We may disclose your information:

  • If required by law, subpoena, court order, or governmental request.
  • To protect our rights, property, or safety, or the rights, property, or safety of others.
  • In connection with a business transfer (merger, acquisition, or sale of assets), with advance notice to you.
  • With your explicit consent for any other purpose.

5.4 What We Do Not Do

  • We do not sell personal information to third parties.
  • We do not share personal information with third parties for their direct marketing purposes.
  • We do not provide personal data to data brokers.

6. International Data Transfers

Supaboard is operated from Canada. Your personal data may be stored and processed in the United States or other countries where our service providers maintain infrastructure.

Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

You may request information about the applicable data transfer safeguards by contacting us at support@supaboard.app.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Active account data: retained as long as your account is active.
  • Deleted accounts: upon account deletion, your profile is marked for deletion and your data becomes inaccessible. Data is eligible for permanent purging after 90 days.
  • IP addresses: retained in board view records for deduplication purposes.
  • Audit logs: retained for up to 2 years for security and compliance purposes.
  • Aggregate analytics: retained indefinitely as they contain no personal data.

When we no longer need your personal data, we will securely delete or anonymize it. You may request deletion of your account and associated data at any time through your account settings.

8. Your Privacy Rights

8.1 Rights for All Users

Regardless of your location, you may:

  • Access your personal data through your account settings.
  • Request correction of inaccurate data.
  • Delete your account and associated data via the Settings page.
  • Export your data in a portable format (JSON) via the Settings page.
  • Opt out of email notifications via your notification preferences.

8.2 Additional Rights for Canadian Residents (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access your personal information, challenge its accuracy, and withdraw consent for its collection, use, or disclosure. You may file a complaint with the Office of the Privacy Commissioner of Canada.

8.3 Additional Rights for EEA/UK Residents (GDPR)

If you are in the EEA or UK, you additionally have the following rights: access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), objection to processing based on legitimate interests (Article 21), and not being subject to automated decision-making (Article 22). You may lodge a complaint with your local data protection supervisory authority.

8.4 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the right to: know what personal information is collected, used, and disclosed; delete your personal information; opt out of the sale of personal information (we do not sell your personal information); correct inaccurate personal information; and not be discriminated against for exercising your rights.

8.5 Additional Rights for Brazilian Residents (LGPD)

Under the Lei Geral de Proteção de Dados (LGPD), you have the following rights: confirmation of processing, access, correction, anonymization or deletion of unnecessary data, data portability, information about shared data, and consent revocation.

We will respond to rights requests within 30 days (or within the timeframe required by applicable law). We may verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at support@supaboard.app. You may also manage your data directly through your account settings.

9. Cookies and Similar Technologies

We use only cookies that are strictly necessary for the operation of our Service:

  • Authentication cookies (Supabase): session management cookies required to keep you signed in. These are first-party, essential cookies.
  • UI preference cookie (sidebar_state): stores your sidebar preference for 7 days. This is a first-party, functional cookie.

We do not use cookies for advertising, behavioral tracking, or cross-site tracking. We do not use third-party analytics cookies.

You can control cookies through your browser settings. However, disabling authentication cookies may prevent you from using the Service. We do not currently respond to Do Not Track browser signals.

10. Children's Privacy

Our Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and become aware that your child has provided us with personal information, please contact us at support@supaboard.app.

If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to delete that information as quickly as possible.

For users in the European Economic Area, our Service is not directed to individuals under the age of 16 in accordance with GDPR Article 8.

11. User-Generated Content

If you choose to publish a board to our public gallery, certain information becomes publicly accessible, including your display name, board title, description, tags, thumbnail, and the board diagram itself. Published boards may be indexed by search engines.

Please do not include sensitive personal information in boards you intend to publish. You may unpublish your boards at any time. However, once content has been publicly available, we cannot guarantee that it has not been cached, copied, or indexed by third parties.

We moderate published content for compliance with our Terms of Service but are not responsible for personal information you voluntarily include in your published designs.

12. Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including: encryption in transit (HTTPS/TLS), encryption at rest, database-level access controls (Row-Level Security), and secure authentication token management.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant data protection authorities without undue delay and in accordance with applicable law.

13. Artificial Intelligence and Automated Processing

We may introduce artificial intelligence features in the future that analyze your board content to provide design suggestions, feedback, or enhanced functionality. Before any such features are activated, we will:

  • Update this Privacy Policy to reflect the new processing.
  • Provide you with clear notice of the change.
  • Where required by law, obtain your consent before processing your content with AI systems.

Your content will not be used to train machine learning models operated by third parties without your explicit, prior consent. You will always have the ability to opt out of AI-powered features when they become available.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For material changes, we will provide prominent notice, such as an email notification to the address associated with your account, at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically for any changes.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

If you are located in the European Economic Area or the United Kingdom and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

If you are a Canadian resident, you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.