Privacy Policy

Version 2026-04-23 · effective from 23 April 2026.

Prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”).

The legally binding version of this document is the Polish one. This English translation is provided for convenience; in the event of any discrepancy, the Polish text prevails.

1. Controller of personal data

The controller of personal data processed within the lucyboard platform (the “Service”) is:

Sebastian Choiński

Sole proprietorship trading as: Sebastian Choiński

Tax ID (NIP): 5632461264

Business registry (REGON): 541361259

Correspondence address: [ADDRESS]

E‑mail: kontakt@lucyboard.com

The Controller has not appointed a Data Protection Officer (DPO), as such appointment is not required under Article 37 of the GDPR. All inquiries regarding personal data processing may be addressed directly to the Controller via the e‑mail above.

2. Definitions

  • User — a natural person who holds an account in the Service or accesses the Service via a share link.
  • Account — the set of identifying data associated with a User, enabling authentication and use of sign‑in‑protected features.
  • Board — a digital workspace where the User creates elements (notes, drawings, shapes, text) individually or collaboratively.
  • Attachment — an image or PDF uploaded by the User and embedded on a Board.
  • Content — any data entered by the User into the Service (elements, comments, names, descriptions).
  • Operator — a person authorised by the Controller to perform administrative and moderation actions (company admin, superadmin).
  • Meeting — an audio/video session conducted via WebRTC (LiveKit) within the Service.

3. Scope of data collected

The Service collects only the data necessary to achieve the purposes described in section 4. Specifically we process:

3.1. Account data

  • Registration via the sign‑up form: first name, e‑mail address, password (stored only as a bcrypt hash — never in plain text).
  • Google sign‑in (OAuth 2.0): Google identifier, e‑mail, first name, profile picture URL. Fetched only if you choose to sign in with Google.
  • Profile: optionally — avatar, UI preferences (dark/light mode, language).

3.2. User‑created content

  • Boards, pages, elements (shapes, text, sticky notes, freehand drawings, links, embedded content).
  • Attachments — images and PDFs with metadata (original filename, MIME type, size, checksum).
  • Board change history (for state reconstruction and undo).
  • Invitations, board memberships, share links.

3.3. Meeting data (LiveKit)

  • Audio/video streams are transmitted in real time via LiveKit infrastructure. Streams are not recorded or persisted by the Service unless the User explicitly starts a recording — in which case the recording is stored per the feature settings, and all participants are clearly informed.
  • Meeting metadata: room identifier, participant list, join/leave timestamps, transmission mode (audio/video/screen).

3.4. Technical and audit data

  • IP address and browser version (User‑Agent) captured at consent, sign‑in and key security events.
  • Sign‑in / sign‑out / session refresh timestamps.
  • Security event logs (failed sign‑ins, unauthorised access attempts, rate‑limiting events).
  • Moderation action logs (operator identifier, reason, note, timestamp).

3.5. Legal consent history

  • Document version (privacy policy, terms, content policy), consent date and source, IP and User‑Agent at acceptance.
  • Every (re)grant or withdrawal of consent is stored as a new, immutable audit record.

We do not knowingly process special category data within the meaning of Article 9 GDPR (e.g. ethnic origin, political opinions, religious beliefs, health, sexual orientation). If you place such data in board content on your own initiative, you do so at your own risk — this does not constitute an instruction to the Controller to process special category data.

4. Purposes and legal bases

Purpose | Legal basis
Providing the Service (account creation, board hosting, sync, collaboration, meetings, export). | Art. 6(1)(b) GDPR — performance of a contract.
Authentication, session maintenance, account protection. | Art. 6(1)(b) and (f) GDPR — legitimate interest in service security.
Content and attachment moderation, claim defence, abuse prevention. | Art. 6(1)(f) GDPR — legitimate interest of the Controller and third parties.
Maintaining consent records (audit). | Art. 6(1)(c) GDPR — legal obligation (Art. 7(1) GDPR — ability to demonstrate consent).
Responding to correspondence, including data subject requests (Art. 15–22 GDPR). | Art. 6(1)(c) and (f) GDPR.
Cooperating with public authorities (law enforcement, courts, supervisory authorities). | Art. 6(1)(c) GDPR.
Marketing communications (newsletter, service updates). | Art. 6(1)(a) GDPR — consent. We do not currently run marketing communications; any future introduction will require separate consent.

Balancing test (for processing under Art. 6(1)(f)): the legitimate interest of the Controller and other Users (security, legal compliance, abuse prevention) prevails over the rights and freedoms of data subjects, subject to minimisation measures (restricted data scope, short retention, role‑based access, full moderation audit trail).

Provision of data is voluntary; however, not providing the data required at registration makes it impossible to conclude the service contract and use sign‑in‑protected features.

5. Recipients and processors

The Controller does not sell personal data and does not share it with third parties for marketing purposes. Data is entrusted only to processors necessary to run the Service, under data processing agreements (Art. 28 GDPR):

  • Hosting / server infrastructure provider — application environment, PostgreSQL database, Redis, file storage.
  • Reverse proxy / CDN provider (e.g. Cloudflare) — TLS termination, DDoS protection, asset delivery.
  • Google Ireland Ltd. / Google LLC — only if you choose Google sign‑in (OAuth). Scope: Google ID, e‑mail, first name, profile picture.
  • Transactional e‑mail provider (SMTP/ESP) — operational e‑mails (account verification, password reset, system notifications).
  • WebRTC infrastructure provider (LiveKit) — real‑time relay of audio/video streams for meetings. Streams are not persisted by the provider.
  • Accounting office / legal counsel — only to the extent necessary to comply with the Controller's accounting and legal obligations.

Transfers outside the EEA: if a processor is located outside the European Economic Area, the transfer is made on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission or an adequacy decision. Details available from the Controller on request.

Data may also be disclosed to public authorities (police, prosecutors, courts) to the extent required by applicable law.

6. Retention periods

Category | Retention
Active User's account and boards | For the duration of the contract.
Account and boards after deletion request (soft‑delete) | 90 days grace period, after which records are physically deleted.
Attachments hidden/removed by a moderator | 30 days, then the file is permanently deleted; decision metadata is preserved in the audit log.
Security logs (failed sign‑ins, attacks) | Up to 12 months.
Moderation logs | Up to 3 years — for claim defence.
Legal consent history | Indefinitely — as proof of compliance with Art. 7(1) GDPR (ability to demonstrate consent). Minimal data: userId, document version, IP, User‑Agent, timestamp.
Correspondence | Up to 3 years from case closure.
Accounting records (if applicable) | 5 years from the end of the tax year.

7. Your rights

You have the following rights under the GDPR:

  • Right of access (Art. 15) — confirmation of processing and a copy of your data.
  • Right to rectification (Art. 16).
  • Right to erasure — “right to be forgotten” (Art. 17), subject to exceptions (e.g. consent records kept for demonstration under Art. 17(3)(b)).
  • Right to restriction (Art. 18).
  • Right to data portability (Art. 20) — structured format (JSON) and, where technically feasible, transmission to another controller.
  • Right to object (Art. 21) — to processing based on legitimate interest (Art. 6(1)(f)), including profiling.
  • Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00‑193 Warsaw, Poland, kancelaria@uodo.gov.pl.

How to exercise your rights: send a request to kontakt@lucyboard.com from the e‑mail associated with your Account (we may ask for additional identity verification to avoid disclosing data to an unauthorised person).

We respond without undue delay and within one month at the latest (Art. 12(3) GDPR). For complex or numerous requests, the period may be extended by two further months, with notice and reasons. Handling requests is free of charge; for manifestly unfounded or excessive requests (especially repetitive ones) we may charge a reasonable fee or refuse to act (Art. 12(5) GDPR).

8. Security

We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR):

  • Transport encryption — all communication between the browser and the Service is encrypted with TLS 1.2 or newer; security headers (HSTS, X‑Content‑Type‑Options, Referrer‑Policy) are enforced.
  • Passwords — stored only as bcrypt hashes with salt; weak passwords are rejected.
  • Authentication — short‑lived JWTs over httpOnly, SameSite=Lax, Secure (in production) cookies; sign‑in rate limiting.
  • Data minimisation — only data needed for the purpose; logs are truncated (e.g. User‑Agent ≤ 500 characters).
  • Access control — role‑based permissions (owner, board member, Operator), enforced in guards and services; unauthorised requests are logged.
  • Content sanitisation — User‑supplied HTML is sanitised before storage (XSS protection).
  • Backups — regular encrypted database and file backups, stored separately from production.
  • Audit of sensitive actions — all moderation operations are logged with operator identifier and reason.
  • Access restriction for files — attachments are visible only to authorised Users; Operators access them only for moderation/audit, with each access logged.

9. Children's data

The Service is not directed at persons under the age of 16 (Art. 8 GDPR). We do not knowingly collect personal data of children without the consent of a legal guardian. If we learn that we have collected data of a child without such consent, we will delete it promptly. A legal guardian who observes a child using the Service may report it to kontakt@lucyboard.com.

10. Cookies and similar technologies

The Service uses only cookies and browser storage strictly necessary to function (“technical cookies”):

  • auth_token — httpOnly cookie containing a JWT session token. Lifetime: up to 7 days.
  • LocalStorage — UI preferences (theme, last opened board), client‑side app state cache. Stays in your browser.
  • SessionStorage — editor temporary data (e.g. undo history), cleared on tab close.

We do not use marketing cookies, third‑party analytics, tracking pixels or fingerprinting technologies. For this reason no separate cookie banner is shown — technical cookies are used on the basis of “strictly necessary” exemption under the ePrivacy Directive.

11. Profiling and automated decisions

We do not engage in automated decision‑making producing legal effects concerning you or similarly significantly affecting you within the meaning of Art. 22 GDPR. We do not profile for marketing purposes.

Automated security mechanisms (rate limiting, anti‑spam filters, anomaly detection) are technical and defensive in nature — they do not produce decisions about you, only temporarily restrict specific operations. You can always contact the Controller for review and human intervention.

12. Personal data breaches

In case of a personal data breach (Art. 4(12) GDPR), the Controller will:

  • notify the UODO within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR);
  • communicate the breach to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR);
  • maintain an internal register of breaches covering circumstances, effects and remedial measures.

13. Changes to this policy

Any material change will increase the version number. Signed‑in Users will be informed in‑app and asked to review the document. Previous consents remain in the audit records; re‑acceptance creates a new, separate consent record.

Version history:

  • 2026-04-23 — current version: expanded processing register, clarified retention, added LiveKit/meeting, moderation logging, breaches, children and automated decisions clauses.
  • 2025-01-15 — initial version.

14. Contact

All data protection inquiries should be addressed to kontakt@lucyboard.com. Abuse reports under the Content Policy should go to abuse@lucyboard.com.

Privacy Policy · lucyboard