Skip to main content
Start free
Privacy Policy

Version: privacy-policy-6e685e89

Privacy Policy

Our Privacy Commitment

TrueBoard is built on a simple principle: your personal data belongs to you. We are a legitimate business serving churches and nonprofit organizations, and we take that responsibility seriously. We will never sell your information, use it for advertising, or share it in ways that don't directly serve you.

What Makes Us Different

  • No marketing cookies — We don't track you for advertising. No annoying cookie banners needed.
  • No data selling — Your information is never sold to third parties. Period.
  • No behavioral tracking — We don't build profiles about you to sell ads or manipulate your experience. No external user analytics services are used.
  • Minimal data collection — We only collect what's necessary to provide our service.

Data We Collect

Account Information

When you sign in, we receive basic profile information from your identity provider (currently Google, Microsoft, and Planning Center; additional providers may be added over time): your name, email address, profile photo, and in some cases phone number. This is used solely to identify you within the app and personalize your experience.

Organization Data

Documents, files, and organizational data you create belong to your organization. We store this data to provide the service and make it available to authorized members of your organization. See our Terms of Service for details on organizational data ownership and content licensing.

Security Logs

We log IP addresses and basic session information for security purposes only:

  • Detecting unauthorized access attempts
  • Preventing session hijacking
  • Investigating security incidents if they occur

Security logs are retained for up to 12 months, after which they are permanently deleted. They are never used for marketing or user profiling.

Cookies We Use

We use only essential cookies required to make the application work:

Cookie Purpose Duration
tb_session Keeps you signed in Until you sign out or it expires
tb_csrf Protects against cross-site attacks Session duration
tb_org Remembers your last visited organization for convenience 6 months

That's it. No analytics cookies, no advertising cookies, no social media trackers. Because we don't use marketing cookies, there's nothing to opt out of.

Anonymous Visit Counts

We count visits to our marketing site so we know which pages people find useful. This is done entirely on our own server — no cookies, no third-party tool, no profile of you as an individual.

For each visit we record the page path, the locale, the host (only the host, not the full URL) of any referring site, and a one-way visitor hash. The hash is built from your IP address combined with a server-side secret that rotates every day at midnight UTC. Your IP is never stored. Once the daily secret rotates, yesterday's hash cannot be linked to today's — by anyone, including us. The hash exists only so we don't count one visitor ten times when they read ten pages.

No cookies, no browser fingerprinting, no third-party analytics, no advertising profiles.

Raw visit events are kept for 30 days, after which only daily aggregates remain (counts per page, per locale, per day).

How We Protect Your Data

  • All data is encrypted in transit using TLS 1.3
  • Passwords are never stored (we use OAuth with trusted providers)
  • Sessions are cryptographically secured and regularly rotated
  • Access controls ensure only authorized organization members see your data
  • We follow security best practices and regularly audit our systems

Third-Party Services

We use a limited number of third-party services to operate:

  • Identity Providers (currently Google, Microsoft, and Planning Center; additional providers may be added over time) — for authentication only
  • Cloud Infrastructure (Amazon Web Services) — to host and store your data securely in the United States
  • Email Provider — to send transactional emails such as verification codes, invitations and notifications
  • SMS Provider — to send verification codes for phone number verification and for optional notifications

We do not share your data with any third party for marketing or advertising purposes.

International Data Transfers

TrueBoard's servers are located in the United States. If you access TrueBoard from outside the United States, your data will be transferred to and processed in the United States. By using TrueBoard, you consent to this transfer.

For users in the European Economic Area (EEA), the legal basis for this transfer is that it is necessary for the performance of our contract with you (GDPR Art. 49(1)(b)). Organizations that require Standard Contractual Clauses or a Data Processing Agreement may contact us at info@trueboard.org.

Your Privacy Rights

We provide the following rights to all users, regardless of location:

  • Right to Know/Access — Request details about the personal information we collect and how it's used
  • Right to Correct — Request correction of inaccurate personal information
  • Right to Delete — Request deletion of your account and associated personal data (subject to organizational record retention; see below)
  • Right to Non-Discrimination — We will never discriminate against you for exercising your privacy rights

Exercising the individual rights above — including accessing and obtaining a copy of your own personal data — is always free.

Organization administrators may request an export of their organization's data in a commonly used machine-readable format (such as JSON or CSV). We will fulfill export requests within 30 days. Because we do not currently offer self-service export, these organizational exports are prepared manually, so we may charge a reasonable fee based on the time and materials involved. We will not delete an organization's data without first giving you a reasonable opportunity to obtain an export.

We do not sell or share your personal information. Because we never sell or share personal information for advertising or marketing purposes, there is no need to opt out. You already have the strongest protection by default.

California Residents (CCPA/CPRA)

These rights are guaranteed to California residents under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Categories of personal information we collect:

  • Identifiers (name, email address, account ID)
  • Internet activity (IP address, session data for security purposes only)
  • Professional information (organization membership, role within organizations)

How to Exercise Your Rights

Email us at info@trueboard.org. California residents may include "California Privacy Request" in the subject line. We will verify your identity and respond within 45 days.

Data Retention & Organizational Records

We retain your personal data only as long as you have an active account or as needed to provide services to your organization. When you delete your account, we remove your personal data (name, email, phone, profile photo) from active systems within 30 days. Encrypted backups may retain data for up to 90 days before being rotated.

However, organizational governance records are different. Documents, meeting minutes, motions, votes, and other content created within an organization belong to that organization. Records of your actions as a board member (votes cast, motions made, documents authored) are part of the organization's official record and may be retained even after you leave or delete your account.

This mirrors how governance works in the physical world: a departing board member cannot require the organization to expunge records of their service. Organizations often have legal obligations to retain these records, and TrueBoard enables them to do so faithfully.

The legal basis for this retention is legitimate interest (GDPR Art. 6(1)(f)) — organizations have a legitimate need to maintain complete, unalterable governance records. For more details, see our Terms of Service.

Data Processing for Organizations

If your organization is subject to data protection regulations (such as GDPR), TrueBoard acts as a data processor on behalf of your organization (the data controller). Organizations that require a Data Processing Agreement (DPA) may contact us at info@trueboard.org.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities within 72 hours of becoming aware of the breach, as required by applicable law. Notification will include the nature of the breach, the data affected, and steps we are taking in response.

Changes to This Policy

If we make significant changes to this policy, we'll notify you through the app or by email at least 14 days before the changes take effect. We will not materially reduce your privacy protections without notice.

Contact Us

Questions about this policy or our privacy practices? We're happy to help.

Email: info@trueboard.org

This privacy policy is written in plain language because we believe you deserve to actually understand how your data is handled.