Privacy Policy
We collect what we need to run ChalkBloom for you (account, workspace, billing, the content you create in boards) and nothing else. We don’t sell data. We don’t use your board content to train models. You can export everything, delete everything, and email our DPO directly.
This Privacy Policy describes how ChalkBloom AB processes personal data in the course of operating the ChalkBloom platform. We are the controller for the data described in section 2 unless otherwise noted, and we operate from Stockholm, Sweden, under the General Data Protection Regulation (EU 2016/679) and the Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218).
01 Who we are
ChalkBloom AB, Org.nr 559 348 1729, Sveavägen 33, 111 34 Stockholm, Sweden. Our Data Protection Officer is Astrid Lindqvist, reachable at dpo@chalkbloom.com.
02 What we collect
- Account data: email, name, hashed password, organisation membership, OAuth identity (if you signed in via Google / Microsoft).
- Billing data: billing email, address, VAT number, payment method tokens held by Stripe (we do not store card numbers).
- Workspace data: workspace name, members, settings, custom templates.
- Board content: the sticky notes, shapes, drawings, frames, and comments you create. Processed under your instructions; we are a processor.
- Activity data: who opened which board, when. Retained 30 days for security; aggregated indefinitely.
- Video huddle data: peer-to-peer where possible; metadata (start, end, participants) retained 30 days.
03 Why we collect it
- To provide the Service you requested (legal basis: contract).
- To bill you for usage above the free tier (legal basis: contract).
- To detect abuse and protect platform integrity (legal basis: legitimate interest).
- To comply with Swedish tax and accounting law (legal basis: legal obligation).
04 How it is shared
We do not sell personal data. We do not share it for advertising. We share data with a small list of subprocessors who help operate the Service:
- Stripe Payments Europe Ltd — billing (Ireland).
- Amazon Web Services EMEA — primary infrastructure (Stockholm + Frankfurt).
- Daily.co — WebRTC infrastructure for video huddles (US, SCCs in place).
- Postmark (ActiveCampaign LLC) — transactional email (US, SCCs in place).
- Plausible Insights OÜ — cookie-free analytics for the marketing site (Estonia).
- Sentry GmbH — error tracking with EU data residency option (US, SCCs in place).
The current list is maintained at /subprocessors. We notify Enterprise customers at least 30 days before adding a new subprocessor.
05 Where it’s stored
Primary data is stored in AWS Stockholm (EU-North). Backups are replicated to AWS Frankfurt. Board content is stored encrypted at rest. Enterprise customers may request EU-only data residency with no backup outside Sweden.
06 Retention
- Account & billing data: for the life of your account and 7 years after closure (Swedish accounting law).
- Board content: until you delete it, or 30 days after workspace closure if you don’t export.
- Activity logs: 30 days in detailed form, indefinitely as monthly aggregates.
- Video huddle metadata: 30 days. Huddle audio/video itself is peer-to-peer and not retained.
- Support communications: 24 months.
07 Your rights
Under GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. You can exercise most of these from the workspace settings. To exercise any of them by other means, email dpo@chalkbloom.com — we respond within 30 days at no charge for the first request in any 12-month period.
You can also lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten / IMY) at imy.se.
08 Security
All data is encrypted in transit (TLS 1.3, modern cipher suites only) and at rest (AES-256-GCM). Production access is restricted to Astrid and Jonas, gated by hardware security keys, and logged. We follow the Swedish IT-Incidents incident notification scheme and would notify affected customers within 72 hours of becoming aware of a qualifying breach.
Security disclosures are welcomed at security@chalkbloom.com and our PGP key is at /.well-known/security.txt. We don’t run a paid bug bounty but we credit researchers.
09 Cookies
The dashboard uses a single first-party session cookie for authenticated sessions. We do not set advertising or third-party tracking cookies. Plausible Analytics is configured for cookie-less measurement.
10 DPO contact
Astrid Lindqvist acts as our Data Protection Officer. Reach her at dpo@chalkbloom.com or by post at the address in section 1.
We will post material changes to this Policy at least 30 days before they take effect, and email account holders. The current version is always at this URL.