Back to BoardFlow

Privacy Policy

Last updated: April 16, 2026

1. Overview

BoardFlow Inc. ("we", "us", or "our") operates the BoardFlow platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and an encrypted password. Your user role (applicant, broker, manager, board member) is stored to enforce access controls.

2.2 Application Data

Applicants and brokers submit board package materials including:

  • REBNY Financial Statement data (income, assets, liabilities, employment details)
  • Social Security Number (stored securely, displayed with masking — last 4 digits only)
  • Bank account numbers (stored securely, displayed with masking)
  • Uploaded documents (financial statements, tax returns, reference letters, etc.)
  • Purchase or rental details

2.3 Usage Data

We collect audit logs of document access (who accessed what and when) for security and compliance purposes.

3. How We Use Your Information

  • To facilitate the board package submission and review process
  • To enforce role-based access controls and data security
  • To send transactional emails (submission confirmations, revision requests, review notifications)
  • To generate AI-assisted executive summaries of applications (using anonymized financial data)
  • To process the $99 application processing fee via Stripe
  • To maintain audit trails for compliance

4. Data Retention

  • Application documents: Automatically deleted 30 days after a final decision (approval or denial) is made on the application.
  • Stale drafts: Applications in draft status for more than 30 days are automatically cleaned up.
  • Expired invites: Unused invitation links are automatically removed after expiration.
  • Account data: Retained until you request account deletion.

5. Third-Party Services

We share data with the following third-party service providers:

  • Supabase: Database hosting, authentication, and file storage. Data is stored in Supabase-managed PostgreSQL with row-level security enforced.
  • Stripe: Payment processing for the $99 application fee. We do not store credit card numbers — Stripe handles all payment data. See Stripe's Privacy Policy.
  • Resend: Transactional email delivery. Only recipient email addresses and message content are shared.
  • Google Gemini AI: Used to generate executive summaries of applications. Document content may be sent for AI analysis. No personal identifiers are included in AI prompts beyond what appears in the documents.
  • Vercel: Application hosting and deployment.

6. Data Security

We implement the following security measures:

  • Row-level security (RLS) on all database tables to prevent unauthorized access
  • Documents are rendered in-browser only — no download links are provided
  • Document access URLs expire within 5 minutes
  • SSN and account numbers are masked (last 4 digits only) in the UI
  • All data is transmitted over HTTPS with HSTS enforcement
  • Rate limiting on sensitive operations to prevent abuse
  • Audit logging of document access

7. Your Rights

7.1 California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you
  • Request deletion of your personal information
  • Opt out of the sale of your personal information (we do not sell personal data)
  • Non-discrimination for exercising your privacy rights

7.2 All Users

Regardless of location, you may:

  • Export your data: Request a copy of all personal data we hold about you via your profile settings.
  • Delete your account: Request permanent deletion of your account and associated data via your profile settings. Upon deletion, your personal information is anonymized and documents are removed.
  • Correct your data: Update your profile information at any time.

8. Cookies

We use essential cookies for authentication and session management. We do not use tracking or advertising cookies. See our Cookie Policy for details.

9. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. Your continued use of the Service constitutes acceptance of the updated policy.

11. Contact

For privacy inquiries or to exercise your data rights, contact us at privacy@boardflow.app.