Privacy Policy
Last updated: 22 June 2026
This Privacy Policy explains how Boardrooms to Backroads Consulting LLC (“B2BC”, “we”, “us” or “our”) collects, uses, discloses and protects personal information in connection with TrailTrack, our project-management software-as-a-service application available at app.boardroomstobackroads.com, together with any related websites, applications and services (collectively, “the Service”). It also describes the rights and choices available to individuals whose personal information we process.
In this Policy, a “Customer” is the organization or individual that subscribes to or otherwise enters into an agreement to use the Service; a “User” is any individual authorized to access the Service under a Customer’s account, including administrators and invited members; a “Workspace” is the tenant environment within the Service that belongs to a Customer; “Content” means the data, files and materials that a Customer or its Users create, upload or submit through the Service (such as tasks, documents, comments, files, timesheets and expenses); and “Personal Data” means any information relating to an identified or identifiable natural person. A “Subprocessor” is a third party we engage to process Personal Data on our behalf in order to provide the Service.
1. Introduction & Scope; Controller vs. Processor
B2BC provides the Service to organizations and the individuals they authorize. Our role under data-protection law depends on the type of data involved, and it is important to distinguish between the two roles we may play.
- Where B2BC acts as a controller. For Personal Data we collect and use for our own purposes — such as account and identity information, billing and transaction data, marketing and communications data, and information about how the Service is used and secured — B2BC determines the purposes and means of processing and acts as the “controller” (or “business” under US state law). This Policy governs that processing.
- Where B2BC acts as a processor. For Content that a Customer and its Users put into a Workspace, B2BC acts as a “processor” (or “service provider”) and processes that Content on the Customer’s behalf and on the Customer’s documented instructions. In that case the Customer is the controller and is responsible for the lawfulness of the Content and for responding to data-subject requests relating to it. Our processing of Content is governed by our Data Processing Addendum (“DPA”), which supplements this Policy. If you are a User and have questions about how your employer or another Customer uses the Service, please contact that organization directly, as it controls that Content.
This Policy applies to the Service and to our public marketing pages. It does not apply to third-party websites, products or services that we do not control, even where they link to or integrate with the Service.
2. Information We Collect
We collect the following categories of information, with examples. Not every category applies to every individual, and some data is provided only if a Customer or User chooses to use a particular feature.
- Account & identity data. Your name, email address and profile avatar; optional profile details such as job title, social links and a “book a call” link; and the Workspace and role associated with your account.
- Authentication & security data. Information used to sign you in and protect your account, including magic-link email authentication, Google or Microsoft single sign-on (OAuth) identifiers, optional time-based one-time-password (TOTP) two-factor authentication secrets, and optional passkeys. We do not receive or store your passwords for Google or Microsoft.
- Workspace & Content data. The Content you create or upload, such as tasks, projects, documents, comments, files and attachments, timesheets and expense records. As described in Section 1, we generally process Content as a processor on the Customer’s behalf.
- Billing & transaction data. Subscription plan, billing contact details and transaction history. Payments are processed by our payment processor, Stripe. B2BC does not collect or store full payment-card numbers; Stripe handles card data directly under its own terms and privacy notice.
- Usage, log & device data. Information generated automatically when you use the Service, such as IP address, browser and device type, operating system, pages and features accessed, actions taken, timestamps, referring pages, and diagnostic and performance data.
- Cookies & similar technologies. Essential cookies required to operate the Service and preference cookies that remember your choices. See Section 6 and our Cookie Policy.
- Support & feedback data. Information you provide when you contact us for support, submit feedback or feature requests, report a problem, or otherwise communicate with us.
3. How We Collect Information
We collect information in three main ways.
- Directly from you. When you create or configure an account, set up a Workspace, enter Content, subscribe to a paid plan, contact support, or otherwise interact with the Service.
- Automatically. Through cookies, server logs and similar technologies that record usage, log and device data when you access the Service, as described in Sections 2 and 6.
- From third parties. From identity and OAuth providers (such as Google and Microsoft) when you choose to sign in or connect an account, from our payment processor in connection with billing, and from integrations you or your Customer choose to enable. We receive only the data those providers share based on your authorization and their settings.
4. How We Use Information
We use Personal Data for the following purposes:
- to provide, operate, maintain and secure the Service;
- to authenticate Users, manage Workspaces and access permissions, and enable account features such as two-factor authentication and passkeys;
- to process subscriptions, payments, invoices and related transactions;
- to provide customer support, respond to inquiries, and manage feedback and problem reports;
- to monitor, troubleshoot and improve the Service, including analyzing usage and performance and developing new features;
- to detect, investigate and prevent fraud, abuse, security incidents and other harmful or unlawful activity;
- to send administrative, transactional and service-related communications (for example, security alerts, changes to terms, and billing notices);
- to send marketing communications where permitted, from which you may opt out at any time;
- to comply with legal obligations and enforce our agreements and policies.
Where we process Content as a processor, we use it only to provide and support the Service in accordance with the Customer’s instructions and our Data Processing Addendum.
5. Legal Bases for Processing (GDPR)
Where the EU or UK General Data Protection Regulation applies and B2BC is a controller, we rely on the following legal bases:
- Performance of a contract. To provide the Service to you or to take steps at your request before entering into a contract (for example, creating and maintaining your account and processing payments).
- Legitimate interests. To operate, secure and improve the Service, prevent fraud and abuse, and conduct limited marketing of our own similar products, provided those interests are not overridden by your rights and freedoms.
- Consent. Where required, for example for non-essential cookies and certain marketing communications. You may withdraw consent at any time without affecting prior processing.
- Legal obligation. To comply with applicable laws, regulations and lawful requests (for example, tax, accounting and record-keeping requirements).
Where B2BC processes Content as a processor, the relevant Customer is responsible for establishing a legal basis for that processing.
6. Cookies & Similar Technologies
We use essential cookies that are necessary to operate the Service (for example, to keep you signed in and to secure sessions) and preference cookies that remember your settings. We do not use the Service to serve third-party advertising. You can manage non-essential cookies through the controls we provide and through your browser settings. For full details, including the specific cookies we use and their purposes and durations, please see our Cookie Policy.
7. AI Features (Bring-Your-Own-Key)
The Service offers optional artificial-intelligence features that operate on a “bring-your-own-key” (“BYOK”) basis. These features are off unless a Customer enables them and supplies its own API key for a third-party AI provider (such as Anthropic, OpenAI, Google, xAI or Mistral). When an AI feature is used, the prompts and the relevant Content may be transmitted to the Customer’s chosen AI provider, under the Customer’s own key and subject to that provider’s terms and privacy practices. B2BC does not use Customer Content to train AI models. The Customer is responsible for its choice of AI provider and for the Content it submits to that provider. For more detail, see our AI Features & BYOK Disclosure.
8. How We Share Information; Recipients & Subprocessors
We do not sell your Personal Data. We share Personal Data only as described below and as needed to provide the Service.
- Subprocessors. We engage trusted service providers to process Personal Data on our behalf, under contractual obligations to protect it and to use it only to provide services to us. Our core Subprocessors are: Supabase (database, authentication and storage); Vercel (application hosting and content delivery); Stripe (payment processing); and Resend (transactional email). A current list is available at our Subprocessors page.
- AI providers (only if enabled). If a Customer enables BYOK AI features, prompts and Content may be sent to the Customer’s chosen AI provider under the Customer’s own key, as described in Section 7.
- Integrations you connect (only if enabled). User-connected integrations (such as Google, Microsoft and Slack) receive or exchange data only when a Customer or User chooses to connect them, as described in Section 9.
- Within your organization. Content and certain account data are visible to other Users and administrators in the same Workspace according to the permissions configured by the Customer.
- Legal, safety & compliance. We may disclose information where required to comply with law, regulation, legal process or enforceable governmental request, or to protect the rights, property or safety of B2BC, our Customers or others.
- Business transfers. In connection with a merger, acquisition, financing, reorganization or sale of assets, information may be transferred as part of that transaction, subject to this Policy or a successor policy.
9. Integrations You Connect
The Service lets Customers and Users connect third-party integrations, such as calendar, identity, messaging and other tools (for example, Google, Microsoft and Slack). When you authorize an integration, you permit the exchange of data between the Service and that third party as needed to provide the integration’s functionality. The third party’s use of your data is governed by its own terms and privacy notice, not by this Policy. You can disconnect an integration at any time through the Service’s settings, although data already shared may remain with the third party.
10. International Data Transfers
We and our Subprocessors may process and store Personal Data in countries other than the one in which you are located, including the United States. Those countries may have data-protection laws that differ from those in your country. Where we transfer Personal Data from the European Economic Area, the United Kingdom or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), together with supplementary measures as needed. You may request more information about these safeguards using the contact details in Section 18.
The Service is operated from the United States and is available to users around the world. Wherever you are located, we seek to handle Personal Data in accordance with this Policy and with the data-protection laws that apply to you — including, where applicable, the EU and UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, Canada’s PIPEDA, Brazil’s LGPD, Australia’s Privacy Act, and other national, state, or provincial privacy laws. If you are located outside the United States, you may still exercise the rights described in this Policy by contacting us using the details in Section 18, and we will respond as required by the laws applicable to you.
11. Data Retention
We retain Personal Data for as long as needed to provide the Service and for the purposes described in this Policy, and thereafter as required to comply with our legal obligations, resolve disputes and enforce our agreements. Retention periods vary by data type and context; for example, billing records may be kept longer to meet tax and accounting requirements. Content is generally retained for the life of the Customer’s account and deleted or returned in accordance with our Data Processing Addendum after termination. When Personal Data is no longer needed, we delete or de-identify it in a manner consistent with applicable law.
12. Data Security
We maintain administrative, technical and organizational measures designed to protect Personal Data against unauthorized access, disclosure, alteration and destruction, including encryption in transit, access controls, optional two-factor authentication and passkeys, and private storage with signed access where appropriate. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. For more detail on our security program, see our Security Overview.
13. Your Rights (GDPR) & How to Exercise Them
Subject to applicable law, individuals in the EEA, the UK and similar jurisdictions have the following rights regarding their Personal Data:
- the right to access your Personal Data;
- the right to rectification of inaccurate or incomplete data;
- the right to erasure (the “right to be forgotten”);
- the right to restrict processing;
- the right to data portability;
- the right to object to certain processing, including direct marketing;
- the right to withdraw consent where processing is based on consent;
- the right to lodge a complaint with a supervisory authority.
Customers and Users can export and delete much of their data self-service through Settings → Privacy & data in the Service. You may also exercise your rights by contacting us at dpo@boardroomstobackroads.com. Where we process Content as a processor, we will refer your request to the relevant Customer or assist that Customer in responding. We may need to verify your identity before acting on a request, and we will respond within the timeframes required by law.
14. US State Privacy Rights (CCPA/CPRA and Similar Laws)
If you are a resident of California or another US state with a comprehensive privacy law, you may have the following rights, subject to exceptions and verification:
- the right to know what Personal Data we collect, use and disclose;
- the right to delete Personal Data we have collected from you;
- the right to correct inaccurate Personal Data;
- the right to opt out of the “sale” or “sharing” of Personal Data and of targeted advertising;
- the right not to be discriminated against for exercising your rights.
We do not sell your Personal Data, and we do not “share” it for cross-context behavioral advertising as those terms are defined under applicable US state laws. Because we do not sell or share Personal Data, no “do not sell or share” opt-out is necessary; however, you may still contact us to exercise your other rights. To submit a request, email dpo@boardroomstobackroads.com. You may use an authorized agent to submit a request on your behalf where permitted by law. Where we act as a service provider on a Customer’s behalf, we will direct your request to that Customer.
15. Children’s Privacy
The Service is intended for business use and is not directed to children. It is not intended for, and we do not knowingly collect Personal Data from, anyone under the age of 16. If you believe a child under 16 has provided us with Personal Data, please contact us at privacy@boardroomstobackroads.com and we will take appropriate steps to delete it.
16. Third-Party Links & Services
The Service may contain links to, or integrate with, third-party websites, products and services that we do not own or control. This Policy does not apply to those third parties, and we are not responsible for their content or privacy practices. We encourage you to review the privacy notices of any third-party services you access or connect.
17. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice (for example, by email or an in-product notice). Your continued use of the Service after an update takes effect constitutes acceptance of the revised Policy, where permitted by law.
18. How to Contact Us; Complaints
For general privacy questions, contact us at privacy@boardroomstobackroads.com. For data-protection requests and to reach our data protection contact, email dpo@boardroomstobackroads.com. You may also write to us at 5900 Balcones Drive, STE 100, Austin, Texas 78731. If you are in the EEA, the UK or Switzerland, you may contact our representative at [EU/UK representative].
If you believe our processing of your Personal Data infringes applicable law, you have the right to lodge a complaint with your local supervisory authority. Our lead supervisory authority is [Lead supervisory authority]. We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority, so we encourage you to contact us first.
