Privacy Policy
Last updated: April 2026
1. Introduction
BoardSprint ("we", "us", or "our") is a project management platform that helps teams organize work using Kanban boards. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service.
We are committed to complying with the Turkish Personal Data Protection Law (KVKK, Law No. 6698) and the EU General Data Protection Regulation (GDPR).
2. Data We Collect
We collect the following personal data when you use BoardSprint:
- Account information: Name, email address, and profile picture — provided through Google or GitHub OAuth authentication.
- Usage data: Board content, cards, comments, subtasks, and other project data you create within the service.
- Technical data: IP address, browser type, device information, and access timestamps collected automatically through server logs.
- Analytics data: Page views and interaction patterns, collected via Vercel Analytics only with your consent.
3. How We Use Your Data
- To create and manage your account
- To provide the project management service
- To send notifications and reminders you configure
- To improve the service and fix bugs
- To ensure the security and integrity of the platform
- To comply with legal obligations
4. Legal Basis for Processing (GDPR Article 6)
- Consent (Art. 6(1)(a)): Analytics cookies are only activated after you give explicit consent via our cookie banner.
- Contract performance (Art. 6(1)(b)): Processing your account and project data is necessary to provide the service.
- Legitimate interest (Art. 6(1)(f)): We process technical data (IP, logs) for security, fraud prevention, and service improvement.
5. Your Rights Under KVKK (Article 11)
Under the Turkish Personal Data Protection Law (KVKK), you have the right to:
- Learn whether your personal data is being processed
- Request information about the processing
- Learn the purpose of processing and whether data is used in accordance with its purpose
- Know the third parties to whom your data has been transferred
- Request correction of incomplete or inaccurate data
- Request deletion or destruction of your data under the conditions set forth in Article 7
- Object to any outcome that arises exclusively from automated processing
- Claim compensation for damages arising from unlawful processing
6. Your Rights Under GDPR
If you are in the EU/EEA, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request restriction of processing
- Data portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interest
- Withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing
7. Cookies
BoardSprint uses the following types of cookies:
- Essential cookies: Session cookies required for authentication and security. These are necessary for the service to function and cannot be disabled.
- Analytics cookies: Vercel Analytics cookies used to understand how the service is used. These are only activated after you give explicit consent via our cookie banner.
You can change your cookie preferences at any time from our Cookie Policy page.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the service. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
Activity logs and audit trails may be retained for up to 90 days for security purposes.
9. Third-Party Services
We use the following third-party services:
- Vercel: Hosting, deployment, and analytics (USA)
- Neon: PostgreSQL database hosting (USA/EU)
- Google: OAuth authentication provider
- GitHub: OAuth authentication provider
Each third-party service has its own privacy policy governing the use of your data. We ensure that data transfers comply with applicable data protection regulations.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- HTTPS encryption for all data in transit
- Parameterized database queries to prevent SQL injection
- Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- Rate limiting on all API endpoints
- Role-based access control (RBAC) for board permissions
11. Children's Privacy
BoardSprint is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of significant changes via email or an in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your rights under KVKK or GDPR, please contact us at:
Email: privacy@boardsprint.com