Policy Owner: Information Security Officer (acting)
Contact: privacy@onboardjs.com
DPO: To be appointed upon formal company incorporation
Last Updated: November 26, 2025

1. Introduction

This Privacy Policy describes how OnboardJS ("we", "our", or "us") collects, uses, and protects information when you use our website, APIs, and analytics SaaS platform (collectively, the "Service").

OnboardJS consists of:

• An open‑source MIT‑licensed library (OnboardJS) that runs client‑side and does not itself store personal data; and
• A cloud analytics platform ("OnboardJS Cloud") that processes event and product adoption data on behalf of customers.

This Policy applies solely to the hosted analytics Service and not to your local usage of the open‑source library. By accessing or using the Service, you agree to this Policy.

2. Definitions

• Account: A unique registration enabling access to the OnboardJS dashboard or API.
• Service Provider: A third‑party entity engaged to assist in operating or delivering the Service.
• Device: Any internet‑connected device such as a computer, tablet, or smartphone.
• Personal Data: Any information relating to an identified or identifiable person (as defined by applicable privacy laws).
• Usage Data: Information collected automatically about how the Service is accessed and used.
• Cookies: Small text files stored in your browser that help maintain sessions and preferences.

3. Information We Collect

3.1 Account Information

When you register, we collect basic contact and authentication details:

• Name or alias
• Email address
• Workspace or organization name (optional)

Authentication is processed via WorkOS and secured through standard OAuth 2.0 flows. No plaintext credentials are stored by OnboardJS.

3.2 Service and Usage Data

We collect activity data strictly related to analytics and system performance, including:

• Application identifiers and event metadata generated via your OnboardJS integration
• Timestamped usage events and workspace identifiers
• Browser and device type, and IP‑derived regional data (city/country level)

3.3 Technical Logs

Logs may include API request metadata, performance metrics, and system events. They are used for debugging, security auditing, and reliability improvement.

3.4 Cookies and Local Storage

Essential cookies maintain secure login sessions. Analytics and non‑essential cookies are optional and may be disabled via browser settings.

4. How We Use Information

We process information to:

• Provide and operate the OnboardJS Service
• Authenticate and authorize registered accounts
• Generate anonymized reports and insights for customers
• Improve performance and prevent abuse
• Communicate important updates and security notifications

We do not sell personal information or use it for unrelated marketing.

5. Data Processing and Storage

• All production data is hosted with Amazon Web Services (AWS) in the eu‑central‑1 (Frankfurt) region.
• Search and event indexing are handled through our managed AWS OpenSearch cluster in the same region.
• Authentication and identity management are provided by WorkOS, which acts as a sub‑processor.

All data is encrypted in transit (TLS 1.2+) and at rest (AES‑256). Access to databases and logs is restricted to authorized personnel.

6. Data Retention

We retain account and usage data as long as your account remains active. Upon account deletion or written request, personal information is removed or anonymized within 30 days unless longer retention is legally required. Aggregated metrics and non‑identifiable analytics may be retained for product improvement.

To request deletion, contact privacy@onboardjs.com with the subject line:

"Data Deletion Request – [Your Workspace Name]"

7. Your Rights

Depending on your jurisdiction (e.g., EU or UK), you have the right to:

• Access a copy of data we hold about you
• Request correction of inaccurate or incomplete data
• Request erasure ("right to be forgotten")
• Restrict or object to processing under lawful grounds
• Request data portability

To exercise any of these rights, contact privacy@onboardjs.com. Verification may be required before fulfillment.

8. Sub‑Processors

We use limited sub‑processors to deliver our Service:

All vendors comply with confidentiality, access control, and data‑protection obligations consistent with GDPR standards.

9. International Data Transfers

All primary processing occurs within the European Union (eu‑central‑1). If limited processing occurs outside the EEA (e.g., WorkOS identity routing through the U.S.), we ensure protection via standard contractual clauses or equivalent safeguards until OnboardJS formalizes participation in EU‑U.S. adequacy frameworks.

10. Security Measures

We employ:

• End‑to‑end encryption for data in transit and at rest
• Role‑based and least‑privilege access control
• Regular patching and vulnerability monitoring
• Encrypted backups
• Continuous intrusion‑detection monitoring through AWS services

No online service is completely secure, but these controls are designed to minimize risk.

11. Business Transitions

If OnboardJS (or its assets) is ever merged, acquired, or transferred, user data may be included as part of that transaction, provided the successor honors this Privacy Policy or provides equivalent protection. You will be notified prior to such change where feasible.

12. Children’s Privacy

Our Service targets professional and developer audiences and is not intended for individuals under 16 years of age. We do not knowingly collect or store personal data from minors. Requests for removal of such data can be sent to privacy@onboardjs.com.

13. Policy Updates

We may revise this Privacy Policy periodically. Material changes will be announced through email or in‑app notifications at least 30 days before they take effect. The "Last Updated" date at the top of this document reflects the latest revision.

14. Contact Information

Privacy Questions or Data Requests:
privacy@onboardjs.com

General Inquiries:
support@onboardjs.com

Website: https://onboardjs.com