Privacy Policy
Short and honest. GDPR-compliant. Last updated: May 2026.
Data controller
Who is responsible for your data
The data controller for All Story Points is Pixel Target Krzysztof Binkiewicz, a sole proprietorship registered in Poland.
Scope
This policy covers data processed when you use the All Story Points website (allstorypoints.com) and web application (app.allstorypoints.com). It complies with the EU General Data Protection Regulation (GDPR).
What we collect
Account data
Email address (required). Display name (optional). Timezone. Your password is stored as a bcrypt hash — we never see the plaintext.
Team & sprint data
Project names, sprint records, team member names or aliases, roles, availability. You control this data. Aliases are fully supported — real names are never required.
Security logs
IP address, browser user-agent, and login outcomes (success/failure) are logged for brute-force protection. Automatically purged after 90 days.
Usage analytics
Google Analytics collects anonymised usage patterns (page views, navigation flows). No personal identifiers are linked. You can opt out via browser settings or the GA opt-out extension.
Cookies
We use two types of cookies. Essential cookies (asp_access, asp_refresh) are httpOnly JWT tokens required for authentication — they cannot be disabled without losing access to your account. Analytics cookies set by Google Analytics are non-essential and off by default — you are asked for consent on your first visit via the cookie banner. You can change your preference at any time using the Cookie settings link in the footer.
Legal basis & how we use it
Under GDPR Art. 6, we process your data on the following legal bases:
Core service delivery
Account data, team/sprint data, and auth cookies — necessary to provide the service you signed up for.
Security
Security logs (IP, user-agent, login outcomes) — necessary to detect and prevent brute-force attacks and account takeovers.
Analytics
Google Analytics cookies — off by default, loaded only after you accept via the consent banner. Withdraw consent at any time via the Cookie settings link in the footer.
Billing records
Transaction records retained for 7 years as required by Polish tax law (even after account deletion).
Providing the service
Sprint forecasting, velocity calculations, capacity tracking, and all core features. Data is used only for the purpose it was collected.
Transactional emails
Email confirmation on registration, password reset links, and billing-related notifications. No marketing emails without explicit consent.
What we never do
We do not sell, rent, or share your personal data with third parties for advertising. We do not use your sprint or team data to train AI models or for any purpose other than providing All Story Points to you.
Third-party processors
We use a small number of third-party services to operate. Each processes only what is strictly necessary.
Stripe
Payment processing. Handles all card data under PCI DSS compliance. We never receive or store raw card numbers. Governed by Stripe's Privacy Policy.
Google Analytics
Anonymised usage statistics (page views, navigation). IP addresses are anonymised. Data is subject to Google's Privacy Policy and may be stored outside the EU under SCCs.
SMTP provider
Used only to send transactional emails (email confirmation, password reset). Your email address is passed to deliver the message. No marketing use.
Retention & security
How long we keep your data
Billing records (transaction ID, plan, amount, date) are retained for 7 years even after account deletion, as required by Polish tax legislation. No personal sprint or team data is retained after account deletion.
How we protect your data
Passwords hashed with bcrypt (12 rounds). Authentication via httpOnly, SameSite cookies — inaccessible to JavaScript. All billing handled by Stripe (PCI DSS). Sensitive data encrypted at rest. HTTPS enforced everywhere.
International transfers
Primary data is stored within the EU. Stripe and Google Analytics may transfer data outside the EU under Standard Contractual Clauses (SCCs) approved by the European Commission.
Your rights
Under GDPR you have the following rights regarding your personal data. We respond to all requests within 30 days.
Access
Request a copy of all personal data we hold about you.
Rectification
Correct inaccurate or incomplete personal data. Most account data is editable directly from your Profile.
Erasure
Delete your account and all associated data from Profile → Delete Account. Billing records are retained per legal obligation (7 years).
Restriction
Request that we restrict processing of your data in certain circumstances while a complaint or dispute is resolved.
Portability
Request your data in a structured, machine-readable format. Contact us at hello@allstorypoints.com.
Object & withdraw consent
Object to processing based on legitimate interest, or withdraw consent for analytics at any time via browser settings. Withdrawing consent does not affect prior lawful processing.
Children & policy updates
Children
All Story Points is not directed at persons under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, contact us immediately at hello@allstorypoints.com and we will delete it promptly.
Policy updates
We may update this Privacy Policy from time to time. For material changes we will notify you by email at least 14 days before they take effect. The current version is always at allstorypoints.com/privacy with the "last updated" date at the top.
Questions about your data?
We take privacy seriously and respond to all enquiries within 30 days.