Privacy Policy
This policy explains how Boardside Limited collects, uses, stores, and discloses personal information. We comply with the New Zealand Privacy Act 2020 and its thirteen Information Privacy Principles. By using the Platform you acknowledge this policy.
- Who we are
- Our privacy principles
- What we collect
- How we use it
- AI processing
- Content you upload about others
- Sub-processors
- Disclosure of information
- International transfers
- Aggregated and de-identified data
- Data retention
- Security
- No automated decision-making
- Lawful access requests
- Your rights
- Marketing communications
- Cookies
- Children
- Changes to this policy
- Contact and complaints
1. Who we are
Boardside Limited ("Boardside", "we", "us", "our") is a New Zealand company operating the Boardside governance intelligence platform at boardside.io. We are the data controller in respect of personal information we collect directly from you.
Privacy contact: hello@boardside.io — marked "Privacy" in the subject line. We respond to all privacy inquiries within 20 working days.
2. Our privacy principles
We handle personal information in accordance with the following principles, which reflect the Information Privacy Principles under the Privacy Act 2020:
- Collect only what we need. We collect the minimum personal information required to deliver the Platform.
- Use it only for stated purposes. We do not use personal information for purposes beyond those described in this policy without your consent.
- Keep it accurate. We take reasonable steps to keep your information accurate and up to date. You can correct it at any time.
- Keep it secure. We implement layered technical and organisational controls proportionate to the sensitivity of the data.
- Be transparent. We tell you what we collect, why, and who we share it with.
- Respect your rights. We honour requests to access, correct, and delete your information within statutory timeframes.
- Don't sell it. We do not sell personal information to any third party, ever.
- Privacy by design. We embed privacy considerations into Platform development and review them when features change.
3. What personal information we collect
Information you provide directly
- Account information — name, email address, and a securely hashed password on registration
- Professional profile — board role(s), entity name(s), sector, and jurisdiction you enter to configure the Platform
- Governance content — board papers, meeting notes, register entries, risk records, annotations, action items, and any other documents or text you create or upload
- Payment information — billing name and address at checkout; card details are handled entirely by Stripe and are never stored on Boardside systems
- Communications — emails or messages you send to us, including support requests
- Feedback — ideas, bug reports, or other input you voluntarily provide
Information collected automatically
- Usage data — pages viewed, features used, session duration, and in-Platform interactions
- Technical data — IP address, browser type and version, operating system, device type, and referring URL
- Log data — server request logs including timestamps, HTTP status codes, and error events, retained for 90 days
- Authentication tokens — stored in secure, HTTP-only, short-lived cookies to maintain your session
What we do not collect
- Sensitive personal information such as health data, biometric data, ethnicity, or religious beliefs
- Government-issued identity numbers (IRD numbers, passport numbers, etc.)
- Personal information from children under 18
- Data purchased from third-party data brokers
- Precise geolocation data
We strongly advise you not to upload documents containing sensitive personal information about third parties unless it is genuinely necessary for your governance purposes.
4. How we use your information
| Purpose | Legal basis (Privacy Act 2020) |
|---|---|
| Creating and managing your account | Necessary for contract |
| Delivering the Platform and its features | Necessary for contract |
| Generating personalised AI governance briefings | Necessary for contract |
| Matching NZ legislation to your entity's sector profile | Necessary for contract |
| Processing subscription payments | Necessary for contract |
| Sending transactional emails (password resets, receipts, service notices) | Necessary for contract |
| Diagnosing platform bugs and improving features | Legitimate interests |
| Detecting and preventing fraud, abuse, and security threats | Legitimate interests / legal obligation |
| Producing anonymised platform usage analytics | Legitimate interests |
| Responding to your support and privacy requests | Legal obligation / contract |
| Complying with legal obligations and lawful authority requests | Legal obligation |
| Sending product updates and feature news (opt-out available) | Legitimate interests |
We do not: sell your personal information; use your Content to train AI models; use your information for advertising; share your governance records with any third party except as described in this policy.
5. AI processing
Several Platform features send contextual information to Anthropic's Claude API to generate AI Outputs. We handle this as follows:
- What we send: entity sector, role type, recent signal data, PESTLE factors, and other non-sensitive context required to generate the requested output. We do not send your uploaded board papers, registers, or personal profile data to Anthropic unless a feature explicitly requires it and you initiate it.
- What Anthropic receives: only the minimum context needed for that specific request. Anthropic's API terms prohibit them from using API inputs to train their models.
- Retention by Anthropic: Anthropic may retain API inputs and outputs for a short period for safety and abuse monitoring purposes. We do not control Anthropic's internal retention beyond the terms of our API agreement.
- Boardside retention: AI-generated briefings and outputs are stored in your account so you can access them. The underlying prompts sent to Anthropic are not stored beyond the immediate processing session.
By using AI-powered features, you consent to relevant context being processed by Anthropic in accordance with their API privacy terms. If you prefer not to use AI features, you may request that they be disabled on your account.
6. Content you upload about others
Board papers, minutes, and governance documents often contain personal information about third parties — other directors, executives, employees, or external parties. When you upload such documents:
- You act as the data controller for that third-party personal information
- Boardside acts as your data processor — we process it only on your instructions and only to deliver the Platform to you
- You are responsible for ensuring you have a lawful basis under the Privacy Act 2020 to collect, store, and process that information through the Platform
- You are responsible for ensuring appropriate confidentiality obligations are met in relation to documents shared through the Platform
Boardside does not access, read, or use personal information about third parties contained in your uploaded documents except as strictly necessary to deliver the service (for example, optical character recognition for document search).
7. Sub-processors
We use the following third-party services to operate the Platform. Each is bound by a data processing agreement and may only use your data for the specific purpose stated.
| Provider | Purpose | Data location | More info |
|---|---|---|---|
| Supabase | Database, authentication, file storage | AWS ap-southeast-2 (Sydney) | supabase.com/privacy |
| Vercel | Platform hosting, edge functions, CDN | US primary; edge nodes globally | vercel.com/legal/privacy-policy |
| Anthropic | AI model inference | United States | anthropic.com/privacy |
| Stripe | Payment processing, subscription management | United States (PCI-DSS Level 1) | stripe.com/privacy |
We will notify you before adding any new sub-processor that materially changes how your personal information is handled, and we will update this policy accordingly. We maintain a current list of sub-processors and their data locations at all times.
8. Disclosure of personal information
We do not share your personal information with third parties except in the following circumstances:
- Sub-processors listed in Section 7, strictly to deliver the Platform
- Legal obligations — where required by law, court order, or a lawful demand from a regulatory authority with jurisdiction over Boardside (see Section 14)
- Business transfers — in the event of a merger, acquisition, restructure, or sale of Boardside, your information may be transferred to a successor entity subject to equivalent privacy protections. We will notify you at least 30 days before such a transfer and give you the option to delete your account
- Protection of rights and safety — where necessary to enforce our Terms of Service, prevent fraud, or protect the rights, property, or safety of Boardside, our users, or the public
- Your explicit consent — where you have specifically authorised a disclosure
We will never sell your personal information. We will never share your governance Content (board papers, registers, meeting records) with any third party for any commercial purpose.
9. International transfers
Your personal information is stored primarily in Australia (Supabase/AWS Sydney). AI processing occurs in the United States (Anthropic and Vercel). Payment data is processed in the United States (Stripe).
Where personal information is transferred outside New Zealand, we rely on:
- Contractual protections consistent with Information Privacy Principle 12 of the Privacy Act 2020
- Data processing agreements with each sub-processor requiring them to maintain security standards at least equivalent to those we apply
- The Privacy Commissioner's guidance on offshore disclosure
By using the Platform, you acknowledge that your information will be processed in the countries listed above. If you have concerns about a specific transfer, contact us at hello@boardside.io.
10. Aggregated and de-identified data
We may aggregate and de-identify usage data and platform analytics in a way that cannot reasonably be used to identify you or your organisation. This anonymised data is no longer personal information under the Privacy Act 2020. We may use it to:
- Improve the Platform and develop new features
- Publish general governance intelligence insights
- Share aggregate statistics with prospective customers or investors
De-identification means removing or generalising all direct and indirect identifiers so that re-identification is not reasonably practicable. We apply a formal de-identification standard before any data is used in this way.
11. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account and profile data | Deleted within 30 days of account closure | No longer needed |
| Governance content (documents, registers, notes) | Deleted within 30 days of closure or on earlier request | Belongs to you |
| Billing and transaction records | 7 years from transaction date | Tax Administration Act 1994 |
| Server and access logs | 90 days | Security and debugging |
| Support correspondence | 3 years from last interaction | Legitimate interests |
| Encrypted database backups | Up to 30 days after deletion request | Disaster recovery; purged within cycle |
| Anonymised analytics | Indefinitely | Not personal information once anonymised |
On account closure, your Content export window is 30 days. After this period, all personal data is irreversibly deleted and cannot be recovered. We recommend exporting important governance records before closing your account.
12. Security
We implement layered technical and organisational security controls:
- Encryption in transit — all Platform communications use TLS 1.2 or higher
- Encryption at rest — all database and file storage is encrypted at rest by Supabase/AWS
- Row-level security — database access controls enforce strict data isolation between accounts
- Authentication — passwords stored as salted bcrypt hashes; session tokens are HTTP-only, secure-flagged, and short-lived
- Staff access controls — Boardside personnel have no routine access to production user data; any access requires explicit authorisation, is logged, and is subject to internal audit
- Dependency management — software dependencies are monitored for known vulnerabilities and updated regularly
- Penetration testing — we conduct or commission security reviews periodically
- Incident response — we maintain a documented incident response plan
No system is perfectly secure. In the event of a notifiable privacy breach — one that is likely to cause serious harm — we will notify affected users and the Office of the Privacy Commissioner as required under the Privacy Act 2020, as soon as practicable and no later than 72 hours after becoming aware.
If you discover a security vulnerability, please report it to hello@boardside.io with "Security" in the subject line before any public disclosure.
13. No automated decision-making
Boardside does not make automated decisions about you that produce legal effects or similarly significant consequences without human involvement. AI Outputs are informational tools for human deliberation — they are not used by Boardside to make decisions about your account, access, or subscription.
Account suspension or termination decisions are made by Boardside personnel, not automated systems, except where automated fraud prevention measures flag an account for review.
14. Lawful access requests
Boardside may receive demands from law enforcement agencies, regulators, or courts requiring us to disclose user information. Our approach:
- We review every demand carefully and comply only where legally required
- Where permitted by law, we will notify you before disclosing your information so you can seek legal relief
- Where prior notification is legally prohibited (for example, by a court non-disclosure order), we will provide general transparency through our annual transparency disclosures
- We do not provide governments with direct access to our databases or infrastructure
- We will challenge demands that we believe are overbroad, unlawful, or disproportionate
We publish aggregate statistics on access requests we receive on an annual basis.
15. Your rights
Under the Privacy Act 2020, you have the following rights in relation to your personal information held by Boardside:
| Right | What it means | How to exercise |
|---|---|---|
| Access | Receive a copy of the personal information we hold about you | Email us |
| Correction | Have inaccurate or incomplete information corrected | Email us or update in-platform |
| Deletion | Have your account and associated personal data deleted (subject to legal retention obligations) | Email us |
| Portability | Receive an export of your Content and account data in a machine-readable format (JSON/CSV) | Email us |
| Objection | Object to processing based on legitimate interests, including marketing | Email us or use unsubscribe link |
| Restriction | Request that we restrict certain processing in defined circumstances | Email us |
To exercise any right, email hello@boardside.io with "Privacy Request" in the subject line. We respond within 20 working days. We may verify your identity before acting. We do not charge for requests unless they are manifestly excessive or repetitive, in which case we may apply a reasonable fee or decline the request and explain why.
We will not discriminate against you for exercising your privacy rights — your account access, pricing, or service quality will not be affected by a privacy request.
16. Marketing communications
We may send you product updates, feature announcements, and governance-related content relevant to your use of Boardside. These are sent on the basis of legitimate interests. You can opt out at any time by:
- Clicking "unsubscribe" in any marketing email
- Emailing hello@boardside.io with "Unsubscribe" in the subject line
Opting out of marketing does not affect transactional emails (receipts, security alerts, service notices), which are necessary for your account.
17. Cookies
Boardside uses only essential cookies:
- Session cookies — HTTP-only, secure-flagged tokens to maintain your authenticated session. Expire on logout or after a period of inactivity.
- Preference cookies — to remember your selected entity and interface preferences between sessions.
We do not use advertising cookies, third-party tracking cookies, or cross-site analytics. No third-party scripts that track you across the web are loaded by the Platform. You can configure your browser to block cookies; doing so will prevent you from logging in.
18. Children
The Platform is not directed at and must not be used by anyone under 18. We do not knowingly collect personal information from children. If you believe a child under 18 has created an account, contact us at hello@boardside.io and we will delete the account and its data promptly.
19. Changes to this policy
We may update this policy to reflect changes in our practices, the Platform, or applicable law. For material changes, we will notify registered users by email at least 14 days before the effective date and update the version number above. The current version is always at boardside.io/privacy.html.
Continued use of the Platform after the effective date of a material change constitutes acceptance. If you do not accept a material change, you must stop using the Platform and may request deletion of your account before the effective date.
20. Contact and complaints
For any privacy question, data request, or concern, contact us at hello@boardside.io — subject line "Privacy". We respond within 20 working days and take all privacy matters seriously.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner of New Zealand:
- Website: privacy.org.nz
- Phone: 0800 803 909
- Post: PO Box 10094, The Terrace, Wellington 6143
The Privacy Commissioner can investigate complaints, mediate disputes, and issue compliance notices. Complaints to the Commissioner are free of charge.
Boardside Limited · hello@boardside.io · New Zealand · Version 1.1