This Privacy Policy explains how Chimedeck collects, uses, stores, and shares information when you visit chimedeck.io, use any hosted Chimedeck services (including tenant domains provisioned for hosted plans), request a demo, create an account, or interact with related support, documentation, CLI, or API experiences.

This policy is written for the public website and hosted service. If you self-host Chimedeck, you are responsible for the privacy practices of your own deployment.

Who we are

Chimedeck is operated by Journey Horizon Pty Ltd (ACN / ABN on request), a company registered in the Australian Capital Territory, Australia. Our registered address is:

Unit G10, 48 Gungahlin Place, Gungahlin ACT 2912, Australia

For privacy questions, requests, or complaints, contact developer@journeyh.io or write to the address above. We aim to respond to privacy requests within 30 days.

Contents

  1. Scope
  2. Information we collect
  3. How we use information
  4. Legal bases for processing (GDPR)
  5. Cookies, tokens, and tracking signals
  6. Analytics and error monitoring
  7. Email and notifications
  8. Subprocessors and infrastructure
  9. When information may be shared
  10. Workspace visibility and collaboration
  11. Data retention
  12. Security and breach notification
  13. International transfers
  14. Your rights and choices
  15. California residents (CCPA/CPRA)
  16. Australian residents (Privacy Act 1988)
  17. Children
  18. Changes to this policy
  19. Contact

1. Scope

This policy applies to:

  • the Chimedeck marketing website and documentation;
  • hosted Chimedeck application environments (including any tenant-specific domains provisioned for hosted plans);
  • account registration, sign-in, and workspace access;
  • product communications such as verification, password reset, invite, and notification emails; and
  • support, implementation, and onboarding interactions related to Chimedeck.

2. Information we collect

Information you provide directly. Depending on how you use Chimedeck, we may collect: your name; email address; account credentials; profile details such as avatar or display name; workspace, board, list, card, checklist, attachment, comment, mention, and activity content you create inside the product; and information you submit through contact, demo, onboarding, or support conversations.

Authentication information. Chimedeck supports sign-in via email and password and via OAuth providers including Google and GitHub. If you choose a third-party provider, Chimedeck may receive basic account information (name, email, profile image) as permitted by that provider and your settings.

Technical and usage information. When you use the website or hosted product, we may collect your IP address and general network metadata, browser and device information, product events needed to operate the service, server and security logs, rate-limit logs, crash and error telemetry, and timestamps associated with account and workspace activity.

Files and user-generated content. If you upload files, images, avatars, attachments, or board backgrounds, Chimedeck stores the file along with metadata needed to deliver and secure that content.

3. How we use information

We use information to:

  • operate the website and hosted service;
  • create and manage user accounts;
  • authenticate users and secure sessions;
  • deliver work-management features (boards, cards, assignments, checklists, comments, mentions, notifications, search);
  • store and serve attachments and other assets;
  • send account and service communications;
  • detect and investigate fraud, abuse, spam, and security incidents;
  • debug and improve performance and reliability;
  • provide support, onboarding, and migration services; and
  • comply with legal obligations.

4. Legal bases for processing (GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases under Article 6:

  • Contract — to provide the service you've requested, manage your account, and deliver core features.
  • Legitimate interests — to secure the service, prevent fraud and abuse, maintain reliability, improve the product, and operate our business. We balance these interests against your rights.
  • Legal obligation — to comply with applicable laws, respond to valid legal process, and meet record-keeping requirements.
  • Consent — where required (for example, for certain non-essential cookies or marketing communications). You can withdraw consent at any time; withdrawal does not affect prior processing.

5. Cookies, tokens, and tracking signals

Hosted Chimedeck environments use cookies and similar technologies in the following categories:

  • Strictly necessary — session, authentication, CSRF, and security cookies required to operate the service.
  • Functional — cookies that remember preferences such as language or UI state.
  • Analytics — cookies set by the third-party analytics providers described in Section 6. Where required by law, these are only set after you give consent through our cookie banner.

Chimedeck's architecture also uses access tokens and refresh-token flows for authenticated sessions. These mechanisms are used for account security and product operation, not advertising.

Do Not Track and Global Privacy Control. We currently honor Global Privacy Control (GPC) signals from supported browsers as an opt-out of sale/sharing under applicable US state laws. Because there is no consistent industry standard for "Do Not Track," we do not respond to DNT headers separately.

6. Analytics and error monitoring

We use the following third-party tools for product analytics, marketing research, and diagnostics:

  • Google Analytics — aggregate website traffic and usage measurement.
  • Semrush and Ahrefs — marketing and SEO analytics applied to our public website.
  • Sentry — application error and performance monitoring. Sentry is configured to redact sensitive headers and query parameters, and automatic PII collection is disabled by default.

We do not use advertising cookies, cross-context behavioral advertising trackers, or ad networks.

7. Email and notifications

Chimedeck sends transactional and operational emails, including account verification, password reset, invite, mention notifications, card and workspace activity notifications, and service-related support communications. Outbound email is delivered through Amazon SES.

If we send marketing or product-update emails, each message will include a clear unsubscribe link. Unsubscribing from marketing communications does not affect transactional emails required to operate your account.

8. Subprocessors and infrastructure

Chimedeck's hosted service is built primarily on Amazon Web Services (AWS). Current subprocessors include:

  • AWS — application hosting, compute, managed PostgreSQL database, S3-compatible object storage for attachments and assets, and SES for transactional email.
  • Sentry — error and performance monitoring (configured with PII minimization).
  • Google Analytics, Semrush, Ahrefs — website analytics as described in Section 6.

We may update this list from time to time. Material changes to subprocessors that process customer data will be reflected in updates to this policy or a linked subprocessors page.

9. When information may be shared

Chimedeck may share information:

  • with the infrastructure, hosting, storage, email, and monitoring providers listed in Section 8;
  • with service providers or contractors involved in support, onboarding, migration, or implementation;
  • within a workspace according to the permissions and collaboration features of the product;
  • when required by law, legal process, or a valid governmental request;
  • to protect the rights, safety, security, and integrity of Chimedeck, its users, and the public; and
  • as part of a merger, acquisition, financing, reorganization, or asset transfer.

10. Workspace visibility and collaboration

Chimedeck is a collaborative product. Information you add to a workspace, board, or card may be visible to other users in that environment according to workspace role settings, board visibility, membership, guest access, assignments, comments, mentions, and notification features.

Public board sharing is controlled by workspace administrators. If an administrator publishes a board publicly, its contents may be accessible to anyone with the link and may be indexed by search engines. Do not place sensitive information on publicly shared boards.

11. Data retention

We retain information for as long as needed to operate the service, comply with legal obligations, resolve disputes, and investigate abuse. Typical retention windows:

  • Account and workspace content — retained while your account is active, and deleted within 90 days of account deletion, subject to legal holds and backup cycles.
  • Backups — typically retained for up to 30 days.
  • Server and security logs — typically retained for up to 90 days.
  • Error telemetry (Sentry) — retained per Sentry's default retention (typically 30–90 days).
  • Transactional email records — retained as long as reasonably required for operational and fraud-prevention purposes.

Specific periods may vary by data type, deployment model, and contractual requirements.

12. Security and breach notification

Chimedeck uses administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, misuse, alteration, or disclosure. These include authenticated access controls, secure session handling, encryption in transit, storage controls, and operational monitoring.

No internet service can guarantee absolute security. If Chimedeck becomes aware of a personal-data breach that is likely to affect you, we will notify affected users and applicable regulators in accordance with Australian, EU/UK, and US state-law obligations within the timeframes those laws require.

13. International transfers

Chimedeck is operated from Australia, and our hosted service uses AWS regions that may be located outside your country of residence. Where personal information is transferred out of the EEA, UK, or Switzerland to a country that does not have an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and UK Addendum, where applicable) as the transfer mechanism, together with supplementary measures where appropriate. By using the hosted service, you acknowledge that information may be transferred to and processed in jurisdictions where Chimedeck or its infrastructure providers operate.

14. Your rights and choices

Depending on your location, you may have rights to request access to, correction of, deletion of, or export of personal information, to object to or restrict certain processing, and to withdraw consent where processing is based on consent. To exercise any of these rights, contact developer@journeyh.io. We will verify your identity before acting on a request and will respond within the timeframe required by applicable law (generally 30 days).

For account and workspace data, some requests may need to be coordinated with your workspace owner or administrator, especially where the data forms part of a shared collaborative environment.

You have the right to lodge a complaint with a supervisory authority — in Australia, the Office of the Australian Information Commissioner (OAIC); in the EEA, your local Data Protection Authority; in the UK, the Information Commissioner's Office (ICO).

15. California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the CPRA.

Categories of personal information we collect (per Cal. Civ. Code § 1798.140): identifiers (name, email, IP address, account IDs), customer records (contact details you provide), commercial information (subscription and billing records if applicable), internet/network activity (product usage, logs, device and browser information), geolocation (coarse, derived from IP), and professional information (limited, such as workplace role if you provide it). We do not collect sensitive personal information for purposes that would trigger the right to limit use.

Sources include you, your browser or device, your single-sign-on provider if used, and workspace administrators.

Business purposes include providing and improving the service, security and fraud prevention, customer support, and legal compliance — as described in Section 3.

Sale or sharing. We do not sell personal information and we do not share personal information for cross-context behavioral advertising.

Your rights. You may request to know, delete, correct, and receive a copy of your personal information; opt out of sale or sharing (not applicable — we don't do either); limit the use of sensitive personal information (not applicable as above); and not be subject to discrimination for exercising these rights. Submit requests via developer@journeyh.io. You may use an authorized agent; we will verify the agent's authority.

16. Australian residents (Privacy Act 1988)

Journey Horizon Pty Ltd handles personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You may request access to or correction of your personal information by contacting us. If you believe we have breached the APPs, you may contact us first, and if you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

17. Children

Chimedeck is not intended for children under 16, or the minimum age of digital consent in your jurisdiction (never lower than 13). We do not knowingly collect personal information from children below that age. If you believe a child has provided personal information to us, contact developer@journeyh.io and we will review and take appropriate action.

18. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where changes are material, provide additional notice (for example, in-product or by email) before the changes take effect.

19. Contact

For privacy questions or requests:

  • Email: developer@journeyh.io
  • Mail: Journey Horizon Pty Ltd, Unit G10, 48 Gungahlin Place, Gungahlin ACT 2912, Australia