Privacy

Plain summary first, full GDPR notice below. We do not sell your data, do not share it with advertisers, and do not run third-party trackers on logged-in pages.

The short version

Your data lives in Germany. We collect what Production Board needs to run for you and nothing else. You can export everything you put in. You can delete your account. Both buttons are in your account settings, no email needed.

We do not sell your data. We do not share it with advertisers. We do not run third-party analytics or session recording on logged-in pages. The only third parties touching your data are our payment processor (Stripe, only when you actively pay) and the mail relay we use for transactional email.

Controller

Finn Glas, Lange Straße 14, 72461 Tailfingen, Germany.

Privacy enquiries: see /imprint for the contact addresses. Replies usually arrive within one working day.

What we store

Account data you give us. Your email address, the name you chose, the workspace name, anything you create inside the product (records, attachments, settings). This is the data the product cannot run without.

Operational data. Timestamps of significant events: logins, plan changes, deletes, mail bounces, payment events. We keep these so we can answer your questions and meet our legal record-keeping obligations.

Diagnostic data. Short-lived request logs (IP, user agent, response code, timing) kept for at most 30 days. Used to debug crashes, detect abuse, and tune performance. Never used to profile you.

Payment data. Handled by Stripe. We see the masked card brand + last four, the country, the amount, never the full PAN.

Legal bases (Art. 6 GDPR)

Performance of the contract (Art. 6(1)(b)) - everything that makes the product run for you.

Legal obligation (Art. 6(1)(c)) - tax retention of invoices, security incident records.

Legitimate interest (Art. 6(1)(f)) - rate limiting, abuse detection, the diagnostic logs above.

We do not rely on consent for the operational pipeline; if we ever do (newsletters, an opt-in campaign), it will be a clear separate ask.

Your rights

You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data (Art. 15-21 GDPR). Most of this is one button in account settings - export and delete are both self-serve. For anything else, write to us at the addresses in /imprint and we will respond within 30 days. You can also lodge a complaint with your local supervisory authority at any time.

Cookies + analytics

We use a single first-party session cookie to keep you signed in, and a CSRF token cookie that signs every state-changing request. We do not set tracking cookies. We do not embed third-party advertising tags. The full cookie list lives at /cookies.

Retention + deletion

Account data is retained as long as your account exists. Once you delete the account, your records are scheduled for permanent removal within 30 days, except where we are legally required to keep them (invoices, kept for 10 years per German tax law). Diagnostic logs roll off after 30 days. Backups expire on a 30-day rolling window; once they roll off, the deleted data is gone there too.

International transfers

Your account data is processed and stored in Germany. Stripe, our payment processor, may process certain transaction data in the United States under the EU-US Data Privacy Framework (adequacy decision of 10 July 2023). We do not initiate any other transfer to non-EU countries.

Children

Production Board is not directed at children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data to us, please contact us via /imprint and we will delete it.

Changes to this notice

We may update this notice. Material changes are announced by email at least 30 days before they take effect. The current version is always the one published here, dated at the bottom of /imprint via the operator block.