Privacy Policy

1. Introduction

Xephix Technologies Private Limited (“Xephix,” “we,” “us,” or “our”) operates Xephix Boards, a project management and collaboration platform. Boards can be configured for continuous-flow work and/or time-boxed iterations (including related backlog and sprint data). This Privacy Policy explains how we collect, use, disclose and protect information when you use our website, applications and related services (the “Service”). By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

This policy applies to Xephix Boards. For other Xephix products or the main company website, please see our Xephix Privacy Policy.

2. Data controller

The data controller responsible for your personal data in connection with Xephix Boards is Xephix Technologies Private Limited, 59/2, Block-C, Bangur Avenue, Kolkata – 700 055, West Bengal, India (CIN: U62013WB2025PTC284577). You can contact us at the address above or via xephix.com/contact.

3. Information we collect

We collect information you provide directly, information we obtain when you use the Service and information from third parties where applicable.

3.1 Account and profile information

When you register or sign in (including via email/password, magic link, or social login), we collect your email address and, if you choose to provide it, your name, profile photo, job title and other profile fields. We may also store your acceptance of our Terms of Service and Privacy Policy (e.g., timestamp of acceptance).

3.2 Organization and membership data

When you create or join an organization, we store the organization’s name, slug, logo and settings. We also store your membership role and permissions (as defined in the product), membership status and invitation/acceptance details. If you invite others, we process the email addresses and invitation state (pending, accepted, expired).

3.3 Content you create in the Service

We store the content you and your team add to the Service, including:

• Work items (titles, descriptions, types, priorities, labels, assignees, custom fields, status, iteration or sprint assignment where your organization uses that model and related metadata)
• Comments, reactions and activity on work items
• Time logs and other work-tracking data
• File attachments you upload (and associated metadata)
• Board and project configuration (including workflow or board-type settings), workflows and custom fields
• Automation rules you or your organization configure and related execution metadata (for example schedules and run status)

This content may include personal data (e.g., names, email addresses) where you or your organization choose to include it. You are responsible for ensuring you have a lawful basis to provide such data to us.

3.4 Usage and device information

We automatically collect information about how you use the Service, such as pages or screens you view, actions you take (e.g., creating work items, commenting) and feature usage. We may collect device and browser type, IP address and general location (e.g., country or region) for security, fraud prevention and improving the Service. We may use cookies and similar technologies as described in Section 12.

3.5 Billing and payment information

If you subscribe to a paid plan, we or our payment processors collect billing details (e.g., billing email, company name, tax ID) and payment information. We do not store full payment card numbers; those are handled by our payment providers in accordance with their policies and applicable regulations.

For billing calculations, we may process invoice-region data (such as billing country and address), tax profile fields, and limited pricing metadata (for example proration inputs and, where applicable, exchange-rate source/timestamp used for a quote). This data is used to generate invoice totals, support auditability, and resolve billing disputes.

4. How we use your information

We use the information we collect to:

• Provide, operate, maintain and improve the Service
• Authenticate you and manage your account and organizations
• Process invitations, roles and permissions
• Store and display your content (work items, comments, attachments, etc.) and make it available to you and other members of your organization as configured
• Send you service-related communications (e.g., magic links, password resets, billing and important product updates)
• Respond to your requests and support inquiries
• Monitor usage, diagnose issues and improve performance and security
• Comply with legal obligations and enforce our Terms of Service
• Protect against fraud and abuse

We may use aggregated or de-identified data for analytics and product improvement; such data is not considered personal data under this policy.

5. Legal basis for processing (EEA/UK)

Where applicable law requires a legal basis (e.g., in the EEA or UK), we process your data based on: (a) performance of our contract with you (providing the Service), (b) your consent where we have asked for it (e.g., optional marketing), (c) our legitimate interests (e.g., security, improving the Service, analytics) and (d) compliance with legal obligations. You may have the right to object to processing based on legitimate interests or to withdraw consent where consent is the basis; see Section 9.

6. Sharing and disclosure

We do not sell your personal data. We may share your information in the following circumstances:

• Within your organization. Content and membership information are visible to other members of the same organization according to roles and permissions set by your organization admins.
• Service providers. We use third-party providers for hosting, email, analytics, payment processing and support. They process data on our instructions and are bound by contracts that require them to protect your data and use it only for the purposes we specify.
• Legal and safety. We may disclose information if required by law, court order, or government request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to detect and prevent fraud or abuse.
• Business transfers. If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy commitments.

7. Data retention

We retain your information for as long as your account is active or as needed to provide the Service and fulfill the purposes described in this policy. After you close your account or an organization is deleted, we may retain certain data for a reasonable period for backup, legal compliance, dispute resolution and enforcement of our agreements. Where we no longer need the data, we will delete or anonymize it in accordance with our retention practices and applicable law.

8. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include access controls, encryption in transit and at rest where applicable and regular review of our security practices. No method of transmission or storage is completely secure; we cannot guarantee absolute security and you use the Service at your own risk.

9. Your rights

Depending on your location, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your data (subject to legal or contractual retention requirements)
• Portability – receive a copy of your data in a structured, machine-readable format
• Object to or restrict certain processing
• Withdraw consent where processing is based on consent
• Lodge a complaint with a supervisory authority (e.g., in the EEA or UK)

To exercise these rights, contact us using the details in Section 14. We will respond in accordance with applicable law. You can also update much of your profile and account information directly in the Service. If you request deletion, we may need to retain some data as required by law or for legitimate business purposes.

10. International transfers

Your information may be processed and stored in India or other countries where we or our service providers operate. If you are located in the EEA, UK, or another jurisdiction with restrictions on international transfers, we ensure appropriate safeguards (e.g., standard contractual clauses or other mechanisms approved by the relevant authorities) are in place where required by law.

11. Children

The Service is not intended for users under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will take steps to delete it.

12. Cookies and similar technologies

We use cookies and similar technologies (e.g., local storage) to maintain your session, remember your preferences and understand how you use the Service. Essential cookies are necessary for the Service to function; we may also use analytics cookies to improve our product. You can control cookies through your browser settings; disabling certain cookies may affect the functionality of the Service.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the “Last updated” date. For material changes, we may notify you by email or through the Service. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

14. Contact

For privacy-related questions, to exercise your rights, or to report a concern, contact us at: Xephix Technologies Private Limited, 59/2, Block-C, Bangur Avenue, Kolkata – 700 055, West Bengal, India; or via xephix.com/contact. For our full company privacy policy, see Xephix Privacy Policy.