Privacy Policy

This Privacy Policy explains what data Kabana ("we", "us") collects, what we do with it, and how you can access or delete it. By creating a Kabana account you agree to this policy. If you do not, do not use the Service.

1. Who we are

The data controller is the Kabana team. The product is a SaaS kanban for software teams. The Service is described in our Terms of Service.

2. What we collect

Account data

• Email address (required, used to sign in).
• Display name (optional).
• Bcrypt-hashed password if you sign up via email + password. We never store the plain password.
• Account creation timestamp.

Workspace data you create

• Boards, columns, cards, checklist items, tags, dependencies, messages.
• Card priorities, due dates, time estimates, board briefs.
• Agent run state (which provider was used, which branch was opened, which PR URL came back, error messages from agent runs).
• Activity events streamed by your CLI (tool calls, results) so the kanban can show a live and replayable run timeline.

Billing data

• Stripe customer ID, subscription ID, status, and current period end date.
• Webhook events from Stripe (deduplicated).
• We do not store credit card details. Stripe handles the card.

Integrations you connect

• If you connect GitHub via OAuth, we store the OAuth access token, the GitHub account ID and login, and the granted scopes. We use them to list your repos, create pull requests on cards you mark as approved, merge them, and delete the merged branch.

API tokens and device codes

• For each token you create at /settings/tokens we store a bcrypt hash of the token, a short prefix for fast lookup, the creation and last-used timestamps, and an optional revocation timestamp. We never store the plain token after the moment it is shown to you on creation.
• Device-code login flows store a short-lived opaque code for about 5 minutes and delete it on use.

What we do NOT collect

• Your source code. The agent runs on your machine via the kabana CLI and we never receive a copy of the repo.
• Your AI provider API keys. The CLI calls Anthropic / OpenAI / similar directly from your machine.
• Files outside Kabana (we do not scan your disk, your editor, your shell, or any browser tab other than the Kabana web UI).

3. Why we collect it (legal bases)

• Contract: account, workspace, integration, billing data are all needed to provide the Service you signed up for.
• Legitimate interest: hashed tokens, audit timestamps, webhook dedup state, error logs that help us keep the Service working.
• Legal obligation: minimum tax and accounting records associated with billing, which we retain as required by law.

4. Sharing and processors

We use a small list of subprocessors to run the Service:

• Stripe for payment processing. Stripe receives your email and the charge details when you subscribe.
• The hosting provider running the Kabana app and database. They process all data we store, on our behalf.
• GitHub if you connect it. GitHub receives the OAuth requests you authorize.

We do not sell personal data, and we do not use your workspace data to train models.

5. International transfers

Our hosting provider and Stripe operate internationally, including in the United States. By using the Service you consent to your data being transferred to and processed in those locations under standard contractual clauses where applicable.

6. Retention

• Workspace data is kept for the lifetime of your account and deleted when you delete the account.
• Billing records are retained as required for tax and accounting (typically 5 to 7 years depending on jurisdiction) even after account deletion.
• Hashed tokens and device codes are deleted promptly on revoke or expiry.

7. Your rights

You have the right to:

• Access the data we hold about you. Use the export button in account settings to download your workspace as JSON, or write to support.
• Correct inaccurate data by editing it in the Service.
• Delete your account and all associated data using the delete button in account settings. Some billing records may be retained as required by law (see retention).
• Object or restrict processing. Reach out and we will work with you to honor it.
• Lodge a complaint with your local data protection authority if you believe we have mishandled your data.

8. Security

We use bcrypt for password and token hashing, JWT-strategy session cookies with the HttpOnly flag, TLS in transit, multi-tenant isolation enforced at the database query layer, and per-route ownership checks on every mutation. The agent runs on your machine, so your code never traverses our servers. We do our best, but no system is perfectly secure.

9. Children

Kabana is not directed at children under 16 and we do not knowingly collect data from them.

10. Changes

We may update this policy. The "Last updated" date above reflects the latest change. Material changes will be announced in the changelog. Continued use after a change is acceptance of the updated policy.

11. Contact

For privacy questions, data access requests, or anything else: write to the support email listed in your account settings, or to the address on our public site.