Privacy Policy

We collect the following categories of information:

Account information: When you register, we collect your name, email address, and password (stored as a hashed value). If you use Google or GitHub SSO, we receive your profile name and email from that provider.

Usage data: We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, operating system, and IP address. This data is used in aggregate to improve the product.

Content you create: We store all issues, comments, sprint data, configurations, and other content you create within the Service.

Payment information: Subscription payments are processed by Paddle, our authorized reseller. We do not store your credit card number, expiry date, or CVV. We receive only a transaction ID and subscription status from Paddle.

We use the information we collect for the following purposes:

• To provide and operate the Service: storing your data, processing sprints, computing capacity, and delivering all platform features.
• To send transactional notifications: email confirmations, password resets, team invitations, and subscription receipts.
• To send product updates: release notes and feature announcements — you can opt out at any time from your profile settings.
• To improve the product: analyzing anonymized usage patterns to identify areas for improvement and diagnose bugs.
• To enforce our Terms of Service: detecting and preventing abuse, fraud, or policy violations.
• To power AI features (Pro/Business only): sprint content may be sent to an AI provider to generate summaries or insights. See Section 4 for details.

Your data is stored in a PostgreSQL database managed on our infrastructure. All data is encrypted at rest using AES-256 encryption. All data in transit is encrypted using HTTPS (TLS 1.2+).

We implement access controls, regular security audits, and intrusion detection measures to protect your data. Access to production data is strictly limited to authorized personnel on a need-to-know basis.

While we take reasonable precautions, no system is completely secure. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law.

We do not sell your personal data to third parties. We share your data only in the following limited circumstances:

• Paddle (payment processing): billing information and subscription status are managed by Paddle as our authorized reseller.
• Pusher (real-time notifications): session tokens are exchanged with Pusher's WebSocket infrastructure to deliver real-time @mention and comment alerts. No persistent personal data is stored by Pusher.
• AI providers (Pro/Business plans only): when you use AI-powered features, relevant sprint content (issue titles, summaries, status fields — no personal contact info) is sent to an AI provider for inference.
• Legal requirements: we may disclose your data if required by law, subpoena, or to protect our rights or the safety of others.

Sprinlo uses a minimal set of cookies necessary to operate the Service:

• Session cookies: an HttpOnly, Secure cookie is used to maintain your authenticated session. Deleted when you log out or your session expires.
• Preference cookies: lightweight preferences (UI theme, sidebar state) stored in your browser's localStorage. Not transmitted to our servers.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

You have the following rights with respect to your personal data:

• Access: view all personal information from your Profile settings page.
• Export: export all workspace data (issues, sprints, reports) in CSV or JSON format from workspace Settings.
• Correction: update your name, email, and other profile information at any time from Profile settings.
• Deletion: permanently delete your account and all associated data from Account Settings. See Section 7 for the data retention timeline.
• Objection / Restriction: contact us at admin@sprinlo.com to request restriction or objection to specific processing activities.

If you are located in the European Economic Area, you also have rights under the GDPR, including the right to lodge a complaint with your local supervisory authority.

We retain your data as follows:

• Active account data is retained indefinitely while your account remains open.
• If you delete your account, all personal data and workspace content will be permanently deleted within 30 days of the deletion request.
• Anonymized, aggregated usage statistics may be retained indefinitely as they contain no personally identifiable information.
• Billing records and transaction logs may be retained for up to 7 years to comply with financial regulations.

Sprinlo is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at admin@sprinlo.com.

Sprinlo is operated from servers that may be located outside your country of residence. By using the Service, you acknowledge that your data may be transferred to, stored, and processed in countries that may have different data protection laws than your jurisdiction.

When we transfer data from the European Economic Area to countries not deemed adequate by the European Commission, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs).

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

If you have questions, concerns, or requests related to this Privacy Policy, please contact our privacy team:

Email: admin@sprinlo.com

Andreal — We aim to respond to all privacy-related inquiries within 5 business days.