This notice explains what personal data Kagama Kanban (operated by Kagama GmbH, Frankfurt am Main, Germany) collects when you use our service, why we collect it, and what rights you have. We've kept it short and skimmable on purpose.
What we collect
We collect only the data we need to run the product:
- Account data — your name, email, username, password (Argon2id-hashed), workspace memberships, and avatar choice.
- Workspace content — the boards, cards, comments, and attachments you create. We don't read it.
- Billing data — handled by Stripe. We see your plan, seat count, invoice history, and the last 4 digits of your card. We never see full card numbers.
- Aggregated usage analytics — anonymous metrics like "X% of workspaces use the Calendar view this week." No per-user tracking, no third-party analytics SDKs.
- Operational logs — IP, timestamp, and request path on auth events for security forensics. Retained 30 days.
Why we collect it
- To authenticate you and authorise access to your workspaces.
- To bill paid plans and let you download invoices.
- To improve the product based on aggregate usage patterns — never on individuals.
- To meet our legal obligations (tax records, abuse investigations).
Where it's stored
All customer data — Postgres database and S3 attachments — lives in AWS Frankfurt (eu-central-1). Backups stay in the same region. Stripe processes payment data on its own infrastructure (EU + US, GDPR-adequate).
Subprocessors
The full list, kept up to date, is on our Security page. We notify workspace admins by email at least 30 days before adding a new subprocessor that processes customer content.
How long we keep it
- Account & workspace data — until you ask us to delete it. After deletion, we purge within 30 days from production and 90 days from backups.
- Billing records — 10 years, as required by German tax law.
- Operational logs — 30 days, then auto-purged.
Your rights under GDPR
If you're in the EU/EEA (and we extend the same to everyone), you have the right to:
- Access a copy of the data we hold about you — request via Settings → Privacy.
- Correct inaccurate data — most fields are editable in your profile.
- Delete your account and all associated data — via Settings → Danger zone.
- Port your data — export your workspaces as JSON or CSV anytime.
- Object to processing or withdraw consent for marketing emails.
You can lodge a complaint with the Hessian Commissioner for Data Protection (HBDI) if you believe we're handling your data unlawfully.
Cookies
We use only essential cookies — a session token and a CSRF token. No marketing cookies, no third-party trackers, no consent banner needed. If we ever add anything beyond essential cookies, we'll ask you first.
Contact
Questions about your data? Email our DPO at privacy@kagama.io. We respond within 5 business days; complex requests within 30 days as per Art. 12 GDPR.
Kagama GmbH · Mainzer Landstraße 50, 60325 Frankfurt am Main, Germany · HRB 124857 · VAT DE349721834