Privacy Policy

Effective March 14, 2026

This Privacy Policy explains what personal data Balladic (“we”, “us”, “our”) collects, why we collect it, and how we process it when you use the Balladic project tracking service (“Service”). It applies to all visitors and users of balladic.com and the Service.

We are the data controller for personal data collected through the Service. For data we process on behalf of organisations using Balladic (where the organisation determines the purposes), see our Data Processing Agreement.


1. Who We Are

Balladic is a project tracking and collaboration service operated from Denmark.

Controller: Balladic, operated by FORN Studio (CVR 39172569)
Address: Søborg Hovedgade 177C 3TH, 2860 Søborg, Denmark
Contact: [email protected]
Applicable law: Laws of Denmark, GDPR (Regulation (EU) 2016/679)
Supervisory authority: Datatilsynet (Danish Data Protection Agency)

2. What Data We Collect

Account data. When you create an account, we collect your name, email address, and profile picture. If you sign in with GitHub, we receive your name, email address, and avatar from GitHub via OAuth 2.0 (using the user:email scope). Your GitHub ID is stored to link your account for future sign-ins.

Content. You create projects, tasks, comments, and upload file attachments. We store this content to provide the Service. File attachments are stored in Cloudflare R2 object storage. Profile pictures are resized into multiple variants and stored in a public bucket.

Usage data. We collect interaction signals - specifically which feed items you click on or dismiss - to personalise your feed ranking. This data is scoped to your account and is not shared.

Activity data. We track when you last accessed the Service to show your online status to other members of your projects.

Technical data. When you use the Service, we automatically collect your IP address, browser type, device information, and page interactions through our analytics and error tracking tools (PostHog and Sentry). For unauthenticated visitors, analytics data is collected using in-memory storage only - no cookies are set and no data persists across page loads. For authenticated users, session replays are captured for 10% of sessions, and 100% of sessions where an error occurs.


3. How We Collect Your Data

We collect data in three ways:

  • Directly from you. When you create an account, set up projects, create tasks, write comments, upload files, or update your profile.
  • From third parties. When you sign in with GitHub, we receive your profile information and verified email addresses from GitHub’s API.
  • Automatically. When you use the Service, we collect technical data through cookies, analytics tools, and error tracking. We also record your activity timestamps and interaction signals.

Providing your name and email address is required to create an account and use the Service. If you do not provide this data, you cannot use the Service. All other data collection flows from your use of the Service.


4. How We Use Your Data

We process your personal data for the following purposes:

Providing the Service. We use your account data and content to operate the Service - authentication, task management, collaboration, notifications, search, and file storage. Your content is indexed in our search engine to enable search within your projects. Legal basis: performance of contract (GDPR Art. 6(1)(b)).

Email communications. We send you emails for password resets, project invitations, and - if enabled - notifications about activity in your projects (new comments, mentions, task assignments, approval requests). You control which notification emails you receive through your account preferences, and every notification email includes an unsubscribe option. Legal basis: performance of contract (GDPR Art. 6(1)(b)).

Feed personalisation. We use your interaction signals to rank your feed using online learning (stochastic gradient descent). The learned model is stored per-user and is not shared. This is automated processing that affects how content is ordered in your feed, but it does not produce legal or similarly significant effects - it only determines the display order of your own projects’ activity. You can object to this processing at any time by contacting us. Legal basis: performance of contract (GDPR Art. 6(1)(b)).

AI-powered features. Features such as AI overviews, suggested tasks, and conversation summaries use the Mistral AI API. Your content is anonymised before being sent to Mistral AI - user names are replaced with pseudonyms and de-anonymised upon return. Mistral AI does not use your data to train its models. If the AI service is unavailable, the Service falls back to non-AI alternatives. Legal basis: performance of contract (GDPR Art. 6(1)(b)).

Analytics. We use PostHog to understand how the Service is used, identify issues, and improve functionality. PostHog is hosted in the EU (Frankfurt, Germany). We identify users by ID and name to associate analytics with accounts. Legal basis: legitimate interest in improving the Service (GDPR Art. 6(1)(f)). You can object to analytics processing - see Section 9.

Error tracking. We use Sentry to detect and diagnose errors. Sentry is hosted in the EU (Frankfurt, Germany). Browser performance tracing is sampled at 10%. Legal basis: legitimate interest in maintaining service reliability (GDPR Art. 6(1)(f)).

Payment processing. If you use a paid plan, Stripe processes your payment information. We send your name and email to Stripe to create a customer record. We do not store your payment card details - Stripe handles this directly. Legal basis: performance of contract (GDPR Art. 6(1)(b)).

Rate limiting. We use your IP address for rate limiting to protect the Service from abuse. IP addresses are held in memory only and are not persisted. Legal basis: legitimate interest in protecting the Service (GDPR Art. 6(1)(f)).


5. Cookies

Cookies are small text files placed on your device by websites you visit. We use two categories of cookies:

Essential cookies

These cookies are strictly necessary for the Service to function. They are set for all visitors who sign in.

Cookie | Purpose | Duration | HttpOnly
balladic_access | JWT access token for authentication | 15 minutes | Yes
balladic_refresh | Refresh token for maintaining sessions | 90 days | Yes
balladic_access_exp | Access token expiration timestamp (allows the client to know when to refresh) | 15 minutes | No

Analytics cookies (authenticated users only)

When you create an account, you accept this Privacy Policy, which includes the use of analytics cookies. These cookies are only set after you sign in - unauthenticated visitors are tracked using in-memory storage only, which does not persist across page loads and does not place any cookies.

Cookie | Purpose | Duration | Set by
ph_*_posthog | PostHog analytics - identifies your session for usage analytics | 1 year | PostHog

Sentry session replays are also only enabled for authenticated users. Sentry does not set persistent cookies - replay data is captured in-memory during your session.

All cookies use the Secure flag (transmitted over HTTPS only) and SameSite protection.

Because essential cookies are strictly necessary for the Service to operate and analytics cookies are only set for authenticated users who have accepted this Privacy Policy, no cookie consent banner is required. You can delete cookies through your browser settings. Note that deleting authentication cookies will sign you out of the Service.


6. Third-Party Services

We use the following third-party services to operate Balladic. For the full sub-processor list and data protection obligations, see our Data Processing Agreement.

Service | Purpose | Data shared | Location
Railway | Application hosting | All service data (hosted on their infrastructure) | Netherlands (EU)
Cloudflare | CDN, DNS, object storage | Web traffic, file attachments, profile pictures | EU (with global edge network)
Stripe | Payment processing | Name, email, payment details | EU/US
Mistral AI | AI-powered features | Anonymised project and task content | France (EU)
Sentry | Error tracking | Error traces, browser performance data | Germany (EU)
PostHog | Product analytics | Usage events, user ID, name, session replays | Germany (EU)
Resend | Transactional email delivery | Email addresses, notification content | US

We do not sell your personal data to third parties. We do not use your content to train machine learning models.

Links within the Service or our website to third-party websites are governed by those websites’ own privacy policies. We are not responsible for the privacy practices of third-party websites.


7. Data Location and Transfers

All primary infrastructure is hosted within the European Union, with servers in the Netherlands (Amsterdam), Germany (Frankfurt), and France.

Where third-party services process data outside the EU/EEA (Cloudflare’s global edge network, Stripe’s US operations, Resend’s US infrastructure), we ensure appropriate safeguards are in place through the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).


8. Data Retention

We retain your personal data for as long as your account is active and you use the Service.

When you delete your account, we delete your personal data within 90 days. This includes your account data, content, file attachments, search index entries, and profile pictures. Backups containing your data are rotated and overwritten within this same period.

Payment records are retained as required by applicable tax and accounting laws.

Pending notification emails are deleted when you dismiss the related notification or when they are delivered.


9. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Access. You can request a copy of the personal data we hold about you.
  • Rectification. You can update or correct inaccurate data. Most data can be edited directly in the Service.
  • Erasure. You can request deletion of your personal data. You can also delete your account through the Service, which triggers deletion of all your data.
  • Restriction. You can request that we restrict the processing of your data in certain circumstances.
  • Portability. You can request your data in a structured, commonly used, machine-readable format.
  • Objection. You can object to processing based on legitimate interest (analytics and error tracking). We will stop processing unless we have compelling legitimate grounds.
  • Complaint. You have the right to lodge a complaint with a supervisory authority. Our lead authority is Datatilsynet (Danish Data Protection Agency) at datatilsynet.dk.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.


10. Automated Decision-Making

The Service uses automated processing in two areas:

  • Feed ranking. Your feed is ordered by an algorithm that learns from your interaction signals (clicks and dismissals). This affects display order only - it does not restrict access to any content, and it does not produce legal or similarly significant effects.
  • AI features. Conversation summaries and daily overviews are generated by Mistral AI based on anonymised content. These are informational aids and do not make decisions about you.

Neither system makes decisions that produce legal effects or similarly significant effects concerning you. You can contact us at [email protected] if you have questions or concerns about automated processing.


11. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it.


12. Changes to This Policy

We will update this Privacy Policy when our practices change or when required by law. We will post the revised version on our website with an updated effective date. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect.


13. Contact

For questions about this Privacy Policy or to exercise your data protection rights, contact us at [email protected].
