Privacy Policy
BoardScore is committed to protecting your personal information. This policy explains how we collect, use, and safeguard data in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
Effective date: 1 April 2026
1. Who we are
BoardScore Pty Ltd (ABN pending) ("BoardScore", "we", "us", "our") operates the BoardScore governance platform at boardscore.io. We are an Australian company and all data is processed and stored on Australian infrastructure.
2. Information we collect
We collect only the information necessary to provide and improve our services. The types of personal information we collect include:
- Account information: name, email address, and organisational role when you create an account or are invited by your organisation.
- Organisation information: organisation name and details provided during onboarding.
- Usage data: information about how you interact with the platform, including pages visited, features used, and session duration.
- Technical data: IP address (encrypted at rest), browser type, device information, and operating system.
- Support data: any information you provide when contacting our support team.
We do not collect sensitive information as defined under the Privacy Act unless it is directly relevant to the governance assessments you choose to conduct within the platform.
3. How we use your information
We use your personal information for the following purposes:
- Providing and operating the BoardScore platform and your organisation's account.
- Authenticating your identity and managing access permissions.
- Sending transactional communications such as account invitations, password resets, and service notifications.
- Improving the platform through aggregated, de-identified usage analytics.
- Responding to support enquiries and providing technical assistance.
- Complying with legal obligations and enforcing our terms of service.
We do not use your personal information for marketing purposes without your explicit consent. We do not sell or rent your personal information to third parties.
4. How we protect your information
We implement multiple layers of security to protect your data:
- Encryption at rest: personally identifiable information is encrypted with AES-256-GCM at the column level before storage, with unique initialisation vectors per value.
- Encryption in transit: all communications are encrypted via TLS with automatic certificate management.
- Tenant isolation: each organisation's data is stored in a dedicated database schema. There are no shared data tables between organisations.
- Access control: role-based access control with five distinct roles and capability-based permissions.
- Audit logging: all access and permission changes are logged with full attribution.
- Infrastructure: Australian-hosted, distroless container images, non-root execution, and pre-commit secret scanning.
For a detailed description of our security architecture, please visit our Security page.
5. Third-party services
We use a limited number of third-party services to operate the platform. Each is selected for its security posture and compliance practices:
- Kinde: identity provider for authentication. Kinde processes your email address and authentication credentials. We do not store passwords.
- Stripe: payment processor for subscription billing. Stripe processes your payment details directly — we do not store credit card numbers or bank account details.
- Cloud hosting: infrastructure hosted within Australian data centres.
- OpenTelemetry-compatible observability: for application monitoring and error tracking. Logs containing personal information are encrypted.
We do not share your personal information with third parties for their own marketing or advertising purposes.
6. Data retention
We retain your personal information only for as long as necessary to fulfil the purposes described in this policy:
- Active account data is retained for the duration of your organisation's subscription.
- Upon account termination, personal information is deleted within 90 days, except where retention is required by law.
- Audit logs are retained for a minimum of 7 years to support compliance and regulatory requirements.
- Aggregated, de-identified analytics data may be retained indefinitely as it cannot be linked to individuals.
7. Your rights
Under the Australian Privacy Principles, you have the following rights:
- Access: you may request a copy of the personal information we hold about you.
- Correction: you may request correction of inaccurate or outdated information.
- Complaint: you may lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.
- Erasure: you may request deletion of your personal information, subject to our legal retention obligations.
To exercise any of these rights, contact us at privacy@boardscore.io. We will respond to all requests within 30 days.
8. Cookies and tracking
BoardScore uses only essential cookies required for platform functionality, such as session management and authentication state. We do not use third-party advertising cookies or cross-site tracking technologies.
If we introduce optional analytics cookies in the future, we will update this policy and seek your consent before setting them.
9. International data transfers
BoardScore is Australian-built and Australian-hosted. Your data is processed and stored entirely within Australian infrastructure. We do not transfer personal information to overseas recipients except where a third-party service provider (such as our identity or payment provider) may process limited data in accordance with their own privacy policies and applicable data protection laws.
10. Children's privacy
BoardScore is a business-to-business platform designed for corporate governance professionals. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected information from a minor, we will take steps to delete it promptly.
11. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices or legal obligations. We will notify you of material changes by posting a notice on the platform or sending an email to your registered address. The effective date at the top of this page indicates when the policy was last revised.
12. Contact us
If you have any questions, concerns, or requests regarding this privacy policy or our handling of your personal information, please contact us:
- Email: privacy@boardscore.io
- Entity: BoardScore Pty Ltd
- Location: Australia
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.