Stickyboard

Privacy Policy

Last updated: May 13, 2026

Stickyboard is a sticky-note kanban app available as a web app at stickyboard.dev and as a Chrome extension that replaces the new-tab page. This policy explains exactly what data we collect, why, who processes it on our behalf, and the rights you have over it.

Who runs Stickyboard
What data we collect
How we use it
Who we share it with
Cookies and local storage
Retention and deletion
Your rights (GDPR / CCPA)
Security
Children
Changes to this policy
Contact

1. Who runs Stickyboard

Stickyboard is operated by an independent developer (the "operator," "we," "us"). It is a personal project, not a registered company. Contact details are at the bottom of this page.

2. What data we collect

2.1 Account data

Email address — required to sign in. Login uses a one-time code sent to your email; we never store passwords.
One-time login codes — short-lived codes generated when you request to sign in. They expire automatically and are not retained after use.
Session token — issued after successful sign-in and stored in your browser's localStorage. Sent with each request to identify your account. Cleared when you sign out.

2.2 Board content

Sticky notes — the text, color, position, and ordering of every note you create, plus the board it belongs to.
Board membership — when you share a board, we record the recipient's email address and the role you granted (owner or editor). Invitation tokens are stored until accepted, declined, revoked, or expired.

2.3 Technical data

Server logs — our hosting providers automatically record IP address, timestamp, request path, and user agent for each API request. Used for security, debugging, and abuse prevention. Rotated regularly.
Active board preference — the ID of the board you last viewed is saved in localStorage so we can re-open it on your next visit. Never leaves your browser.
Aggregate web analytics — when you visit the hosted web app at stickyboard.dev, Google Analytics records a randomly assigned client ID (the _ga cookie), your truncated IP address, the pages you view, and basic environment details (browser, device, country). This is used in aggregate only to understand how many people use Stickyboard and which parts they reach. Google Analytics is not loaded inside the Chrome extension — the extension is exempt from this collection entirely.

We do not collect: your browsing history, your location beyond country level, mouse/keystroke telemetry, advertising identifiers, or any cross-site fingerprint. The Chrome extension requests no permissions other than chrome_url_overrides (replacing the new-tab page).

3. How we use it

We use the data above strictly to:

Authenticate you and keep you signed in.
Store and sync your boards and notes across devices.
Deliver login codes and board invitation emails.
Operate, secure, and debug the service (e.g. investigating an incident reported via support).
Measure aggregate usage of the web app so we can understand which features people reach and prioritise accordingly. We do not look at individual users in analytics.
Comply with legal obligations when required.

We do not sell your data, use it for advertising, train AI models on it, or share it with any party not listed in Section 4.

We use the following sub-processors to operate the service. Each receives only the data needed for its specific job:

Railway (privacy policy) — hosts our backend application, PostgreSQL database, and Redis cache. Stores all account data and board content listed in Section 2.
Resend (privacy policy) — delivers transactional email (login codes and board invitations). Receives the recipient email address and the message body.
Google Fonts (privacy policy) — serves typography assets to your browser. Google may log your IP address when the font is fetched. We do not send Google any account data.
Google Analytics (privacy policy) — measures aggregate usage of the hosted web app at stickyboard.dev (pageviews, session count, browser, country). Receives a randomly assigned client ID, your truncated IP address, and event metadata. Does not receive your email address, board content, or any account identifier. Not loaded inside the Chrome extension.

We do not transfer data to third parties for their own purposes, do not use data for credit / lending decisions, and do not share data outside the approved use cases above.

5. Cookies and local storage

Stickyboard uses no advertising cookies. The hosted web app at stickyboard.dev sets Google Analytics cookies (_ga, _ga_*) to measure aggregate usage as described in Section 2.3. These cookies are first-party, last up to two years, and are not set inside the Chrome extension.

Beyond that, the only client-side storage is your browser's localStorage, which holds:

Your session token (so you stay signed in across page reloads).
The ID of your last-active board (so we can re-open it next time).
A pending invitation token, if you arrived via an invitation link before signing in. Cleared as soon as the invitation is handled.
A flag remembering that you dismissed the "install the Chrome extension" banner.

Signing out, or clearing site data in your browser, removes all of these. To opt out of Google Analytics on the web app, you can install Google's official opt-out browser add-on or block third-party cookies; the rest of Stickyboard continues to work normally.

6. Retention and deletion

Account and board data are kept for as long as your account is active.
Login codes expire after a few minutes and are not retained after use.
Invitation tokens are deleted once the invitation is accepted, declined, revoked, or expired.
Server logs are rotated by our hosting provider on their standard retention schedule (typically days to weeks).

To delete your account and all associated boards, email us at the address in Section 11. We will remove your data within 30 days, except where retention is required by law.

7. Your rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) gives you the right to:

Access the data we hold about you.
Correct inaccurate data.
Delete your account and data ("right to be forgotten").
Export your data in a portable format.
Object to or restrict certain processing.
Lodge a complaint with your local data protection authority.

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you the right to know what we collect, to delete it, and to opt out of sale of personal information. Stickyboard does not sell personal information.

To exercise any of these rights, email us — see Section 11.

8. Security

All traffic between your browser and our servers is encrypted with HTTPS / TLS.
Authentication uses email-delivered one-time codes; we never see or store a password.
The database is hosted in a managed environment with provider-level encryption at rest and routine backups.
API requests are authenticated per-user; you can only read and write boards you own or have been explicitly invited to.

No system is perfectly secure. If you discover a vulnerability, please report it to the contact email below before disclosing it publicly.

9. Children

Stickyboard is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has provided us data, contact us and we will delete it.

10. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced in-app or by email to the address on your account. The "Last updated" date at the top reflects the most recent revision. Continued use after a change indicates acceptance.

11. Contact

Questions, data requests, or security reports — email petritavd@gmail.com.