Privacy Policy
Last updated: January 7, 2025
1. Data Controller
Yonas Valentin Kristensen, Callisensvej 20, 2900 Hellerup, Denmark ("we", "us", "our") is the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act.
2. Personal Data We Collect
We collect and process the following categories of personal data:
- Account Information: Name, email address, password (encrypted)
- Usage Data: Workspace data, flowcharts, brainstorms, and content you create
- Technical Data: IP address, browser type, device information, cookies
- Payment Information: Processed by Stripe (we do not store full credit card details)
- Communication Data: Support messages, feedback, and correspondence
3. Legal Basis for Processing
We process your personal data based on:
- Contract Performance (GDPR Art. 6(1)(b)): To provide our services
- Consent (GDPR Art. 6(1)(a)): For marketing communications (you can withdraw anytime)
- Legitimate Interest (GDPR Art. 6(1)(f)): For analytics, security, and service improvement
- Legal Obligation (GDPR Art. 6(1)(c)): For tax and accounting requirements
4. Data Retention
We retain your personal data only as long as necessary:
- Active accounts are retained while you use our service.
- Deleted accounts are permanently removed within 30 days.
- Payment records are kept for 5 years per the Danish Bookkeeping Act (Bogføringsloven).
- Analytics data is anonymized after 26 months.
5. Data Sharing and Third Parties
We share data only with trusted service providers bound by data processing agreements: Clerk (authentication), Supabase (database hosting, EU servers), Stripe (payment processing), and Umami Analytics (privacy-focused, GDPR-compliant analytics). We do not sell your personal data. All processors comply with the GDPR and the EU-US Data Privacy Framework.
6. Your Rights Under GDPR
You have the following rights:
- Right to Access (Art. 15): Request a copy of your data
- Right to Rectification (Art. 16): Correct inaccurate data
- Right to Erasure (Art. 17): Delete your data ('right to be forgotten')
- Right to Restriction (Art. 18): Limit how we use your data
- Right to Data Portability (Art. 20): Receive your data in a structured format
- Right to Object (Art. 21): Object to processing based on legitimate interest
- Right to Withdraw Consent: Unsubscribe from marketing anytime
7. Cookies and Tracking
We use only essential cookies for authentication and session management. Analytics cookies (Umami) are privacy-focused and do not track personal information. You can disable cookies in your browser settings.
8. Data Security
We implement industry-standard security measures: encryption in transit (TLS/SSL) and at rest, regular security audits, access controls and authentication, and automatic backups. Despite our efforts, no system is 100% secure. We will notify you of any data breach within 72 hours as required by GDPR Art. 33.
9. International Transfers
Your data is primarily stored on EU servers. Where we use US-based services (e.g., Stripe, Clerk), they comply with the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs).
10. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect data from children. If we discover that we have collected such data, we will delete it immediately.
11. Changes to This Policy
We may update this policy. We will notify you of material changes by email 30 days before they take effect.
12. Complaints
You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet): www.datatilsynet.dk, dt@datatilsynet.dk, +45 33 19 32 00.
13. Contact Us
Yonas Valentin Kristensen
Callisensvej 20, 2900 Hellerup, Denmark
Email: yonasmougaard@gmail.com