Privacy policy

Your privacy is very important to us. Accordingly, we have developed this Privacy Policy to help you understand how we collect and use personal information.

If you do not agree with this policy, please do not access or use our services or interact with any other aspect of our business.

What information do we collect?

  • Data you provide to us

    • New Account Registration

      When you register for a new account (e.g. myaccount.kanbantool.com), you become a data controller responsible for everything that is stored under that account, as well as for management and lawful processing of personal data, including personal data of any users you invite. Thus it's essential for you to know what data we collect and how we process it.

      During registration we collect some personal information which includes your email address, name and IP address of the computer you are connecting from, the website you are coming from and information about the referring search engine phrase or marketing campaign details.

      We need this information to provide the service to you.

      In particular, your email address helps us verify your identity when you contact us or require assistance with password reset, while referral details help us identify where people find out and learn about our services.

      For as long as you are our customer, we may also use your email address to contact you directly regarding the status of performed services, to send automated periodic account reminders or information about special offers applicable to your account.

      You can update the data on "My profile" and "Account administration" pages. If you wish for us to stop processing this data, you can terminate the account on the "Account administration > Account details" page. Some data may survive erasure, e.g. your account name, payment history or usage statistics.

    • Invitations

      When you invite others to join your account on Kanban Tool, we send an invitation email to the email addresses you provided. If you decide to provide them, we also store and use the full name, initials and other details of the invitee.

      The information you provide is stored and used to personalize and send the invitation email to the invitee.

      Account administrators have access to all information about people invited to their account on the "People" page, where it can be corrected or removed if needed.

    • Invited Users and User Profile Information

      We collect information that you provide when you create or modify your profile settings, preferences or sign up for a paid plan through our billing system. This information includes, in particular, your name and email address.

      We need this information to provide the service to you, which includes the email delivery of automated messages such as status updates and comment notifications. If marked as optional, information is used mainly to personalize your experience or improve our communication with you, e.g. to personalize an email header (Hi Joe!), or to prominently display your team's name to your account users.

      We may also use your email address to reach out to you directly, regarding status of the services performed, special offers applicable to your account or other support cases.

      You can access and edit your details or opt-out from unwanted communication where applicable on the "Account administration" and "My Profile" pages.

    • Content that you provide

      For obvious reasons we store and process the content you provide and make it accessible to you and other people that you've shared it with. Examples include names of the boards you create, the content you put on the cards, files you attach and comments you make.

      It's all yours - we do not pre-screen or claim any rights of ownership to such content, but in return require that it's legal for you to post it (no piracy please!). You retain rights to the data you provide, even though this data may be sent and stored using the hardware, software, storage, networking and related technologies that belong to third-party vendors.

      Please bear in mind that account administrators can limit or revoke your access to the content you've provided, and you may not be able to get it back. Also, if the provided content includes personal data of others, as a data controller you or your account owners are solely responsible for the conformance with any applicable privacy laws and regulations.

      As long as you have access to it, you can usually update and delete your content through interacting with our service, usually in a manner similar to the one you originally used to post the content (e.g. by selecting the "Delete" option from the card's menu, or clicking the trash icon near the comment you've made).

      Other users of the account may also be given the option to modify or delete the content you have provided, given they have sufficient access permissions.

      Account administrators can always gain access to, modify, and delete content posted on the account.

    • Support enquiries and related information

      We store and process any support enquiries you make, as well as any other communication you make with us.

      We understand and preserve the privacy of such enquiries, but also reserve the right to publish them after sufficient anonymization on public channels such as QA sites, social feeds or our "Support" pages in order to gather feedback or facilitate resolution of similar issues by other users.

    • Billing information

      Payment processing is done through a secure third-party service. Once you decide to activate a subscription or make a payment, you will be redirected to a designated third-party payment processor which will collect data on their behalf.

      We receive and process some of the information you provide to the payment processor, e.g. the country of credit card issuance, card's expiration date and the billing address you have entered.

      We may use it e.g. for credit card fraud screening, or to assign the payment to an appropriate source country for EU VAT purposes - in the event you haven't given us any details about your current country of residence.

      On no occasion do we store or have access to the full credit card number you have provided.

      In order for us to issue tax invoices for the service, we need to store and process your invoicing details, together with an optional billing contact email address. You can access and modify this information when needed on the "Account administration > Plan & Billing details" page.

  • Information we collect automatically

    • Log data

      When you use the service, we automatically collect technical information about your device, its software and your activity. Such information is stored in log files and may include personal data, if it was part of the activity you made. In particular, we log the IP address of the device making a request, which is considered personal data by EU law.

      The main purpose of log data collection is for legal and regulatory reasons, to aid with the identification of the source of any potential security breaches or misuse of the service, for request rate limiting, and for service performance profiling.

    • Cookies and related technologies

      Kanban Tool and our third-party partners use cookies and related technologies (e.g. web beacons, pixels and device identifiers) to identify users, analyze trends, track page views and gather demographic information about the user base as a whole.

    • Third-party trackers

      We use Google Analytics to gather and analyze service usage patterns and statistics.

      Our public pages available on the kanbantool.com domain may include third-party social features and buttons, such as the Facebook Like button, which may use cookies and perform request logging on their own.

      Some of the resources used on our website come from Content Delivery Networks, such as Google Fonts or Google Hosted Libraries service. While their usage is a common practice and allows for fast content delivery, through the technical process involved in connecting with them, their providers may be able to gather some limited technical data about your device and browser, including your IP address. This may allow them to track your visits across sites which utilize the same Content Delivery Networks.

  • Information that we receive from others

    • Other users of the service

      Other users may invite you to their account or refer you to the service by providing your email address and name. Account administrators may provide and manage your personal details on the "People" page. They may also choose to include you in communication with our company thus providing us with your email address and possibly other details.
    • User provided content

      Another user of the service may give your personal data as part of their content provided to the service (e.g. inside a task description). We do not screen such content for personal details and the user who provided it remains solely responsible for all the rights you may have in it.
    • Services linked to your account

      By enabling certain service integrations or Power-Ups, we may receive additional information about you from their providers. We may store and process that information, but it's not used outside of the scope you have consented to. For example, while enabling the "Google Drive" integration, you will be asked by Google to consent for us to have access to the file names stored on your Google Drive. We will use that information solely to enable the "Google Drive" Power-Up to work as intended.
    • Web scraping and third-party providers

      We might have received your contact details from a third party (e.g. reseller) or web scraping activities (e.g. from your blog). These will be used solely for the purpose they were collected for, and you can object to our processing of them at any time.

How is your information used?

We use collected information for the following general purposes: products and services provision, billing, identification and authentication, services improvement, contact, compliance and research.

How do we share your information?

The primary purpose of the service is fostering and providing means of collaboration between individuals and teams. We share your information with other people on your account as part of providing the service to you.

We also share information with third-party service providers, such as hosting, payment processing and backup services, but only within the scope which is needed by such provider to provide the service on our behalf, under instructions given by us.

Certain Power-Ups or service integrations (e.g. Google Drive integration), when enabled, may share some of your information with third-parties in order to make the desired Power-Up or service integration work as intended. Account administrators have full control over what Power-Ups or service integrations are enabled on their account. Also, any custom code or scripts enabled on the account, if designed so, may share your or other account user's data.

We may also share your information when we have received your consent to do so, or when required for compliance with applicable law, or to protect our rights.

Lawfulness of processing

We collect and use information about you only when we have a legal basis to do so under the applicable EU law. The legal basis will depend on the type of information concerned and the specific context, but we normally collect the information only: a) when we need it to provide you with or operate the offered service; b) where you have given us explicit consent for processing, e.g. with a newsletter subscription; c) when it satisfies our legitimate interest such as research and development, compliance, security or marketing; d) when we need to comply with a legal obligation.

Data retention policy

  • Things you can delete

    If you are given the "delete" option on the content you or others have provided to the service, the underlying data will usually be only marked as deleted. It may remain accessible to you and others, and subject to recovery e.g. on the "trash" page.

    Tasks and boards marked as deleted are erased from our database usually within 21 days. We take care to remove as much information as possible, but there may be certain associated data that survives deletion, for legal, technological or other reasons - e.g. name and some other details of the deleted task will remain visible in the board's changelog even after its deletion.

  • Inactive Accounts

    You should periodically log in to the account and use the service through it. Lack of payment, activity, and use of the services via the account for at least two years may result in the account being deemed abandoned, closed, and its content and data deleted. We will attempt to notify the account owners in advance via email before the account is considered abandoned and closed.

  • Account Data

    Otherwise, we retain your account and associated content until the account is closed (e.g. the account owner cancels the entire account or the account is closed in accordance with other conditions outlined in the Terms of Service). Following the closure, the account will be queued for removal from our database, and actual removal will usually happen within 30 days. Please contact us during that time if you want to speed up this process or recover a mistakenly canceled account.

    We reserve the right to retain some of the information, including information necessary for us to comply with legal obligations, provide business continuity, resolve disputes, maintain security and enforce our rights.

    Whenever possible and viable, we will anonymize such information to ensure that your personal details are not retained.

  • Marketing

    If we process your data for marketing purposes, including newsletter opt-ins, it may be processed as long as it's viable for the purpose it was collected, until you revoke your consent or otherwise oppose the processing.

  • Website Analytics

    We may store statistical data about your service usage and navigation patterns, including through third-party website analytic platforms. We attempt to store only a minimal amount of information needed, and any personally identifiable information will not be stored for this purpose for more than 26 months since your last activity.

  • Communication and support enquiries

    We usually archive and keep any support enquiries you make, as well as other direct communication, including emails you send us, for as long as reasonably needed or until you explicitly ask us to delete them. Even then, we do reserve the right to retain some of the information for legal or other reasons, where allowed by the applicable EU privacy laws.

  • Database Backups

    We store encrypted, off-site backups of our database to restore the Service from them in case of any serious incidents. Data stored in such backups is not actively processed or accessed, and we take care to remove backups once they are no longer needed. If at any point we need to recover the Service from such backups, we will re-delete the accidentally recovered data as soon as reasonably possible.

Data portability

Your content remains yours, and account owners can request a takeout of content associated with their account in a machine-readable, portable format.

Some internal statistical, financial or other data may be missing, but otherwise exports are complete and can be used to transfer the online data to the Kanban Tool On-Site installation if needed.

Due to size, external file attachments are not included in the takeout, but can be downloaded at the provided URLs.

Data security

We treat your data security seriously and take reasonably necessary steps to protect your information from unauthorized access, alteration, or destruction. To that end, we follow generally accepted industry best standards and implement adequate physical, administrative and technical security measures. You can find more details on how your data is secured on the security & reliability page.

International data transfers

We operate globally and primarily store and process your information on a cloud infrastructure physically located in the United States and the European Economic Area (the “EEA”). By using the service, you understand and accept that we may use sub-processors, and that your personal data may be stored and transferred internationally.

Whenever we appoint an international data sub-processor or a third-party service, we take steps to ensure adequate protection of your rights and ensure its conformance to the industry best standards and practices. This includes, where applicable, conformance with the EU-US Privacy Shield Program and Model Contractual Clauses.

Appointed sub-processors

We currently use the following third party suppliers to assist in connection with the services:

| Name | Location | Category | Learn more |
|---|---|---|---|
| Amazon Web Services (AWS) | US, EEA | Hosting services; Content processing and delivery. | https://aws.amazon.com/compliance/data-privacy/ https://aws.amazon.com/security/ |
| Google Cloud | US, EEA | Hosting services; Content processing and delivery. | https://cloud.google.com/security/compliance/ https://cloud.google.com/security/ |
| Akamai Cloud Computing (formerly Linode) | US, EEA | Hosting services; Content processing and delivery. | https://www.linode.com/compliance https://www.linode.com/security |
| Stripe Payments Europe, Ltd. | IE (EU) | Subscription and payment processing. | https://stripe.com/privacy https://stripe.com/docs/security/stripe |
| Worldpay | UK, (2) | Subscription and payment processing. | https://www.worldpay.com/ |
| Google Suite | (3) | Email and support enquiries; CRM; Internal processes. | https://gsuite.google.com/security/ |
| Google Analytics | (3) | Website analytics and performance monitoring. | https://privacy.google.com/businesses/compliance |
| Kancelaria Podatkowa Kwartet | PL (EU) | Billing and accounting services. | http://www.kwartet.katowice.pl/ |
| Hostersi Sp. z o.o. | PL (EU) | IT infrastructure management. | https://www.hostersi.com/ |
| Intuition Machines, Inc. | US | hCaptcha anti-bot service. | https://www.hcaptcha.com/privacy |
| Plausible Insights OÜ | EE (EU) | Website analytics and performance monitoring. | https://plausible.io/privacy https://plausible.io/dpa |

1 EEA - European Economic Area
2 Customer data is generally stored in the country or region where the customer is based, unless there are operational, business or other compelling reasons for processing such data outside of this region. For UK and EEA customers, data will generally be stored on servers based in the UK, Ireland, the Netherlands or other EEA locations, as appropriate.
3 see https://www.google.com/about/datacenters/inside/locations/ and https://privacy.google.com/businesses/compliance/

By enabling or using certain service integrations, Power-Ups, custom scripts or any other custom code, data may be shared with other third-parties, as desired by you, and not listed above.

Our use of web cookies

We use cookies mostly to store session information and perform service usage analytics. By using our service, you agree that we can place cookies on your device. You can set your browser not to accept cookies, but some of our service features may not function as a result. The main cookies we use are:

| Name of Cookie | Required | Reason |
|---|---|---|
| kanbantool.com_session, kt-access_token | Yes | Cookies holding session information. |
| auth_token | No | Cookie responsible for the "Remember me" functionality. |
| kt_version | No | The version of Kanban Tool SDK your browser is using. |
| kt-http-referrer | No | Referral information. |
| _ga and __utm* | No | Cookies used by Google Analytics |

Certain pages on our site may set other third-party cookies. For example, when we embed content, such as presentations, another site may leave a cookie. Also, some of the preferences and other data may be stored in the form of cookies not listed here, e.g. by the enabled Power-Ups.

Your rights

Where applicable, you have the right to request access to and rectification or erasure of personal data, to restrict the processing, to object to processing, as well as the right to data portability.

When processing is based on the consent that we received from you, you can withdraw such consent at any time.

Policy towards children

We do not knowingly collect any personal information from individuals under 18. If you become aware that such information is processed, please contact us.

Changes to this Privacy Policy

Whenever this Privacy Policy is subject to a material change, we will notify you in advance via the "what's new" widget, by message displayed on the web page, or by other means.

If Kanban Tool or Shore Labs is acquired by or merged with another company, we will notify you before information about you is transferred.

For minor changes not affecting your rights, we encourage you to monitor this page for updates.

Translations

Translations of this Privacy Policy to languages other than English, where available, are provided for convenience only. In case of any discrepancies between the English version of this Privacy Policy and a version in a different language, the English version shall prevail.

Kanban Tool On-Site

If you are still concerned about your information privacy, you may be interested in our Kanban Tool On-Site offering. Kanban Tool On-Site can be installed on your own infrastructure and offers supreme control over how and where your data is stored.

Responsible party

Our service is primarily designed with teams and organizations in mind. To that end, most activities are performed under specific accounts, e.g. acme.kanbantool.com, which have appointed account administrators and account owners of their own.

Account administrators have full access to personal data related to the account and are the actual data controllers.

If you have been invited to an account, you are subject to the account owner's organization policies, and we are not responsible for such organization's privacy or security practices. Please contact your account administrator with any privacy-related requests.

Contact Us

Your information is controlled by Shore Labs, Poprzeczna 11, 40-654 Katowice, Poland, EU.

If you have any questions or concerns about the way your data is processed or stored, please contact us on privacy@kanbantool.com

If contacting us does not resolve your dispute, you have a right to lodge a complaint with your national data protection authority.