Privacy Policy

Last Updated: January 2, 2026

1. Introduction

Welcome to SprintFlint. We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, store, and share your information when you use our sprint-based project management platform.

SprintFlint is operated from the United Kingdom and complies with the UK General Data Protection Regulation (UK GDPR) and applicable data protection laws.

Data Controller: SprintFlint, Beaumont Drive, Cheltenham, United Kingdom

2. Information We Collect

2.1 Account Information

When you create an account with SprintFlint, we collect:

  • Email address (required for authentication and communications)
  • First and last name (required for profile and collaboration features)
  • Time zone preference (to display dates and times correctly)
  • Password hash (if using password authentication; hashed using bcrypt)
  • Google account data (if you sign in with Google: email, name, and profile picture from your Google account)
  • Account type (admin or member role designation)
  • Terms acceptance timestamp (when you accepted our Terms of Service)
  • Profile avatar (optional; stored securely on AWS S3)
  • API token (if you generate one for external integrations; can be revoked anytime)
  • Referral code (unique code for our referral programme)
  • Referral relationships (who referred you, and who you've referred)

2.2 Usage Data

When you use SprintFlint, we collect data you create and generate:

  • Organisation data: Organisation names, settings, memberships, and seat counts
  • Project data: Project names, descriptions, repository URLs, and prefixes
  • Sprint data: Sprint names, dates, goals, team assignments, and import history
  • Issue data: Issue titles, descriptions (rich text), story points, status, positions, assignees, tags, and activity logs
  • Comments: Comment content (rich text) and timestamps
  • File attachments: Images and files uploaded in issue descriptions or comments (stored securely on AWS S3)
  • Audit logs: Changes to issues, sprints, and projects with timestamps and user attribution
  • Notification preferences: Your chosen notification delivery channels (database, email, in-app)

2.3 Integration Data

If you connect third-party services to SprintFlint:

GitHub Integration

  • Access token: Encrypted OAuth token for API access (revoked when you disconnect)
  • Username: Your GitHub username for display purposes
  • Pull request data: PR numbers, titles, states, branch names, author information (login and avatar URL), and timestamps for PRs linked to your issues
  • Repository access: Read access to repositories you select for linking

Notion Integration

  • Access token: Encrypted OAuth token for API access (revoked when you disconnect)
  • Workspace information: Workspace name and ID
  • Page data: Page titles and content when importing sprints from Notion

AI-Powered Features

When you use AI-powered features (such as sprint import from Notion), we may send data to AI providers:

  • OpenAI or Anthropic: Content being processed (e.g., Notion page content during import)
  • Data sent: Only the specific content needed for the AI task; no account credentials or personal data
  • Data retention: We do not store AI prompts or responses beyond the immediate task

AI providers process data according to their own privacy policies. We access these providers through their APIs, and data sent through API access is typically not used to train their models.

2.4 Automatically Collected Information

When you access SprintFlint, we automatically collect:

  • IP address (for security and analytics)
  • Browser type and version (for compatibility and debugging)
  • Device information (operating system, screen size)
  • Session data (login times, feature usage)
  • Cookies (see our Cookie Policy for details)

2.5 Analytics & Monitoring

Google Analytics 4: We use Google Analytics to collect:

  • Page views and navigation patterns
  • Feature usage and user flows
  • Aggregate statistics about how teams use SprintFlint

Apollo.io: We use Apollo.io for B2B visitor tracking to collect:

  • Company identification from IP address
  • Page views and browsing behaviour
  • Visitor engagement metrics

Note: Google Analytics and Apollo.io only load if you consent to analytics cookies via our cookie banner.

Sentry Error Monitoring: We use Sentry to collect:

  • JavaScript and server-side error logs
  • Browser performance metrics
  • Hashed user context for error attribution
  • Stack traces and debugging information

3. How We Use Your Information

We use your information to:

  • Provide the service: Manage your organisations, projects, sprints, and issues
  • Authenticate you: Send magic link emails or verify passwords
  • Send notifications: Alert you about issue updates, comments, sprint deviations, and assignments
  • Calculate analytics: Generate velocity forecasts, deviation alerts, and completion rates
  • Process payments: Manage subscriptions and billing through Stripe
  • Enable integrations: Connect to GitHub and Notion on your behalf
  • Track referrals: Attribute referrals and manage rewards
  • Improve SprintFlint: Understand how features are used and identify bugs
  • Provide support: Respond to your inquiries and troubleshoot issues
  • Ensure security: Detect and prevent unauthorised access or malicious activity
  • Comply with legal obligations: Respond to lawful requests from authorities

4. Legal Basis for Processing (GDPR)

Under UK GDPR, we process your personal data based on:

  • Contract performance: Processing necessary to provide SprintFlint services you've signed up for
  • Legitimate interests: Analytics, security monitoring, and service improvement (balanced against your privacy rights)
  • Consent: Analytics cookies and marketing communications (you can withdraw consent anytime)
  • Legal obligation: Compliance with applicable laws and regulations

5. Data Sharing & Third-Party Services

5.1 Third-Party Services We Use

We share data with the following trusted third-party services to operate SprintFlint:

Service | Purpose | Data Shared
Postmark | Email delivery | Email address, name, email content (magic links, notifications)
Stripe | Payment processing | Billing email, organisation name, payment card details (entered directly into Stripe's secure form)
AWS S3 | File storage | Profile avatars, rich text attachments in issues and comments
GitHub API | Integration (optional) | OAuth access token (encrypted), repository data, pull request metadata
Notion API | Sprint import (optional) | OAuth access token (encrypted), workspace and page data
Google Analytics | Usage analytics (with consent) | Account ID, IP address (anonymised), page views, feature usage
Apollo.io | B2B visitor tracking (with consent) | IP address, company identification, page views, browsing behaviour
Sentry | Error monitoring | Hashed user context, error logs, browser/server info
Google OAuth | Sign in with Google (optional) | Email, name, profile picture (only if you choose Google sign-in)
OpenAI / Anthropic | AI-powered features (optional) | Content being processed (e.g., Notion pages during import)
Font Awesome CDN | Icon library | IP address (for CDN delivery; may set cookies)
Heroku | Cloud hosting | All data (stored securely in PostgreSQL databases)
Redis | Real-time features & background jobs | Temporary session and job data

5.2 Payment Processing

We use Stripe to process all payments securely:

  • PCI DSS Compliance: Your payment card details are entered directly into Stripe's secure payment form and never touch our servers
  • Data we store: Stripe customer ID, subscription status, plan type, seat quantity, and invoice history references
  • Data Stripe stores: Payment card details, billing address, transaction history
  • For more information, see Stripe's Privacy Policy

5.3 What We Do NOT Do

  • We do NOT sell your personal data to advertisers or data brokers
  • We do NOT share your project data with other users (except team members you invite to your organisation)
  • We do NOT use your data for purposes beyond providing SprintFlint services
  • We do NOT send marketing emails unless you explicitly opt in
  • We do NOT store your payment card details on our servers

5.4 Legal Disclosures

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

6. Data Storage & Security

6.1 Where We Store Data

Your data is stored securely in:

  • PostgreSQL databases with encryption at rest
  • AWS S3 for file storage (avatars and attachments)
  • UK/EU data centres (or equivalent with GDPR-compliant safeguards)
  • Secure cloud infrastructure with regular backups

6.2 Security Measures

We protect your data using:

  • HTTPS/TLS encryption for all data transmission (forced SSL in production)
  • HTTP-only, Secure cookies to protect session cookies against theft via XSS attacks
  • CSRF protection on all forms
  • Bcrypt password hashing (12 stretches in production)
  • Magic link tokens: Single-use, 30-minute expiry, cleared after use
  • Database-backed "remember me" tokens: 2-month validity, cleared on logout
  • Encrypted integration tokens: GitHub and Notion access tokens are encrypted at rest using Rails encrypted attributes
  • API token security: Tokens are securely generated and can be revoked at any time
  • Multi-tenant data isolation: Organisation data is logically separated
  • Regular security updates and dependency audits

6.3 Admin Impersonation

SprintFlint uses the "devise_masquerade" gem, which allows super admins to temporarily log in as other users for support purposes. This feature:

  • Is only accessible to super admins (or in development environments)
  • Is logged in our audit trail
  • Is used solely for troubleshooting and customer support

7. Cookies & Tracking Technologies

We use cookies to provide essential functionality and analytics. For detailed information about the cookies we use, please see our Cookie Policy.

Cookie Consent: When you first visit SprintFlint, you'll see a cookie consent banner allowing you to accept all cookies or only essential ones. Your choice is remembered for 365 days.

Summary of cookies:

  • Essential: Session cookies, CSRF tokens, remember me, UI preferences, referral tracking, cookie consent
  • Analytics: Google Analytics (_ga, _gid, _gat) - only loaded with your consent
  • Third-party: Stripe (during checkout), Font Awesome CDN

8. Your Rights (GDPR)

Under UK GDPR, you have the following rights regarding your personal data:

8.1 Right to Access

You can request a copy of all personal data we hold about you. Contact us at [email protected] to request an export.

8.2 Right to Rectification

You can update your profile information (name, email, timezone) directly in SprintFlint settings at any time.

8.3 Right to Erasure ("Right to be Forgotten")

You can delete your account through your profile settings. Upon deletion:

  • Your account is deactivated immediately
  • Data is retained for 30 days in case you change your mind
  • After 30 days, all data is permanently deleted
  • Audit logs may be retained for 1 year for security purposes

8.4 Right to Data Portability

You can export your project data (issues, sprints, comments) in machine-readable format. Contact [email protected] to request an export.

8.5 Right to Object

You can opt out of:

  • Analytics cookies: Choose "Essential Only" in our cookie consent banner, or use the Google Analytics Opt-Out browser add-on
  • Marketing emails: Unsubscribe link in emails (if you opted in)

8.6 Right to Restrict Processing

You can request that we limit how we process your data while we resolve a dispute or verify accuracy.

8.7 Right to Lodge a Complaint

If you believe we've mishandled your data, you can file a complaint with the UK Information Commissioner's Office (ICO): https://ico.org.uk

9. Data Retention

  • Active accounts: Data retained indefinitely while you use SprintFlint
  • Deleted accounts: 30-day grace period, then permanent deletion
  • Audit logs: Retained for 1 year for security and compliance
  • Backup data: Retained for 30 days in encrypted backups
  • Analytics data: Google Analytics retains data per their retention policy (26 months by default)
  • Integration tokens: Deleted immediately when you disconnect an integration
  • Referral data: Retained while your account is active; deleted with your account

10. International Data Transfers

SprintFlint operates primarily from the UK. If data is transferred outside the UK/EU:

  • We use Standard Contractual Clauses (SCCs) or equivalent GDPR-compliant safeguards
  • Third-party services (Stripe, Postmark, Google, Sentry, AWS) have adequate data protection measures
  • Data is encrypted in transit and at rest

11. Children's Privacy

SprintFlint is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we discover that a child's data has been collected, we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes:

  • We will update the "Last Updated" date at the top of this page
  • We will notify you via email at least 30 days before changes take effect
  • We will provide a summary of changes if they are significant

13. Contact Us

If you have questions about this Privacy Policy or want to exercise your GDPR rights, please contact us:

  • Email: [email protected]
  • Subject Line: "Privacy Inquiry" or "Data Request"
  • Address: SprintFlint, Beaumont Drive, Cheltenham, United Kingdom

We will respond to all requests within 30 days as required by UK GDPR.