🎓 Join live OKR certification with a coach | March 2025

Sign up
Book a demo
Start free trial

Privacy Policy

Scope of this Privacy Policy

We are Objectives Board Ltd., doing business as Oboard ('we', 'us', or 'our') located at Level 3, (Suite No. 2974), Tower Business Centre, Tower Street, Swatar, Birkirkara BKR 4013, Malta, and we welcome you (‘You’ or ‘Client’) to our website. We operate the website https://oboard.io (the 'Site'), as well as any other related products and services that refer to or link to this Privacy Policy. 

This Privacy Policy applies to You when You visit and use the Site, use our Services, and to our other online presences, such as our social media appearances. Our Services include the following products: Oboard Web app available at this Site, OKR Board for Jira & Confluence, OKR Board for Salesforce and OKR Board for monday.com, and this Privacy Policy is applicable to all the four products. We are the controller of Your personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”) with the exemption of certain data processing activities (e.g. processing of data generated by You or Your employee and/or an end-user associated with You as it is detailed further in this Privacy Policy). 

When we process personal data, we do so in accordance with the rules set down by the General Data Protection Regulation, which is considered to be the highest legal and privacy standard in the world, and we expand our commitment to process personal data in accordance with the GDPR to users of the Services located outside the European Economic Area as well. 

For more information as to this Privacy Policy and for exercising Your rights as the data subject, You may and is advised to contact Oboard at [email protected]

Processing of Personal Data

We may receive Your personal data from third-party sources, including when You use OKR Board for Jira & Confluence and OKR Board for Salesforce, from Jira which is owned and/or operated by Atlassian, and from the Salesforce ecosystem. For more information, please refer to the Atlassian Privacy Policy at: https://www.atlassian.com/legal/privacy-policy and to the Salesforce Privacy Centre at: https://www.salesforce.com/products/privacy-center/. We may also receive Your personal data from monday.com when You use OKR Board for monday.com. For more information please refer to the Privacy Policy of monday.com at: https://monday.com/l/privacy/privacy-policy/

Types of Data Processed

While using the Service, we may process certain types of data that can be used to identify You, including:

  • Your name;
  • Email address;
  • User names;
  • OKR titles, descriptions, groups, parent elements, nested items, comments, and other attributes;
  • Column configurations;
  • Usage Data (user actions, user preferences, performance metrics);
  • Your billing details when You subscribe to the Services, including through our payment providers;
  • Other items of data that You provide to us, directly or indirectly, through Your use of the Services, associated social media platforms and/or accounts from which You permit us to process data.

Legal Basis for Processing 

The legal basis for Oboard’s processing of Your data in relation to the main purpose of the Services is the necessity to perform the contract with You and/or to which You are party (Article 6 (1) b) of the GDPR). This also applies to the processing of Your data in order to take steps at the request of You prior to entering into a contract.

We may also process certain types of Your data and/or maintain certain types of data processing activities based on Your consent to process Your personal data for one or more specific purposes (Article 6 (1) a) of the GDPR). In such instances, You will have the right to withdraw Your consent at any time.

Under certain circumstances, Oboard may be required to disclose or to undertake another processing operation or set of operations on Your personal data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency). In such instances the legal basis for processing is the necessity for compliance with a legal obligation to which Oboard is subject (Art. 6 (1) c) of the GDPR). 

If Oboard is involved in a merger, acquisition, or asset sale, Your personal data may be transferred. Oboard will provide notice before Your personal data is transferred and becomes subject to a different Privacy Policy. In such instances, processing (transfer) of Your personal data will be subject to a comprehensive analysis of Your interests or fundamental rights and freedoms, and the legal basis for processing (transfer) of Your personal data will be the legitimate interests (performance of our business activities) pursued by Oboard or by a third party (Article 6 (1) f) of the GDPR).

When You process personal data of Your employee or of Your OKR board administrator, agent or contractor (end-user associated with you) for whom subscriptions to the Services have been purchased, and who has been supplied user credentials for the Services by Your (or by Oboard at Your request), You act as a data controller within the meaning of the GDPR. In this respect and by agreeing to this Privacy Policy You confirm that You have a legal basis for processing the personal data of Your employees or end-users.

Purposes for Processing of Personal Data

The way Oboard uses Your personal data depends on the purpose of the processing. We process and use Your personal data in order:

  • to deliver the Services and enable You to access and use the Services;
  • to improve the Services and to continue optimization of the Services;
  • to prevent and address technical problems, and maintain the security and functionality of the Services;
  • to contact and communicate with You;
  • to provide You with support, if requested;
  • for advertising and marketing, including sending You information about Oboard’s products and services where we have Your consent to do so;
  • to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Oboard’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by Oboard about our Service users is among the assets transferred.

Sharing of Personal Data with Third-party Entities 

When You use the Services we may share Your personal data with Your consent, at Your direction or when we have another legal basis with third-party entities, including:

  • with our corporate affiliates and subsidiaries;
  • with third parties performing services to support our core business functions and internal operations;
  • with third parties (including agents and subcontractors) assisting us in providing information, products, and the Services to you;
  • to support our audit, compliance, and corporate governance functions;
  • in connection with a change of ownership or control of all or part of our business (such as a merger, acquisition, reorganization, or bankruptcy);
  • with credit reporting agencies and courts, tribunals, and regulatory authorities where You fail to pay for services provided to you.

Sharing Data with Third-Parties

When You use the Services we may share Your personal data with third-party entities, including the following entities:

1. Amplitude, Inc.

Link: https://amplitude.com

Location: 🇺🇲United States of America

Address: 201 Third Street, Suite 200, San Fransico, CA 94103

Contact person’s name, position and contact details: Liz Fisher, General Counsel; [email protected]; Amplitude, Inc.; Attn: Privacy; 631 Howard Street, Floor 5; San Francisco, CA 94105

Description of the processing: processing of usage data (user actions, user preferences, performance metrics).

2. Amazon Web Services EMEA SARL

Link: https://www.amazon.com/

Location: 🇳🇱Netherlands

Address: 38 Avenue John F. Kennedy, L-1855, Luxembourg

Contact person’s name, position and contact details: Steve Schmidt, Chief Information Security Officer; [email protected] 

Description of the processing: cloud hosting of data (OKR title, description, owner, business group, comments, linked Jira issues titles, etc.).

3. Google Ireland Limited

Link: https://www.google.com/

Location: 🇮🇪Ireland

Address: Google Building Gordon House, Barrow St, Dublin 4

Contact person’s name, position, and contact details: Emil Ochotta, Data Protection Officer. (Sunnyvale, the U.S.A); https://support.google.com/cloud/contact/dpo

Description of the processing: processing of usage data (user actions, user preferences, performance metrics).

Transfer of Personal Data

Whereas (personal) data about Your use of our Website can also be transferred to the USA and stored there, the security of the transfer is secured by standard contractual clauses and/or other mechanisms that comply with the GDPR.

Visibility of Personal Data of Employees

If you use, access, or engage with the Services as an employee and/or as an end-user associated with the Client (your employer), your personal data, including the profile information or content you upload to the Services, may be shared with other members of your OKR Board or the Client (your employer) administering your OKR Board.

Security and Retention of Personal Data

The security of Your Personal Data is important to Oboard, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While Oboard strives to use commercially acceptable means to protect personal data, with respect to Your employee and/or an end-user associated with Your generated data, You act as a controller within the meaning of the GDPR and You shall undertake appropriate technical and organizational measures to secure the data as well.

Oboard uses privacy-enhancing technologies to protect personal data while providing the Services, which may vary depending on the product You use, including:

  • pseudonymisation and anonymisation;
  • encryption for data in transit (TLS 1.2 and TLS 1.3) and data at rest (AES-256);
  • access control;
  • secure deletion.

Oboard has implemented technical and organizational measures to ensure the security of personal data:

  • internal policies and procedures such as the Data Security Policy and the Clean Desk Policy;
  • security assessment is conducted;
  • penetration tests are being conducted on an annual basis.

When processing personal data within Our OKR Board for Jira and OKR Board for Salesforce products, Oboard takes part in available security programs such as the Atlassian Marketplace Security Bug Bounty Program. Atlassian is considered to have a best-in-class marketplace bug bounty program to increase security and trust for all Marketplace apps. Participating Marketplace Partners have a possibility to proactively combat security risks before they arise by incentivizing security researchers to find vulnerabilities. 

Oboard will retain Your personal data for as long as Your account is in existence or otherwise as necessary to provide You the Services, or as otherwise required or permitted by applicable law. 

With respect to Your use of Oboard’s OKR Board for Jira, the minimum storage period post un-install is 90 days, whereas the maximum storage period post un-install is 365 days.

Sub-Processors We Engage

In order to provide the Services to You Oboard may engage sub-processors to process personal data on behalf of You and by agreeing to this Privacy Policy, including by agreeing to the Legal Terms where this Privacy Policy is incorporated, You authorize us to engage the sub-processors listed below. Where Oboard engages the sub-processors, the processing of Your data is governed by a contract or other legal act which is binding both on Oboard and the respective sub-processor. Below You may familiarise yourself with the respective legal acts governing the processing.

Sub-ProcessorServices PerformedContract or Other Legal Act Governing the Processing 
AmplitudeAnalytics services (clickstream)Data Processing Addendum
Amazon Web ServicesCloud servicesAWS GDPR Data Processing Addendum & Supplementary Addendum to the AWS GDPR Data Processing Addendum
Google AnalyticsWeb analytics servicesGoogle Ads Data Processing Terms
FronteggIdentity servicesData Processing Addendum
Stripe Payment servicesData Processing Agreement
CalendlyAppointments schedulingData Processing Addendum
AtlassianLicense management and Payment service (applicable to OKR Board for Jira only)Atlassian Data Processing Addendum
SegmentWeb analytics servicesData Processing Addendum
TypeformForms and survey servicesData Processing Agreement
MailchimpMarketing servicesData Processing Addendum
monday.comPayment service (applicable to OKR Board for monday.com only)Data Processing Addendum 

Processing of Data Generated by You

When You or Your employee and/or an end-user associated with You generates, inputs and/or processes personal data when using the Services, You act as a controller within the meaning of the GDPR and You are responsible for the respective data processing activities. In respect to such data processing activities, Oboard shall be considered as the data processor within the meaning of the GDPR. Oboard will process the following types of data generated by You or Your employee and/or an end-user associated with You:

  • Email address;
  • User names;
  • OKR titles, descriptions, groups, parent elements, nested items, comments, and other attributes;
  • Usage Data (user actions, user preferences, performance metrics);
  • Column configurations;
  • Any other (personal) data that You or Your employee and/or an end-user associated with You generate within the Services.

If you use, access or engage with the Services as an employee and/or as an end-user associated with the Client (your employer), your data is processed by your employer and your employer may collect your (personal) data via the Services. Your employer is responsible for these data processing activities. In this case, we only act as a processor for your employer and are bound by the instructions of your employer.

Your employer will provide you with further information on data processing by your employer when you use the Services.

Your Rights

For Oboard’s help to exercise Your rights as the data subject the primary mechanism for sending a request shall be via e-mail to: [email protected].

Right to rectification

On a request made by You, the inaccurate personal data concerning You will be rectified without undue delay. The personal data is inaccurate if it is incorrect or misleading as to any matter of fact.

Taking into account the purposes of the processing, You have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to access

On a request made by You, confirmation as to whether or not personal data concerning You are being processed will be provided and, where that is the case, access to the personal data and the following information will be granted:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from rectification or erasure of personal data or restriction of processing of personal data concerning You or to object to such processing;

(f) where the personal data are not collected from You, any available information as to their source;

(g) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for You;

(h) in the case of the personal data breach and whenever it is not possible for the Oboard to communicate the breach to You because there is insufficient data stored to contact You, all relevant information regarding the breach;

Please note that we do not carry out automated decision-making, including profiling, and we do not intend to carry out automated decision-making, including profiling in the future. 

A copy of the personal data undergoing processing will be provided without affecting the rights and freedoms of others. For any further copies requested by You, a reasonable fee based on administrative costs may be charged. Where You make the request by electronic means, and unless otherwise requested by You, the information will be provided in a commonly used electronic form.

Right to restriction of processing

On a request made by You, the processing will be restricted if one of the following applies:

(a) the accuracy of the personal data is contested by You, for a period enabling Oboard to verify the accuracy of the personal data;

(c) Oboard no longer needs the personal data for the purposes of the processing, but they are required by You for the establishment, exercise, or defense of legal claims;

(d) You have objected to processing pending the verification of whether the legitimate grounds of Oboard override those of You.

Where processing has been restricted under the above-mentioned conditions, such personal data will, with the exception of storage, only be processed with Your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

The restriction of processing will be communicated to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. On a request made by You, You will be informed about the recipients of Your personal data. 

Right to data portability 

Where the processing is carried out by automated means and on a request made by You, You will receive the personal data concerning You, which You have provided to Oboard.

The personal data concerning You will be provided in a structured, commonly used and machine-readable format with the possibility to transmit those data to another controller. Where technically feasible and on a request made by You, the personal data will be transmitted directly to another controller. 

Right to object

Where the processing is based on the legitimate interests pursued by Oboard or by a third party and on a request made by You objecting to the processing of the personal data, the respective personal data will no longer be processed. The exception can be made when Oboard has compelling legitimate grounds for the processing that override the interests, rights, and freedoms of You or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for direct marketing purposes and on a request made by You objecting to the processing of personal data for direct marketing purposes, the personal data will no longer be processed for such purposes.

You will be allowed to exercise Your right to object by automated means using technical specifications.

Right to erasure (“right to be forgotten”)

Where one of the situations mentioned below applies and on a request made by You requesting the erasure of personal data, the personal data concerning You will be erased without undue delay:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) You withdraw consent on which the processing is based, and where there is no other legal ground for the processing;

Our Service may give You the ability to delete certain information about You from within the Service. You may update, amend, or delete Your personal data at any time by signing in to Your Account if You have one, and visiting the account settings section that allows You to manage Your personal data.

Right to opt-out of sale or sharing (for California residents)

Oboard will not sell or share Your personal data (information): we do not provide for the possibility to sell or share Your personal data (information) as the purpose for processing of Your personal data (information). We process Your personal data (information) in accordance with the purpose limitation principle of the GDPR, which is considered to be the world’s most demanding privacy law and requirements which we fulfill with respect to You regardless of Your place of incorporation, residence, or Your principal place of business. 

Note that sharing within the meaning of the Rights to opt-out of this Privacy Policy refers specifically to sharing for cross-context behavioral advertising, which is the targeting of advertising to You based on Your personal data (information) obtained from Your online activity across numerous websites.

You have the right to request Us stop selling or sharing Your personal data (information), however, note that we do not sell or share Your personal data (information) nor do we intend to start selling or sharing Your personal data (information) regardless of any possible updates to this Privacy Policy. You still may request us to exercise Your right to opt-out of sale or sharing including by contacting Oboard at [email protected]

Changes

We may change this Privacy Policy from time to time and at Oboard's sole discretion. We encourage You to frequently check this page for any changes to this Privacy Policy. Your continued use of this site and the Services after any change in this Privacy Policy will constitute Your acceptance of such change.

Objectives Board Ltd.