Introduction
At PocketBoard (operated by PocketLab), we are committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.
Key Principle: We believe your data is yours. We collect only what's necessary to provide great service, we don't sell your data, and you have full control over your information.
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our services.
1. What Personal Information We Collect
We collect information you provide directly and information collected automatically when you use our platform.
Information You Provide Directly
- Account Registration: Name, email address, organisation name, phone number, job title
- Billing Information: Payment card details (processed securely via Stripe; we don't store full card details), billing address
- Profile Information: Organisation profile details, branding preferences, subscription tier selection
- Content: Posts, categories, tags, and any information you upload to your bulletin board
- Communications: Emails, support tickets, feedback, and survey responses
- Optional Information: Profile picture, biography, organisation website URL
Information Collected Automatically
- Device Information: Device type, operating system, browser type, IP address
- Usage Data: Pages visited, features used, posts created/viewed, time spent on platform, interaction patterns
- Cookies & Tracking: Session identifiers, authentication tokens, user preferences (see Cookies section)
- Location Data: General location derived from IP address (country, city level; not precise GPS)
Information from Third Parties
- Notion Integration: With your permission, we access your Notion workspace metadata to sync content
- Payment Provider: Stripe provides us with transaction confirmation and subscription status
- Analytics: Aggregated usage data from our analytics provider
2. How We Use Your Information
We use collected information for the following purposes:
Service Delivery & Operations
- Creating and maintaining your account
- Delivering bulletin board features and functionality
- Processing payments and managing subscriptions
- Providing customer support and responding to inquiries
- Syncing data from integrated services (e.g., Notion)
Communication
- Sending transactional emails (account confirmations, password resets, subscription updates)
- Sending marketing communications (with your consent; you can opt out at any time)
- Notifying you of policy changes, security updates, or service announcements
- Responding to your support requests
Analytics & Improvement
- Understanding how users interact with our platform
- Improving user experience and feature performance
- Identifying and fixing bugs or technical issues
- Developing new features based on user feedback and behaviour
Safety & Compliance
- Detecting and preventing fraud, abuse, or security threats
- Enforcing our Terms of Service and other agreements
- Complying with legal obligations and responding to lawful requests
- Protecting the rights, property, and safety of PocketBoard, our users, and the public
Aggregation & Research
- Creating anonymized, aggregated reports and insights for product development
- Conducting research on industry trends and user behaviour patterns
3. Information Disclosure & Sharing
We Do NOT Sell Your Data
We never sell, rent, lease, or trade your personal information to third parties for marketing purposes. This is a core commitment to your privacy.
We Share Information With
Service Providers
- Supabase: Cloud database and authentication services
- Stripe: Payment processing (with strict data use restrictions)
- Netlify: Website hosting and deployment
- SendGrid/Email Provider: Transactional and marketing email delivery
- Analytics Provider: Aggregated usage analytics
All service providers are contractually bound to use your data only for providing services to PocketBoard and must comply with data protection regulations.
Legal Requirements
We may disclose your information if required by law, court order, or government request (e.g., PDPA requests from Malaysian authorities, GDPR requests). When legally permitted, we will notify you of such disclosures.
Business Transfers
If PocketBoard is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before such transfer.
With Your Consent
We may share your information with other third parties if you explicitly consent, such as connecting additional integrations or allowing export of data.
4. Data Security & Protection
Security Measures We Implement
- Encryption: Data in transit is encrypted using TLS/SSL protocols. Sensitive data at rest is encrypted.
- Authentication: Secure authentication mechanisms including password hashing and optional multi-factor authentication (MFA)
- Access Controls: Role-based access control (RBAC) ensuring users access only their own data
- Regular Audits: Periodic security audits and penetration testing
- Secure Infrastructure: Hosted on Supabase and Netlify with SOC 2 Type II compliance
- Secrets Management: API keys and credentials managed securely, never exposed in code
What You Can Do
- Use a strong, unique password for your account
- Enable multi-factor authentication if available
- Never share your login credentials
- Log out of your account when using shared devices
- Report suspicious activity immediately to security@pocketboard.my
Limitations
While we implement comprehensive security measures, no system is completely immune to attacks. We cannot guarantee absolute security. If a breach occurs, we will notify affected users within 72 hours or as required by applicable law.
5. Data Retention
Retention Schedule
- Active Accounts: Data retained for the duration of your account + 30 days after deletion
- Deleted Accounts: Account data deleted within 90 days of account deletion request
- Content (Posts/Boards): Retained while your account is active; deleted upon account closure
- Backup Data: Retained for 90 days for disaster recovery purposes
- Logs & Analytics: Aggregated logs retained for 180 days; personal analytics deleted after 12 months
- Payment Records: Retained for 7 years for tax and legal compliance
Longer Retention
We may retain data longer if required by law, for litigation purposes, or to enforce our agreements.
6. Your Privacy Rights
General Rights
- Right to Know: Request what personal data we hold about you
- Right to Access: Obtain a copy of your data in a portable format
- Right to Correct: Update or correct inaccurate information
- Right to Delete: Request deletion of your data (subject to legal exceptions)
- Right to Opt-Out: Unsubscribe from marketing communications anytime
- Right to Restrict Processing: Limit how we use your data in certain circumstances
Malaysia (PDPA) Users
If you're in Malaysia, you have the right to request access, correction, or deletion of your personal data under the Personal Data Protection Act 2010. See the Contact section for submission instructions.
EU/EEA (GDPR) Users
If you're in the EU/EEA, you have additional rights, including data portability, withdrawal of consent, and the right to lodge a complaint with your local data protection authority. We will respond to GDPR requests within 30 days.
How to Exercise Your Rights
Submit written requests to privacy@pocketboard.my with:
- Your name and email address associated with your account
- A clear description of your request (e.g., "Request data export")
- Proof of identity (copy of ID or passport)
We will respond within 30 days. If your request requires more time, we will inform you and provide regular updates.
7. Third-Party Services & Links
External Links
Our website may contain links to third-party websites and services. We are not responsible for the privacy practices of external sites. Please review their privacy policies independently.
Integrated Services
- Notion: If you connect Notion, PocketBoard accesses specific workspace data per your authorization. Notion's privacy policy governs their handling of data.
- Stripe: Payment processing is handled by Stripe. See Stripe's Privacy Policy.
- Supabase: Your data is hosted on Supabase. See Supabase's Privacy Policy.
Social Media
If you connect social media accounts for WhatsApp or other integrations, we access only the permissions you grant. We do not share your social media data with third parties.
9. Children's Privacy
PocketBoard is not intended for children under 13 years old. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it immediately.
For users aged 13-18 (minors in some jurisdictions), parental consent may be required. Parents can contact us to verify, review, or delete their child's data.
If you believe we have collected information from a child under 13, please contact us immediately at privacy@pocketboard.my.
10. International Data Transfers
Where Your Data Is Stored
PocketBoard operates with servers located primarily in Malaysia and selected regions across Asia-Pacific. When you use our services, your data may be transferred to, stored in, and processed in these locations.
Standard Contractual Clauses
For international transfers, we rely on:
- Standard Contractual Clauses (SCCs) between PocketBoard and processors
- Data Processing Agreements ensuring compliance with GDPR and PDPA
- Supabase's infrastructure agreements for data residency
Your Consent
By using PocketBoard, you consent to the transfer of your data to the jurisdictions where we operate. If you do not consent, please do not use our service.
11. Contact Us & Submit Requests
Have questions about this Privacy Policy or want to exercise your privacy rights? Contact us:
PocketBoard (PocketLab)
Kuala Lumpur, Malaysia
We aim to respond to all inquiries and requests within 5-7 business days. For urgent security matters, we respond within 24 hours.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last Updated" date
- Sending an email notification to your registered email address
- Displaying a prominent notice on our website
Your continued use of PocketBoard after changes means you accept the updated Privacy Policy. For significant changes, we will ask for your explicit consent.
13. Final Note
We believe that transparency about data practices builds trust. This Privacy Policy reflects our commitment to respecting your privacy and protecting your data. If you have feedback or concerns, we welcome your input at privacy@pocketboard.my.
Document Version: 1.0 | Last Updated: October 24, 2025 | Effective Date: October 1, 2025