Privacy Policy

Last updated: May 28, 2026

1. Introduction

RetroNot ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our retrospective collaboration platform at retronot.app ("the Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree with these practices, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: When you register, we collect your email address, display name, and profile picture (if provided). If you sign in via a third-party provider (e.g., Google, GitHub), we receive your name, email, and avatar from that provider.
  • Retrospective Content: Cards, comments, votes, group labels, action items, and any other content you create during retrospective sessions.
  • Team Information: Team names, membership data, and invite configurations you set up.
  • Communications: If you contact us for support or feedback, we collect the content of your messages along with your email address.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, session duration, and interaction patterns within the Service.
  • Device & Browser Information: Browser type, operating system, device type, screen resolution, and language preference.
  • IP Address: Your IP address is collected for security, rate limiting, and approximate geolocation purposes.
  • Cookies & Local Storage: We use essential cookies for authentication and session management. We use local storage to persist your UI preferences (e.g., theme selection).

2.3 Information from Third Parties

  • Authentication Providers: When you sign in via Google, GitHub, or other OAuth providers, we receive basic profile information as authorized by you.
  • Error Tracking: We use Sentry to capture error reports that may include technical context about your session (no personal content is intentionally collected through error reports).

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your account
  • Enable real-time collaboration in retrospective sessions
  • Generate AI-powered features such as retrospective summaries, sentiment analysis, and action item suggestions
  • Send transactional emails (e.g., password resets, team invitations)
  • Monitor and analyze usage trends to improve the Service
  • Detect, prevent, and address security threats, abuse, and technical issues
  • Enforce our Terms of Service and comply with legal obligations

4. AI Data Processing

When you use AI-powered features (e.g., retrospective summaries), your retrospective content may be sent to third-party AI providers for processing. We take the following precautions:

  • Only the minimum necessary data is sent to AI providers — specifically, card text and action items relevant to the summary being generated
  • We do not send personally identifiable information (such as names or email addresses) to AI providers unless it is part of the card content you wrote
  • AI providers are contractually prohibited from using your data to train their models
  • AI-generated outputs are stored within your retrospective session data

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:

  • With Your Team: Content you create in a team retrospective is visible to other team members and participants of that session. Anonymous card authorship is preserved when configured.
  • Service Providers: We work with trusted third-party providers who process data on our behalf (e.g., Supabase for database and authentication, Vercel for hosting, Sentry for error tracking). These providers are bound by data processing agreements.
  • Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
  • Safety & Security: We may share information to investigate or prevent fraud, security threats, or violations of our Terms of Service.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you before your data becomes subject to a different privacy policy.

6. Data Storage & Security

Your data is stored on secure servers provided by Supabase (PostgreSQL) and hosted infrastructure provided by Vercel. We implement the following security measures:

  • All data is transmitted over HTTPS with TLS encryption
  • Database access is protected by Row Level Security (RLS) policies
  • Passwords are hashed using industry-standard algorithms (bcrypt via Supabase Auth)
  • API endpoints are protected by authentication checks and rate limiting
  • Session tokens are stored as secure, HTTP-only cookies
  • Regular security reviews and dependency updates are performed to address known vulnerabilities

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

  • Account Data: Retained as long as your account is active. Upon account deletion, your personal information is removed within 30 days.
  • Retrospective Content: Retained as long as the team or retrospective exists. Archived retrospectives are retained until explicitly deleted by a team administrator.
  • Logs & Analytics: Server logs and anonymized analytics data may be retained for up to 90 days for operational and security purposes.
  • Backups: Encrypted database backups may retain data for up to 30 days beyond deletion as part of disaster recovery procedures.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Data Portability: Request a machine-readable export of your data
  • Restriction: Request that we limit the processing of your data
  • Objection: Object to the processing of your data for certain purposes
  • Withdraw Consent: Where processing is based on consent, withdraw your consent at any time

To exercise any of these rights, please contact us at privacy@retronot.app. We will respond to your request within 30 days.

9. Cookies

We use the following types of cookies:

| Type | Purpose | Duration |
|------|---------|----------|
| Essential | Authentication, session management, CSRF protection | Session / 7 days |
| Functional | Theme preference (light/dark mode), UI settings | 1 year |
| Analytics | Anonymous usage statistics for service improvement | 90 days |

We do not use advertising or tracking cookies. You can control cookie settings in your browser, but disabling essential cookies may prevent you from using the Service.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. Our infrastructure providers (Supabase, Vercel) operate servers in multiple regions. When your data is transferred internationally, we ensure appropriate safeguards are in place through:

  • Standard contractual clauses approved by applicable authorities
  • Data processing agreements with all third-party providers
  • Ensuring providers maintain adequate levels of data protection

11. Children's Privacy

RetroNot is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@retronot.app.

12. Third-Party Services

The Service integrates with the following third-party services. Each has its own privacy policy governing data usage:

  • Supabase — Database, authentication, and real-time infrastructure
  • Vercel — Application hosting and edge functions
  • Sentry — Error monitoring and performance tracking
  • OpenAI / AI Providers — AI-powered summary and analysis features

We encourage you to review the privacy policies of these services.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For significant changes, we will provide notice through the Service or via email.

Your continued use of the Service after changes become effective constitutes your acceptance of the revised Privacy Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

RetroNot — Privacy Team

Email: privacy@retronot.app

General: support@retronot.app