Privacy Policy
Last updated: April 17, 2026
1. Overview
Slatewood Labs LLC, a New York limited liability company doing business as BoardFlow ("we", "us", or "our"), operates the BoardFlow platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service. We maintain reasonable administrative, technical, and physical safeguards in accordance with the New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") and other applicable privacy laws.
For data we process on behalf of property managers in the co-op/condo board-package flow, see also our Data Processing Agreement. For our direct-to-applicant rental flow — where BoardFlow acts as the independent data controller — see the Rental Privacy Policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and an encrypted password. Your user role (applicant, agent, manager, board member) is stored to enforce access controls.
2.2 Application Data
Applicants and brokers submit board package materials including:
- REBNY Financial Statement data (name, address, employer, position, income, dollar balances of assets and liabilities)
- Purchase details (price, down payment, mortgage, maintenance) or rental details (rent, lease term, current landlord)
- Uploaded documents (financial statements, tax returns, bank statements, reference letters, photo ID, and similar). These documents may contain Social Security Numbers, bank account numbers, or other sensitive identifiers; BoardFlow does not request those identifiers as structured form fields and stores the documents only as uploaded files, behind role-based access controls and short-lived signed URLs.
2.3 Usage Data
We collect audit logs of document access (who accessed what and when) for security and compliance purposes.
3. How We Use Your Information
- To facilitate the board package submission and review process
- To enforce role-based access controls and data security
- To send transactional emails (submission confirmations, revision requests, review notifications)
- To generate AI-assisted executive summaries of applications for board reviewers (document content is sent to Google Gemini AI; see Section 5)
- To process the $99 Package Preparation Fee via Stripe
- To maintain audit trails for compliance
4. Data Retention
- Application documents: Automatically deleted 30 days after a final decision (approval or denial) is made on the application.
- Stale drafts: Applications in draft status for more than 30 days are automatically cleaned up.
- Expired invites: Unused invitation links are automatically removed after expiration.
- Account data: Retained until you request account deletion.
5. Third-Party Services
We share data with the following third-party service providers:
- Supabase: Database hosting, authentication, and file storage. Data is stored in Supabase-managed PostgreSQL with row-level security enforced.
- Stripe: Payment processing for the $99 Package Preparation Fee. We do not store credit card numbers — Stripe handles all payment data. See Stripe's Privacy Policy.
- Resend: Transactional email delivery. Only recipient email addresses and message content are shared.
- Google Gemini AI (paid tier): Used to generate executive summaries of applications for board reviewers. The structured REBNY data and uploaded document content are transmitted to Google's API for analysis. Under Google's paid-tier Gemini API terms, Google does not use prompts, attachments, or responses to train or improve its models. Prompts and responses are retained by Google for a limited period (currently up to 55 days) solely to detect abuse of the API, and are not otherwise used for Google's product development. See Gemini API Additional Terms.
- Vercel: Application hosting and deployment.
6. Data Security
For a fuller technical and operational overview of our security program — including authentication, multi-factor authentication, SSN redaction, encryption, audit logging, sub-processors, and incident response — see our Security page. At a high level, we implement the following security measures:
- Row-level security (RLS) on all database tables to prevent unauthorized access
- Individual documents are rendered in a secure in-browser viewer — native browser download and print controls are disabled; screenshots cannot be technically prevented
- The full application packet is available as a downloadable PDF only to authorized reviewers (the applicant's agent, the building's manager, board members of the building, and platform administrators) — applicants cannot bulk-download their own packet; every download is watermarked and audit-logged
- Document access URLs expire within 5 minutes
- SSN and account numbers are masked (last 4 digits only) in the UI
- All data is transmitted over HTTPS with HSTS enforcement
- Rate limiting on sensitive operations to prevent abuse
- Audit logging of document access
7. Your Rights
7.1 California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect about you
- Request deletion of your personal information
- Opt out of the sale of your personal information (we do not sell personal data)
- Non-discrimination for exercising your privacy rights
7.2 All Users
Regardless of location, you may:
- Export your data: Request a copy of all personal data we hold about you via your profile settings.
- Delete your account: Request permanent deletion of your account and associated data via your profile settings. Upon deletion, your personal information is anonymized and documents are removed.
- Correct your data: Update your profile information at any time.
8. Cookies
We use essential cookies for authentication and session management. We do not use tracking or advertising cookies. See our Cookie Policy for details.
9. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. Your continued use of the Service constitutes acceptance of the updated policy.
11. Contact
For privacy inquiries or to exercise your data rights, contact us at privacy@nycboardflow.com, or by mail at:
Slatewood Labs LLC
Attn: Privacy
418 Broadway, Ste N
Albany, NY 12207