Privacy Policy
Last updated: November 2025
At Stickero, we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services.
1. Introduction
This Privacy Policy applies to all users of Stickero's web application and desktop application. By using our services, you agree to the collection and use of information in accordance with this policy.
1.1 Who We Are
- Service Name: Stickero
- Website: https://stickero.app
- Description: Collaborative planning application for remote teams using virtual stickers on shared boards
2. Data Controller
The data controller responsible for your personal data is:
- Contact Email: privacy@stickero.app
- Data Protection Officer: dpo@stickero.app
3. Information We Collect
3.1 Information You Provide
We collect information that you provide directly to us:
- Account Information: Name, email address, password (hashed), company name (optional)
- Profile Information: Preferred sticker color, display name
- Board Content: Stickers, notes, and other content you create on boards
- Communication Data: Messages sent through our contact form or support channels
- Payment Information: Processed securely through PayPal (we do not store credit card details)
3.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent, interactions with boards
- Device Information: Browser type, operating system, device type, screen resolution
- Log Data: IP address, access times, error logs, authentication attempts
- Session Data: Authentication tokens, session duration
3.3 Cookies and Similar Technologies
We use cookies and browser storage (localStorage, sessionStorage) to:
- Maintain your login session
- Remember your preferences
- Analyze how you use our service
- Improve user experience
For more information, see our Cookie Policy.
4. How We Use Your Information
4.1 Service Provision
- Create and manage your account
- Provide access to boards and collaboration features
- Process your subscription and payments
- Authenticate your identity and maintain security
- Store and sync your board data across devices
4.2 Service Improvement
- Analyze usage patterns to improve features
- Monitor and troubleshoot technical issues
- Develop new features based on user behavior
- Optimize performance and user experience
4.3 Communication
- Send transactional emails (password resets, board invitations, payment confirmations)
- Respond to your support requests
- Send important service updates and security alerts
- Send product updates and feature announcements (with your consent)
4.4 AI-Powered Features
- Board Summaries: Your sticker content is sent to Anthropic's Claude API to generate AI summaries
- Smart Suggestions: Sticker text is sent to Claude API for intelligent auto-completion
- Auto-Clustering: Sticker content is analyzed by Claude API to group similar items
Note: We use Anthropic's Claude API with enterprise-grade security. Your data is not used to train AI models.
4.5 Legal Compliance
- Comply with legal obligations
- Enforce our Terms of Service
- Protect against fraud and abuse
- Respond to law enforcement requests when legally required
5. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
5.1 Contractual Necessity
Processing is necessary to provide our service to you (Article 6(1)(b) GDPR):
- Account creation and management
- Board access and collaboration features
- Payment processing
5.2 Legitimate Interests
Processing is necessary for our legitimate interests (Article 6(1)(f) GDPR):
- Service improvement and optimization
- Security and fraud prevention
- Technical troubleshooting
- Business analytics
5.3 Consent
Processing based on your explicit consent (Article 6(1)(a) GDPR):
- Marketing communications
- Non-essential cookies
- Optional features
You can withdraw consent at any time by contacting us or using your account settings.
5.4 Legal Obligation
Processing is necessary to comply with legal obligations (Article 6(1)(c) GDPR):
- Tax and accounting records
- Legal requests from authorities
6. Data Sharing and Disclosure
6.1 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
6.2 Service Providers
We share data with trusted third-party service providers who assist us:
- Anthropic (Claude API): AI-powered features (summaries, suggestions, clustering)
- PayPal: Payment processing (PCI DSS compliant)
- Email Services: Transactional email delivery
- Hosting Providers: Infrastructure and data storage
All service providers are bound by strict confidentiality agreements and process data only as instructed.
6.3 Board Members
When you collaborate on boards:
- Your name and email are visible to other board members
- Your sticker content is visible to all board members
- Board administrators can see member activity
6.4 Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal process (subpoenas, court orders)
- Government requests
- Protection of our legal rights
- Emergency situations involving danger to persons
6.5 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
7. Data Storage and Security
7.1 Where We Store Your Data
- Data is stored in secure data centers
- Primary storage location complies with regional data protection laws
- Backups are stored in geographically distributed locations
7.2 How We Protect Your Data
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Password Security: Bcrypt hashing with salt
- Access Controls: Strict role-based access limitations
- Security Monitoring: Continuous monitoring for suspicious activity
- Regular Backups: Daily encrypted backups with 30-day retention
For more details, see our Security & Compliance page.
8. Your Rights Under GDPR
If you are in the European Economic Area (EEA), you have the following rights:
8.1 Right to Access
You can request a copy of your personal data. Contact us at privacy@stickero.app.
8.2 Right to Rectification
You can update your personal information in your account settings or contact us to make corrections.
8.3 Right to Erasure ("Right to be Forgotten")
You can delete your account at any time from your settings page. All personal data will be permanently deleted within 30 days.
8.4 Right to Restriction of Processing
You can request that we limit how we use your data under certain circumstances.
8.5 Right to Data Portability
You can export your board data in JSON format from your account settings.
8.6 Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes.
8.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority if you believe we have violated your rights.
8.9 Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
9. Data Retention
9.1 Active Accounts
- Data is retained as long as your account is active
- You control your data and can delete it at any time
9.2 Deleted Accounts
- Personal data is permanently deleted within 30 days of account deletion
- Some data may be retained in encrypted backups for up to 30 additional days
- Legal or compliance data may be retained longer as required by law
9.3 Inactive Accounts
- Accounts inactive for 2+ years may be archived or deleted
- We will notify you before deleting an inactive account
9.4 Guest Users
- Guest user data is retained for the duration of board access
- Guests can convert to registered users to maintain long-term access
10. Children's Privacy
Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@stickero.app, and we will delete the information immediately.
11. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. We ensure that such transfers comply with applicable data protection laws through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other lawful transfer mechanisms under GDPR
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
12.1 Right to Know
- Categories of personal information collected
- Categories of sources
- Business purposes for collection
- Categories of third parties we share with
12.2 Right to Delete
Request deletion of your personal information, subject to certain exceptions.
12.3 Right to Opt-Out
We do not sell personal information, so there is no need to opt out of sales.
12.4 Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at privacy@stickero.app.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Changes in applicable laws
- New features or services
13.1 Notification of Changes
- We will update the "Last updated" date at the top of this policy
- For material changes, we will notify you via email or prominent notice in the application
- Continued use of our service after changes indicates acceptance of the updated policy
14. Third-Party Links
Our service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing them with personal information.
15. Do Not Track Signals
Some browsers have "Do Not Track" features. We currently do not respond to Do Not Track signals as there is no industry standard for how to handle them.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
16.1 Email Contacts
- Privacy Inquiries: privacy@stickero.app
- Data Protection Officer: dpo@stickero.app
- General Support: support@stickero.app
16.2 Contact Form
You can also reach us through our Contact Page.
16.3 Response Time
We will respond to privacy-related requests within:
- GDPR Requests: Within 30 days (may be extended by 2 months for complex requests)
- CCPA Requests: Within 45 days
- General Inquiries: Within 5 business days
17. Data Protection Impact Assessment
For high-risk processing activities, we conduct Data Protection Impact Assessments (DPIAs) to identify and minimize data protection risks.
18. Specific Features and Privacy
18.1 Board Collaboration
- When you join a board, other members can see your name, email, and contributions
- Board admins control member access and can remove members
- Leaving a board removes your access but may not delete your previous contributions
18.2 Desktop Application
- Same privacy practices as web application
- Session data stored locally on your device
- No additional data collection beyond web version
18.3 Email Verification
- We send verification emails to confirm your email address
- Verification links are single-use and time-limited
- Unverified accounts may have limited functionality
Your Privacy Matters
We are committed to protecting your privacy and giving you control over your personal data. If you have any questions or concerns about how we handle your information, please don't hesitate to contact us at privacy@stickero.app.