Privacy Policy

Last updated: April 2026

What we collect

Tokanban collects only the data necessary to provide the service:

• Account information — name, email address, and hashed password (or GitHub/Google OAuth profile if you sign in with an OAuth provider).
• Workspace and project data — tasks, comments, sprints, and other content you create through the CLI, API, MCP tools, or dashboard.
• API keys and agent keys — stored securely and used to authenticate programmatic access.
• Usage metadata — timestamps, request counts, and error logs for operational monitoring.

How we use your data

Your data is used solely to operate and improve Tokanban. Specifically:

• To authenticate you and authorize access to your workspaces.
• To store and serve your tasks, projects, and related content.
• To send transactional emails (account verification, password resets) if applicable.
• To monitor service health and debug issues.

What we do not do

• We do not sell, rent, or share your personal data with third parties.
• We do not use your data for advertising or profiling.
• We do not train AI models on your data.

Data storage

Data is stored on Cloudflare infrastructure (Workers, Durable Objects, D1, KV, R2). Passwords are hashed with bcrypt. Sessions use secure, HTTP-only cookies. API keys are stored as irreversible hashes.

Cookies

Tokanban uses a single session cookie (__session) to maintain your login state. We do not use tracking cookies, analytics cookies, or third-party cookies.

Account deletion

You can request deletion of your account and all associated data by contacting us. Upon deletion, your personal data, workspace data, and API keys are permanently removed.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated through the dashboard or email.

Contact

Questions about this policy? Reach us via the support channels listed in your dashboard.