Privacy Policy

Last Updated: June 2026

At boardofthoughts.com, we respect your privacy and are committed to maintaining a minimal data collection footprint. Omni Flow Limited("we", "us", or "our"), operating as the primary Data Controller, builds and deploys this Service in compliance with the United Kingdom General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and the European Union General Data Protection Regulation (EU GDPR).

Because our application architecture intentionally bypasses the creation of user accounts, profiles, email lists, or dashboard panels, we do not collect typical demographic or behavioral data. This Privacy Policy details exactly what limited data points are captured, processed, and secured when you interact with our public digital wall.

1. Data Categories We Process & Capture Mechanism

We process data directly from your interactions and through automated API sequences:

User-Generated Payload Content: The text string (up to 280 characters) that you willingly input into the form. Important: Because the fundamental purpose of this Service is to display content on a public live wall, any personal identifying data, social media handles, or contact information that you voluntarily choose to type into the submission box will become instantly visible to the global public. Do not type information you wish to keep private.
Automated Infrastructure Metadata & Technical Logs: When you load the Website, our hosting providers (Vercel) and database synchronization layers (Supabase) automatically log your IP address, browser client type, operating system version, and precise timestamps of request sequences. These logs are mandatory to maintain technical integrity, identify malicious network spikes (DDoS), and prevent script-bot abuse.
Financial Compliance & Transactional Data: Omni Flow Limited does not ingest, view, or store raw credit card numbers, CVV codes, or banking credentials on our local servers. All payment processing is handled externally and securely by our PCI-DSS compliant partner, Stripe Inc. When a payment is successfully processed, Stripe returns restricted metadata to our system backend, which includes a unique Stripe Session ID, payment status, country code of the card issuer, and the text payload linked to that payment session.

2. Legal Bases for Data Processing Under GDPR

Pursuant to Article 6 of the GDPR, we process your limited personal data under the following legal frameworks:

Performance of a Contract (Article 6(1)(b) GDPR): Processing your payment credentials via Stripe and storing your text payload in our database is fundamentally necessary to fulfill our contractual obligation to deliver the service you paid for — specifically, publishing your Thought on the digital Wall.
Legitimate Interests (Article 6(1)(f) GDPR): Capturing network metadata and tracking IP connection sequences is required to secure our digital asset, prevent fraud, block spam scripts, and maintain the stable runtime of the Supabase and Vercel infrastructure.
Legal Obligations (Article 6(1)(c) GDPR):We retain precise financial transaction references linked to Stripe IDs to comply with standard corporate accounting, tax recording, and anti-money laundering (AML) laws enforced by His Majesty's Revenue and Customs (HMRC) in the United Kingdom.

3. Data Retention Windows & Structural Erasure

3.1 Public Content: Because the core artistic premise of the Service is the construction of a permanent digital archive, your published text payload is stored in our active database and displayed on the public Wall indefinitely for the operational lifecycle of the website project, or until it is suppressed via the Content Policy protocols outlined in our Terms.

3.2 Infrastructure Logs: Technical connection data, server request logs, and raw IP addresses used during the form submission are stored securely inside our infrastructure access logs for a maximum period of 90 (ninety) days, after which they are automatically deleted or completely anonymized.

4. Third-Party Infrastructure Processors & International Transfers

To operate a modern, high-speed, serverless architecture, we share your limited transaction data with three core data processors. These processors operate under strict Data Processing Addendums (DPAs) and comply with global privacy standards:

Vercel Inc. (San Francisco, USA / Global Edge Networks): Handles the routing, hosting, and global loading optimization of the front-end interface.
Supabase Inc. (Singapore / USA / Global Cloud Infrastructure): Hosts the secure cloud PostgreSQL database, executing the data architecture and live WebSockets.
Stripe Inc. (San Francisco, USA / Global Financial Infrastructure): Manages the secure collection, processing, encryption, and compliance of the €10.00 EUR fees.

Where data routing or storage requires cross-border transfers outside the United Kingdom or the European Economic Area (EEA), such transfers are fully protected and legitimized by the execution of approved Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).

5. Data Subject Rights & Verification Mandate

Under the UK/EU GDPR, you possess statutory rights, including the Right to Access the data we store about you and the Right to Erasure ("Right to be Forgotten").

If you have inadvertently typed sensitive private data (such as an email, real full name, or tracking link) into a published Thought and wish to have it permanently erased from the public domain, you must email your request to contact@boardofthoughts.com. Because we do not use accounts, you must explicitly verify your identity by providing the matching financial data points: your original checkout email address used on Stripe and your official Stripe Receipt ID. If ownership is mathematically verified against our secure database records, we will delete or fully redact the personal identifying information within 30 days.

Note: Data erasure requests executed under privacy laws do not entitle the user to a refund of the executed €10.00 EUR transaction fee.

6. Total Rejection of Tracking Cookies

boardofthoughts.com does not utilize marketing tracking cookies, behavioral pixel scripts, Google Analytics tracking IDs, or cross-site advertising identifiers. Our platform is built to be a clean, non-invasive digital ecosystem. Our payment processor, Stripe, may deploy essential, strictly functional security cookies within the checkout iframe to authenticate transactions, calculate risk metrics, and protect both you and our company from credit card fraud. These cookies do not track your browsing habits outside the payment interface.

7. Corporate Contact Desk

For any questions regarding this Privacy Policy, your data tracking boundaries, or to execute your statutory GDPR data rights, please contact our corporate data desk at: contact@boardofthoughts.com.