Privacy Policy
Last updated: April 2026
1. Who we are
ObligoBoard is the data controller for your personal data. We are headquartered in Italy.
Data protection contact: privacy@obligoboard.com
2. What data we collect
Account data
- Name, email address, and password (stored as a bcrypt hash — we never store your password in plain text)
Organisation data
- Organisation name, country, and currency preference
- Organisation risk profile: size, business type, data categories processed, international transfer status, and privacy documentation status
Usage data
- Tasks, notes, evidence files, and activity logs you create while using ObligoBoard
- Assessment wizard answers and resulting compliance risk scores
- Document generation history (document type, template version, locale, generation date)
Security data
- Failed login attempts, account lockout timestamps, and the IP addresses associated with them, recorded in security event logs and activity logs
Contact form
- Name, email address, and message content when you use our contact form
Invitations
- Email addresses of people you invite to join your organisation
3. How we use your data
We process your data to:
- Provide, maintain, and improve ObligoBoard (legal basis: contract performance)
- Authenticate your identity and protect your account (legal basis: contract performance and legitimate interest)
- Process payments and manage your subscription (legal basis: contract performance)
- Send transactional emails — welcome messages, password resets, team invitations, task reminders (overdue and due-soon digests), and trial expiry reminders (legal basis: contract performance)
- Respond to your support enquiries (legal basis: contract performance)
- Detect and prevent fraud and security incidents (legal basis: legitimate interest)
Automated processing
ObligoBoard calculates a compliance risk score for your organisation based on your organisation profile (size, business type, data categories, international transfers, documentation status) and obligation completion state. This score is advisory only — it is not used to restrict your access to any features or make decisions about your account. You can view the factors contributing to your score on the dashboard and update your profile at any time to recalculate it.
We do not use your data for advertising or marketing profiling.
Marketing communications
If you opt in during signup or via your notification settings, we may send you product updates, compliance tips, and news about ObligoBoard. These emails are separate from transactional communications (such as account notifications, password resets, and compliance reminders), which are necessary for the service to function.
Legal basis: Your explicit consent (GDPR Article 6(1)(a) / UK GDPR Article 6(1)(a)).
Withdrawal: You can withdraw your consent at any time by:
- Clicking the “Unsubscribe” link in any newsletter email
- Disabling the “Newsletter” toggle in Settings → Notifications
Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
We use Resend as our email service provider. Your email address and name are shared with Resend for the purpose of delivering emails. Resend’s privacy policy is available at resend.com/legal/privacy-policy.
4. Cookies
We use three essential cookies only. No analytics cookies, no advertising cookies, no tracking cookies. For full details see our Cookie Policy.
5. Third-party services
We share data with the following service providers, solely to operate ObligoBoard. Each processes data under a data processing agreement (DPA) where applicable.
| Service | Purpose | Data location |
|---|---|---|
| Vercel | Hosting, blob storage, privacy-friendly analytics (cookieless) | EU (Frankfurt) |
| Neon | PostgreSQL database | EU (Frankfurt, eu-central-1) |
| Stripe | Payment processing and subscriptions | EU data processing (Stripe infrastructure) |
| Resend | Transactional email delivery | US |
| Font Awesome | Icon library (CDN — receives visitor IP addresses) | CDN |
Vercel Analytics is used for basic page-view metrics. It is cookieless and does not track individual users. No personal data is collected.
Google Fonts (Inter) is self-hosted via Next.js — no data is sent to Google at runtime.
We do not use Google Analytics, advertising pixels, chat widgets, or error-tracking services.
6. International data transfers
Your database and file storage are located in the EU (Frankfurt). Some service providers (Resend, Stripe, Font Awesome) may process data in the United States under appropriate safeguards, including Standard Contractual Clauses (SCCs) and data processing agreements.
7. Data retention
- Active accounts: your data is retained for as long as your account is active.
- Cancelled accounts: your data is deleted 90 days after cancellation.
- Risk scores and audit history: retained for as long as your organisation exists. Deleted when the organisation is deleted.
- Generated document records: metadata (type, version, date) retained for as long as your organisation exists. Deleted when the organisation is deleted.
- Security logs: retained for 12 months, then deleted.
8. Security
Passwords are hashed with bcrypt. Sessions use signed JWT tokens that expire after 24 hours of inactivity. Password reset tokens expire after 60 minutes. We log security events (failed logins, lockouts) and enforce account lockout after repeated failed attempts.
9. Your rights
Under the EU GDPR and UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (“right to be forgotten”)
- Port your data to another service
- Restrict processing
- Object to processing
To exercise any of these rights, email privacy@obligoboard.com. We will respond within 30 days.
10. Supervisory authorities
If you believe we have not handled your data correctly, you have the right to lodge a complaint with a supervisory authority:
- EU users: contact your national Data Protection Authority (DPA).
- UK users: contact the Information Commissioner's Office (ICO) at ico.org.uk.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact
For any privacy-related questions, email privacy@obligoboard.com.