Privacy Policy


Last updated: 2 June 2026
Effective date: 2 June 2026

This Privacy Policy explains how Kontekstwork ApS ("Kontekstwork", "we", "us", "our"), the provider of the Kontekstboard service available at https://kontekstboard.com (the "Service"), collects, uses, shares and protects personal data when you use the Service, including the web application, the API and the MCP server integration.

Kontekstboard is a product of Kontekstwork ApS.

This version replaces all earlier versions of the Privacy Policy from the effective date above. If you signed up before the effective date, the version in force when you signed up continues to govern your relationship with us until you accept this version (for example, by continuing to use the Service after we have notified you of the change in accordance with Section 11).

Language. This Privacy Policy is published in English and Danish. The English version is the official text and prevails in case of any discrepancy, except where mandatory Danish consumer law requires the Danish version to be used (in which case the Danish version prevails for that consumer).

1. Data controller

The data controller for personal data processed in connection with the Service is:

Kontekstwork ApS, provider of the Kontekstboard service
CVR no.: 46512669
Address: Hørkrogen 6, 5270 Odense N, Denmark
General contact: [email protected]
Privacy contact: [email protected]

Data Protection Officer. Kontekstwork has not appointed a Data Protection Officer because we do not currently meet the criteria in GDPR Article 37(1). All data-protection enquiries can be directed to [email protected].

EU representative. Kontekstwork is established in Denmark (EU), so no Article 27 representative is required.

2. When Kontekstwork is controller and when Kontekstwork is processor

Kontekstwork is always controller of the following data, regardless of plan:

  • Account, profile, billing and support data;
  • Security, audit, abuse-prevention and fraud signals (including IP addresses);
  • Analytics and consent records;
  • Diagnostic data we generate ourselves.

Where the Customer is a business (Team / Enterprise plan) and you use Kontekstboard on the Customer's behalf:

  • The Customer is the controller of personal data that its users add to the Service as part of board content ("Work data", see Section 3), and
  • Kontekstwork acts as a processor on the Customer's behalf for that Work data, under our Data Processing Agreement (DPA).

Where you use Kontekstboard as a solo / free user (no Customer entity), Kontekstwork is the sole controller of all of your personal data, including the Work data on your boards.

3. What personal data we collect

We collect only the data we need to provide and operate the Service. The categories below cover everything we process.

Account data. Name, email address, hashed password, account type, registration date and last login time.

Profile data. Display name, avatar image, preferred AI tool (e.g. Claude Code, Cursor, GitHub Copilot), and, where applicable, UI preferences (e.g. theme, sidebar state, view mode).

Billing data. Billing name, email, company name, street address, city, country and VAT/tax ID. Payment card and bank details are not collected by us; they are handled directly by our Merchant of Record, Polar.sh (see Section 6).

Work data. Boards, columns, work items, comments, attachments, Skill assignments, item links and board documentation that you or your team create in the Service.

Session and access data. Refresh tokens stored in a secure browser cookie, and CLI tokens stored in hashed form.

Network and security data. IP addresses and basic request metadata processed by our backend systems for security, abuse prevention and rate-limiting. IP addresses are retained in transient logs and rate-limit counters for up to 30 days (see Section 8).

Security data (Enterprise plan). Single Sign-On (SSO) configuration including OIDC/SAML credentials stored encrypted, and email domain allowlists.

Audit trail (Enterprise plan). Login events including IP address, and administrative actions with actor and timestamp.

Activity data. Board and item activity log: who moved or edited what, and when.

Diagnostic data. Feedback submissions and waitlist entries. We also generate internal application logs, metrics and error traces; these are processed by self-hosted observability tooling on our Hetzner infrastructure (see Section 10) and are not shared with any third party.

What we do not collect. We do not collect payment card details (handled by Polar.sh) or precise location beyond what appears in your billing address.

4. How we use your data and the legal basis

We process personal data on the legal bases set out in Article 6 of the GDPR.

| Purpose | Categories used | Legal basis (GDPR Art. 6) |
| --- | --- | --- |
| Provide and operate the Service (create your account, run boards, sync items to MCP/CLI, etc.) | Account, profile, work, session | (b) Performance of contract |
| Process subscriptions and invoicing | Billing | (b) Performance of contract; (c) Legal obligation (Danish bookkeeping law) |
| Send transactional emails (sign-in, password reset, invoices, security alerts) | Account, billing | (b) Performance of contract |
| Keep the Service secure and prevent abuse (rate limiting, audit logs, fraud prevention, error monitoring) | Session, network/security, audit, activity, diagnostic | (f) Legitimate interest in protecting the Service and our users; a summary of our balancing test is available on request |
| Improve the Service (analytics on aggregate usage patterns, set via the cookie banner) | Cookie / analytics data | (a) Consent |
| Respond to support, feedback and waitlist requests | Diagnostic, account | (f) Legitimate interest in operating a usable Service |
| Comply with legal obligations (accounting, tax, data subject requests) | All as required | (c) Legal obligation |

We do not use your Customer Data (work items, comments, attachments, Skills or board documentation) to train any AI models, whether owned by us or by a third party.

Automated decision-making. We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

5. Cookies, local storage and analytics

We use a small number of strictly necessary cookies and browser-storage entries for authentication, session management and UI preferences, and, only if you consent via the cookie banner, analytics cookies set by Google Analytics. Full details are in our Cookie Policy.

You can withdraw your analytics consent at any time by using the "Cookie settings" link in the website footer.

6. Sub-processors and recipients of data

We share personal data only with carefully selected sub-processors who help us deliver the Service. Each sub-processor is bound by a written data processing agreement and processes data only on our instructions.

| Sub-processor | Purpose | Data categories | Location | Transfer mechanism |
| --- | --- | --- | --- | --- |
| Hetzner Online GmbH | Cloud hosting, application servers, database, file storage | All Service data | Germany / Finland (EU) | N/A (within EEA) |
| Resend, Inc. | Transactional and notification email delivery | Account email, recipient name, message content | United States | EU Standard Contractual Clauses (2021/914), Module Two, supplemented with technical and organisational measures |
| Google Ireland Ltd. (Google Analytics 4) | Web analytics on the marketing website (only with your consent) | Pseudonymous usage data, truncated IP address | EU servers; Google LLC (US) involved as joint controller / onward recipient | Google LLC is certified under the EU-US Data Privacy Framework |
| Polar.sh, Inc. | Merchant of Record: subscription billing, invoicing and payment processing | Billing data, payment card data (handled by Polar) | United States | EU Standard Contractual Clauses (2021/914), Module Two, supplemented with technical and organisational measures |

Beyond these sub-processors, we may disclose personal data if we are required by law (e.g. court order) or to protect our rights, but never for marketing purposes.

We do not sell personal data and we never share it with advertisers.

A current list of sub-processors is also published at https://kontekstboard.com/sub-processors.

7. International transfers

All Kontekstboard application data is hosted exclusively in the European Union (Hetzner data centres in Germany or Finland).

Some of our sub-processors (Resend, Google, Polar.sh) are based in the United States. Transfers to these providers take place under one or more of the safeguards listed in the table in Section 6:

  • The European Commission's adequacy decision for the EU-US Data Privacy Framework (DPF), where the recipient is currently DPF-certified, and / or
  • The European Commission's Standard Contractual Clauses (Module Two: controller-to-processor, 2021/914), supplemented by appropriate technical and organisational measures following a transfer impact assessment.

You can request a copy of the safeguards in place by emailing [email protected].

8. How long we keep your data

| Data | Retention |
| --- | --- |
| Account, profile, work data | For as long as your account is active. Deleted from production within 30 days of account closure, unless we are required to retain it (see below). |
| Billing records and invoices | 5 years after the end of the financial year (Danish Bookkeeping Act, bogføringsloven). |
| Audit logs (Enterprise) | 12 months, then automatically deleted. |
| Server access logs and rate-limit counters (incl. IP addresses) | Up to 30 days. |
| Application logs, metrics and error traces (self-hosted observability stack) | 30 days, then deleted. |
| Search index entries | Co-deleted with the source row. |
| Real-time session and cache data | Held in memory only; cleared when your session ends or within 60 seconds after disconnect. |
| Soft-deleted boards / items (trash) | Up to 30 days in trash, then permanently deleted. |
| Backups | Up to 35 days after deletion from the live system, then overwritten. |
| Marketing or feedback emails | Until you ask us to delete them, or 24 months from last contact. |

When data is deleted, it is removed from production systems and overwritten in backups within the period above.

9. Your rights

Under the GDPR you have the following rights in relation to your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: ask us to delete your personal data, subject to legal retention obligations.
  • Restriction: ask us to limit processing in certain cases.
  • Portability: receive your data in a structured, commonly used, machine-readable format, and have it transferred to another controller.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: withdraw any consent you have given (e.g. cookies), without affecting the lawfulness of processing before withdrawal.
  • Lodge a complaint with the Danish Data Protection Authority, Datatilsynet (https://www.datatilsynet.dk).

To exercise any of these rights, email [email protected] from the email address associated with your account. We will respond within one month of receipt. Where a request is particularly complex or where we have received a high number of requests, we may extend that period by up to a further two months; if we need an extension we will tell you within the first month and explain why.

If you are using Kontekstboard through your employer, please direct rights requests in the first instance to your employer (the controller of your work data).

10. Security

We protect your data with industry-standard technical and organisational measures, including:

  • Encryption in transit and at rest using current industry-standard algorithms
  • Industry-standard adaptive password hashing
  • Session and CLI tokens stored in hashed form or in secure browser cookies
  • Encrypted storage of SSO credentials
  • Role-based access control and least-privilege access for engineers
  • Multi-factor authentication required for administrative access
  • Uploaded attachments stored on encrypted disks within the EU and served only after an authentication and authorisation check
  • Network isolation, audit logging and automated vulnerability scanning
  • Regular encrypted backups stored within the EU
  • Documented incident response and breach notification procedures

Observability. Application logs, metrics and error traces are collected by a self-hosted observability stack running on our Hetzner infrastructure within the EU, accessible only to Kontekstwork engineers. No third-party error-monitoring service is used.

A more detailed description is included in Annex II of our Data Processing Agreement.

11. Children

The Service is contractually offered only to users aged 16 or older; see clause 4 of our Terms of Service. Denmark's national age of consent for information-society services under GDPR Article 8 is 13 (databeskyttelsesloven §6 stk. 3); the higher contractual age limit is our choice and does not change Danish law. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, please contact [email protected] and we will delete it.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent version. If we make material changes, we will notify you in the Service or by email at least 30 days before the changes take effect, and the new version will apply from the date stated at the top.

13. Contact

For questions about this Privacy Policy or how we handle personal data:

Kontekstwork ApS (provider of Kontekstboard)
CVR no.: 46512669
Address: Hørkrogen 6, 5270 Odense N, Denmark
Privacy contact: [email protected]
General contact: [email protected]

You also have the right to lodge a complaint with Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, at https://www.datatilsynet.dk.