Privacy Policy

Last updated: May 18, 2026

1. Who We Are

RetroDash ("we," "our," or "us") operates retrodash.app, a real-time retrospective platform for Scrum and Kanban teams. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, with whom we share it, and the rights available to you.

By using RetroDash, you agree to the collection and use of information in accordance with this policy. If you disagree with any part of this policy, please discontinue use of the platform.

2. Information We Collect

We collect the following categories of information:

  • Account data (via Google Sign-In): your display name, email address, profile photo URL, and Google User ID (UID). We do not collect or store your Google password — authentication is handled entirely by Google.
  • Room configuration: room names, column titles, and room passwords (stored as cryptographic hashes — never in plain text).
  • User-generated content: text you type into retrospective cards. In anonymous rooms, your name is hidden in the UI, but your user ID is stored internally to enforce voting rules and for moderation purposes.
  • Participation and activity data: when you joined a room, your role (facilitator or member), and your voting history — which cards you voted for.
  • Technical data: Firebase automatically collects your IP address, browser type, operating system, and device identifiers to operate, secure, and improve the service.

3. How We Collect Information

Information is collected in the following ways:

  • Directly from you: when you sign in with Google, create rooms, write cards, vote, or configure room settings.
  • From Google: when you authorize Google Sign-In, Google provides your profile data (name, email, photo) under Google's own privacy terms and your authorization.
  • Automatically: Firebase Authentication and Firestore collect device and network metadata (IP address, browser fingerprint) as part of their standard security infrastructure.

4. How We Use Your Information

We use your information to:

  • Authenticate you and maintain your session securely across browser tabs and devices.
  • Display your name and profile photo on the board, dashboard, and participant lists (unless the room is configured as anonymous).
  • Create, manage, and display rooms, columns, and cards on your behalf.
  • Enforce voting rules (preventing duplicate votes and self-votes) by tracking which users voted for which cards.
  • Allow facilitators to view room participants and manage the retrospective session.
  • Analyze aggregate, anonymized usage patterns to improve platform features and reliability.
  • Respond to support requests or communications you initiate with us.
  • Comply with legal obligations and enforce our Terms of Service.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only with the service providers necessary to operate the platform:

  • Firebase (Google LLC, Mountain View, CA, USA): we use Firebase Authentication for identity management and Cloud Firestore for real-time database storage. All user data flows through Firebase infrastructure. Google's Privacy Policy governs their processing: https://policies.google.com/privacy
  • Vercel Inc. (San Francisco, CA, USA): we use Vercel to host the Next.js application and serve it globally via CDN. Vercel may log IP addresses and request metadata for performance and security purposes.

We may also disclose your information if required by law, court order, or a legitimate government request, or to protect the rights, safety, or property of RetroDash, our users, or the public.

6. International Data Transfers

RetroDash's infrastructure is primarily located in the United States. If you access the platform from the European Union, Brazil, or another jurisdiction with data transfer restrictions, your personal data is transferred to and processed in the United States.

For EU users (GDPR): data transfers to the US rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as maintained by Firebase and Vercel.

For Brazilian users (LGPD): international data transfers are conducted on the basis of the necessity of the transfer for the provision of the contracted service (Lei 13.709/2018, Art. 33, VIII).

7. Data Retention

We retain personal data for as long as necessary to provide the service and comply with legal obligations:

  • Account data (name, email, photo): retained until you request account deletion.
  • Room and card data: retained as long as the room exists in the platform. Room facilitators can delete rooms at any time.
  • Deleted data: when a card, room, or account is deleted, data is removed from our active database within 30 days. Backup systems may retain copies for up to 90 additional days before permanent deletion.
  • Firebase authentication logs and security data: retained according to Firebase's standard log retention policies (typically 30–90 days).

8. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal data. To exercise any right, contact us at privacy@retrodash.app.

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: correct inaccurate or incomplete information (profile data can be updated directly through your Google account).
  • Right to erasure ("right to be forgotten"): request deletion of your account and personal data.
  • Right to restriction: ask us to pause processing of your data while a complaint is under review.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interests.
  • GDPR (EU): all rights above, plus the right to lodge a complaint with your national supervisory authority.
  • LGPD (Brazil): all rights above, plus the right to know with whom your data is shared, the right to anonymization of unnecessary data, and the right to lodge a complaint with the ANPD (Autoridade Nacional de Proteção de Dados).

We will respond to verified requests within 30 days. We may need to verify your identity before processing your request.

9. Cookies and Local Storage

RetroDash does not use advertising cookies or third-party tracking pixels. We use only the following:

  • Firebase Authentication tokens: stored in your browser's local storage to maintain your login session. These are essential for the platform to function and cannot be disabled without logging out.
  • Ephemeral UI state: temporary data (such as in-progress card drafts) may be stored in session storage and is automatically cleared when you close the browser tab.

You can clear local storage and cookies through your browser settings at any time, which will log you out of the platform.

10. Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: all data is transmitted over HTTPS/TLS 1.2 or higher.
  • Encryption at rest: Firebase Firestore encrypts all stored data using AES-256.
  • Access controls: Firestore security rules restrict data access so users can only read and write data they are authorized to see.
  • Password hashing: room passwords are stored as cryptographic hashes — plain-text passwords are never stored.
  • No password handling: user authentication is delegated to Google OAuth 2.0 — we never see or store your Google password.

Despite these measures, no security system is perfect. We cannot guarantee absolute security of your data. If you discover a security vulnerability, please report it responsibly to privacy@retrodash.app.

11. Children's Privacy

RetroDash is not directed at children under 13 years of age (or under 16 in jurisdictions where that threshold applies, such as the EU). We do not knowingly collect personal data from children below these ages.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@retrodash.app and we will take steps to delete that data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Post a prominent notice within the RetroDash application.
  • Where required by applicable law, send email notification at least 30 days before changes take effect.

Your continued use of RetroDash after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree, you must stop using the platform before the effective date.

13. Contact Us

For privacy questions, data access requests, complaints, or to exercise your rights under applicable law, please contact us:

  • Email: privacy@retrodash.app
  • We aim to respond to all privacy inquiries within 30 days.