Privacy Policy

1. Who We Are

Backlog is operated by:

We are the data controller for the personal information described in this policy ("we", "us", "our").

2. What Data We Collect

We collect the minimum data necessary to provide and improve the Service:

• Email address — provided when you create an account, join the waitlist, or contact us.
• Account data — entries, notes, tasks, client information, and other content you create within the Service.
• Payment data — processed by Stripe. We do not store your credit card number, CVC, or full payment details on our servers.
• Analytics data — anonymous, aggregated usage metrics collected through our own cookie-free analytics service (see Section 7).

3. How We Use Your Email

We use your email address for the following purposes only:

• Authentication — sending magic link sign-in emails.
• Waitlist — sending a one-time verification email when you join the waitlist, and notifying you when access becomes available.
• Service communications — account-related notifications such as subscription confirmations, payment receipts (sent by Stripe), and important changes to the Service or these policies.
• Support — responding to emails you send us at hello@thosekids.studio.

We do not send marketing emails, newsletters, or promotional content. We do not sell, rent, or share your email address with third parties.

4. Waitlist

When you join the waitlist, we collect your email address and send a verification email. We store your email and verification status to manage the waitlist. If you no longer wish to be on the waitlist, contact us at hello@thosekids.studio and we will remove your entry.

5. Payment Processing

Subscription payments are processed by Stripe, Inc., a PCI-compliant payment processor. When you subscribe:

• Your payment information (card number, expiration, CVC) is collected and processed directly by Stripe. It never touches our servers.
• We store a Stripe customer ID and subscription ID to manage your subscription status.
• Stripe may collect additional data as described in their privacy policy.

6. Your Content & Data

All entries, notes, tasks, client information, and other content you create in Backlog belong to you. We do not access, analyze, sell, or share your content. Your data is isolated per account and stored in a secure database. We access your data only when technically necessary to provide the Service or when required by law.

7. Analytics

We use a custom, self-hosted analytics service to understand how the Service is used. Our analytics:

• Do not use cookies — no tracking cookies, fingerprinting, or local storage for analytics purposes.
• Do not track individual users — all data is anonymous and aggregated.
• Do not share data with third parties — analytics data stays on our infrastructure.
• Collect only: page views, referrer URLs, browser type, country (derived from IP, which is not stored), and general usage patterns.

No consent banner is required because we do not use cookies or process personal data for analytics.

8. Cookies

We use only strictly necessary cookies for authentication:

• access_token — a secure, HTTP-only session cookie used to authenticate your requests. Expires after 1 hour.
• refresh_token — a secure, HTTP-only cookie used to renew your session. Expires after 7 days.

These cookies are essential to the functioning of the Service and cannot be disabled. We do not use advertising, tracking, or third-party cookies.

9. Data Retention

• Account data — retained while your account is active. After cancellation, your data is kept for 30 days and then permanently deleted.
• Waitlist data — retained until the waitlist is no longer needed or you request removal.
• Payment data — managed by Stripe according to their retention policies. We retain only the Stripe customer and subscription IDs.
• Analytics data — aggregated and anonymous; retained indefinitely.

10. Your Rights

Under applicable data protection laws (including GDPR), you have the right to:

• Access your personal data.
• Correct inaccurate data.
• Delete your account and associated data.
• Export your data in a portable format.
• Object to or restrict certain processing.

To exercise any of these rights, email us at hello@thosekids.studio. We will respond within 30 days.

11. Third-Party Services

We use the following third-party services:

• Stripe — payment processing. Privacy policy.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking service.

12. Data Security

We take reasonable technical and organizational measures to protect your data, including encrypted connections (HTTPS), secure authentication (JWT), per-account data isolation, and access controls. However, no system is 100% secure and we cannot guarantee absolute protection.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of significant changes by email. The "Last updated" date at the top indicates the latest revision.

14. Contact

For any privacy-related questions, requests, or concerns, contact us at hello@thosekids.studio.