1. Introduction
IS.TEAM LLC ("IS.TEAM," "we," "us," or "our") operates the is.team platform, a collaborative project management and productivity service. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website at https://is.team and our associated applications, APIs, and services (collectively, the "Service").
Please read this policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must discontinue use immediately.
This policy is incorporated into and governed by our Terms of Service.
2. Definitions
| Term | Meaning |
|---|---|
| Personal Information | Any data that identifies or can reasonably identify you |
| User Content | Tasks, notes, comments, boards, files, and audio you create on the Service |
| Workspace | An organizational unit containing boards, members, and settings |
| Third-Party Integration | GitHub, Slack, Google Drive, Figma, or other external services connected to the Service |
| Subprocessor | A vendor we engage to process personal information on our behalf |
3. Information We Collect
3.1 Information You Provide Directly
Account Registration
- Full name and display name
- Email address
- Password (stored as a bcrypt/Firebase-managed hash; we never store plaintext passwords)
- Profile photo (optional)
- Language and timezone preferences
Workspace and Collaboration Data
- Workspace names, descriptions, and configuration settings
- Board names, column titles, task titles, descriptions, priorities, assignees, labels, due dates, and story points
- Notes and rich-text content created on the canvas
- Comments, @mentions, and reactions
- File attachments (images, documents, and other files uploaded to tasks)
- Time tracking entries (manually entered or timer-started durations)
- Canvas layout data (node positions, edge connections, zoom level)
Voice and Audio Data (Meeting Notes Feature)
- Audio recordings of meetings initiated by you using the "Record" function
- AI-generated transcripts of those recordings
- Extracted action items derived from transcripts
- You are solely responsible for obtaining consent from all meeting participants before recording; see Section 13 (Voice Recording and Consent).
Payment and Billing Information
- Plan selections and billing period preferences
- All payment card data is collected and processed directly by Stripe, Inc. (our payment processor) and is never transmitted to or stored on IS.TEAM servers. We receive only non-sensitive billing metadata from Stripe such as subscription status, plan type, last four digits of the card, and billing country.
Communications
- Emails and messages you send to hi@is.team or our support channels
- Survey responses and feedback submissions
- Referral invitations sent on your behalf
3.2 Information We Collect Automatically
Log and Usage Data
- IP address and approximate geographic location (city/country)
- Browser type, version, and operating system
- Device type (desktop, mobile, tablet) and screen resolution
- Pages visited, features used, and click-path analytics
- Session duration, entry and exit pages
- HTTP referrer URL
Canvas and Interaction Data
- Cursor position and movement within shared canvases (used for real-time collaboration presence; ephemeral, not persistently stored beyond the session)
- Board and node interaction patterns (resize, drag, zoom)
- Feature usage frequency (e.g., number of AI requests made, webhooks triggered)
Desktop Timer Application Data
- API token (stored locally on your device; never transmitted to IS.TEAM servers — authentication occurs directly between the Desktop Timer and the IS.TEAM API)
- Workspace, board, and task identifiers accessed during use
- Time entries created and saved to the server
- The Desktop Timer does not collect analytics, crash reports, or telemetry data. It communicates only with IS.TEAM API endpoints to authenticate, fetch workspace/board/task data, and save time entries.
Crash and Performance Data
- JavaScript errors and stack traces
- API response times and error codes
- Client-side performance metrics
Cookies and Similar Technologies
- See our Cookie Policy for full details.
3.3 Information from Third-Party Integrations
When you connect a third-party service, we collect only the data necessary to provide the integration feature. Specific data collected per integration:
| Integration | Data We Access | How We Use It |
|---|---|---|
| GitHub | Repository names, pull request titles/states/URLs, issue titles/states/URLs, your GitHub username | Link PRs/issues to tasks; update task status on merge/close |
| Slack | Workspace name, channel list, your Slack user ID | Send task assignment and comment notifications to Slack |
| Google Drive | File names, MIME types, thumbnail URLs, shared links, your Drive username | Attach Drive files to tasks; display previews |
| Figma | File names, project names, thumbnail URLs, embed tokens | Attach Figma files to tasks; display in-app previews |
| Zapier / Make.com | Webhook payloads you configure (task data as defined in Developer & API Terms) | Execute automations via incoming/outgoing webhooks |
We do not read or store the full contents of your GitHub repositories, Slack message histories, Google Drive file contents, or Figma design layer data beyond what is listed above.
OAuth access tokens for third-party integrations are stored encrypted in Firebase Firestore. Refresh tokens are stored with AES-256 encryption. You may revoke any integration at any time through Workspace Settings → Integrations.
3.4 Information from Third Parties
Referral Program
- If someone refers you, we record the referral relationship (referrer ID and your user ID) to credit the referral reward.
Analytics and Advertising Partners
- We may receive aggregated demographic or interest data from analytics providers to understand our audience. This data is not linked to your individual account without your consent.
4. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal information under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service and account management | Contract performance (Art. 6(1)(b) GDPR) |
| Payment processing and fraud prevention | Contract performance + Legitimate interest |
| Sending service-critical emails (receipts, security alerts) | Contract performance |
| Sending marketing emails | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Security monitoring and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Analytics and product improvement | Legitimate interest (Art. 6(1)(f)) — with opt-out available |
| Legal compliance (tax records, DMCA) | Legal obligation (Art. 6(1)(c)) |
You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
5. How We Use Your Information
We use the information we collect to:
Provide and Improve the Service
- Create and maintain your account and workspace
- Render boards, tasks, notes, and canvas state across devices
- Enable real-time collaboration (cursor presence, co-editing)
- Process AI requests (Meeting Notes transcription, AI Task Assistant, AI Workflow Planner)
- Execute webhook automations (incoming and outgoing)
- Process payments, manage subscriptions, and send billing receipts
Communications
- Send transactional emails: account verification, password reset, invitation notifications, payment receipts, subscription changes
- Send in-app notifications: task assignments, @mentions, comments, team invitations
- Send marketing emails only if you have opted in at registration or subsequently
- Respond to your support inquiries
Safety, Security, and Legal Compliance
- Detect and prevent fraud, abuse, and unauthorized access
- Enforce our Terms of Service and Acceptable Use Policy
- Comply with applicable law, subpoenas, court orders, and regulatory requests
- Resolve disputes and enforce our agreements
Analytics and Product Development
- Analyze feature usage to prioritize improvements
- Conduct A/B testing and usability research (aggregated or anonymized where possible)
- Generate aggregated, non-identifiable statistics about our user base
6. Sharing Your Information
We do not sell your personal information. We share information only in the circumstances described below.
6.1 With Other Users in Your Workspace
Information you add to a shared workspace (tasks, comments, board activity, cursor position, profile photo, display name) is visible to other members of that workspace according to their roles.
6.2 With Subprocessors
We engage the following third-party subprocessors to operate the Service:
| Subprocessor | Role | Location | Privacy/Security Info |
|---|---|---|---|
| Google Firebase (Google LLC) | Authentication, Firestore database, Realtime Database, Cloud Storage, Analytics | USA (global CDN) | Firebase Privacy |
| Stripe, Inc. | Payment processing and subscription management | USA | Stripe Privacy |
| Resend, Inc. | Transactional and notification email delivery | USA | Resend Privacy |
| Daily.co (Daily.co, Inc.) | Voice/video room infrastructure for Meeting Notes | USA | Daily Privacy |
| Google AI / Gemini (Google LLC) | AI transcription, task generation, workflow suggestions | USA | Google AI Terms |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | USA (global CDN) | Cloudflare Privacy |
All subprocessors are bound by contractual obligations to process personal information only on our documented instructions and to implement appropriate security measures.
6.3 With Third-Party Integration Partners
When you connect a third-party integration, you authorize us to share relevant task and workspace data with that provider as necessary to fulfill the integration's purpose. Those providers' own privacy policies govern their use of the data they receive.
6.4 Business Transfers
If IS.TEAM is involved in a merger, acquisition, asset sale, financing, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice via email and/or a prominent notice on the Service before personal information is transferred and becomes subject to a different privacy policy.
6.5 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process (subpoena, court order, government request). We will notify you of such requests unless prohibited by law or where notification would be futile (e.g., emergency involving risk of harm).
6.6 Protection of Rights
We may disclose information where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of IS.TEAM, our users, or the public, including to prevent fraud or imminent harm.
7. Cookies and Tracking Technologies
We use cookies, local storage, and similar technologies to operate the Service. Please see our Cookie Policy for a full list of cookies, their purposes, durations, and how to control them.
Summary:
- Strictly Necessary: Firebase authentication session tokens, CSRF tokens — cannot be disabled without breaking the Service
- Functional: User preferences (theme, language, canvas zoom) — disabled via Cookie Settings
- Analytics: Aggregated usage and performance metrics — disabled via Cookie Settings or opt-out
- Marketing: Interest-based personalization — only placed with your explicit consent
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Active account and workspace data | Until account deletion |
| Deleted workspaces (soft delete) | 30 days (restoreable), then permanent deletion |
| Deleted user accounts | 60 days (restorable), then permanent deletion |
| Audio recordings (Meeting Notes) | Until you delete the associated transcript/task, or account deletion |
| AI transcripts and extracted tasks | Same as task data — until manually deleted or account deletion |
| Payment and billing records | 7 years (US tax law requirement) |
| Server access logs | 90 days rolling |
| Security and fraud logs | 1 year |
| Backup snapshots | 30-day rolling window |
| Marketing email consent records | Duration of account + 3 years (CAN-SPAM compliance) |
| Support communications | 2 years after resolution |
| Desktop Timer local data (API token) | Until app is uninstalled or token is manually cleared |
| Desktop Timer time entries (server-side) | Same as task data — until manually deleted or account deletion |
When you delete your account, we initiate deletion of your personal data within 60 days, except where retention is required by law (e.g., billing records) or where data has been shared with other workspace members (their copies are retained under their own accounts).
9. Your Rights and Choices
9.1 All Users
- Access: Request a copy of the personal information we hold about you
- Correction: Update your account information at any time through Account Settings
- Deletion: Delete your account and associated personal data through Account Settings → Delete Account (60-day soft delete, then permanent)
- Portability: Request an export of your data in a machine-readable format
- Marketing opt-out: Unsubscribe from marketing emails via the unsubscribe link in any marketing email or through Account Settings → Notifications
- Cookie preferences: Manage cookie settings through our Cookie Consent banner or browser settings
9.2 California Residents (CCPA / CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the 2026 amendments:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the purposes of collection, and the categories of third parties with whom we share it
- Right to Delete: Request deletion of your personal information (subject to certain exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: We do not sell or share (for cross-context behavioral advertising) your personal information. No opt-out is needed, but you may contact us to confirm. We honor browser-based opt-out preference signals (such as the Global Privacy Control) as valid opt-out requests per CPRA regulations.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is permitted by the CPRA (providing the Service, security, legal compliance). Under the 2026 CCPA amendments, neural data is classified as sensitive personal information; IS.TEAM does not collect neural data.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Submitting a CCPA Request: Email privacy@is.team with "CCPA Request" in the subject line. We will verify your identity and respond within 45 days (extendable by another 45 days with notice).
Authorized Agent: You may designate an authorized agent to submit requests on your behalf by providing a signed written authorization.
Categories of Personal Information Collected (CCPA Categories):
- Identifiers (name, email, IP address)
- Commercial information (subscription plan, billing history)
- Internet or electronic network activity (usage data, clickstream)
- Audio data (voice recordings when Meeting Notes feature is used)
- Professional or employment-related information (workspace role, team membership)
- Inferences (product usage patterns for improving the Service)
9.2.1 Other US State Privacy Laws
In addition to California, residents of other US states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, Indiana, and others enacted through 2026) may have similar rights to access, correct, delete, and opt out of certain data processing. To exercise any state-specific privacy rights, email privacy@is.team with your state of residence. We will respond within the timeframe required by your state's applicable law.
9.3 EEA and UK Residents (GDPR / UK GDPR)
You have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:
- Right of Access (Art. 15)
- Right to Rectification (Art. 16)
- Right to Erasure ("Right to be Forgotten") (Art. 17)
- Right to Restriction of Processing (Art. 18)
- Right to Data Portability (Art. 20)
- Right to Object to processing based on legitimate interests (Art. 21)
- Right to Withdraw Consent at any time (Art. 7(3))
- Right to Lodge a Complaint with your local supervisory authority
To exercise these rights, email privacy@is.team. We respond within 30 days.
Data Controller: IS.TEAM LLC, 123 Placeholder Street, Suite 100, Wilmington, DE 19801, USA
Note on International Transfers: IS.TEAM is based in the United States. If you are located in the EEA or UK, your personal information is transferred to the US under the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) where applicable for our subprocessors.
9.4 Nevada Residents
Nevada residents may opt out of the future sale of personal information by emailing privacy@is.team. We do not sell personal information.
10. Data Security
We implement industry-standard technical and organizational measures to protect your personal information:
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher (HTTPS enforced via HSTS)
- Encryption at rest: Firebase Firestore, Cloud Storage, and Realtime Database data is encrypted at rest by Google using AES-256
- OAuth token encryption: Third-party integration access tokens and refresh tokens are encrypted with AES-256 before storage
- Password hashing: Firebase Authentication manages password storage using industry-standard hashing (bcrypt-based)
- Access controls: Production database access is restricted to authorized IS.TEAM personnel on a need-to-know basis with multi-factor authentication required
- Firestore Security Rules: All database access is governed by Firestore Security Rules that enforce role-based access at the workspace level
- Webhook HMAC signing: Outgoing webhooks are signed with HMAC-SHA256; recipients can verify authenticity using their webhook secret
- API token security: IS.AI LLM API tokens (
ist_prefix) are hashed before storage and scoped to individual boards - Audit logging: Security-relevant events (login attempts, permission changes, webhook triggers) are logged and retained for 1 year
Breach Notification: In the event of a data breach that poses risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law (typically within 72 hours under GDPR, or as required by applicable state breach notification laws).
No method of transmission or storage is 100% secure. You bear responsibility for maintaining the confidentiality of your account credentials.
11. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you are a parent or guardian and believe your child under 16 has provided personal information to us, please contact privacy@is.team immediately. We will delete such information promptly.
If we discover that a user under 16 has registered, we will terminate that account and delete associated data.
We do not knowingly collect personal information from children under 13 as defined by the Children's Online Privacy Protection Act (COPPA). Our Terms of Service require all users to be at least 16 years of age.
12. Voice Recording and Audio Data
The Meeting Notes feature allows you to record audio of meetings. This involves particular privacy considerations:
Your Responsibilities:
- Before recording any meeting, you must inform all participants that the meeting is being recorded
- You must obtain all legally required consents (federal and state wiretapping laws, including two-party consent states such as California, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington; Connecticut and Oregon require all-party consent for certain communication types)
- You must not use the recording feature to surreptitiously record anyone without their knowledge
How We Handle Audio:
- Audio is transmitted to Google Gemini (our AI transcription provider) for transcription processing
- Audio files are temporarily stored during processing and deleted after transcription is complete
- Transcripts and extracted action items are stored in your Firestore workspace and persist until you delete them
- We do not use your audio recordings or transcripts to train our AI models
- You may delete any transcript and its associated audio at any time
Third-Party Transcription (Daily.co and Google Gemini): Daily.co provides the underlying voice room infrastructure. Google Gemini processes audio for transcription. Both subprocessors are bound by data processing agreements. Their handling of audio data is also subject to their respective privacy policies (see Section 6.2).
13. AI Features and Data Processing
IS.TEAM incorporates AI-powered features including:
- Meeting Notes: Audio transcription and action item extraction (Google Gemini)
- AI Task Assistant (IS.AI): LLM-based task reading, commenting, status updates, and task movement via API
- AI Workflow Planner: Suggested board structures and task breakdowns
Data Used in AI Processing:
- For Meeting Notes: Your audio recording
- For IS.AI API: Board and task data from the specific board the token is scoped to
- For AI Workflow Planner: Task titles and descriptions you provide
Model Training: We do not use your User Content to train AI models. Data sent to Google Gemini is processed under our data processing agreement which restricts use to service provision.
Data Retention for AI Inputs: Audio sent for transcription is not persistently retained by IS.TEAM after processing. See the AI Supplementary Terms for additional details.
14. Third-Party Links and Services
The Service may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through links on our platform.
Integration partner services (GitHub, Slack, Google Drive, Figma) are governed by their own privacy policies once you access them through their own interfaces.
15. Analytics and Tracking
We use Firebase Analytics (Google) to collect aggregated usage statistics. Firebase Analytics may use device identifiers and usage patterns for attribution and analytics purposes. You may limit data collection by:
- Opting out through our Cookie Settings
- Using your browser's Do Not Track (DNT) signal (we honor DNT where technically feasible)
- Using an ad blocker or analytics blocker
We do not currently engage in cross-site behavioral advertising or sell advertising audiences based on your usage of IS.TEAM.
16. Marketing Communications
We send marketing emails only to users who have provided explicit opt-in consent at registration or have subsequently opted in through Account Settings.
Each marketing email includes:
- Our physical mailing address
- A clear, one-click unsubscribe link
- Identification that the message is a commercial communication
You may unsubscribe at any time. Unsubscribes are processed within 10 business days. Note that unsubscribing from marketing emails will not affect transactional emails (account alerts, security notices, billing receipts) which are necessary for the Service.
17. Do Not Track
Some browsers have a "Do Not Track" (DNT) feature that transmits a signal to websites you visit indicating you prefer not to be tracked. We currently honor DNT signals by limiting non-essential tracking when a DNT signal is detected. However, no uniform technical standard for DNT compliance exists, and our response may vary.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Sending an email to your registered address at least 30 days before the change takes effect
- Displaying a prominent notice on the Service
Your continued use of the Service after the effective date of the revised policy constitutes your acceptance. If you do not agree with the changes, you must stop using the Service before the effective date and may request deletion of your data.
The "Last Updated" date at the top of this page indicates when this policy was most recently revised. We maintain an archive of previous policy versions available upon request.
19. Contact Us
For privacy-related inquiries, data requests, or to exercise your rights:
IS.TEAM LLC — Privacy 123 Placeholder Street, Suite 100 Wilmington, DE 19801 United States Email: privacy@is.team General Contact: hi@is.team Website: https://is.team
For EU/UK GDPR requests, please mark your email subject with "GDPR Request — [Type]" for expedited handling.
We will acknowledge your request within 5 business days and respond substantively within the timeframes required by applicable law.