Privacy Policy

Last Updated: October 2, 2025

ScrumKit is an open-source platform for scrum ceremony tools including retrospectives, planning poker, daily standups, and team health checks. This Privacy Policy explains how information is collected, used, and protected when you use ScrumKit.

Important: ScrumKit is designed to be self-hosted, meaning you can deploy it on your own infrastructure. When self-hosting, you have full control over your data and are responsible for your own privacy and security practices.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address (required for account creation and authentication)
  • Full name (optional, for display purposes)
  • Password (encrypted and stored securely)
  • OAuth provider data (if you sign in with Google or GitHub)

Usage Data

When you use ScrumKit, we may collect:

  • Retrospective board data (cards, votes, action items)
  • Planning poker session data (estimates, stories)
  • Team and organization information
  • Session information and authentication tokens

Cookies and Tracking

We use cookies and similar technologies for:

  • Authentication and session management
  • Remembering your preferences
  • Analytics (when enabled by the instance administrator)

2. How We Use Information

We use the information we collect to:

  • Provide the Service: Enable retrospectives, planning poker sessions, and other scrum ceremony tools
  • Maintain Security: Protect your account and prevent unauthorized access
  • Communicate: Send important updates about your account or sessions (if email notifications are enabled)
  • Improve the Platform: Analyze usage patterns to enhance features and user experience
  • Enable Collaboration: Allow team members to work together in real time

3. Data Storage & Security

Storage Infrastructure

ScrumKit uses Supabase (built on PostgreSQL) for data storage. When self-hosting:

  • You control where your data is stored (your own infrastructure or cloud provider)
  • You are responsible for database backups and disaster recovery
  • You determine data retention policies

Security Measures

ScrumKit implements several security measures:

  • Passwords are hashed and encrypted using industry-standard algorithms
  • Row Level Security (RLS) policies ensure users can only access their own data
  • HTTPS encryption for data in transit (when properly configured)
  • OAuth 2.0 for secure third-party authentication

Data Retention

When self-hosting, you control data retention policies. We recommend implementing regular backups and establishing clear data retention guidelines for your organization.

4. Your Rights (GDPR & CCPA Compliance)

You have the following rights regarding your personal data:

  • Right to Access: You can view and export your account information and activity data
  • Right to Rectification: You can update or correct your personal information through your profile settings
  • Right to Erasure: You can request deletion of your account and associated data
  • Right to Data Portability: You can export your data in a machine-readable format
  • Right to Object: You can object to processing of your personal data for certain purposes
  • Right to Withdraw Consent: You can withdraw consent for data processing at any time

When self-hosting, the instance administrator is responsible for honoring these rights. For hosted instances, contact your administrator to exercise these rights.

5. Third-Party Services

ScrumKit integrates with the following third-party services:

Supabase

Used for database, authentication, and real-time functionality. When self-hosting, you can use your own Supabase instance or a managed Supabase service.

  • Privacy Policy: https://supabase.com/privacy
  • Security: https://supabase.com/security

OAuth Providers

When you sign in with Google or GitHub, those providers may collect data according to their privacy policies:

  • Google OAuth: Google Privacy Policy
  • GitHub OAuth: GitHub Privacy Statement

Analytics (Optional)

Instance administrators may optionally enable analytics services (such as Vercel Analytics). When enabled, these services collect anonymized usage data to help improve the platform. Check with your instance administrator about what analytics are enabled.

6. Cookie Policy

ScrumKit uses the following types of cookies:

  • Essential Cookies: Required for authentication and basic functionality (cannot be disabled)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Track usage patterns (optional, can be disabled by instance administrator)

You can control cookies through your browser settings, but disabling essential cookies may prevent you from using certain features of ScrumKit.

7. Data Sharing and Disclosure

ScrumKit does not sell or rent your personal information. We only share data in the following circumstances:

  • Within Your Team: Data you create in retrospectives and planning poker sessions is shared with your team members
  • Service Providers: Third-party services that help operate the platform (Supabase, OAuth providers)
  • Legal Requirements: If required by law, court order, or government regulation
  • Business Transfers: In the event of a merger, acquisition, or sale of assets (for hosted services)

When self-hosting, you control all data sharing decisions for your instance.

8. International Data Transfers

When self-hosting, you choose where your data is stored and processed. For hosted instances, data may be transferred to and processed in countries other than your own. These countries may have different data protection laws. We ensure appropriate safeguards are in place for international transfers in accordance with GDPR and other applicable regulations.

9. Children's Privacy

ScrumKit is intended for professional use and is not designed for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact the instance administrator.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When self-hosting, you can customize this policy to meet your organization's specific needs and requirements.

We will notify users of any material changes by updating the "Last Updated" date at the top of this policy. Continued use of ScrumKit after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy or how your data is handled:

  • For Self-Hosted Instances: Contact your instance administrator
  • For ScrumKit Project: Open an issue on GitHub
  • Email: Create an issue for privacy-related concerns on our repository

Open Source Notice

ScrumKit is open-source software released under the MIT License. The source code is available on GitHub. When you self-host ScrumKit, you have complete control over your data and privacy practices. This Privacy Policy serves as a template and guideline, but you should customize it to reflect your specific implementation and jurisdiction requirements.