Skip to content

streamboard · legal

Privacy Policy

Last updated: May 26, 2026 (v2)

1. Introduction

streamboard ("we", "us", "our") operates the usestreamboard.com website and application. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data.

The data controller is Dr Jacob Cable, an individual sole trader trading as streamboard, contactable at 7 Kellands Row, Kingsbridge, TQ7 1LT, United Kingdom, or by email at support@usestreamboard.com. We do not currently have a designated Data Protection Officer; privacy queries are handled by the founder.

2. Data We Collect

We collect and process the following categories of personal data:

Account data: your name, email address, email verification status, and profile image URL (if provided via an OAuth provider).

Authentication data: hashed password (for email/password accounts), OAuth provider identifiers and tokens (for GitHub or Google sign-in), and session tokens.

Session metadata: your IP address and browser User-Agent string, stored with each session for security purposes.

Streamboard data: json-render specs you author (title, structure, palette preset, version history, public / private flag) and the most recent state envelope pushed to each streamboard (replaced on each push, never versioned).

Token data: per-streamboard data tokens you mint — token id, SHA-256 hash of the secret, optional label, creator user id, and last-used timestamp. We never store the raw secret; once shown after minting, it is unrecoverable.

Organisation data: if you join or create an organisation, the organisation id, role, and membership metadata.

Folder, comment, and view metadata: optional folder placement of streamboards, comments left on streamboards, and aggregated viewer counts.

Notification preferences: email and push notification settings for transactional events.

Push subscription data: Web Push endpoint URL, encryption keys, and browser User-Agent (required for delivering push notifications).

Subscription & trial data: your subscription status (active / canceled / past-due), trial-end timestamp, and trial-reminder dispatch state. Payment-card data is handled by Polar and never reaches our servers.

Onboarding responses: your stated usage intent (collected once during sign-up).

Terms-acceptance records: a record of which Terms version you have accepted and when, for audit and re-consent purposes.

Security & error telemetry: per-request observability events (request id, route, error class / message, latency) written to Cloudflare Analytics Engine. We use these for debugging and incident response; they are not joined back to your account for any other purpose.

3. Lawful Bases for Processing

We rely on the following UK GDPR lawful bases:

  • Contract (UK GDPR Art. 6(1)(b)) — to provide the Service, manage your account, fulfil your subscription, and deliver transactional emails / push notifications you require to use the Service.
  • Legitimate interests (Art. 6(1)(f)) — to keep the Service secure (session metadata, rate limits, abuse detection), to operate at sufficient quality (aggregated analytics, error telemetry), and to communicate operationally with you about your account. You can object to processing based on legitimate interests by contacting us.
  • Legal obligation (Art. 6(1)(c)) — to retain limited records where required by tax, accounting, or other applicable law, and to respond to lawful requests from authorities.
  • Consent (Art. 6(1)(a)) — for optional channels such as push notifications (you grant consent via your browser when you subscribe). Consent can be withdrawn at any time via your browser settings or notification preferences.

4. How We Use Your Data

We use your personal data to:

  • Provide and operate the Service — store your streamboard specs, serve viewer pages, and accept authenticated state pushes.
  • Authenticate you and maintain session security.
  • Send transactional emails (verification, password reset, trial-ending reminder, account-deletion confirmation) via our email provider, Resend.
  • Deliver push notifications for transactional events you have opted in to.
  • Process payments and manage subscriptions via Polar.
  • Collect aggregated, anonymised product analytics and per-request error telemetry using Cloudflare Analytics Engine.
  • Detect, investigate, and respond to abuse, security incidents, and violations of our Acceptable Use Policy.

We do not sell your personal data, do not use your User Content to train AI models, and do not use any automated decision-making or profiling that produces legal or similarly significant effects on you.

5. Third-Party Services (Sub-Processors)

We share data with the following sub-processors, solely to provide and operate the Service. We require each to provide appropriate contractual and technical safeguards under UK GDPR Art. 28.

Sub-processors used by streamboard, their purpose, the data shared with each, and where they process it.
Service Purpose Data Shared Region
Cloudflare Hosting, edge runtime, D1 database, R2 object storage, Workers Analytics Engine, Web Push All data we store (as infrastructure provider); analytics aggregated and non-personally-identifiable Global edge; primary D1 region Western Europe (WEUR)
Polar Payment and subscription processing Email address, external user id, subscription state US / EU (Polar processes globally)
Resend Transactional email delivery Email address, name, email content (subject, body) US
GitHub OAuth authentication (sign-in option) OAuth tokens, profile (name, email, avatar) on sign-in only US
Google OAuth authentication (sign-in option) OAuth tokens, profile (name, email, avatar) on sign-in only US

Out of scope. AI providers such as Anthropic, OpenAI, etc. are not sub-processors of streamboard. When you author a streamboard via an AI tool (MCP client, agent, IDE plugin), the prompt and source material is handled by the tool's provider under that provider's own terms; streamboard receives only the final spec submitted by your authenticated session.

Sub-processor changes. We will use reasonable efforts to give 30 days' advance notice of material sub-processor changes (additions or replacements that materially affect how your data is processed), via in-app notice and / or email where required by your contract.

6. International Transfers

Some of our sub-processors are located outside the UK / EEA (notably in the United States). Where personal data is transferred to such recipients, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, and/or the EU-US Data Privacy Framework (where applicable), as the safeguard required under UK GDPR Chapter V.

7. Cookies and Local Storage

We use only essential cookies (session token, access token, theme preference). We do not use any third-party tracking, advertising, or behavioural-analytics cookies. We also use your browser's local storage for UI preferences and short-lived caches.

For full details, see our Cookie Policy.

8. Data Retention

We retain personal data only as long as needed for the purpose for which it was collected:

  • Account & streamboard data — for as long as your account is active. After account deletion, permanently erased at the end of the 30-day grace period described in section 9.
  • Session tokens — expire per session lifecycle; cleared on sign-out, on session expiry, or immediately when you request account deletion.
  • Email verification / password reset tokens — short-lived (hours); deleted on use or expiry.
  • Soft-deleted streamboards — physically purged 30 days after deletion (matches the account-deletion window for operational symmetry).
  • Security & error telemetry (Analytics Engine) — retained according to Cloudflare's Analytics Engine retention defaults; not joined to your account for analysis.
  • Billing & tax records — retained for up to 7 years where required by UK tax / accounting law, in Polar and our own records.

9. Account Deletion

You can request account deletion at any time from Settings → Account. The request schedules a 30-day grace period during which you can cancel and restore full access. After 30 days, all data associated with your account is permanently and irreversibly deleted — streamboards (specs, all versions, state envelopes, live-data tokens), comment threads and replies, organisations you sole-own (with their org-branding assets in R2), folder and onboarding metadata, notification settings, push subscriptions, terms-acceptance records, and the user record itself. Your Polar customer record is anonymised at the same time.

10. Data Breach Notification

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by UK GDPR Art. 33. Where the breach is likely to result in a high risk, we will also notify affected users without undue delay, under Art. 34. To report a suspected security issue, please email support@usestreamboard.com.

11. Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the right to:

  • Access your personal data.
  • Rectification — request correction of inaccurate data.
  • Erasure ("right to be forgotten") — available via account deletion (Settings → Account).
  • Restriction of processing.
  • Data portability — we do not yet offer automated data export. Contact us at support@usestreamboard.com for a manual export; we will respond within one month, as required by UK GDPR.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. The ICO is the lead supervisory authority for streamboard.

To exercise any of these rights, contact us at support@usestreamboard.com. We respond within one month of receiving a verifiable request.

12. Children's Privacy

streamboard is not intended for children under the age of 13. We do not knowingly collect personal data from anyone under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. Users aged 13 to 17 should have parental or guardian consent before using the Service. Signup requires acknowledgement of this requirement.

13. Organisations and Data Processing Agreements (DPA)

If you use streamboard on behalf of an organisation to process personal data about other people (e.g. shared dashboards within a team), you may be acting as a data controller and streamboard as a data processor for that purpose. We offer a standard Data Processing Agreement at /dpa that satisfies UK GDPR Art. 28 requirements (including sub-processor terms and SCC reference). To enter into the DPA or request an executed counterpart, email support@usestreamboard.com.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision; material changes will be notified in-app and / or by email where we have your address. Continued use of the Service after an update constitutes acknowledgement of the revised Policy.

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of England and Wales.

16. Contact

For any privacy-related questions or to exercise your rights, please contact support@usestreamboard.com. For security disclosures, please use the subject line "Security disclosure".