Privacy Policy

1. Introduction

Welcome to OpenIssue. This Privacy Policy explains how Sheep Meadow Road Games Oy ("we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our service at openissue.io.

We are committed to protecting your privacy and ensuring you have a positive experience on our service. This policy complies with the General Data Protection Regulation (GDPR) and Finnish data protection laws.

2. Information We Collect

2.1 Information You Provide

When you register for an account, we collect:

• Email address
• Name (optional)
• Organization name
• Payment information (processed by Stripe, not stored by us)

Note: If you register with email and password, your password is securely hashed before storage and is never stored in plain text. You may also authenticate through third-party OAuth providers (Google, GitHub, or Linear) or via one-time passwords (OTP) sent to your email.

2.2 Information from Third-Party Services

When you connect your Linear account:

• Linear OAuth access tokens (encrypted)
• Linear team and project information you choose to make public
• Issue data from selected Linear projects
• Linear user IDs and names for issue assignments

2.3 Automatically Collected Information

• IP address
• Browser type and version
• Device information
• Usage data and analytics
• Cookies and similar tracking technologies

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Provision: To create and manage your public boards, sync with Linear, and provide core functionality
• Account Management: To create and maintain your account, process payments, and manage subscriptions
• Communication: To send service updates, security alerts, and respond to your inquiries
• Improvement: To analyze usage patterns and improve our service
• Security: To detect and prevent fraud, abuse, and security issues
• Legal Compliance: To comply with applicable laws and regulations

Legal Basis for Processing (GDPR)

• Contract Performance: Processing necessary to provide our services
• Consent: Where you have given explicit consent
• Legitimate Interests: For service improvement and security
• Legal Obligation: To comply with applicable laws

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information with:

4.1 Service Providers

We use the following third-party service providers to operate the Service:

• Hetzner: Database and application hosting (server located in Finland)
• Stripe: Payment processing (data may be processed in the U.S., GDPR compliant with SCCs)
• Scaleway: Email delivery services (EU data centers)
• Linear: Issue data source integration; we receive issue data from Linear (data processed in the U.S., GDPR compliant with SCCs)
• Google: OAuth authentication provider (data processed in the U.S., GDPR compliant with SCCs)
• GitHub: OAuth authentication provider (data processed in the U.S., GDPR compliant with SCCs)

We use self-hosted analytics within the EU and do not share analytics data with third parties.

4.2 Public Information

Information you choose to make public through your public boards will be visible to anyone with access to those boards. This includes issue titles, descriptions, statuses, and any attachments you choose to include.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or to protect our rights, property, or safety.

5. Data Storage and Security

We implement appropriate technical and organizational measures to protect your personal data:

• Data encryption in transit (HTTPS/TLS) and at rest
• Passwords securely hashed using industry-standard algorithms (never stored in plain text)
• OAuth tokens stored encrypted in secure databases
• Regular security audits and updates
• Access controls and authentication requirements
• Primary data storage in EU data centers where available

While we strive to protect your information, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

6. Your Rights (GDPR)

Under GDPR, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of data processing
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time
• Right to Lodge a Complaint: File a complaint with your supervisory authority

To exercise any of these rights, please contact us at hi@openissue.io. We will respond without undue delay and in any event within one month of receiving your request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests, in which case we will inform you of the extension within the first month.

7. Data Retention

We retain your personal data only for as long as necessary:

• Active Accounts: Data retained while your account is active
• Deleted Accounts: Most data deleted within 30 days, some financial records retained for legal compliance (up to 7 years)
• Public Board Data: Deleted when boards are removed or accounts closed
• Analytics Data: Aggregated and anonymized data may be retained indefinitely

8. Cookies and Tracking

We only use strictly necessary cookies required for authentication and core service functionality (such as session management). These cookies do not require consent as they are essential for the Service to operate.

We do not use analytics cookies, advertising cookies, or any other non-essential tracking cookies. Our analytics are self-hosted within the EU and do not use cookies.

9. International Data Transfers

As we are based in the EU (Finland), we prioritize EU data processing. Our primary database and application hosting (Hetzner, server in Finland) and email services (Scaleway) operate within EU data centers. However, some sub-processors (Stripe, Linear, Google, GitHub) may process data outside the EU/EEA, primarily in the United States. When this occurs, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the EU Commission
• Adequacy decisions by the EU Commission
• Service providers certified under the EU-U.S. Data Privacy Framework where applicable

10. Children's Privacy

OpenIssue is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at hi@openissue.io.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. Any automated processing we perform (such as usage analytics) is used solely for service improvement and does not affect your access to or use of the Service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the new policy on this page
• Updating the "Last updated" date
• Sending an email notification for material changes

For material changes that affect how we process your personal data, we will seek your renewed consent where required by GDPR. If you do not agree with the updated policy, you may stop using the Service and request deletion of your data.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) if you believe we have not complied with data protection laws.