Your privacy is very important to us. Accordingly, we have developed this Policy to help you understand how we collect, use, communicate and make use of personal information.
If you do not agree with this policy, please do not access or use our services or interact with any other aspect of our business.
What information do we collect?
Data you provide to us
New Account Registration
When you register for a new account (i.e. myaccount.kanbantool.com), you become a data controller responsible for everything that is stored under that account, as well as for management and lawful processing of personal data, including personal data of any users you invite. Thus it's essential for you to know what data we collect and how we process it.
During registration we collect some personal information which includes your email address, name and IP address of the computer you are connecting from, the website you are coming from and information about the referring search engine phrase or marketing campaign details.
We need this information to provide the service to you.
In particular, your email address helps us verify your identity when you contact us or require assistance with password reset, while referral details help us identify where people find out and learn about our services.
For as long as you are our customer, we may also use your email address to contact you directly regarding the status of performed services, to send automated periodic account reminders or information about special offers applicable to your account.
You can update the data on "My profile" and "Account administration" pages. If you wish for us to stop processing this data, you can terminate the account on the "Account administration > Account details" page. Some data may survive erasure i.e. your account name, payments history or usage statistics.
When you invite others to join your account on Kanban Tool, we send an invitation email to the email addresses you provided. If you decide to provide them, we also store and use the full name, initials and other details of the invitee.
The information you provide is stored and used to personalize and send the invitation email to the invitee.
Account administrators have access to all information about people invited to their account on the "People" page, where it can be corrected or removed if needed.
Invited Users and User Profile Information
We collect information that you provide when you create or modify your profile settings, preferences or sign up for a paid plan through our billing system. This information includes, in particular, your name and email address.
We need this information to provide the service to you, which includes the email delivery of automated messages such as status updates and comment notifications. If marked as optional, information is used mainly to personalize your experience or improve our communication with you, i.e. to personalize an email header (Hi Joe!), or to prominently display your team's name to your account users.
We may also use your email address to reach out to you directly, regarding status of the services performed, special offers applicable to your account or other support cases.
You can access and edit your details or opt-out from unwanted communication where applicable on the "Account administration" and "My Profile" pages.
Content that you provide
For obvious reasons we store and process the content you provide and make it accessible to you and other people that you've shared it with. Examples include names of the boards you create, the content you put on the cards, files you attach and comments you make.
It's all yours - we do not pre-screen or claim any rights of ownership to such content, but in return require that it's legal for you to post it (no piracy please!). You retain all rights to the data you provide, even though this data may be sent and stored using the hardware, software, storage, networking and related technologies that belong to third-party vendors.
Please bear in mind that account administrators can limit or revoke your access to the content you've provided, and you may not be able to get it back. Also, if the provided content includes personal data of others, as a data controller you or your account owners are solely responsible for the conformance with any applicable privacy laws and regulations.
As long as you have access to it, you can usually update and delete your content through interacting with our service, usually in a manner similar to the one you've originally used to post the content. (i.e. by selecting the "Delete" option from the card's menu, or clicking the trash icon near the comment you've made).
Other users of the account may also be given the option to modify or delete the content you have provided, given they have sufficient access permissions.
Account administrators can always gain access to, modify, and delete content posted on the account.
Support enquiries and related information
We store and process any support enquiries you make, as well as any other communication you make with us.
We understand and preserve the privacy of such enquiries, but also reserve the right to publish them after sufficient anonymization on public channels such as QA sites, social feeds or our "Support" pages in order to gather feedback or facilitate resolution of similar issues by other users.
Payment processing is done through a secure third-party service. Once you decide to activate a subscription or make a payment, you will be redirected to a designated third-party payment processor which will collect data on their behalf.
We receive and process some of the information you provide to the payment processor, i.e. the country of credit card issuance, card's expiration date and the billing address you have entered.
We may use it i.e. for credit card fraud screening, or to assign the payment to an appropriate source country for EU VAT purposes - in the event you haven't given us any details about your current country of residence.
On no occasion do we store or have access to the full credit card number you have provided.
In order for us to issue tax invoices for the service, we need to store and process your invoicing details, together with an optional billing contact email address. You can access and modify this information when needed on the "Account administration > Plan & Billing details" page.
Information we collect automatically
When you use the service, we automatically collect technical information about your device, its software and your activity. Such information is stored in log files and may include personal data, if it was part of the activity you made. In particular, we log the IP address of the device making a request, which is considered personal data under EU law.
The main purpose of log data collection is for legal and regulatory reasons, to aid with the identification of the source of any potential security breaches or misuse of the service, for request rate limiting, and for service performance profiling.
Cookies and related technologies
We use Google Analytics to gather and analyze service usage patterns and statistics.
Some of the resources used on our website come from Content Delivery Networks, such as Google Fonts or Google Hosted Libraries service. While their usage is a common practice and allows for fast content delivery, through the technical process involved in connecting with them, their providers may be able to gather some limited technical data about your device and browser, including your IP address. This may allow them to track your visits across sites which utilize the same Content Delivery Networks.
Information that we receive from others
Other users of the service
Other users may invite you to their account or refer you to the service by providing your email address and name. Account administrators may provide and manage your personal details on the "People" page. They may also choose to include you in communication with our company, thus providing us with your email address and possibly other details.
User provided content
Another user of the service may give your personal data as part of their content provided to the service (i.e. inside a task description). We do not screen such content for personal details and the user who provided it remains solely responsible for all the rights you may have to it.
Services linked to your account
By enabling certain service integrations or Power-Ups, we may receive additional information about you from their providers. We may store and process that information, but it's not used outside of the scope you have consented to. For example, while enabling the "Google Drive" integration, you will be asked by Google to consent for us to have access to the file names stored on your Google Drive. We will use that information solely to enable the "Google Drive" Power-Up to work as intended.
Web scraping and third-party providers
We might have received your contact details from a third party (i.e. reseller) or web scraping activities (i.e. from your blog). These will be used solely for the purpose they were collected for, and you can object to our processing of them at any time.
How is your information used?
We use collected information for the following general purposes: products and services provision, billing, identification and authentication, services improvement, contact, compliance and research.
How do we share your information?
The primary purpose of the service is fostering and providing means of collaboration between individuals and teams. We share your information with other people on your account as part of providing the service to you.
We also share information with third-party service providers, such as hosting, payment processing and backup services, but only within the scope which is needed by such provider to provide the service on our behalf, under instructions given by us.
Certain Power-Ups or service integrations (i.e. Google Drive integration), when enabled, may share some of your information with third parties in order to make the desired Power-Up or service integration work as intended. Account administrators have full control over what Power-Ups or service integrations are enabled on their account. Also, any custom code or scripts enabled on the account, if designed so, may share your or other account users' data.
We may also share your information when we have received your consent to do so, or when required for compliance with applicable law, or to protect our rights.
Lawfulness of processing
We collect and use information about you only when we have a legal basis to do so under the applicable EU law. The legal basis will depend on the type of information concerned and the specific context, but we normally collect the information only: a) when we need it to provide you with or operate the offered service; b) where you have given us explicit consent for processing, i.e. with a newsletter subscription; c) when it satisfies our legitimate interest such as research and development, compliance, security or marketing; d) when we need to comply with a legal obligation.
Data retention policy
Things you can delete
If you are given the "delete" option on the content you or others have provided to the service, the underlying data will usually be only marked as deleted. It may remain accessible to you and others, and subject to recovery i.e. on the "trash" page.
Tasks and boards marked as deleted are erased from our database usually within 21 days. We take care to remove as much information as possible, but there may be certain associated data that survives deletion, for legal, technological or other reasons - i.e. name and some other details of the deleted task will remain visible in the board's changelog even after its deletion.
Otherwise, we retain your account and associated content until the account owner decides to cancel the entire account. Following the cancellation, the account will be queued for removal from our database, and actual removal will usually happen within 30 days. Please contact us during that time if you want to speed up this process or recover a mistakenly canceled account.
We reserve the right to retain some of the information, including information necessary for us to comply with legal obligations, provide business continuity, resolve disputes, maintain security and enforce our rights.
Whenever possible and viable, we will anonymize such information to ensure that your personal details are not retained.
If we process your data for marketing purposes, including newsletter opt-ins, it may be processed as long as it's viable for the purpose it was collected, until you revoke your consent or otherwise oppose the processing.
We store statistical data about your service usage and navigation patterns in Google Analytics for 26 months since your last activity.
Communication and support enquiries
We usually archive and keep any support enquiries you make, as well as other direct communication, including emails you send us, for as long as reasonably needed or until you explicitly ask us to delete them. Even then, we do reserve the right to retain some of the information for legal or other reasons, where allowed by the applicable EU privacy laws.
We store encrypted, off-site backups of our database to restore the Service from them in case of any serious incidents. Data stored in such backups is not actively processed or accessed, and we take care to remove backups once they are no longer needed. If at any point we need to recover the Service from such backups, we will re-delete the accidentally recovered data as soon as reasonably possible.
Your content remains yours, and account owners can request a dump of content associated with their account in a machine-readable, portable format.
Some internal statistical, financial or other data may be missing, but otherwise exports are complete and can be used to transfer the online data to the Kanban Tool On-Site installation if needed.
Due to size, external file attachments are not included in the dump, but can be downloaded at the provided URLs.
We treat your data security seriously and take all reasonably necessary steps to protect your information from unauthorized access, alteration, or destruction. To that end, we follow generally accepted industry best standards and implement adequate physical, administrative and technical security measures. You can find more details on how your data is secured on the security & reliability page.
International data transfers
We operate globally and primarily store and process your information on a cloud infrastructure physically located in the United States and the European Economic Area (the “EEA”). By using the service, you understand and accept that your personal data may be stored and transferred internationally.
Whenever we appoint an international data sub-processor or a third-party service, we take steps to ensure adequate protection of your rights and ensure its conformance to the industry best standards and practices. This includes, where applicable, conformance with the EU-US Privacy Shield Program and Model Contractual Clauses.
We currently use the following third party suppliers to assist in connection with the services:
|Amazon Web Services (AWS)||US, EEA||Hosting services; Content processing and delivery.||https://aws.amazon.com/compliance/data-privacy/|
|Google Cloud||US, EEA||Hosting services; Content processing and delivery.||https://cloud.google.com/security/compliance/|
|Linode||US, EEA||Hosting services; Content processing and delivery.||https://www.linode.com/compliance|
|Worldpay||UK, (2)||Subscription and payment processing.||https://www.worldpay.com/|
|Google Suite||(3)||Email and support enquiries; CRM; Internal processes.||https://gsuite.google.com/security/|
|Google Analytics||(3)||Website analytics and performance.||https://privacy.google.com/businesses/compliance|
|Kancelaria Podatkowa Kwartet||PL (EU)||Billing and accounting services.||http://www.kwartet.katowice.pl/|
(2) Customer data is generally stored in the country or region where the customer is based, unless there are operational, business or other compelling reasons for processing such data outside of this region. For UK and EEA customers, data will generally be stored on servers based in the UK, Ireland, the Netherlands or other EEA locations, as appropriate.
(3) See https://www.google.com/about/datacenters/inside/locations/ and https://privacy.google.com/businesses/compliance/
By enabling certain service integrations, Power-Ups, custom scripts or any other custom code, data may be shared with other third-parties, as desired by you, and not listed above.
Our use of web cookies
|Name of Cookie||Required||Reason|
|Yes||Cookies holding session information.|
|auth_token||No||Cookie responsible for the "Remember me" functionality.|
|kt_version||No||The version of Kanban Tool SDK your browser is using.|
|_ga and __utm*||No||Cookies used by Google Analytics|
Certain pages on our site may set other third-party cookies. For example, when we embed content, such as presentations, another site may leave a cookie. Also, some of the preferences and other data may be stored in the form of cookies not listed here, i.e. by the enabled Power-Ups.
Where applicable, you have the right to request access to and rectification or erasure of personal data, to restrict the processing, to object to processing, as well as the right to data portability.
When processing is based on the consent that we received from you, you can withdraw such consent at any time.
Policy towards children
We do not knowingly collect any personal information from individuals under 18. If you become aware that such information is processed, please contact us.
If Kanban Tool or Shore Labs is acquired by or merged with another company, we will notify you before information about you is transferred.
For minor changes not affecting your rights, we encourage you to monitor this page for updates.
Kanban Tool On-Site
If you are still concerned about your information privacy, you may be interested in our Kanban Tool On-Site offering. Kanban Tool On-Site can be installed on your own infrastructure and offers supreme control over how and where your data is stored.
Our service is primarily designed with teams and organizations in mind. To that end, most activities are performed under specific accounts, i.e. acme.kanbantool.com, which have appointed account administrators and account owners of their own.
Account administrators have full access to personal data related to the account and are the actual data controllers.
If you have been invited to an account, you are subject to the account owner's organization policies, and we are not responsible for such organization's privacy or security practices. Please contact your account administrator with any privacy-related requests.
Your information is controlled by Shore Labs, Poprzeczna 11, 40-654 Katowice, Poland, EU.
If you have any questions or concerns about the way your data is processed or stored, please contact us on firstname.lastname@example.org
If contacting us does not resolve your dispute, you have a right to lodge a complaint with your national data protection authority.