This privacy policy outlines how Cardflow, owned and operated by Tymoteusz Zapała (also known as Tymek Zapała), registered in Poland with company number 7372221379 ("we", "us", or "our"), collects and uses your personal data when you use our Trello power-ups, including Colorful Budget, List Time Tracker, Unify Labels, and Time Slot Calendar.
1. Our commitment to your privacy
Our core philosophy is built on the GDPR principles of data minimization and purpose limitation. We are committed to collecting only the essential information required for specific, stated purposes to provide you with a functional and reliable service. We believe that a clear understanding of what information we collect, why we collect it, and how it is used is fundamental to building trust. This approach is consistent with regulatory requirements, such as the EU's General Data Protection Regulation (GDPR), which mandate that information related to data processing be provided in a concise, transparent, and easily accessible format, using clear and plain language.
2. Data we collect and how we use it
We never store any data from your Trello cards - including titles, descriptions, comments, or attachments - on our servers. The information we do collect is strictly limited to the following categories:
Data type | Purpose of collection |
---|---|
Trello member IDs, workspace IDs, board IDs, and board names | To associate your Trello account with our power-ups, enable core service functionality, manage your subscription, facilitate customer support, and track usage for service improvement. |
Payment & billing information | To process subscription payments, manage your account, and prevent fraudulent transactions. We use a third-party payment processor and do not store credit card numbers or personal information on our servers. |
Aggregated website analytics data | To understand website traffic, identify popular content, and improve our services. This data is fully anonymized, contains no personal identifiers, and is not used to track individual users. |
When you add a Cardflow power-up to your Trello board, we receive a unique, alphanumeric Trello member ID along with board and workspace identifiers. This data is essential for the power-up to function as intended, allowing it to apply its features and associate them with your specific account.
For subscription payments, we use the third-party payment processor Stripe. When you provide your payment details, that information is sent directly to Stripe for processing. Stripe securely stores and manages your full payment information; it is never stored on our servers.
To understand how visitors interact with our website, we use Plausible Analytics. Plausible is a privacy-focused analytics service that collects only aggregated, non-identifiable data. It does not use cookies, does not track you across different websites, and does not collect any personal information. The information we gather includes referral sources, top pages, visit duration, and the country of origin, which helps us improve our website and the overall user experience.
3. Our legal basis for processing your data
Under the GDPR, every instance of processing personal data must have a clear and established legal justification. We rely on the following lawful bases for our data processing activities:
Our primary legal basis for processing your Trello member IDs and payment information is contractual necessity. Processing this information is essential to deliver the subscription service you purchase from us. For example, without your Trello ID, we cannot link the power-ups to your account, and without processing your payment information, we cannot deliver the paid subscription service.
We may also process non-identifiable, aggregated usage data for our legitimate interests. This involves analyzing how our power-ups and website are used in an anonymized form, for example, to identify common usage patterns or to detect potential issues. This type of analysis allows us to improve our services and features and enhance the overall user experience without relying on personally identifiable information.
4. Data sharing and disclosure
A core aspect of our privacy commitment is that we do not sell or share your personal information with third parties for their marketing or advertising purposes. Your data is not a product; it is a tool used solely to provide our service to you.
We only share your information with trusted third-party service providers when it is necessary for the operation of our business. These service providers act as data processors on our behalf and are bound by strict data privacy obligations. The types of service providers we use include:
- Payment processors: To process payments, your information is transmitted directly to Stripe, which securely stores and manages it.
- Analytics providers: We share aggregated and anonymized traffic data with Plausible Analytics to help us understand website usage and improve our service.
In addition to the above, we may be required to disclose your personal information in limited, legally mandated circumstances. This includes responding to valid court orders, subpoenas, or other lawful government requests. We may also disclose information to protect our rights, property, or safety, or the rights, property, or safety of our users, as permitted by law.
5. Your privacy rights (GDPR & CCPA)
Both the GDPR and CCPA provide you with significant rights regarding your personal information. To exercise any of the rights detailed below, please contact us at the email address provided in the "Contact us" section.
- Right to Know/Access: You have the right to request information about the personal data we have collected about you.
- Right to Deletion: You have the right to request the deletion of your personal data from our systems.
- Right to Correction: You have the right to request the correction of any inaccurate personal information we hold about you.
- Right to Data Portability (GDPR): You have the right to request a copy of your personal data in a machine-readable format.
- Right to Object & Restriction of Processing (GDPR): You have the right to object to our processing of your personal data under certain conditions.
As we do not sell your personal information or collect sensitive personal data, certain rights under the CCPA (like the Right to Opt-Out of Sale and the Right to Limit Use of Sensitive Personal Information) are not applicable to our services. We will not discriminate against you for exercising any of your privacy rights.
6. Data retention
We will retain your personal data only for as long as is necessary to provide you with our services and for a reasonable period thereafter to comply with our legal and financial obligations. For example, we will retain your Trello ID for the duration of your active subscription. Following the cancellation of your subscription, we may retain this information for a limited period to comply with applicable tax and accounting laws. Once this retention period has passed, the data will be deleted.
7. Contact us
For any questions about this privacy policy or to exercise your privacy rights, please contact our support at [email protected]. When submitting a request, please provide sufficient information to allow us to verify your identity and understand the nature of your request.
8. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or to comply with new legal requirements. When we make changes, we will post the updated policy on this page.