Boardwise Privacy Policy

Last updated: June 2026

Table of Contents

1. Introduction

2. Terms

3. Data Controller

4. Data Protection Officer

5. Scope of This Policy — Website and Mobile App

6. Who Is Responsible for Which Processing

7. Website Processing Activities

7.1 Provision of Website and Log Files

7.2 Contact Form and Contact by E-Mail

7.3 Google Analytics (GA4)

7.4 Google reCAPTCHA

7.5 Social Networks

7.6 LinkedIn Insight Tag

7.7 Cookies

8. Mobile App Processing Activities

8.1 Data Categories Processed by the App

8.2 Authentication and Sign-In (Microsoft OAuth)

8.3 Workspace Content

8.4 App Distribution and Technical Metadata

8.5 Recipients and Third-Party Sharing

8.6 Retention and Deletion

8.7 Device Permissions

8.8 Security Measures for the Mobile App

8.9 Account and Workspace Deletion

9. Security Measures (General)

10. Your Rights as a Data Subject

11. California Residents — Additional Disclosures (CCPA/CPRA)

12. Changes to This Policy

1. Introduction

The operation of our website https://boardwise.io and our Boardwise mobile application (collectively the "Services") involves the processing of personal data. We handle this data confidentially and in accordance with applicable laws, in particular the General Data Protection Regulation (GDPR) and Germany's Federal Data Protection Act (BDSG).

This Privacy Policy informs you about the personal data we collect, the purposes for which we use it, the legal bases for processing, with whom we share it, how long we retain it, and your rights as a data subject.

2. Terms

2.1 Personal Data

"Personal data" is all information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). This includes names, e-mail addresses, IP addresses, location data, and any other information that can be used directly or indirectly to identify a person.

2.2 Processing

Under Art. 4 No. 2 GDPR, "processing" describes any operation applied to personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure, or destruction.

3. Data Controller

The party responsible for data processing for Boardwise-controlled activities is:

Boardwise GmbH, Nobistor 10, 22767 Hamburg, Germany

Statutory representatives: Sven Rebbert, Dr. Boris Häfele, Dr. Gisbert Grasses

E-mail: contact@boardwise.io

Note on customer-hosted workspaces: When you access a Boardwise workspace operated within your organisation's own Microsoft 365/Azure or other customer-controlled cloud environment, the customer organisation is generally the data controller for workspace content stored in that environment. See Section 6 for details.

4. Data Protection Officer

We have appointed an external data protection officer:

Dr. Thomas Brehm

c/o BBS Bier Brehm Spahn Partnerschaft Rechtsanwälte

Brandstwiete 46, 20457 Hamburg, Germany

5. Scope of This Policy — Website and Mobile App

This Privacy Policy applies to:

1. The Boardwise website at https://boardwise.io — including all pages, contact forms, and web-based resources available on that domain.

2. The Boardwise mobile application — the iOS and Android apps published by Boardwise GmbH on the Apple App Store and Google Play Store.

Certain processing activities differ depending on whether you visit the public website, use the mobile app, or access a Boardwise workspace operated in your organisation's own cloud environment. Sections 7 and 8 describe these activities separately.

The mobile app does not process personal data for advertising purposes. We do not sell personal data. We do not use personal data from the app for cross-app tracking or interest-based advertising.

6. Who Is Responsible for Which Processing

6.1 Boardwise GmbH as Data Controller

Boardwise GmbH decides the purposes and means of processing for:

• Visitors to and users of the public Boardwise website (https://boardwise.io).

• Distribution of the Boardwise mobile app through the Apple App Store and Google Play Store, including any app crash or diagnostic data transmitted to Boardwise.

• Support requests addressed directly to Boardwise GmbH.

• Any data Boardwise collects for its own compliance, security monitoring, or legal obligations.

For all such processing, this Privacy Policy and the contact details in Section 3 apply.

6.2 Your Organisation as Data Controller for Workspace Content

Boardwise is designed to run inside the customer's own Microsoft 365/Azure or other customer-controlled cloud environment. This means that:

• Workspace content — including agendas, meeting documents, minutes, resolutions, follow-up tasks, comments, committee records, and other board-governance materials — is processed in and stored in the customer organisation's own environment.

• The customer organisation (your employer or the entity operating the Boardwise workspace) generally determines the purposes, access rights, retention periods, and deletion rules for that workspace content and is therefore the data controller for that content.

• Boardwise GmbH does not operate central servers that store your workspace content unless a separate written agreement with your organisation expressly provides for this.

If your request concerns workspace content or your access rights within a Boardwise workspace, please contact the administrator of the Boardwise workspace in your organisation first.

6.3 Boardwise GmbH as Data Processor

Where your organisation has engaged Boardwise GmbH to provide support, maintenance, or cloud-hosted services that involve access to workspace data, Boardwise GmbH may act as a data processor on behalf of your organisation, under a data processing agreement.

7. Website Processing Activities

When you visit the website https://boardwise.io, we process the personal data described in Sections 7.1–7.7. We process this data exclusively for the stated purposes. As a general rule, we do not sell, lease, or transfer your data to third parties. Where we engage external service providers, we do so as a data controller within an order-processing relationship and provide appropriate instructions.

We do not, as a general rule, transfer personal data to third countries. Exceptions are noted in the relevant sections below.

7.1 Provision of Website and Log Files

Description: When anyone visits our website, we automatically collect information that their browser transmits to our server and store it in log files. This includes:

| Data | Details |
|---|---|
| IP address | Shortened by the last three digits before storage |
| Browser software | Version and language |
| Operating system | |
| Pages visited | Sub-pages and resources |
| Date and time | Timestamp of each visit |
| Internet service provider | |

Purpose: To enable access to the website; to ensure stability and security; to enable statistical evaluation and improvement of our online service.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests. Our legitimate interest is the purpose stated above.

Retention: Log files are deleted after 30 days.

7.2 Contact Form and Contact by E-Mail

Description: We provide a contact form on our website. You are asked to enter your e-mail address, name, and a message. Data is transmitted with SSL/TLS encryption. You may also contact us directly by e-mail. In both cases the personal data you transmit will be processed by us.

Purpose: To process and respond to your request.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests (responding to your enquiry). Where e-mail contact is aimed at concluding or fulfilling a contract, Art. 6(1)(b) GDPR also applies.

Retention: Data is deleted when the communication has been conclusively resolved. Statutory retention periods may require longer retention, after which deletion follows immediately upon expiry.

7.3 Google Analytics (GA4)

Description: Our website uses Google Analytics 4 (GA4), a web-analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). GA4 uses cookies and similar technologies to collect pseudonymised data about how visitors use the website. IP anonymisation is enabled; IP addresses are truncated before storage. We do not use Universal Analytics, which has been sunset by Google.

The information generated is generally transferred to and stored on Google servers, which may include servers in the USA. Such transfers are safeguarded by the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) concluded between Boardwise GmbH and Google.

Purpose: To evaluate the use of our website and improve our online presence.

Legal basis: Art. 6(1)(a) GDPR — your consent, where obtained via our cookie banner. Consent is voluntary and may be withdrawn at any time via the cookie settings on this website.

Right to object / opt-out: You may also install the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout.

Retention: Analysis data is deleted by us after 14 months. For further information on Google's data practices, see https://policies.google.com/privacy.

7.4 Google reCAPTCHA

Description: Our website uses reCAPTCHA, operated by Google Ireland Limited. reCAPTCHA analyses form interactions (IP address, time on page, mouse movements, and other signals) to distinguish human users from automated software.

Purpose: To protect forms against spam and automated misuse.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests. Where consent is obtained via a cookie banner, Art. 6(1)(a) GDPR applies.

Third-country transfers: Data may be transferred to Google servers in the USA, safeguarded by Standard Contractual Clauses. See https://policies.google.com/privacy.

7.5 Social Networks

Description: Our website does not use social media plugins. The logos of LinkedIn, Xing, and X (formerly Twitter) are simple links to our company profiles on those platforms. Clicking a logo redirects you to the external website of the respective social network, which is subject to that network's own privacy policy.

Purpose: Contemporary public relations and communication with customers and interested parties.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests.

Social network privacy policies:

| Network | Operator | Privacy Policy |
|---|---|---|
| LinkedIn | LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland | https://www.linkedin.com/legal/privacy-policy |
| Xing | New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany | https://privacy.xing.com/en/privacy-policy |
| X (formerly Twitter) | X Corp., 1355 Market St, Suite 900, San Francisco, CA 94103, USA | https://twitter.com/privacy |

7.6 LinkedIn Insight Tag

Description: We use the LinkedIn Insight Tag for retargeting and conversion tracking. The tag is operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Data collected includes:

• IP address

• Device information

• Browser information

• Referrer URL

• Timestamp

This data is stored in a cookie and used to provide us with aggregated statistics and to show relevant offers to users who have previously visited our website.

Legal basis: Art. 6(1)(a) GDPR — your consent. Consent is voluntary and may be withdrawn at any time via the cookie settings on this website.

Third-country transfers: Data may be transferred to the USA. Such transfers are safeguarded by Standard Contractual Clauses (Art. 46(2)(c) GDPR). If Standard Contractual Clauses are not sufficient to ensure an adequate level of protection, we will obtain your separate consent under Art. 49(1)(a) GDPR.

Retention: Data is stored only as long as necessary for the stated purposes.

7.7 Cookies

Description: Our website uses cookies — small text files stored on your device when you visit a website. Session cookies are deleted when you close your browser. Persistent cookies remain for a defined period.

Purpose: To make our website more user-friendly and to enable the features described in Sections 7.3–7.6.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests (session cookies technically required for website operation). Art. 6(1)(a) GDPR — consent (analytics, marketing, and third-party cookies via cookie banner). Consent is voluntary.

Control: You can manage cookie preferences at any time via the cookie settings on this website or through your browser settings. Instructions for common browsers:

• Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

• Firefox: https://support.mozilla.org/en/kb/cookies-allow-and-block

• Chrome: https://support.google.com/chrome/answer/95647

• Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471

• Opera: http://help.opera.com/Windows/10.20/de/cookies.html

8. Mobile App Processing Activities

This section describes the personal data processing activities specific to the Boardwise mobile application available on the Apple App Store and Google Play Store.

8.1 Data Categories Processed by the App

When you use the Boardwise mobile app, the following categories of data are processed, depending on which features you use:

| Category | Examples | Processed by |
|---|---|---|
| Account and workspace configuration data | Business e-mail address, display name, workspace URL, tenant/workspace identifier | Your organisation |
| Authentication and session data | OAuth tokens, session identifiers, sign-in timestamps | Your organisation's Microsoft identity service; tokens stored locally on-device |
| Workspace content | Agendas, meeting documents, minutes, resolutions, follow-up tasks, comments, board-governance records | Your organisation's Boardwise workspace environment |
| App technical metadata | App version, device OS version, crash and error reports transmitted to Boardwise | Boardwise GmbH |

Data that is processed only on-device and is not transmitted off the device is not considered "collected" under the Apple and Google definitions and is not subject to further disclosure requirements.

Purpose: Authentication, workspace access, document delivery, meeting preparation and execution, app stability, and security.

Legal basis (Boardwise-controlled processing): Art. 6(1)(b) GDPR — processing necessary for the performance of a contract (app services provided to you); Art. 6(1)(f) GDPR — legitimate interests (security, fraud prevention, app stability).

8.2 Authentication and Sign-In (Microsoft OAuth)

Description: The Boardwise mobile app uses Microsoft OAuth 2.0 with the Authorization Code + PKCE flow to authenticate users via their organisation's Microsoft identity (Microsoft Entra ID / Microsoft 365). The app does not store your Microsoft account password. Authentication tokens are stored using platform-secure storage mechanisms provided by the operating system (iOS Keychain / Android Keystore).

Sign-in data is processed by the Microsoft identity service configured by your organisation. Microsoft's privacy practices for identity services are described in the Microsoft Privacy Statement at https://privacy.microsoft.com/en-us/privacystatement.

Purpose: Secure user authentication and authorisation.

Retention: Authentication tokens are stored only as long as the session is active and are removed on logout, workspace removal, or app deletion.

8.3 Workspace Content

Description: Workspace content such as agendas, meeting materials, minutes, resolutions, follow-up tasks, and related documents is stored in the customer organisation's own Microsoft 365/Azure or other customer-controlled cloud environment. The app retrieves and displays this content from the customer's backend.

Boardwise GmbH does not have access to your workspace content unless your organisation has separately engaged Boardwise GmbH for a cloud-hosted or support service and a data processing agreement is in place.

Controller: Your organisation (see Section 6.2).

Retention: Workspace content is retained and deleted in accordance with your organisation's own retention and deletion settings. Locally cached content on the device is cleared on logout, workspace removal, or app deletion.

8.4 App Distribution and Technical Metadata

Description: When you download, install, or use the Boardwise app, the Apple App Store and Google Play Store process data related to the download and installation in accordance with their own privacy policies. Boardwise GmbH may receive aggregated, non-personalised statistics about app downloads and usage provided by Apple and Google.

If the app collects crash or error reports for diagnostic purposes, such reports may include technical data such as app version, device model, OS version, and a stack trace. This data is used exclusively for the purpose of diagnosing and fixing software defects.

Purpose: App distribution; diagnosing and resolving technical defects.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests (product quality and security).

Retention: Crash and diagnostic data is retained only as long as required to resolve the relevant defect.

8.5 Recipients and Third-Party Sharing

The following parties may receive personal data in connection with your use of the Boardwise mobile app:

| Recipient | Role | Purpose |
|---|---|---|
| Customer organisation's Boardwise backend | Data controller | Workspace access and data |
| Microsoft identity/Microsoft 365 services | Configured by your organisation | Authentication, document access |
| Apple Inc. / Google LLC | Independent controller (App Store / Play Store) | App distribution, in-app purchase |
| Boardwise GmbH technical subprocessors | Data processor | App stability, crash reporting (if applicable) |

Any third-country transfers to subprocessors located outside the EEA are safeguarded by Standard Contractual Clauses (Art. 46(2)(c) GDPR) or another appropriate transfer mechanism.

We do not sell personal data. We do not use app data for cross-app advertising or tracking. We do not share personal data with advertising networks.

8.6 Retention and Deletion

| Data type | Retention rule |
|---|---|
| Locally stored workspace metadata and cached content | Until logout, workspace removal, or app deletion from the device |
| Authentication tokens | Until the session expires or the user logs out |
| Workspace content in customer-hosted environment | Per the customer organisation's retention settings |
| Crash and diagnostic data (Boardwise-controlled) | Until the related defect is resolved, and no longer than 12 months |
| Support correspondence with Boardwise | Until the request is resolved; longer if required by applicable law |

8.7 Device Permissions

The Boardwise mobile app requests only the permissions necessary for its stated functions. The table below lists the permissions the app may request:

| Permission | Required / Optional | Purpose |
|---|---|---|
| Network access | Required | Connecting to the workspace backend and authentication service |
| Secure storage (Keychain/Keystore) | Required | Storing authentication tokens securely on-device |
| Camera | Optional | Scanning a QR code during workspace setup for faster configuration (no images are stored or transmitted) |

The app does not request access to the device microphone, contacts, location, calendar, or photo library as part of its standard functionality. The camera permission is used exclusively on-device for QR code scanning; no images or video are captured, stored, or transmitted to any server. If a future version introduces optional features requiring additional permissions, this section will be updated and users will be informed in-app before any such permission is requested.

You can withdraw optional permissions at any time in your device's operating system settings (iOS: Settings > Boardwise; Android: Settings > Apps > Boardwise > Permissions).

8.8 Security Measures for the Mobile App

We implement the following technical and organisational measures to protect your personal data in the mobile app:

Encryption in transit: All data transmitted between the app and any backend is encrypted using TLS. The app is configured to use secure transport only; plaintext HTTP is not permitted in production builds.

Platform-secure credential storage: Authentication tokens are stored using iOS Keychain or Android Keystore.

OAuth with PKCE: Sign-in uses the industry-standard OAuth 2.0 Authorization Code flow with PKCE, reducing exposure of authentication artefacts.

Screen privacy controls: The app implements measures designed to reduce exposure of sensitive board-governance information when the app is backgrounded or when screen-recording/screenshot detection is applicable.

Minimal data on-device: The app does not persist workspace content on-device beyond what is required for the current session, unless offline access is explicitly enabled and agreed upon.

8.9 Account and Workspace Deletion

The Boardwise app requires users to sign in via their organisation's Microsoft identity. Boardwise GmbH does not independently create or own your app account; your account is managed by your organisation.

If you wish to remove your access to a Boardwise workspace or delete your account:

• Contact the Boardwise workspace administrator in your organisation.

• Your organisation's administrator can deactivate your access and remove your user record from the workspace.

If you require deletion of personal data processed by Boardwise GmbH for its own purposes (e.g. crash reports or support data), please contact us using the details in Section 3.

9. Security Measures (General)

In order to protect your personal data from unauthorised third-party access, we use SSL (Secure Sockets Layer) or TLS (Transport Layer Security) technology to encrypt data communication between our website or app and your device. You can identify SSL/TLS encryption on the website by the padlock icon in your browser's address bar.

We review and, where necessary, update our security measures on a regular basis.

10. Your Rights as a Data Subject

With regard to personal data processed by Boardwise GmbH as data controller, you have the following rights:

10.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to receive a copy of that data and supplementary information as specified in Art. 15 GDPR.

10.2 Rectification (Art. 16 GDPR)

You have the right to obtain from us the rectification of inaccurate personal data and the completion of incomplete personal data.

10.3 Erasure (Art. 17 GDPR)

You have the right to obtain the erasure of your personal data where one of the grounds listed in Art. 17 GDPR applies (e.g. where the data is no longer necessary for the purposes for which it was collected).

10.4 Restriction of Processing (Art. 18 GDPR)

You have the right to obtain restriction of processing where one of the conditions in Art. 18 GDPR is met (e.g. where you dispute the accuracy of your data).

10.5 Data Portability (Art. 20 GDPR)

Subject to the conditions in Art. 20 GDPR, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.

10.6 Withdrawal of Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal applies from the date of your request and does not affect the lawfulness of processing before withdrawal.

10.7 Right to Lodge a Complaint (Art. 77 GDPR)

If you believe that our processing of your personal data infringes the GDPR, you may lodge a complaint with the supervisory authority in the EU member state where you habitually reside or work, or where the alleged infringement took place. The competent supervisory authority for Boardwise GmbH is:

Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7. OG, 20459 Hamburg, Germany
https://www.datenschutz-hamburg.de

10.8 Prohibition of Automated Decision-Making / Profiling (Art. 22 GDPR)

Decisions that produce legal effects on you or similarly significantly affect you must not be based solely on automated processing of personal data. We do not carry out any such automated decision-making or profiling with respect to your personal data.

10.9 Right to Object (Art. 21 GDPR)

Where we process your personal data on the basis of Art. 6(1)(f) GDPR (legitimate interests), you have the right to object at any time on grounds relating to your particular situation. Upon your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is needed to establish, exercise, or defend legal claims. You have an unconditional right to object to processing for direct marketing purposes at any time.

10.10 How to Exercise Your Rights

For data processed by Boardwise GmbH for its own purposes (website, app distribution, crash reporting, support): contact us at contact@boardwise.io or by post to the address in Section 3.

For workspace content and user records stored in your organisation's Boardwise environment: please contact the Boardwise workspace administrator in your organisation, as your organisation is the data controller for that content. Boardwise GmbH will assist your organisation in fulfilling data subject requests where we act as a processor.

11. California Residents — Additional Disclosures (CCPA/CPRA)

This section applies to residents of California and supplements the information provided in the rest of this Privacy Policy.

11.1 Categories of Personal Information Collected

In the preceding 12 months, Boardwise GmbH may have collected the following categories of personal information from California residents:

| Category | Examples | Source | Purpose |
|---|---|---|---|
| Identifiers | Name, e-mail address, workspace identifier | Directly from you / your organisation | App and workspace access, support |
| Internet/network activity | Website log data, IP address, pages visited | Automatically from your device | Website security, analytics |
| Device and app technical data | App version, OS version, crash data | Automatically from the app | App stability and diagnostics |
| Commercial information (B2B) | Enquiries via contact form | Directly from you | Responding to sales or support enquiries |

11.2 Disclosure of Personal Information

Boardwise GmbH does not sell or share personal information as defined under CCPA/CPRA. We do not sell personal information to third parties. We do not share personal information for cross-context behavioural advertising.

In the preceding 12 months, we have disclosed personal information to service providers (as defined under CCPA/CPRA) strictly for business purposes described in this Privacy Policy.

11.3 California Privacy Rights

California residents have the right to:

Know: Request information about the categories and specific pieces of personal information collected about you.

Delete: Request deletion of personal information we hold about you, subject to certain exceptions.

Correct: Request correction of inaccurate personal information.

Opt out of sale or sharing: We do not sell or share personal information, so this right does not apply to our current practices.

Limit use of sensitive personal information: We do not use or disclose sensitive personal information beyond what is permitted under CPRA.

Non-discrimination: We will not discriminate against you for exercising any of your California privacy rights.

To exercise your rights, contact us at contact@boardwise.io. We will respond within 45 calendar days, as required by CCPA/CPRA. Where reasonably necessary, we may extend this period by a further 45 days and will notify you of the extension within the initial period.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via the app or by other means. We encourage you to review this page periodically.