Privacy Policy

Last updated: December 17, 2025

Your privacy matters to us. This policy explains how we collect, use, and protect your personal information when you use Round Two. We're committed to transparency and compliance with international data protection laws, including GDPR and CCPA.

1. Introduction

Round Two ("we," "our," or "us") is a trademark of Square One, a digital design business in the Netherlands. We are committed to protecting your privacy and ensuring transparency about how we collect, use, and safeguard your personal information.

This Privacy Policy explains our practices regarding the collection, use, disclosure, and protection of information when you use our feedback board platform (the "Service"). By using our Service, you agree to the collection and use of information in accordance with this policy.

This policy complies with the General Data Protection Regulation (GDPR) for users in the European Union, the California Consumer Privacy Act (CCPA) for California residents, and other applicable data protection laws.

2. Data Controller

Square One is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: info@squareone.nl

3. Information We Collect

We collect several types of information to provide and improve our Service:

3.1 Account Information

  • Email address (required for account creation)
  • Full name or display name
  • Password (stored in encrypted form)
  • User type (platform user or end user)

3.2 Workspace and Board Data

  • Workspace name and domain
  • Board titles, descriptions, and settings
  • Brand colors and logo URLs
  • Board visibility settings (public, link-only, password-protected, invite-only)
  • Password hashes for password-protected boards

3.3 User-Generated Content

  • Feedback items (title, description, status)
  • Comments (author name, optional email, content)
  • Votes (associated with user ID or anonymous session ID)
  • Board invitations (email addresses and tokens)

3.4 Payment and Subscription Information

  • Billing address
  • Payment method details (processed securely by Stripe)
  • Subscription details, including seat count and billing history
  • Invoice information and payment records
  • Tax identification numbers (VAT numbers, EIN, etc.) if provided
  • Stripe customer ID and subscription ID

Note: We do not store full credit card numbers. All payment processing is handled by Stripe, a PCI-compliant payment processor. Tax identification information is stored securely and included on invoices as provided.

3.5 Usage and Technical Data

  • IP addresses
  • Browser type and version
  • Device information
  • Session identifiers
  • Access timestamps
  • Usage patterns and interactions with the Service

3.6 Cookies and Tracking

We use cookies and similar tracking technologies. For detailed information, please see our Cookie Policy.

4. How We Use Your Information

We use the collected information for the following purposes:

  • To provide, maintain, and improve our Service
  • To authenticate users and manage accounts
  • To process payments and manage subscriptions
  • To enable user-generated content (feedback, comments, votes)
  • To generate AI-powered summaries of feedback (using Anthropic)
  • To send important service-related communications
  • To respond to your inquiries and provide customer support
  • To detect, prevent, and address technical issues and security threats
  • To comply with legal obligations
  • To enforce our Terms of Service and Acceptable Use Policy

6. Data Sharing and Third-Party Services

We share your information with the following third-party service providers who help us operate the Service:

6.1 Supabase

We use Supabase for database hosting, authentication, and backend infrastructure. Supabase may process your data in EU or US data centers. Supabase is GDPR-compliant and acts as a data processor on our behalf.

6.2 Stripe

We use Stripe for payment processing. Stripe is a US-based, PCI-compliant payment processor. When you make a payment, your payment information is sent directly to Stripe and is subject to Stripe's privacy policy.

6.3 Anthropic

We use Anthropic's AI services to generate summaries of feedback items. When you create or update feedback, the content may be sent to Anthropic for processing. Anthropic is a US-based company.

6.4 Vercel

We use Vercel for hosting and content delivery. Vercel operates a global CDN and may process your data in various regions.

6.5 Other Disclosures

We may also disclose your information:

  • If required by law or legal process
  • To protect our rights, property, or safety, or that of our users
  • In connection with a business transfer (merger, acquisition, etc.)
  • With your explicit consent

We do not sell your personal information. We do not share your personal information with third parties for their marketing purposes.

7. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country.

When we transfer personal data from the EEA to countries outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Other legal mechanisms recognized by applicable data protection laws

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Account data: Retained until you delete your account or request deletion
  • User-generated content: Retained until deleted by you or the board owner
  • Payment records: Retained as required by law (typically 7 years for tax purposes)
  • Usage logs: Retained for up to 12 months for security and troubleshooting purposes

When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or legitimate business purposes.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

9.1 GDPR Rights (EU/EEA Users)

  • Right of access: Request a copy of your personal data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing: Request limitation of how we process your data
  • Right to data portability: Request your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent where processing is based on consent

9.2 CCPA Rights (California Residents)

  • Right to know: Request disclosure of categories and specific pieces of personal information collected
  • Right to delete: Request deletion of personal information
  • Right to opt-out: Opt out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination: We will not discriminate against you for exercising your rights

9.3 Exercising Your Rights

To exercise any of these rights, please contact us at info@squareone.nl. We will respond to your request within 30 days (or as required by applicable law).

You may also be able to exercise some rights directly through your account settings, such as updating your profile information or deleting your account.

10. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of sensitive data at rest
  • Secure password hashing (bcrypt)
  • Row-level security policies in our database
  • Regular security assessments and updates
  • Access controls and authentication

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

11. Children's Privacy

Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date
  • Sending you an email notification (for significant changes)
  • Displaying a notice on our Service

Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: info@squareone.nl

Data Controller: Square One
Service: Round Two
Location: Netherlands