Privacy Policy

This Privacy Policy describes how BoardsVault LLC ("we," "us," or "our") collects, uses, and shares information about you when you use our platform and services (the "Service"). By using the Service, you agree to the collection and use of information as described in this policy.

For users in the European Union or United Kingdom, BoardsVault acts as the data controller for the personal data described in this policy.

Information We Collect

We collect the following categories of information:

• Account information. Name and email address when you register. If you sign in with Google, we receive your name, email address, and profile picture from Google.
• Usage and performance data. Your quiz answers, scores, question history, study progress, block configurations, bookmarks, and interactions with platform features.
• Payment information. Subscription and billing records including plan type and payment status. Payment transactions are processed by Stripe — we do not receive or store your full card number, expiry, or CVV.
• Technical data. IP address, browser type and version, operating system, referring URLs, and pages visited. This data is collected automatically when you use the Service.
• Communications. Messages you send to us through the support form or by email.

How We Use Your Information

We use the information we collect for the following purposes and, where applicable, on the following legal bases:

• To provide and operate the Service — including authenticating your account, delivering question content, tracking your study progress, and generating performance analytics. Legal basis: contract performance.
• To process payments and manage subscriptions — billing, invoicing, and subscription management through Stripe. Legal basis: contract performance.
• To communicate with you — sending transactional emails (account confirmations, password resets, subscription notices) and responding to support requests. Legal basis: contract performance and legitimate interests.
• To improve the Service — analyzing usage patterns to improve content quality, platform features, and user experience. Legal basis: legitimate interests.
• To ensure security and prevent fraud — detecting and preventing unauthorized access, abuse, and violations of our Terms of Use. Legal basis: legitimate interests and legal obligation.

Data Sharing and Third-Party Processors

We do not sell your personal information. We share data only with the following categories of third-party service providers, and only to the extent necessary to operate the Service:

• Stripe — payment processing and subscription management. Stripe processes your payment details directly under its own privacy policy.
• Vercel — cloud hosting, deployment infrastructure, and web analytics. Vercel may collect technical and usage data including IP addresses and page views as part of hosting the Service.
• Your email service provider — transactional email delivery (password resets, account notifications, subscription emails). The specific provider in use will be updated here as the platform evolves.
• Google — if you use Google sign-in, Google provides your name and email to us for authentication purposes.
• Law enforcement and legal process — we may disclose information when required by law, subpoena, court order, or to protect the rights, property, or safety of BoardsVault, our users, or the public.

All third-party processors are contractually obligated to process your data only as directed by us and in compliance with applicable data protection laws.

Cookies and Tracking

We use cookies and similar technologies for the following purposes:

• Essential cookies — required for authentication, session management, and core platform functionality. These cannot be disabled without breaking the Service.
• Analytics — Vercel Analytics collects anonymized page view and performance data to help us understand how the Service is used. This data does not identify you individually.

If you are located in the EU or UK, non-essential cookies require your consent. We will present a consent notice where required by applicable law.

International Data Transfers

BoardsVault is operated from the United States. Our infrastructure is hosted on Vercel and associated cloud providers, whose servers are located primarily in the United States. If you access the Service from the European Union, United Kingdom, or other regions with data protection laws that differ from U.S. law, your information may be transferred to and processed in the United States.

For transfers from the EU/UK to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms, where required by applicable law.

Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including encrypted connections (HTTPS/TLS), hashed and salted passwords, and access controls limiting who within our organization can access your data. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

Data Retention

We retain your account and study data for as long as your account is active. If you request deletion of your account, we will remove your personal information within 30 days, except where we are required to retain certain data by law (for example, billing records for tax purposes) or where retention is necessary to resolve disputes or enforce our agreements.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

All users:

• Access. Request a copy of the personal information we hold about you.
• Correction. Request that we correct inaccurate or incomplete data.
• Deletion. Request deletion of your account and associated personal data, subject to legal retention requirements.
• Objection. Object to our processing of your data where we rely on legitimate interests as the legal basis.

California residents (CCPA/CPRA additional rights):

• Right to know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
• Right to delete. You may request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to correct. You may request correction of inaccurate personal information we maintain about you.
• Right to opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising. If this practice ever changes, we will update this policy and provide an opt-out mechanism.
• Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.
• Shine the Light. California Civil Code § 1798.83 permits California residents to request information about personal data disclosed to third parties for direct marketing purposes. We do not disclose personal data to third parties for their direct marketing purposes.

EU/UK residents (GDPR/UK GDPR additional rights):

• Data portability. Where processing is based on consent or contract and carried out by automated means, you may request a copy of your data in a structured, machine-readable format.
• Restriction. You may request that we restrict processing of your data in certain circumstances.
• Lodge a complaint.You have the right to lodge a complaint with your local supervisory authority (e.g., your EU member state's data protection authority, or the UK ICO).

To exercise any of these rights, contact us at support@boardsvault.com. We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

Children's Privacy

The Service is intended for users who are at least 18 years of age and is not directed at children. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected personal information from a person under 18 without verified parental consent, we will delete that information promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before the changes take effect. The updated policy will be posted at this URL with a revised "Last updated" date. Continued use of the Service after the effective date constitutes your acceptance of the revised policy.

Contact

For privacy-related questions or to exercise your rights, contact us at support@boardsvault.com.