Last updated: June 2026
Table of Contents
1. Introduction
2. Terms
3. Data Controller
4. Data Protection Officer
5. Scope of This Policy — Website and Mobile App
6. Who Is Responsible for Which Processing
7. Website Processing Activities
7.1 Provision of Website and Log Files
7.2 Contact Form and Contact by E-Mail
7.3 Google Analytics (GA4)
7.4 Google reCAPTCHA
7.5 Social Networks
7.6 LinkedIn Insight Tag
7.7 Cookies
8. Mobile App Processing Activities
8.1 Data Categories Processed by the App
8.2 Authentication and Sign-In (Microsoft OAuth)
8.3 Workspace Content
8.4 App Distribution and Technical Metadata
8.5 Recipients and Third-Party Sharing
8.6 Retention and Deletion
8.7 Device Permissions
8.8 Security Measures for the Mobile App
8.9 Account and Workspace Deletion
9. Security Measures (General)
10. Your Rights as a Data Subject
11. California Residents — Additional Disclosures (CCPA/CPRA)
12. Changes to This Policy
The operation of our website https://boardwise.io and our Boardwise mobile application (collectively the "Services") involves the processing of personal data. We handle this data confidentially and in accordance with applicable laws, in particular the General Data Protection Regulation (GDPR) and Germany's Federal Data Protection Act (BDSG).
This Privacy Policy informs you about the personal data we collect, the purposes for which we use it, the legal bases for processing, with whom we share it, how long we retain it, and your rights as a data subject.
"Personal data" is all information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). This includes names, e-mail addresses, IP addresses, location data, and any other information that can be used directly or indirectly to identify a person.
Under Art. 4 No. 2 GDPR, "processing" describes any operation applied to personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure, or destruction.
The party responsible for data processing for Boardwise-controlled activities is:
Boardwise GmbH, Nobistor 10, 22767 Hamburg, Germany
Statutory representatives: Sven Rebbert, Dr. Boris Häfele, Dr. Gisbert Grasses
E-mail: contact@boardwise.io
Note on customer-hosted workspaces: When you access a Boardwise workspace operated within your organisation's own Microsoft 365/Azure or other customer-controlled cloud environment, the customer organisation is generally the data controller for workspace content stored in that environment. See Section 6 for details.
We have appointed an external data protection officer:
Dr. Thomas Brehm
c/o BBS Bier Brehm Spahn Partnerschaft Rechtsanwälte
Brandstwiete 46, 20457 Hamburg, Germany
This Privacy Policy applies to:
1. The Boardwise website at https://boardwise.io — including all pages, contact forms, and web-based resources available on that domain.
2. The Boardwise mobile application — the iOS and Android apps published by Boardwise GmbH on the Apple App Store and Google Play Store.
Certain processing activities differ depending on whether you visit the public website, use the mobile app, or access a Boardwise workspace operated in your organisation's own cloud environment. Sections 7 and 8 describe these activities separately.
The mobile app does not process personal data for advertising purposes. We do not sell personal data. We do not use personal data from the app for cross-app tracking or interest-based advertising.
Boardwise GmbH decides the purposes and means of processing for:
• Visitors to and users of the public Boardwise website (https://boardwise.io).
• Distribution of the Boardwise mobile app through the Apple App Store and Google Play Store, including any app crash or diagnostic data transmitted to Boardwise.
• Support requests addressed directly to Boardwise GmbH.
• Any data Boardwise collects for its own compliance, security monitoring, or legal obligations.
For all such processing, this Privacy Policy and the contact details in Section 3 apply.
Boardwise is designed to run inside the customer's own Microsoft 365/Azure or other customer-controlled cloud environment. This means that:
• Workspace content — including agendas, meeting documents, minutes, resolutions, follow-up tasks, comments, committee records, and other board-governance materials — is processed in and stored in the customer organisation's own environment.
• The customer organisation (your employer or the entity operating the Boardwise workspace) generally determines the purposes, access rights, retention periods, and deletion rules for that workspace content and is therefore the data controller for that content.
• Boardwise GmbH does not operate central servers that store your workspace content unless a separate written agreement with your organisation expressly provides for this.
If your request concerns workspace content or your access rights within a Boardwise workspace, please contact the administrator of the Boardwise workspace in your organisation first.
Where your organisation has engaged Boardwise GmbH to provide support, maintenance, or cloud-hosted services that involve access to workspace data, Boardwise GmbH may act as a data processor on behalf of your organisation, under a data processing agreement.
When you visit the website https://boardwise.io, we process the personal data described in Sections 7.1–7.7. We process this data exclusively for the stated purposes. As a general rule, we do not sell, lease, or transfer your data to third parties. Where we engage external service providers, we do so as a data controller within an order-processing relationship and provide appropriate instructions.
We do not, as a general rule, transfer personal data to third countries. Exceptions are noted in the relevant sections below.
Description: When anyone visits our website, we automatically collect information that their browser transmits to our server and store it in log files. This includes:
Purpose: To enable access to the website; to ensure stability and security; to enable statistical evaluation and improvement of our online service.
Legal basis: Art. 6(1)(f) GDPR — legitimate interests. Our legitimate interest is the purpose stated above.
Retention: Log files are deleted after 30 days.
Description: We provide a contact form on our website. You are asked to enter your e-mail address, name, and a message. Data is transmitted with SSL/TLS encryption. You may also contact us directly by e-mail. In both cases the personal data you transmit will be processed by us.
Purpose: To process and respond to your request.
Legal basis: Art. 6(1)(f) GDPR — legitimate interests (responding to your enquiry). Where e-mail contact is aimed at concluding or fulfilling a contract, Art. 6(1)(b) GDPR also applies.
Retention: Data is deleted when the communication has been conclusively resolved. Statutory retention periods may require longer retention, after which deletion follows immediately upon expiry.
Description: Our website uses Google Analytics 4 (GA4), a web-analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). GA4 uses cookies and similar technologies to collect pseudonymised data about how visitors use the website. IP anonymisation is enabled; IP addresses are truncated before storage. We do not use Universal Analytics, which has been sunset by Google.
The information generated is generally transferred to and stored on Google servers, which may include servers in the USA. Such transfers are safeguarded by the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) concluded between Boardwise GmbH and Google.
Purpose: To evaluate the use of our website and improve our online presence.
Legal basis: Art. 6(1)(a) GDPR — your consent, where obtained via our cookie banner. Consent is voluntary and may be withdrawn at any time via the cookie settings on this website.
Right to object / opt-out: You may also install the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout.
Retention: Analysis data is deleted by us after 14 months. For further information on Google's data practices, see https://policies.google.com/privacy.
Description: Our website uses reCAPTCHA, operated by Google Ireland Limited. reCAPTCHA analyses form interactions (IP address, time on page, mouse movements, and other signals) to distinguish human users from automated software.
Purpose: To protect forms against spam and automated misuse.
Legal basis: Art. 6(1)(f) GDPR — legitimate interests. Where consent is obtained via a cookie banner, Art. 6(1)(a) GDPR applies.
Third-country transfers: Data may be transferred to Google servers in the USA, safeguarded by Standard Contractual Clauses. See https://policies.google.com/privacy.
Description: Our website does not use social media plugins. The logos of LinkedIn, Xing, and X (formerly Twitter) are simple links to our company profiles on those platforms. Clicking a logo redirects you to the external website of the respective social network, which is subject to that network's own privacy policy.
Purpose: Contemporary public relations and communication with customers and interested parties.
Legal basis: Art. 6(1)(f) GDPR — legitimate interests.
Social network privacy policies:
Description: We use the LinkedIn Insight Tag for retargeting and conversion tracking. The tag is operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Data collected includes:
• IP address
• Device information
• Browser information
• Referrer URL
• Timestamp
This data is stored in a cookie and used to provide us with aggregated statistics and to show relevant offers to users who have previously visited our website.
Legal basis: Art. 6(1)(a) GDPR — your consent. Consent is voluntary and may be withdrawn at any time via the cookie settings on this website.
Third-country transfers: Data may be transferred to the USA. Such transfers are safeguarded by Standard Contractual Clauses (Art. 46(2)(c) GDPR). If Standard Contractual Clauses are not sufficient to ensure an adequate level of protection, we will obtain your separate consent under Art. 49(1)(a) GDPR.
Retention: Data is stored only as long as necessary for the stated purposes.
Description: Our website uses cookies — small text files stored on your device when you visit a website. Session cookies are deleted when you close your browser. Persistent cookies remain for a defined period.
Purpose: To make our website more user-friendly and to enable the features described in Sections 7.3–7.6.
Legal basis: Art. 6(1)(f) GDPR — legitimate interests (session cookies technically required for website operation). Art. 6(1)(a) GDPR — consent (analytics, marketing, and third-party cookies via cookie banner). Consent is voluntary.
Control: You can manage cookie preferences at any time via the cookie settings on this website or through your browser settings. Instructions for common browsers:
• Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
• Firefox: https://support.mozilla.org/en/kb/cookies-allow-and-block
• Chrome: https://support.google.com/chrome/answer/95647
• Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471
• Opera: http://help.opera.com/Windows/10.20/de/cookies.html
This section describes the personal data processing activities specific to the Boardwise mobile application available on the Apple App Store and Google Play Store.
When you use the Boardwise mobile app, the following categories of data are processed, depending on which features you use:
Data that is processed only on-device and is not transmitted off the device is not considered "collected" under the Apple and Google definitions and is not subject to further disclosure requirements.
Purpose: Authentication, workspace access, document delivery, meeting preparation and execution, app stability, and security.
Legal basis (Boardwise-controlled processing): Art. 6(1)(b) GDPR — processing necessary for the performance of a contract (app services provided to you); Art. 6(1)(f) GDPR — legitimate interests (security, fraud prevention, app stability).
Description: The Boardwise mobile app uses Microsoft OAuth 2.0 with the Authorization Code + PKCE flow to authenticate users via their organisation's Microsoft identity (Microsoft Entra ID / Microsoft 365). The app does not store your Microsoft account password. Authentication tokens are stored using platform-secure storage mechanisms provided by the operating system (iOS Keychain / Android Keystore).
Sign-in data is processed by the Microsoft identity service configured by your organisation. Microsoft's privacy practices for identity services are described in the Microsoft Privacy Statement at https://privacy.microsoft.com/en-us/privacystatement.
Purpose: Secure user authentication and authorisation.
Retention: Authentication tokens are stored only as long as the session is active and are removed on logout, workspace removal, or app deletion.
Description: Workspace content such as agendas, meeting materials, minutes, resolutions, follow-up tasks, and related documents is stored in the customer organisation's own Microsoft 365/Azure or other customer-controlled cloud environment. The app retrieves and displays this content from the customer's backend.
Boardwise GmbH does not have access to your workspace content unless your organisation has separately engaged Boardwise GmbH for a cloud-hosted or support service and a data processing agreement is in place.
Controller: Your organisation (see Section 6.2).
Retention: Workspace content is retained and deleted in accordance with your organisation's own retention and deletion settings. Locally cached content on the device is cleared on logout, workspace removal, or app deletion.
Description: When you download, install, or use the Boardwise app, the Apple App Store and Google Play Store process data related to the download and installation in accordance with their own privacy policies. Boardwise GmbH may receive aggregated, non-personalised statistics about app downloads and usage provided by Apple and Google.
If the app collects crash or error reports for diagnostic purposes, such reports may include technical data such as app version, device model, OS version, and a stack trace. This data is used exclusively for the purpose of diagnosing and fixing software defects.
Purpose: App distribution; diagnosing and resolving technical defects.
Legal basis: Art. 6(1)(f) GDPR — legitimate interests (product quality and security).
Retention: Crash and diagnostic data is retained only as long as required to resolve the relevant defect.
The following parties may receive personal data in connection with your use of the Boardwise mobile app:
Any third-country transfers to subprocessors located outside the EEA are safeguarded by Standard Contractual Clauses (Art. 46(2)(c) GDPR) or another appropriate transfer mechanism.
We do not sell personal data. We do not use app data for cross-app advertising or tracking. We do not share personal data with advertising networks.
The Boardwise mobile app requests only the permissions necessary for its stated functions. The table below lists the permissions the app may request:
The app does not request access to the device microphone, contacts, location, calendar, or photo library as part of its standard functionality. The camera permission is used exclusively on-device for QR code scanning; no images or video are captured, stored, or transmitted to any server. If a future version introduces optional features requiring additional permissions, this section will be updated and users will be informed in-app before any such permission is requested.
You can withdraw optional permissions at any time in your device's operating system settings (iOS: Settings > Boardwise; Android: Settings > Apps > Boardwise > Permissions).
We implement the following technical and organisational measures to protect your personal data in the mobile app:
• Encryption in transit: All data transmitted between the app and any backend is encrypted using TLS. The app is configured to use secure transport only; plaintext HTTP is not permitted in production builds.
• Platform-secure credential storage: Authentication tokens are stored using iOS Keychain or Android Keystore.
• OAuth with PKCE: Sign-in uses the industry-standard OAuth 2.0 Authorization Code flow with PKCE, reducing exposure of authentication artefacts.
• Screen privacy controls: The app implements measures designed to reduce exposure of sensitive board-governance information when the app is backgrounded or when screen-recording/screenshot detection is applicable.
• Minimal data on-device: The app does not persist workspace content on-device beyond what is required for the current session, unless offline access is explicitly enabled and agreed upon.
The Boardwise app requires users to sign in via their organisation's Microsoft identity. Boardwise GmbH does not independently create or own your app account; your account is managed by your organisation.
If you wish to remove your access to a Boardwise workspace or delete your account:
• Contact the Boardwise workspace administrator in your organisation.
• Your organisation's administrator can deactivate your access and remove your user record from the workspace.
If you require deletion of personal data processed by Boardwise GmbH for its own purposes (e.g. crash reports or support data), please contact us using the details in Section 3.
In order to protect your personal data from unauthorised third-party access, we use SSL (Secure Sockets Layer) or TLS (Transport Layer Security) technology to encrypt data communication between our website or app and your device. You can identify SSL/TLS encryption on the website by the padlock icon in your browser's address bar.
We review and, where necessary, update our security measures on a regular basis.
With regard to personal data processed by Boardwise GmbH as data controller, you have the following rights:
You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to receive a copy of that data and supplementary information as specified in Art. 15 GDPR.
You have the right to obtain from us the rectification of inaccurate personal data and the completion of incomplete personal data.
You have the right to obtain the erasure of your personal data where one of the grounds listed in Art. 17 GDPR applies (e.g. where the data is no longer necessary for the purposes for which it was collected).
You have the right to obtain restriction of processing where one of the conditions in Art. 18 GDPR is met (e.g. where you dispute the accuracy of your data).
Subject to the conditions in Art. 20 GDPR, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal applies from the date of your request and does not affect the lawfulness of processing before withdrawal.
If you believe that our processing of your personal data infringes the GDPR, you may lodge a complaint with the supervisory authority in the EU member state where you habitually reside or work, or where the alleged infringement took place. The competent supervisory authority for Boardwise GmbH is:
Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7. OG, 20459 Hamburg, Germany
https://www.datenschutz-hamburg.de
Decisions that produce legal effects on you or similarly significantly affect you must not be based solely on automated processing of personal data. We do not carry out any such automated decision-making or profiling with respect to your personal data.
Where we process your personal data on the basis of Art. 6(1)(f) GDPR (legitimate interests), you have the right to object at any time on grounds relating to your particular situation. Upon your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is needed to establish, exercise, or defend legal claims. You have an unconditional right to object to processing for direct marketing purposes at any time.
For data processed by Boardwise GmbH for its own purposes (website, app distribution, crash reporting, support): contact us at contact@boardwise.io or by post to the address in Section 3.
For workspace content and user records stored in your organisation's Boardwise environment: please contact the Boardwise workspace administrator in your organisation, as your organisation is the data controller for that content. Boardwise GmbH will assist your organisation in fulfilling data subject requests where we act as a processor.
This section applies to residents of California and supplements the information provided in the rest of this Privacy Policy.
In the preceding 12 months, Boardwise GmbH may have collected the following categories of personal information from California residents:
Boardwise GmbH does not sell or share personal information as defined under CCPA/CPRA. We do not sell personal information to third parties. We do not share personal information for cross-context behavioural advertising.
In the preceding 12 months, we have disclosed personal information to service providers (as defined under CCPA/CPRA) strictly for business purposes described in this Privacy Policy.
California residents have the right to:
• Know: Request information about the categories and specific pieces of personal information collected about you.
• Delete: Request deletion of personal information we hold about you, subject to certain exceptions.
• Correct: Request correction of inaccurate personal information.
• Opt out of sale or sharing: We do not sell or share personal information, so this right does not apply to our current practices.
• Limit use of sensitive personal information: We do not use or disclose sensitive personal information beyond what is permitted under CPRA.
• Non-discrimination: We will not discriminate against you for exercising any of your California privacy rights.
To exercise your rights, contact us at contact@boardwise.io. We will respond within 45 calendar days, as required by CCPA/CPRA. Where reasonably necessary, we may extend this period by a further 45 days and will notify you of the extension within the initial period.
We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via the app or by other means. We encourage you to review this page periodically.