Privacy Policy
Last updated: May 29, 2026 · Effective: May 29, 2026
Plain English summary. We collect what we need to run the service — your email, the deals and notes you create, and basic usage analytics. You can export or delete your data anytime. If you're in California or the EU/UK, you have specific rights described below.
1. Who we are and our role
Dealboard is operated by Dealboard ("Dealboard," "we," "us"). Our service runs at app.getdealboard.com (the "Service"). Contact us at support@getdealboard.com with any questions about this policy.
Our role depends on the data. For your account-level information — your name, email, billing details, sign-in credentials, and analytics about how you use the Service — Dealboard is the data controller (under GDPR and UK GDPR) and the business (under CCPA/CPRA). We decide what's collected, why, and how long it's kept, and we're directly responsible to you for that processing.
For the data you upload into the Service — deals, notes, attachments, contact records, lead-form submissions, inbound emails, and any other content you or your teammates create inside Dealboard (collectively, "Customer Content") — Dealboard acts strictly as a data processor (under GDPR and UK GDPR) and a service provider (under CCPA/CPRA). We process Customer Content on your behalf, under your instructions, and only to provide and secure the Service. You are the data controller / business for Customer Content. You are solely responsible for having the lawful basis (e.g. consent or another lawful ground) to collect personal information from your contacts, leads, and prospects before uploading it. Higher-volume customers who require it can request our standard Data Processing Addendum at support@getdealboard.com.
2. What we collect and why
We collect the minimum personal information needed to deliver and operate the Service. Categories:
- Account information. Your name, email, profile photo (from Google OAuth or uploaded by you), and a hashed credential if you sign in with a password. Used to authenticate you and identify your activity inside the app.
- Customer content. The deals, notes, attachments, stages, team members, and other content you or your teammates create inside Dealboard. We process this solely to provide the Service to you.
- Billing information. If you subscribe to a paid plan, our payment processor (Stripe) collects your payment method, billing address, and tax information. Dealboard receives a card brand, last four digits, and a Stripe customer ID — never your full card number.
- Usage analytics. Pages visited inside the app, feature clicks, error events, and approximate session duration. Used to understand which features work and which need fixing. We do not use third-party advertising trackers in the Service.
- Device and log data. IP address, browser type, operating system, and timestamps. Used for security (rate limiting, anomaly detection) and debugging.
- Inbound email and lead form submissions.
If you enable lead capture, the contents of forms submitted
to your boards or emails sent to your inbound address
(e.g.
leads-abc123@getdealboard.com). This content is your data, processed on your behalf. - Integration and API authorizations. If
you connect an external client to Dealboard via our API
or our Model Context Protocol (MCP) server at
/mcp— for example, authorizing ChatGPT, Claude, or another AI assistant to act on your workspace — we store the OAuth client registration, the scopes you granted (e.g.deals:read,deals:write), and a rotating refresh token tied to your account and team. Access tokens are short-lived (approximately 10 minutes) and are not retained server-side after issuance.
3. How we use information
We use personal information to:
- Operate, secure, and improve the Service.
- Authenticate you and protect your account.
- Communicate with you about your account, billing, security, and product changes (transactional). You cannot opt out of transactional email while you have an active account.
- Send occasional product news and onboarding tips (lifecycle). You can opt out of these any time from your account settings or any email footer.
- Comply with legal obligations and enforce our Terms.
Our marketing site at getdealboard.com uses Google Analytics 4 and Google Ads conversion tracking, which under California law's broad definitions may be characterized as "sharing for cross-context behavioral advertising." See Section 12 for what these tools send and Section 9 for opt-out options, including the Global Privacy Control browser signal, which we honor.
4. Legal bases (EEA / UK users)
If you're in the European Economic Area, United Kingdom, or Switzerland, our legal bases under the GDPR are:
- Contract — to provide the Service you've signed up for (account, customer content, billing).
- Legitimate interests — to secure the Service, prevent fraud, and improve product quality (analytics, log data). You can object at any time.
- Consent — for optional marketing emails. You can withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation — when we must retain or disclose information under applicable law.
5. Subprocessors
We rely on a small, carefully chosen set of vendors to run the Service. Each is bound by a data processing agreement requiring at least the protections in this policy.
- Fly.io (USA) — application hosting and Postgres database.
- Cloudflare (USA) — DNS, CDN, R2 object storage for attachments, inbound email routing, and Browser Rendering for server-side PNG export of certain reports (report HTML is processed transiently by Cloudflare to produce the image and is not retained by Cloudflare beyond the render request).
- Stripe (USA) — payment processing and subscription billing.
- Resend (USA) — transactional and lifecycle email delivery.
- Google (USA) — OAuth sign-in, optional Workspace integrations you connect.
We'll post any material changes to this list before the new subprocessor begins processing your data, except in the case of emergency vendor changes required to maintain availability, security, or data integrity (e.g. a hosting or storage provider outage that forces a failover), where we will provide notice as soon as commercially practicable after the change. Higher-volume customers can request a current subprocessor list at any time at support@getdealboard.com.
6. AI assistants and the MCP server
Dealboard exposes an OAuth-authenticated Model Context
Protocol (MCP) server at /mcp so you can
authorize an AI assistant — such as ChatGPT, Claude, or
another MCP-compatible client — to read and act on your
Dealboard workspace on your behalf. Authorization uses
Dynamic Client Registration and scoped consent. Today's
scopes are deals:read,
deals:write, leads:read,
leads:write, and pipeline:read;
the scopes you grant determine what the assistant can see
and change. Access tokens are short-lived (approximately
10 minutes, EdDSA-signed) and scoped to a single team.
Refresh tokens rotate on each use. You can revoke any
authorized client at any time from your account settings.
What leaves Dealboard when you use an AI assistant. When you invoke a tool through an authorized MCP client, the deals, leads, notes, pipeline data, and other Customer Content responsive to that tool call are transmitted to the AI provider you chose (e.g. OpenAI for ChatGPT, Anthropic for Claude). For that data flow, Dealboard acts as a data exporter: we send the data because you instructed us to by invoking the tool. The AI provider then becomes an independent controller of that data, and its own privacy policy and terms govern how it is processed, retained, and whether it may be used to train models. The AI provider is not a Dealboard subprocessor and we do not have a processor relationship with it for this flow. If you need data minimization, grant only the read scopes you actually need, and review the AI provider's policy before authorizing.
7. Security
We use industry-standard administrative, technical, and organizational measures to protect personal information, including encryption in transit and at rest, logical tenant isolation, access controls, and secure-development practices. The specific controls evolve over time as technology and threats change.
No system is perfectly secure. If we discover a personal-data breach that meaningfully affects you, we will notify you within the timeframes required by applicable law.
8. Retention
We retain your customer content for as long as your account is active. When you delete your account:
- We mark it for deletion immediately. You can typically sign back in within approximately 30 days to restore it (the exact window may vary).
- After the grace period, we remove your user record, deals, notes, attachments, sessions, and related data from our live systems.
- Encrypted backups are retained for a limited period for disaster recovery and rolled off on a regular cycle.
- We retain a minimal billing record (Stripe customer ID, invoices, tax records) for the period required by law.
- We may retain limited data longer where necessary to comply with legal obligations, resolve disputes, prevent fraud or abuse, or enforce our terms.
9. Your California rights (CCPA / CPRA)
If you're a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights regarding your personal information:
- Know. Request the categories and specific pieces of personal information we've collected about you, the sources, the business purposes, and the categories of third parties we share it with.
- Delete. Request that we delete the personal information we've collected from you.
- Correct. Request that we correct inaccurate personal information.
- Opt out of sale or sharing. We do not sell personal information for money. Our marketing site (getdealboard.com) uses Google Analytics 4 and Google Ads conversion tracking, which the CPRA's broad "share" definition may capture as cross-context behavioral advertising — see Section 12 for what these tools actually send to Google. You can opt out two ways: (a) enable Global Privacy Control (GPC) in your browser and we'll honor it as a binding opt-out signal for that browser, or (b) email us and we'll suppress sharing for your account across browsers.
- Limit use of sensitive personal information. We do not intentionally collect sensitive personal information beyond what's necessary to operate and secure the Service (e.g. authentication credentials).
- Non-discrimination. We will not deny you the Service, charge different prices, or provide a different level of quality because you exercised your rights.
To exercise any of these rights, email support@getdealboard.com from the email address on your account, or with sufficient information for us to verify your identity. You may designate an authorized agent to make a request on your behalf — we'll require written authorization from you and independent verification of your identity. We respond to verifiable requests within the timeframes required by applicable law (and may take available statutory extensions where reasonably necessary to complete the request).
10. Your rights (EEA / UK)
If you're in the EEA, UK, or Switzerland, you have the rights to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with a supervisory authority. Email support@getdealboard.com to exercise these rights.
11. International transfers
Dealboard's servers are located in the United States and personal information is processed in the United States. Where personal data is transferred out of the EEA, UK, or Switzerland, we rely on appropriate transfer mechanisms under applicable law (such as the European Commission's Standard Contractual Clauses and the UK Addendum, as applicable), implemented through our subprocessor arrangements.
12. Cookies and tracking
Inside the Service (app.getdealboard.com) we use a small number of strictly necessary cookies for authentication and session management, plus a first-party usage analytics measure (page views, feature events) to understand which features work and which need fixing. These analytics stay on our infrastructure, do not set third-party cookies, and are not used for advertising.
On the marketing site (getdealboard.com) we use Google Analytics 4 for traffic analysis and Google Ads conversion tracking for paid acquisition. GA4 is configured to drop the visitor's IP address before storage on Google's side. Google Ads is configured with "enhanced conversions" enabled, which means that when a visitor signs up after clicking a Google ad, a one-way SHA-256 hash of their email address may be sent to Google to improve conversion matching. This is the only point at which any user-identifying signal from our marketing site leaves our infrastructure for an advertising platform.
Honoring opt-out signals. When your browser sends the Global Privacy Control (GPC) signal, we treat it as a valid opt-out under the CPRA. On the marketing site, GA4 is placed into Restricted Data Processing mode and the Google Ads enhanced-conversions personal-data path is suppressed for that session. You can also opt out explicitly by emailing us at support@getdealboard.com.
13. Children
Dealboard is a business tool not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact us and we will delete it.
14. Changes
We may update this policy from time to time. Material changes will be announced via in-app notice or email at least seven days before they take effect, except where immediate updates are required by applicable law, regulatory order, or to address an urgent security or fraud necessity, in which case the change takes effect when posted and we will provide notice as soon as commercially practicable thereafter. Continued use of the Service after the effective date constitutes acceptance. The version date at the top of this page is authoritative.
15. Contact
Questions, requests, or DSAR submissions: support@getdealboard.com. For postal correspondence, contact us first by email and we'll provide the appropriate mailing address.