Privacy Policy
Last updated: May 1, 2026
1. Overview
This Privacy Policy explains how Board ROI ("boardroi," "we," "us," or "our") collects, uses, stores, shares, and protects information when you use our B2B SaaS dashboard, reports, integrations, websites, and related services.
boardroi is designed for business customers. When we process personal data contained in a customer workspace, connected account, report, or business dataset, we generally act as a processor or service provider on behalf of that customer. The customer is responsible for providing required notices, obtaining permissions, and determining whether the data may be processed through the Service.
2. Information We Collect
We may collect the following categories of information:
- Account data: email address, display name, workspace membership, role, authentication events, and account settings.
- Company profile data: company name, website, industry, size, funding stage, team structure, and business assumptions you provide.
- Integration data: API keys, access tokens, workspace identifiers, tool names, and integration configuration. Sensitive credentials are encrypted at rest where technically supported.
- AI usage and cost metrics: token counts, request counts, seat counts, usage volume, spend data, model/provider metadata, and related operational metrics from connected tools.
- Financial and ROI inputs: hourly rates, team size, estimated time savings, productivity assumptions, revenue impact, budget data, and derived ROI calculations.
- Generated content: dashboards, summaries, narratives, exports, board-ready PDF reports, and report metadata.
- Technical data: IP address, device and browser data, log events, timestamps, errors, security events, usage analytics, and cookie or similar identifiers where used.
- Payment and membership data: subscription status, plan, payment provider identifiers, billing events, and checkout metadata. We do not intentionally store full payment card numbers.
- Support communications: emails, messages, feedback, requests, and related attachments or metadata.
3. How We Use Information
We use information to:
- provide, operate, secure, and maintain the Service;
- authenticate users and manage workspaces, roles, subscriptions, and access;
- connect to authorized third-party tools and fetch usage or cost metrics;
- calculate AI ROI, generate dashboards, and create PDF reports;
- send transactional emails, account notifications, and report delivery emails;
- provide support, debug issues, prevent abuse, and monitor service reliability;
- improve product functionality using aggregated or de-identified analytics;
- comply with legal obligations and enforce our Terms of Service.
We do not sell personal data or Customer Data. We do not use Customer Data to train third-party foundation models. We may use aggregated or de-identified data to understand adoption patterns, improve benchmarks, and improve the Service, provided it does not identify a customer, user, or individual.
4. AI Processing
boardroi may use AI model providers to generate report narratives, summaries, labels, explanations, and other text based on your authorized business metrics. We configure AI processing to limit the data sent to model providers to what is reasonably necessary for the requested feature.
For production customer data, boardroi should use paid or enterprise AI processing settings that contractually restrict provider use of inputs and outputs for model training, where available. If any unpaid, beta, or free-tier AI provider is used, we will avoid sending confidential customer content unless the customer has expressly authorized that use or the data has been sufficiently minimized or de-identified.
5. Legal Bases for Processing
Where privacy laws require a legal basis, we process personal data based on one or more of the following: performance of a contract, legitimate interests in operating and securing a B2B SaaS service, compliance with legal obligations, consent where required, and our customers' documented instructions when we act as their processor.
6. How We Share Information
We may share information with:
- Service providers and subprocessors: vendors that provide hosting, database, storage, authentication, AI processing, email delivery, payments, analytics, monitoring, and support.
- Customer-authorized integrations: third-party tools that you connect or instruct us to interact with.
- Professional advisers: lawyers, accountants, auditors, insurers, and security advisers where necessary.
- Authorities or legal parties: where required by law, legal process, or to protect rights, safety, and security.
- Business transfer parties: in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate confidentiality protections.
7. Current Subprocessors
boardroi may use the following infrastructure and operational providers. This list may change as the Service evolves:
| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Database, authentication, storage | Account data, workspace data, reports, metrics |
| Vercel | Application hosting, serverless functions, cron jobs | Application logs, request metadata, limited content |
| Google Gemini API | Narrative and report text generation | Minimized prompts, report context, generated outputs |
| Resend | Transactional email | Email addresses, email content, delivery metadata |
| Whop | Payments, checkout, membership management | Subscription status, payment metadata, user identifiers |
8. Data Storage and Security
We use commercially reasonable security measures designed to protect information, including TLS encryption in transit, access controls, least-privilege practices, credential protection, logging, monitoring, and encryption at rest for sensitive fields where technically supported.
Data may be stored or processed in the United States, the European Union, Lebanon, or other locations where we or our subprocessors operate. If you require a specific hosting region, data residency commitment, DPA, or enterprise security review, contact us before using the Service for regulated or highly sensitive data.
9. Data Retention
We retain information for as long as needed to provide the Service, maintain security, comply with legal obligations, resolve disputes, and enforce agreements. Customer workspaces, metrics, and reports are generally retained while the account is active.
After cancellation or termination, we may retain Customer Data for up to 30 days to allow export or recovery, unless a shorter or longer period is required by law, security, backup, dispute, or written agreement. Backups and logs may persist for a limited additional period before deletion through normal retention cycles.
10. Customer Controls
Depending on your plan and configuration, you may be able to:
- update workspace and company information;
- disconnect integrations and revoke API keys;
- delete generated reports;
- export reports or business metrics;
- request account deletion;
- request a copy, correction, or deletion of personal data.
11. International Transfers
Because boardroi uses cloud providers and subprocessors, information may be transferred to and processed in countries other than where you are located. Where required, we use appropriate safeguards such as contractual commitments, data processing agreements, standard contractual clauses, or equivalent mechanisms.
12. Privacy Rights
Depending on your location, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data. You may also have the right to withdraw consent where processing is based on consent.
If you are an end user of one of our customers, we may direct your request to that customer because they control the relevant workspace data. We will assist customers in responding to valid privacy requests where required by law or contract.
13. Cookies and Analytics
We may use cookies, local storage, and similar technologies for authentication, security, preferences, product analytics, and performance monitoring. Where required by law, we will request consent for non-essential cookies or provide appropriate opt-out controls.
14. Children
The Service is not directed to children and is intended for business users. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will take appropriate steps to delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide notice by email, by in-product notice, or by posting an updated version. The "Last updated" date shows when this Policy was last revised.
16. Contact
For privacy requests or questions, contact us at hello@boardroi.com.
If you are contacting us about data in a customer workspace, please include the relevant workspace, company, and email address so we can route the request appropriately.
