Privacy Policy

Last updated: 31st May 2026

Your privacy matters to us. This Privacy Policy explains what data Kanbedu collects, why we collect it, and how it’s used. We keep this simple and honest. We’re not in the business of selling your data.

1. What We Collect

We collect only what’s necessary to run the service:

Account information

  • Your name and email address, provided when you sign up.
  • A hashed version of your password. We never store your password in plaintext.
  • Your chosen avatar colour and display preferences.

Content you create

  • Boards, columns, tasks, comments, and any other content you add to the platform.
  • Task metadata: titles, descriptions, deadlines, priority, assignees, and column history.

Usage data

  • Basic activity data used for analytics features (e.g. task completion times, workflow phase durations).
  • This data is used only to power in-app analytics visible to your board members. It’s not shared externally.

Diagnostic data

  • If the app encounters an error, we automatically collect diagnostic information including the error details, your browser and operating system type, and a session identifier. This is processed by our error monitoring provider (Sentry) and used solely to identify and fix bugs.
  • Standard server logs, including IP addresses, browser type, and request timestamps, are collected automatically by our hosting infrastructure.

2. What We Don't Collect

We don’t collect:

  • Payment information (Kanbedu is currently free).
  • Device fingerprints, advertising identifiers, or behavioural tracking data.
  • Any data beyond what is necessary to operate the service.

3. Why We Collect It

We use the data we collect to:

  • Create and manage your account.
  • Provide the core features of Kanbedu (boards, tasks, collaboration).
  • Power the analytics dashboard so you and your team can review progress.
  • Send transactional emails (e.g. invite links, password resets). We don’t send marketing emails without your consent.
  • Debug issues and improve the service.

4. Legal Basis for Processing

If data protection law applies to you, here are the legal grounds we rely on to process your data:

  • Performance of a contract: processing your account information and content is necessary to provide the service you signed up for.
  • Legitimate interests: we process usage data to operate, secure, and improve the platform. We only do this where our interests don’t override your rights.
  • Legal obligation: we may process or retain data where the law requires it.
  • Consent: where we rely on your consent (e.g. marketing communications), you can withdraw it at any time. That won’t affect anything we processed before you withdrew.

5. Authentication and Sessions

When you create an account, we send a verification email to confirm your address. Your account will have limited access until your email is verified. Verification links are single-use and expire within 24 hours.

When you log in, Kanbedu issues a signed session token stored as an HTTP-only cookie. This token is used to authenticate your requests and expires after a period of inactivity.

We do not use third-party OAuth (e.g. Google, GitHub) at this time. All authentication is handled directly by Kanbedu.

6. Cookies and Local Storage

Kanbedu uses a small number of cookies and browser storage mechanisms:

  • Session cookie: an HTTP-only cookie used to keep you logged in securely.
  • Theme preference: stored in localStorage to remember your light/dark mode setting.

We do not use advertising cookies, third-party tracking cookies, or analytics platforms like Google Analytics.

7. Data Storage and Security

Your data is stored using third-party infrastructure providers (see Section 9). We use industry-standard practices to protect it:

  • Passwords are hashed using bcrypt before storage.
  • Communication between your browser and our servers is encrypted over HTTPS.
  • Access to production data is restricted to authorised personnel only.

No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security. If you suspect unauthorised access to your account, contact us at support@kanbedu.com immediately.

8. International Data Transfers

Kanbedu may store and process your personal data in countries other than your own, including countries that may not provide the same level of data protection as your home jurisdiction. Where we transfer personal data internationally, we take steps to ensure appropriate safeguards are in place, for example by relying on infrastructure providers that maintain standard contractual clauses or equivalent protections recognised under applicable law.

By using Kanbedu, you acknowledge that your data may be transferred to and processed in other countries as described in this policy.

9. Third-Party Services

We rely on the following providers to operate Kanbedu. Each is contractually bound to handle your data securely and only as instructed by us.

  • Supabase: database hosting. Stores all account data, content, and usage data.
  • Vercel: hosting and deployment. Processes all web requests and server logs including IP addresses.
  • Resend: email delivery. Receives your email address to send transactional emails (verification links, password resets, and board invites).
  • Sentry: error monitoring. Receives diagnostic data including session identifiers and browser information when errors occur.

We do not integrate with advertising networks, social media trackers, or data brokers. If we add new providers in the future, we will update this section.

10. Sharing Your Data

We do not sell, rent, or trade your personal data. We only share it in these limited circumstances:

  • With your team: your name and avatar are visible to members of boards you belong to.
  • Legal requirements: if required by law or a valid legal process, we may disclose information. Where permitted, we will notify you before complying.
  • Service providers: limited data may be shared with infrastructure providers strictly to operate the service, under confidentiality obligations.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred to a successor entity, subject to equivalent privacy protections.

11. Your Rights

Depending on where you live, you may have some or all of the following rights over your data:

  • Access: request a copy of the data we hold about you.
  • Correction: update inaccurate information (most can be changed directly in the app).
  • Deletion: ask us to delete your account and associated data by contacting us at support@kanbedu.com.
  • Portability: request your data in a structured, machine-readable format where technically feasible.
  • Restriction: ask us to limit how we process your data in certain circumstances.
  • Objection: object to processing based on our legitimate interests, including any profiling.
  • Withdraw consent: if we’re relying on your consent, you can withdraw it at any time. This won’t affect anything we processed before you withdrew.
  • Lodge a complaint: if you think we’ve mishandled your data, you can complain to your local data protection authority.

We aim to respond to all data requests within 30 days. We may need to verify your identity before fulfilling a request.

12. Data Retention

We retain your account and content data for as long as your account is active. If you delete your account, we will remove your personal data within a reasonable period (typically within 30 days), except where we are required to retain it by law or for legitimate security purposes.

Anonymised, aggregated data (e.g. aggregate usage patterns) may be retained indefinitely, as it cannot reasonably be linked back to you.

13. Children

Kanbedu is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13. If you are under 13, please do not use Kanbedu or provide any personal information.

If a parent or guardian believes a child under 13 has created an account, please contact us at support@kanbedu.com and we will promptly delete the account and associated data.

Users aged 13 to 17 should use Kanbedu only with the awareness and consent of a parent or guardian, where required by law.

Where Kanbedu is used in an institutional or educational setting, the institution is responsible for ensuring that appropriate consents and authorisations are in place for all users, including those under the digital age of consent in their jurisdiction.

14. Changes to This Policy

We may update this Privacy Policy as the service evolves. When we do, we’ll update the “Last updated” date at the top. For material changes, we’ll notify you via email or an in-app notice at least 14 days before the changes take effect, where reasonably practicable.

15. Contact

If you have questions or concerns about this policy or how we handle your data, reach us at privacy@kanbedu.com. General support is at support@kanbedu.com.

If you are in the European Economic Area and believe we have not adequately addressed your concern, you have the right to contact your local supervisory authority.