Privacy Policy

Backlog.cloud is a product operated by Alconbury Tech Ltd, a company registered in England and Wales (company number 17031730). In this policy, "we", "us", and "our" refer to Alconbury Tech Ltd. "You" means the person or organisation using the service.

For the personal data we collect to run our own business (for example, your account details and billing information), we act as the data controller. For personal data inside the meetings, transcripts, and content you bring into the product, we act as a data processor on your behalf. Our obligations as a processor are set out in a separate Data Processing Agreement available on request.

If you have any questions about this policy, or you want to exercise your rights, contact us at privacy@backlog.cloud.

We built Backlog.cloud to turn meetings into production-ready backlog items. To do that we handle meeting audio, transcripts, and the content you generate from them. A few things worth saying up front:

• We do not use your content to train AI models. Our AI sub-processor is contractually prohibited from training on customer data.
• You own your data. You can export it at any time. You can delete it at any time.
• We encrypt your data in transit (TLS) and at rest (AES-256).
• We only share personal data with sub-processors that are contractually bound to protect it, and only to the extent they need to run a specific part of the service.
• Some of our sub-processors are based outside the UK and EU. When data is transferred, we rely on approved safeguards (Standard Contractual Clauses and the UK International Data Transfer Addendum).
• You have rights under UK GDPR and EU GDPR, including access, correction, deletion, and the right to complain to a regulator.

The rest of this page is the long version.

We only collect data we actually need to run the service. The categories below describe what we hold and why.

Account and identity data

Name, work email address, a hashed password or third-party login identifier, organisation name, role, time zone, and language. We collect this when you sign up or are invited to a workspace.

Workspace and content data

Projects, backlogs, backlog items, notes, uploaded files, meeting links you paste in, and any content you generate or edit inside the product. This is your operational content and we handle it on your instructions.

Meeting data

When you ask the service to join a meeting, we handle the meeting audio and video, the transcript produced from it, speaker labels, participant names and emails exposed by the meeting platform, join and leave times, and any chat messages shared during the call. We only process this for the specific meeting you connected.

Integration data

When you connect a third-party tool (for example, an issue tracker or code host) we store the access tokens required to call that tool on your behalf, along with the identifiers for the projects, boards, or repositories you choose to link. We never request broader scopes than the ones needed for the features you enable.

Billing data

Company name, billing address, VAT number where applicable, the plan you are on, and invoice history. Card and bank details are handled by our payment processor. We do not see or store full card numbers.

Usage and device data

Product events (for example, which pages you viewed, which features you used, and how long an artefact took to generate), IP address, browser and device type, and timestamps. We use this to operate the service, debug problems, prevent abuse, and understand how the product is used in aggregate.

Support and correspondence

Emails, messages, and any screenshots or recordings you send us when you contact support or share feedback.

Under UK GDPR and EU GDPR we have to tell you the lawful basis for each use of your data. For most of what we do, that basis is the contract we have with you, our legitimate interests in running a product responsibly, or a legal obligation.

To provide the service you asked for (contract)

Creating your account, authenticating you, joining the meetings you connect, transcribing those meetings, generating the backlog items you request, pushing those items into the tools you have integrated, processing your payments, and sending you the transactional emails the product relies on.

To run a responsible business (legitimate interests)

Keeping the service secure, detecting abuse and fraud, monitoring errors, analysing aggregate usage to improve the product, responding to your support requests, and communicating operational changes. You can object to this processing at any time and we will assess whether we can continue on another basis.

To comply with the law (legal obligation)

Keeping accounting and tax records, responding to lawful requests from regulators or law enforcement, and meeting any other statutory obligations that apply to us.

Because you agreed (consent)

Non-essential cookies, optional analytics, and marketing emails. You can withdraw consent at any time without affecting the service.

We do not carry out automated decisions that produce legal or similarly significant effects on you.

Meetings are sensitive by nature, so this section is deliberately specific.

When you instruct the service to join a meeting, a bot enters the call under a visible display name, is listed as a participant, and records audio and video for transcription. Every major meeting platform notifies participants that a bot has joined. The bot does not speak, does not unmute itself, and does not share any content into the call.

It is your responsibility, as the organiser or as the workspace admin, to make sure participants are informed that the meeting is being recorded and transcribed, and to obtain any consent required under local law. If any participant objects, remove the bot before the meeting starts.

We only keep the audio, video, and transcript for as long as needed to generate the artefacts you asked for, and for the retention period you set in your workspace. You can delete a meeting and its transcript at any time from the dashboard. When you do, we remove it from our primary systems within 24 hours and from backups within 35 days.

We do not use meeting content for any purpose other than running the service you asked for. We do not train AI models on meeting content. We do not share meeting content with third parties except the sub-processors listed further down, which only handle it to provide a specific piece of the service.

Backlog.cloud uses a third-party large language model to turn meeting content and your notes into structured backlog items. The raw input, the generated output, and a small amount of metadata are sent to the model provider over an encrypted connection.

Our contract with the model provider prohibits them from using your content to train or improve their models. Inputs and outputs are retained by the model provider only for a short operational window (typically up to 30 days) for abuse monitoring, and then deleted.

We do not run our own AI training. We do not sell or rent your content for model training elsewhere.

We use a small number of third-party providers to run specific parts of the service. Each provider is bound by a written data processing agreement that restricts how they can handle your data. Where a provider is outside the UK and EU, we rely on approved transfer safeguards (Standard Contractual Clauses and the UK International Data Transfer Addendum).

The categories below describe what each provider does without naming the specific vendors. A current list of named sub-processors, along with their locations, is available in our Data Processing Agreement on request, and we will notify workspace admins before we add or change a sub-processor in a way that affects customer data.

• Cloud infrastructure and database provider: hosting the application, storing your account data and generated content.
• AI model provider: generating structured backlog items from your meeting content and notes. Contractually prohibited from training on customer data.
• Meeting bot provider: joining calls, capturing audio and video, and producing transcripts.
• Authentication provider: managing secure login and session handling.
• Payment processor: handling card payments and subscription billing under PCI DSS.
• Transactional email provider: sending service emails such as invitations, password resets, and billing notifications.
• Error monitoring and product analytics providers: collecting crash reports, performance traces, and aggregate product usage to keep the service reliable.
• Customer support tooling: managing support conversations and tickets.

We are based in the United Kingdom, but some of our sub-processors operate from the United States and other countries. When your data is transferred outside the UK or the European Economic Area, we rely on one of the following safeguards:

• An adequacy decision from the UK government or the European Commission, where one is in place.
• The European Commission Standard Contractual Clauses, combined with the UK International Data Transfer Addendum, supplemented by technical measures such as encryption and access controls.
• The EU-US Data Privacy Framework and the UK extension where the receiving organisation is certified under it.

If you want to see a copy of the safeguards that apply to a specific transfer, contact us at privacy@backlog.cloud and we will share the relevant extract.

Security is not a marketing claim, it is a set of practices. Ours include:

• TLS for all data in transit, AES-256 for data at rest.
• Role-based access controls, with production access limited to a small number of named engineers.
• Audit logging on sensitive administrative actions.
• Secrets managed through a dedicated secrets manager, not in source code.
• Dependency scanning, static analysis, and code review before anything ships to production.
• Backups of primary data, with tested restore procedures.
• A documented incident response process. If a personal data breach affects you, we will notify you without undue delay and, where legally required, within 72 hours of becoming aware of it.

No online service is immune from attack, so in addition we ask you to protect your own account: use a strong unique password, enable two-factor authentication where available, and do not share your login.

We keep personal data only for as long as we need it, or as long as the law requires.

• Account data: for as long as your account is active. When you delete your account, we remove it from our primary systems within 30 days, and from backups within 90 days.
• Workspace and content data: for as long as the workspace is active, or until you delete it.
• Meeting audio, video, and transcripts: in line with the retention period you set, or until you delete the meeting. Defaults are shown in the dashboard.
• Billing records: retained for at least 6 years to meet UK accounting and tax law.
• Security and access logs: up to 12 months.
• Support correspondence: up to 3 years after the last interaction.

Under UK GDPR and EU GDPR you have the following rights in relation to your personal data:

• Access: ask us for a copy of the personal data we hold about you.
• Rectification: ask us to correct data that is inaccurate or incomplete.
• Erasure: ask us to delete your data where we no longer have a lawful basis to keep it.
• Restriction: ask us to stop processing your data in certain circumstances.
• Portability: ask us to provide your data in a machine-readable format, or to send it to another provider.
• Objection: object to processing we carry out on the basis of legitimate interests.
• Withdraw consent: withdraw consent for any processing we carry out on that basis, without affecting the legality of what we did before.
• Complain to a regulator: in the UK, the Information Commissioner’s Office (ico.org.uk). In the EU, your local supervisory authority.

To exercise any of these rights, email privacy@backlog.cloud from the address on your account. We will respond within one month. We may need to verify your identity before acting on the request.

If your personal data is inside a workspace controlled by your employer or another organisation, contact them first. They are the controller of that content and we act on their instructions.

We use cookies and similar technologies sparingly. The essential ones keep you logged in, protect against cross-site request forgery, and remember your workspace. These do not require consent.

We also use a small number of analytics and performance technologies to understand how the product is used in aggregate and to detect errors. Where these are not strictly necessary, we ask for your consent before setting them, and you can change your choice at any time from the cookie settings link in the footer.

We do not use advertising cookies. We do not sell data to ad networks.

Backlog.cloud is a workplace tool and is not directed at anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has given us personal data, contact us and we will delete it.

We may update this policy from time to time. When we make a material change, we will notify workspace admins by email and update the "last updated" date at the top of this page. We will not make changes that reduce your rights without giving you reasonable notice.

For privacy questions, data requests, or to request our Data Processing Agreement, email privacy@backlog.cloud.

Postal address: Alconbury Tech Ltd, registered office as shown on the UK Companies House register (company number 17031730).

If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner’s Office at ico.org.uk or to your local data protection authority in the EU.