Privacy Policy
Effective April 11, 2026
1. Introduction
97 Technologies ("we," "us," or "our") operates 97T Boards, a project and team collaboration platform available at https://boards.97-t.com. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have with respect to your data.
By accepting this Privacy Policy at account creation, you acknowledge that you have read and understood these practices. If you do not agree, you should discontinue use of the service.
2. Who This Policy Applies To
97T Boards is an invitation-only platform. Access is granted only through:
- Platform invitations issued by an administrator, or
- Workspace invitations from an existing member of a workspace you are being invited to join.
This policy also applies to external users who submit bug reports through our public-facing bug report form without creating an account (see Section 4.7).
3. Data Controller
| Field | Value |
|---|---|
| Legal entity | 97 Technologies |
| Service | 97T Boards |
| Production URL | https://boards.97-t.com |
| Contact email | build@97technologies.com |
| Governing law | Idaho, USA (Bingham County) |
4. Information We Collect
We collect several categories of personal information in the course of operating the service.
4.1 Account & Authentication Data
When you accept a platform or workspace invitation, we collect:
- Email address
- Display name
- Password (stored as a bcrypt hash; we never store your plaintext password)
- Profile avatar URL (if you upload one)
- Timestamps recording when you accepted our Terms of Service and this Privacy Policy
Authentication sessions are managed via encrypted cookies. Refresh tokens rotate on each use.
4.2 Workspace & Project Content
Content you create within the platform (including workspace names, project walls, tasks, comments, document pages, labels, and milestones) is stored in our database. Free-text fields such as task titles, descriptions, comments, and documents may contain personally identifiable information at your discretion. We treat all content you submit as data you have chosen to share within your workspace.
4.3 Communications (Chat & Messaging)
The platform includes a messaging system. The following data is collected:
- Message content (plaintext or encrypted ciphertext, depending on channel settings)
- @-mention data linking messages to specific users
- File attachments: file name, type, size, and storage path
- Message reactions
- Channel membership
- Read receipts (last-read timestamps per channel)
End-to-end encryption (E2EE): Individual channels may optionally enable E2EE. When E2EE is active, message content is encrypted in your browser before transmission and we receive only ciphertext. Cryptographic key material is managed on-device (your browser).
Key recovery: To enable message recovery in the event of device loss, the platform maintains an encrypted copy of each channel key, protected by a server-side master secret. This means end-to-end encryption in Boards protects message content in transit and at rest, but is not zero-knowledge: 97T retains a recovery mechanism.
4.4 Cryptographic & Device Identity Data
To support E2EE chat, the platform generates and stores:
- A device identifier (generated in your browser and stored in localStorage)
- Your public key for the chat identity associated with your device (stored server-side)
- Your private key (stored only in your browser's IndexedDB; never transmitted to our servers)
- Wrapped channel keys and key package metadata (server-side, encrypted)
- Push subscription endpoint URL and encryption keys used to deliver web push notifications
If an API key for the Cursor AI integration is stored, it is encrypted using envelope encryption (AES-256-GCM) and a master key before database storage.
4.5 Notification & Communication Preferences
We store your per-workspace notification delivery preferences (email, push, and in-app toggles for each event type), as well as delivery records including notification title, body, action URL, and timestamps indicating when a notification was emailed, pushed, or read.
4.6 Integration Data
When you connect third-party integrations, we store data necessary to operate those integrations:
GitHub: GitHub account username (account_login), account type, installation ID, repository owner/name, default branch, pull request titles and numbers, branch names, and the identity of the user who connected the integration. GitHub usernames are personal data and are collected solely to operate the code integration features you have enabled.
Cursor AI: Cursor user email, API key name, API key fingerprint (not the key itself), and the identity of the user who connected the integration. Per-agent-run records include prompt snapshots, summaries, error messages, agent URLs, PR URLs, branch names, and model selection.
Cursor AI — how prompt data is handled: The Cursor integration uses an API key you supply from your own Cursor account. When an agent run is triggered, Boards constructs a prompt from task content and transmits it to Cursor's API authenticated with your credential. 97T does not control Cursor's infrastructure. Data handling for those requests (including retention and training) is governed by your Cursor account's plan, privacy settings, and Cursor's privacy policy at cursor.com/privacy. You should ensure Privacy Mode is enabled in your Cursor account settings before connecting the integration. Separately, Boards retains a snapshot of each agent prompt and its summary in its own database (see Section 4.9 and the retention schedule in Section 9).
4.7 Bug Reports (External / Non-Account Users)
Workspace owners can enable a public bug report form for specific engineering project walls. When enabled, the workspace owner generates a link unique to that wall and distributes it (for example, to customers or clients) to allow external users to submit bug reports without a Boards account.
When an external reporter submits a bug report, we collect:
- Reporter name (optional)
- Reporter email address (optional)
- Bug title, description, reproduction steps, and environment details
No file uploads are collected via the bug report form. Reporter IP addresses are not recorded by application logic, though hosting and database infrastructure may capture them in server logs.
How reporter data is stored: Submission data is created as a task in the workspace owner's project wall. Reporter name and email are stored as fields on that task. The workspace owner controls the lifecycle of the task, including deletion. Once a task is deleted, reporter data is retained only for the duration of 97T's standard deleted task retention period before permanent removal (see Section 9).
Responsibility: Because this feature is activated and the link is distributed by the workspace owner, the workspace owner bears primary responsibility for informing external reporters that their submission data will be stored in Boards. 97T collects and stores this data as a data processor on behalf of the workspace owner.
4.8 Behavioral & Technical Data
We collect limited behavioral and technical data to operate the service:
- Activity log entries (action type, metadata, timestamps) generated by most application operations
- Your timezone (detected automatically via browser API and stored as a cookie)
- Recent navigation history stored locally in your browser (not transmitted to our servers)
- Ephemeral presence and typing indicators (not persisted to the database)
4.9 AI & Automation Data
The platform supports AI-assisted workflows. We store:
- AI plan data: plan name, context summary, prompt sequences, model recommendations, and attached context (may include copied task content)
- Playbook templates: name, description, prompt template, and model recommendation
- Cursor agent run records: prompt snapshot, summary, error messages (prompt content may include task data transmitted to Cursor's API; see Section 4.6)
5. Cookies & Local Storage
5.1 Cookies
We use the following cookies:
| Cookie | Purpose | Category | Duration |
|---|---|---|---|
| Supabase auth cookies | Session management (access and refresh tokens) | Essential | Session (rotating) |
| tz | Timezone detection for scheduling features | Functional | 1 year |
| sidebar_state | Remember sidebar open/closed preference | Functional | 7 days |
We do not use advertising, tracking, or analytics cookies. All cookies currently in use are either essential for authentication or functional for your experience.
5.2 Browser Local Storage & IndexedDB
The following data is stored in your browser and is not transmitted to our servers:
- theme — Dark/light mode preference
- boards_cookie_banner_accepted — Tracks whether you have dismissed the cookie consent banner
- 97t-boards-recent-{workspaceSlug} — Recent navigation history for quick access
- boards-chat-device-id — Device identifier for E2EE chat identity
- boards-chat-device-crypto-v1 (IndexedDB) — Your chat identity key pair (public + private keys; private key never leaves your browser)
- agenda-auto-defer:{workspaceSlug}:{userId}:{date} — Tracks whether deferred agenda items have been auto-rolled forward for a given day
5.3 Cookie Consent
A cookie banner is displayed on your first visit. Acceptance is recorded in local storage. Because all cookies in current use are essential or functional, no granular consent is required at this time. If we introduce analytics or advertising cookies in the future, we will update this policy and our consent mechanism accordingly.
6. How We Use Your Information
We use collected information to:
- Provide, operate, and maintain the platform and its features
- Authenticate your identity and maintain your session
- Deliver notifications (in-app, email, and push) related to activity in your workspaces
- Operate integrations with third-party services you have connected (GitHub, Cursor)
- Enable end-to-end encrypted messaging where enabled by your workspace
- Process and route bug reports submitted through the public form
- Maintain activity logs for audit, accountability, and operational purposes
- Improve and troubleshoot the service
- Communicate product updates (subject to your notification preferences)
We do not sell personal information. We do not use personal information for advertising.
7. Third-Party Service Providers (Sub-Processors)
We share personal data with the following categories of service providers to operate the platform. Each provider receives only the data necessary for its function.
| Provider | Function | Purpose | Data shared | Notes |
|---|---|---|---|---|
| Supabase | Database & Auth | Database, authentication, realtime events, file storage, edge functions | All application data: accounts, content, files, auth tokens, push payloads | US-hosted |
| Postmark / ActiveCampaign | Email delivery | Transactional email | Recipient email, display name, template variables (task titles, workspace names, action URLs) | |
| GitHub | Code integration | GitHub App integration for PR and repo linking | GitHub account username, repo owner/name, PR titles, branch names, installation IDs | Data flows both directions |
| Browser push vendors / Google FCM, Mozilla, Apple | Notification delivery | Web push notification delivery via VAPID | Push subscription endpoint URL, encryption keys, notification title/body/URL | |
| Vercel | Hosting & CDN | Application hosting and content delivery | Server logs, request metadata (IP address, user-agent, headers) | |
The following services are confirmed absent from the platform: Stripe, Sentry, Google Analytics, Mixpanel, Segment, PostHog, Hotjar, Intercom, Amplitude, FullStory, LogRocket, Datadog.
Google Fonts (Inter and Playfair Display) are served via Next.js build-time optimization and self-hosted at deployment. No runtime requests are made to Google's font servers in production.
8. File Uploads
Files attached to tasks, chat messages, or document pages are stored in Supabase Storage with private access controls. Files are not publicly accessible; authenticated signed URLs are generated on demand and expire after a short period. The following file categories are supported:
- chat-attachments — Chat message file attachments (may be client-side encrypted in E2EE channels). 10 MB limit.
- task-attachments — Task file attachments. 10 MB limit.
- doc-images — Inline images embedded in document pages.
9. Data Retention
We retain personal information only as long as necessary to provide the service or as required by law. The following schedule governs all personal data we hold:
- Account data — Deleted within 30 days of account deletion.
- Deleted tasks (including bug report PII) — 30-day grace period from deletion date, then permanently purged.
- Chat messages (plaintext) — Deleted when the channel is deleted; 30-day grace period before hard purge.
- Chat messages (E2EE ciphertext) — Deleted on the same schedule as plaintext messages; channel keys deleted immediately on channel deletion.
- File attachments — Deleted with the parent task or channel; 30-day grace period before storage purge.
- Activity logs — 2 years from creation.
- Notification delivery records — 90 days.
- Push subscriptions — Removed on confirmed delivery failure, or after 12 months of inactivity.
- Cursor agent run data (prompts, summaries) — 1 year from creation.
- Invitation records — Accepted invitations: deleted 30 days after acceptance. Unaccepted invitations: deleted 7 days after expiry.
Grace period: Data marked for deletion is hidden immediately but retained in a recoverable state for 30 days before permanent removal. This allows recovery of accidental deletions. After the grace period, deletion is permanent and irreversible.
Legal holds and exceptions: Notwithstanding the schedule above, we may retain data for longer where required by applicable law, to comply with a legal obligation, to resolve a dispute, to investigate a security incident, or to enforce our agreements.
To request deletion of your personal information before the end of the applicable retention period, please contact us at the address in Section 15.
10. Security
We implement technical and organizational measures designed to protect your personal information. These include:
- Encryption in transit — HTTPS enforced across all services (Vercel and Supabase enforce TLS).
- Encryption at rest — Supabase-managed database encryption; optional per-channel E2EE for chat messages.
- Password hashing — Passwords stored using bcrypt via Supabase Auth; plaintext is never retained.
- API key protection — Third-party API keys stored with envelope encryption (AES-256-GCM) plus a master key.
- Database access control — Row-Level Security (RLS) enabled on all tables with workspace membership verification.
- Cross-site protections — Content-Security-Policy headers, SameSite cookies, XSS mitigations.
- Push notification security — VAPID-signed Web Push with per-subscription payload encryption.
- Webhook verification — HMAC signature verification for GitHub and Cursor inbound webhooks.
No security measure is perfect. If you believe you have discovered a security vulnerability in our platform, please contact us at build@97technologies.com.
11. Your Rights & Controls
Depending on your jurisdiction, you may have certain rights regarding your personal information:
- Access — Your profile, tasks, messages, and notification settings are accessible within the platform at any time.
- Correction — You can edit your display name and avatar directly from your account settings.
- Deletion — To request deletion of your account and associated personal data, use the "Request Account Deletion" option in Settings, which will open a pre-addressed email to build@97technologies.com. We will respond within 30 days. Upon processing, your data enters a 30-day grace period before permanent removal (see Section 9).
- Data portability / export — Contact us at build@97technologies.com to discuss data export needs. Platform administrators have access to a legal-acceptance CSV export.
- Notification preferences — Per-workspace, per-event-type notification delivery controls are available in Settings → Notifications.
- Push notification opt-out — You may revoke push notification permission in your browser or OS settings at any time.
- Cookie consent — A cookie banner is displayed on first use. All current cookies are functional or essential; no marketing or tracking cookies are used.
12. Geographic Scope
97T Boards is operated in the United States and is intended exclusively for US-based users and organizations. We do not knowingly provide the Service to users located outside the United States. All personal data collected through the Service is processed and stored in the United States by 97T and its US-based service providers.
If you access the Service from outside the United States, you do so at your own risk and you are responsible for compliance with local laws. We make no representation that the Service is appropriate or available for use in any other jurisdiction.
13. Children's Privacy
97T Boards is designed for business use and is not directed at children. We do not knowingly collect personal information from individuals under the age of 13. Because the platform is invitation-only, access is controlled by administrators. If you believe a minor has been granted access, please contact us and we will take appropriate action.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent in-platform notice. The "Effective Date" at the top of this policy reflects the date of the most recent revision. Continued use of the platform following notice of changes constitutes your acceptance of the updated policy.
15. Contact Us
For questions about this Privacy Policy, to exercise your data rights, or to report a security concern, please contact:
- Email: build@97technologies.com
- Legal entity: 97 Technologies
- Service: 97T Boards | https://boards.97-t.com
- Governing jurisdiction: Idaho, USA (Bingham County)