Privacy Policy

Version 1.0 — 7 April 2026

This privacy policy explains how OpenKarl ("we", "us") collects, uses, and protects your personal data when you use our services at booth2boardroom.com and its subdomains. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

Karl Findlay is the data controller. Contact: karlfindlay@gmail.com

2. What We Collect

When you create an account, we collect:

• Email address — used as your login identifier
• Display name — shown in the apps (optional, defaults to your email prefix)
• Password — stored as a cryptographic hash (PBKDF2-SHA256, 100,000 iterations). We never store your actual password.
• Consent record — timestamp and version of this policy you agreed to
• Account timestamps — when your account was created and last updated

We do not collect your real name, address, phone number, date of birth, or payment information.

3. Why We Collect It

We process your data under UK GDPR Article 6(1)(a) — your explicit consent given at registration. Your data is used solely to:

• Authenticate you across our apps
• Display your chosen name in the interface
• Maintain account security

4. How We Store It

Your data is stored in Cloudflare D1, a serverless database operated by Cloudflare, Inc. Data is processed at Cloudflare edge locations. Cloudflare is certified under ISO 27001 and SOC 2 Type II. See Cloudflare's GDPR page.

5. Who Has Access

Only the data controller (Karl Findlay) has administrative access to the database. We do not share your data with third parties, sell it, or use it for marketing.

6. How Long We Keep It

Your data is kept for as long as your account exists. When you delete your account, your data is soft-deleted immediately (hidden from all queries) and permanently erased after 30 days.

7. Your Rights

Under UK GDPR, you have the right to:

• Access — download all your data via Account Settings
• Rectification — update your display name and password at any time
• Erasure — delete your account via Account Settings
• Portability — export your data as JSON via Account Settings
• Withdraw consent — delete your account to withdraw consent
• Complain — lodge a complaint with the ICO if you believe your data rights have been violated

8. Cookies

We use a single authentication cookie (openkarl_auth) to keep you logged in across our apps. This cookie is:

• HttpOnly (not accessible to JavaScript)
• Secure (only sent over HTTPS)
• SameSite=Lax (not sent on cross-site requests)
• Expires after 24 hours

We do not use tracking cookies, analytics cookies, or third-party cookies.

9. Changes to This Policy

If we update this policy, we will increment the version number and notify you on your next login. Continued use after notification constitutes acceptance.

← Back to OpenKarl Auth