PRIVACY POLICY
Effective Date: November 3, 2025
Last Updated: November 2, 2025
1. INTRODUCTION
This Privacy Policy explains how Norbert Ďurčanský ("we," "us," "our," or "Onlyboard") collects, uses, stores, and protects your personal data when you use our Telegram-based task management service ("Service") and visit our website at onlyboard.io ("Website").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Czech Act No. 110/2019 Coll. on Personal Data Processing, and other applicable data protection laws.
Data Controller:
Norbert Ďurčanský
IČO: 09922709
Prague, Czech Republic
Email: privacy@onlyboard.io
By using our Service or Website, you agree to the collection and use of information in accordance with this Privacy Policy.
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
When using the Telegram Bot:
- Agency name (provided during initial setup)
- User role (determined by invitation type: Agency Owner, Manager, or Model)
- Telegram user ID and username/handle (automatically collected when you interact with the bot)
- Task data: Task descriptions (which may include content details), assignees, status, and deadlines
- Payment information: Billing details processed by Stripe (we do not store credit card numbers)
When using the Website:
- Contact form data: Name, email address, message content, agency size, and number of models managed (for lead qualification)
- Email addresses: If you subscribe to newsletters or marketing communications (future feature)
- Account information: Login credentials and preferences (future feature when web accounts are enabled)
2.2 Information Collected Automatically
Usage Data:
- Log data: IP addresses, browser type, operating system, pages visited, time spent on pages, referring URLs
- Telegram interaction data: Commands sent, bot usage patterns, interaction timestamps
- Analytics data: Website navigation patterns, clicks, scrolling behavior, form interactions (via Google Analytics and PostHog)
Cookies and Tracking Technologies: See Section 10 (Cookie Policy) for detailed information.
2.3 Information from Third Parties
- Stripe: Payment transaction data, including billing address and payment method details (Stripe acts as a separate data controller for payment processing)
- Telegram: User profile information made available through the Telegram Bot API
3. HOW WE USE YOUR INFORMATION
We process your personal data for the following purposes and legal bases under GDPR:
3.1 To Provide and Maintain the Service (Legal Basis: Contract - Art. 6(1)(b) GDPR)
- Create and manage your account
- Process tasks, assignments, and workflows
- Enable team coordination and communication
- Provide customer support
- Process billing and payments
3.2 To Improve and Develop the Service (Legal Basis: Legitimate Interest - Art. 6(1)(f) GDPR)
- Analyze usage patterns to improve features
- Conduct research and development
- Troubleshoot technical issues and debug
- Monitor service performance and uptime
3.3 For Marketing and Communications (Legal Basis: Consent - Art. 6(1)(a) GDPR)
- Send promotional emails and newsletters (you can opt out at any time)
- Send push notifications via Telegram about new features
- Display targeted advertisements on third-party platforms
- Conduct surveys and gather feedback
3.4 For Legal and Security Purposes (Legal Basis: Legal Obligation - Art. 6(1)(c) GDPR / Legitimate Interest - Art. 6(1)(f) GDPR)
- Comply with legal obligations (e.g., tax, accounting requirements)
- Detect and prevent fraud or abuse
- Enforce our Terms of Use
- Protect the rights and safety of users
- Respond to legal requests from authorities
4. DATA SHARING AND DISCLOSURE
We do not sell, rent, or trade your personal data. We share your information only in the following circumstances:
4.1 Service Providers and Sub-Processors
We use trusted third-party service providers to operate our Service. These providers process data on our behalf under strict data processing agreements:
| Service Provider | Purpose | Data Transferred | Location |
| --- | --- | --- | --- |
| Stripe | Payment processing | Billing details, payment method | EU/US (with SCCs) |
| Google Cloud | Data hosting and infrastructure | All user data | EU (europe-west1, Dublin) |
| Telegram | Bot platform and messaging | Telegram user IDs, usernames, messages | Various (Telegram's infrastructure) |
| Google Analytics | Website analytics | Usage data, anonymized IP addresses | US (with SCCs) |
| PostHog | Product analytics and session recording | Usage data, session recordings, form inputs | US/Cloud (with SCCs) |
| Google Ads | Advertising and conversion tracking | Cookie data, website visits | US (with SCCs) |
| Meta (Facebook/Instagram) | Advertising and tracking | Cookie data, website visits, clicks | US (with SCCs) |
| TikTok | Advertising and conversion tracking | Cookie data, website visits | US/Singapore (with SCCs) |
| Twitter/X | Advertising and event tracking | Cookie data, website visits | US (with SCCs) |
4.2 International Data Transfers
Some of our service providers (Google Analytics, PostHog, advertising platforms) are located outside the European Economic Area (EEA), primarily in the United States. These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46 GDPR)
- EU-US Data Privacy Framework (where applicable and certified)
- Your explicit consent for analytics and marketing cookies (obtained via cookie consent banner)
We ensure all international transfers comply with GDPR requirements through appropriate safeguards.
4.3 Legal Requirements
We may disclose your data if required by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, tax authorities) or to:
- Comply with legal obligations
- Protect and defend our rights or property
- Prevent fraud or illegal activity
- Protect the safety of users or the public
4.4 Business Transfers
If we are involved in a merger, acquisition, asset sale, or bankruptcy, your personal data may be transferred to the successor entity. We will notify you via email and/or prominent notice on our Website before your data is transferred and becomes subject to a different privacy policy.
5. DATA RETENTION
We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:
| Data Type | Retention Period | Legal Basis |
| --- | --- | --- |
| Account and profile data | Duration of account + 30 days after deletion | Contract fulfillment, legitimate interest |
| Task and workflow data | Duration of account + 30 days after deletion | Contract fulfillment |
| Billing records and invoices | 10 years after transaction | Czech legal obligation (Act No. 563/1991 Coll.) |
| Analytics data (Google Analytics, PostHog) | 26 months (default GA4 setting) | Legitimate interest, consent |
| Marketing cookies | Up to 2 years (varies by platform) | Consent |
| Contact form inquiries | 2 years or until resolved | Legitimate interest |
| Message logs (for debugging) | 90 days maximum (if implemented) | Legitimate interest |
After retention periods expire, we securely delete or anonymize your data so it can no longer identify you.
6. YOUR RIGHTS UNDER GDPR
As a data subject in the EU/EEA, you have the following rights:
6.1 Right of Access (Art. 15 GDPR)
You can request a copy of the personal data we hold about you, including details about how we process it.
6.2 Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate or incomplete personal data.
6.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
You can request deletion of your personal data when:
- It is no longer necessary for the purposes collected
- You withdraw consent (for consent-based processing)
- You object to processing and no overriding legitimate grounds exist
- Data was unlawfully processed
- Legal obligation requires erasure
Note: We may retain data if legally required (e.g., billing records for 10 years).
6.4 Right to Restriction of Processing (Art. 18 GDPR)
You can request we limit processing of your data in certain circumstances (e.g., while we verify accuracy or assess objections).
6.5 Right to Data Portability (Art. 20 GDPR)
You can request your data in a structured, machine-readable format (e.g., JSON, CSV) and transmit it to another service provider.
6.6 Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.
6.7 Right to Withdraw Consent (Art. 7(3) GDPR)
For consent-based processing (e.g., marketing cookies, newsletters), you can withdraw consent at any time without affecting prior processing.
6.8 Right to Lodge a Complaint
You can file a complaint with your national data protection authority:
Czech Data Protection Authority (Úřad pro ochranu osobních údajů):
Address: Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Phone: +420 234 665 111
Email: posta@uoou.cz
Website: https://www.uoou.cz
6.9 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: privacy@onlyboard.io
- Subject line: "GDPR Data Subject Request - [Your Right]"
We will respond within 30 days (extendable to 60 days for complex requests). We may request additional information to verify your identity before fulfilling requests.
No fees: We do not charge fees for exercising your rights, except for manifestly unfounded or excessive requests.
7. DATA SECURITY
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or destruction:
7.1 Technical Measures
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access controls: Role-based access restrictions; only authorized personnel can access data
- Two-factor authentication: Available for user accounts (future feature)
- Secure hosting: Data hosted on Google Cloud Platform (EU region) with industry-leading security standards
7.2 Organizational Measures
- Regular security training for team members
- Confidentiality agreements with all personnel
- Incident response procedures (though no formal breach plan documented)
7.3 Limitations
Despite our efforts, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. If you suspect unauthorized access, contact us immediately at privacy@onlyboard.io.
8. DATA BREACH NOTIFICATION
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Czech Data Protection Authority within 72 hours of becoming aware (Art. 33 GDPR)
- Notify affected users without undue delay if the breach poses a high risk (Art. 34 GDPR)
Notifications will include:
- Nature of the breach
- Categories and approximate number of affected individuals
- Likely consequences
- Measures taken to address the breach and mitigate harm
- Contact point for further information
9. CHILDREN'S PRIVACY
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, contact us at privacy@onlyboard.io and we will delete it promptly.
10. COOKIE POLICY
10.1 What Are Cookies?
Cookies are small text files placed on your device (computer, smartphone, tablet) when you visit our Website. They help us recognize your device, remember your preferences, analyze how you use our Website, and deliver targeted advertising.
10.2 Types of Cookies We Use
We use the following categories of cookies:
A. Essential/Functional Cookies
These cookies are necessary for the Website and Service to function. You cannot opt out of these cookies.
| Cookie Name | Purpose | Duration | Provider |
| --- | --- | --- | --- |
| session_id (future) | Maintain user login state for web accounts | Session (deleted when browser closes) | Onlyboard |
| csrf_token | Prevent cross-site request forgery attacks | Session | Onlyboard |
B. Analytics Cookies (Requires Consent)
These cookies collect information about how visitors use our Website to help us improve performance and user experience.
| Cookie Name | Purpose | Duration | Provider |
| --- | --- | --- | --- |
| _ga | Distinguish unique users; track sessions | 2 years | Google Analytics |
| _gid | Distinguish unique users (short-term) | 24 hours | Google Analytics |
| _ga_<container-id> | Store session state | 2 years | Google Analytics |
| ph_* (various) | Product analytics, session recording, event tracking | 1 year | PostHog |
Data Collected: Page views, clicks, scrolling behavior, form interactions (including inputs), session recordings, anonymized IP addresses, device type, browser, referring URLs.
IP Anonymization: Google Analytics anonymizes the last octet of your IP address before storage.
C. Marketing/Advertising Cookies (Requires Consent)
These cookies track your browsing activity across websites to deliver personalized ads and measure ad campaign effectiveness.
| Cookie Name | Purpose | Duration | Provider |
| --- | --- | --- | --- |
| _gcl_* (e.g., _gcl_au) | Google Ads conversion tracking and remarketing | 90 days | Google Ads |
| _fbp | Meta Pixel: Track visits and conversions | 90 days | Meta (Facebook/Instagram) |
| _fbc | Meta Pixel: Store campaign source information | 90 days | Meta |
| ttclid | TikTok Pixel: Click ID for conversion tracking | 13 months | TikTok |
| tt_appInfo | TikTok Pixel: Session information | Session | TikTok |
| muc_ads (and others) | Twitter/X Pixel: Ad targeting and measurement | 2 years | Twitter/X |
Data Collected: Website visits, clicks, conversions (e.g., trial sign-ups), ad impressions, campaign sources.
10.3 Cookie Consent and Your Choices
EU Cookie Directive Compliance: We obtain your explicit consent before placing non-essential cookies (analytics and marketing) through a cookie consent banner displayed when you first visit our Website.
Managing Cookie Preferences:
- Cookie Consent Banner: Click "Cookie Settings" in the banner to customize your preferences (accept/reject categories).
- Browser Settings: You can block or delete cookies through your browser settings:
  - Chrome: Settings > Privacy and Security > Cookies and other site data
  - Firefox: Settings > Privacy & Security > Cookies and Site Data
  - Safari: Preferences > Privacy > Manage Website Data
  - Edge: Settings > Cookies and site permissions
- Third-Party Opt-Outs:
  - Google Analytics: Install the Google Analytics Opt-out Browser Add-on
  - Google Ads: Visit Google Ads Settings
  - Meta: Visit Facebook Ads Preferences
  - TikTok: Visit TikTok Privacy Settings in your account
  - Twitter/X: Visit Twitter Privacy Settings
- Do Not Track (DNT): We currently do not respond to DNT signals, as there is no universal standard. However, you can control cookies through the methods above.
Note: Blocking essential cookies may impair Website functionality. Blocking analytics/marketing cookies does not affect core Service features.
10.4 International Cookie Transfers
Cookies placed by third-party analytics and advertising providers (Google, Meta, TikTok, Twitter/X, PostHog) may transfer data to the United States and other countries outside the EEA. These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Your explicit consent obtained through the cookie banner (consent serves as a legal basis for transfers under GDPR Art. 49(1)(a))
10.5 Session Recording and Form Capture (PostHog)
PostHog Session Recording: With your consent, we use PostHog to record your interactions on our Website (mouse movements, clicks, scrolling) and capture form inputs (excluding sensitive fields like passwords). This helps us:
- Identify usability issues
- Understand how users navigate the site
- Improve user experience
Data Captured: Page navigation, clicks, form inputs (name, email, agency size, model count from contact forms), session duration.
Your Privacy: We do NOT record:
- Payment information or credit card details
- Passwords or authentication credentials
- Personal conversations or private messages
You can opt out of session recording by rejecting analytics cookies in the consent banner.
11. COMMUNICATION PREFERENCES
11.1 Marketing Communications
With your consent, we may send you:
- Promotional emails about new features, updates, and offers
- Newsletters with industry insights and tips
- Push notifications via Telegram Bot about Service updates
Opt-Out: You can unsubscribe from marketing emails by:
- Clicking "Unsubscribe" at the bottom of any marketing email
- Contacting privacy@onlyboard.io
- Adjusting notification settings in the Telegram Bot
Opting out does NOT stop:
- Transactional emails (e.g., billing confirmations, account security alerts)
- Service-related notifications necessary for account management
11.2 Transactional Communications
We will send essential, non-marketing communications such as:
- Payment confirmations and invoices
- Account security alerts
- Service updates that affect your use of Onlyboard
You cannot opt out of these communications, as they are necessary for the Service.
12. REFERRAL AND AFFILIATE PROGRAMS
If we implement referral or affiliate programs in the future:
- Data Collected: Referrer's email/Telegram username, referee's email/Telegram username, referral link clicks, conversions
- Purpose: Track referrals, issue rewards, prevent fraud
- Legal Basis: Legitimate interest (program administration), consent (for communications about rewards)
We will update this Privacy Policy accordingly before launching such programs.
13. AUTOMATED DECISION-MAKING AND PROFILING
We do not engage in automated decision-making (including profiling) that produces legal or similarly significant effects on you under GDPR Art. 22.
14. THIRD-PARTY LINKS
Our Website and Service may contain links to third-party websites or services (e.g., Telegram, Stripe, social media platforms). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.
15. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features.
Notification of Changes:
- Effective Date: Updated at the top of this policy
- Material Changes: We will notify you via email (if available) or prominent notice on our Website/Telegram Bot at least 30 days before changes take effect
- Minor Changes: May take effect immediately upon posting
Your Continued Use: Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.
16. CONTACT US
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
Data Protection Contact:
Email: privacy@onlyboard.io
Response Time: Within 30 days
General Support:
Email: support@onlyboard.io
Data Controller:
Norbert Ďurčanský
IČO: 09922709
Prague, Czech Republic
Supervisory Authority:
Czech Data Protection Authority (Úřad pro ochranu osobních údajů)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Phone: +420 234 665 111
Email: posta@uoou.cz
Website: https://www.uoou.cz
17. CONSENT ACKNOWLEDGMENT
By using Onlyboard's Service or Website, you acknowledge that you have read, understood, and agree to this Privacy Policy, including our use of cookies and data processing practices. For analytics and marketing cookies, your consent is obtained through our cookie consent banner. You can withdraw consent at any time via the banner or browser settings.