Taulu

Privacy notice

Last updated: 6 May 2026

Who we are

Taulu is operated by sampsa.dev oy, a Finnish limited liability company (Y-tunnus 3183970-6, VAT FI31839706), registered at Fredikanterassi 7 C 120, 00520 Helsinki, Finland. sampsa.dev oy is the data controller for personal data processed through Taulu.

For privacy questions write to [email protected] with the word “privacy” in the subject line.

What we collect

  • Account data: your email address, the timestamp of when you confirmed it, and the OAuth identity (provider plus subject id) you linked, if any.
  • Content: boards you create, sticky notes, text, attachments, kanban columns and cards, mindmap nodes, shapes, connectors, tables, checklists, and similar collaborative canvas data. Stored in our Postgres database and in our object store with server-side encryption at rest, both hosted in Helsinki, Finland.
  • Integration credentials: when you connect Trello or Miro to import boards, we store the OAuth access and refresh tokens you authorised, encrypted at rest. We use them only to fetch the content you choose to import, and you can revoke them any time from the third-party service or from Settings.
  • Photo-import submissions: when you choose to extract a pasted or dropped image into board items, the image bytes are sent to our AI sub-processor (Mistral AI SAS, France) for that single request. The resulting items and the original image are placed on your canvas under your control; we do not retain a separate copy of the submission.
  • Voice rooms: each board has an opt-in voice space (one default Board room plus any breakout rooms a facilitator opens). When you join a room your audio is end-to-end encrypted between participants using per-room SFrame keys; our routing server (voice.taulu.app) forwards only encrypted media packets and never sees plaintext audio. Voice state (room membership, in-room text chat) is held in memory only and is never persisted to disk: a server restart resets the voice space. Joining is opt-in every time, your microphone is muted by default, and viewers (read-only board access) can listen but cannot publish audio.
  • Session telemetry: IP address, user-agent string, and timestamps for login, logout, and sensitive mutations. Retained for incident response and support.
  • Privacy preferences: the choices you set on your privacy settings, plus the time each was saved.

How we use it

  • Service operation (contract, Art. 6(1)(b)): everything required to actually run the collaborative canvas. Storing your boards, syncing them between your devices, authenticating you.
  • Error monitoring (legitimate interest, Art. 6(1)(f)): automatic error reports with your content and personal identifiers scrubbed, used to identify and fix bugs. Retention: 90 days. You can object in Settings → Privacy.
  • Abuse prevention and debugging (legitimate interest): an audit log of administrative actions, plus the break-glass observer path that lets operators view a board when responding to incidents. Every observation is recorded.
  • Product updates: emails a few times a year, only if you opt in (consent, Art. 6(1)(a)).
  • Usage analytics: aggregate product analytics, only if you opt in (consent, Art. 5(3) ePrivacy + Art. 6(1)(a) GDPR).

What we don’t do without your consent

  • No pre-ticked consent boxes. Marketing and analytics default to off.
  • No sharing of your content with other users unless you explicitly invite them or grant support access.
  • No selling data to third parties. Ever.
  • No profiling for automated decisions.

Support access

When you ask for debugging help you can grant Taulu support staff a time-boxed (24-hour or 7-day) read-only session to view a specific board. We recommend this over a generic “let staff see my stuff” toggle: it’s scoped, expirable, revocable at any time from Settings, and every session is audit-logged.

Operators retain a separate break-glass observer path for incident response. It is never silent. Every session is audited and recorded.

Your rights (GDPR, UK GDPR, similar)

  • Access: request a copy of the data we hold on you.
  • Correction: update your email in Settings, or ask us for any other field.
  • Deletion: email [email protected] from your account address to request deletion. We delete your user row, boards in your personal org, and granted board memberships within 30 days of the request. A self-serve deletion flow in Settings is on the roadmap. Past audit-log entries referencing your actions are retained for the integrity of the audit trail (legal obligation basis).
  • Withdraw consent: flip any toggle off in Settings → Privacy. Withdrawal stops future processing in that category.
  • Objection: you can object to processing under legitimate interest, including error reporting and audit logging. For error reporting, the toggle in Settings implements this directly.
  • Portability: boards can be exported as JSON or PNG from the canvas UI. Reach out if you need a structured data export for other fields.
  • Complaint: you have the right to complain to your local data protection authority.

Retention

  • Account data: while your account exists. Deleted on request.
  • Board content: while the board is live. Soft-deleted boards are hard-purged after a short delay.
  • Inactive organisations: if an organisation has no paid subscription and no editor activity for 12 consecutive months we email the owner and admins to flag the dormancy. If inactivity continues past 24 months we send a final 30-day notice and then hard-delete the organisation’s boards, attachments, and related Customer Content. Signing in or making any edit at any point resets the clock. We retain a single audit-log row recording the deletion event itself for the integrity of the audit trail.
  • Audit events: retained indefinitely for legal and security integrity.
  • Error reports: 90 days.
  • Backups: encrypted database snapshots retained for 14 days locally, longer in offsite storage per our ops process.

Sub-processors

We use a small number of service providers to run Taulu. Each is bound by contract to process your data only on our instructions and to maintain appropriate security measures. Application, database, object storage, and voice routing are hosted on EU cloud infrastructure in Helsinki, Finland, with encrypted offsite backups in another EU region.

| Sub-processor | Purpose | Personal data involved | Location |
| --- | --- | --- | --- |
| UpCloud Ltd | Hosting: managed Kubernetes (application servers), managed Postgres database, S3-compatible Managed Object Storage for attachments, and the voice routing server (voice.taulu.app). Encrypted at rest. The voice routing server processes only end-to-end encrypted media packets and never sees plaintext audio. | All data we process for you. | Helsinki, Finland (fi-hel1); Managed Object Storage in UpCloud’s europe-1 region (Finland, Sweden, Germany); offsite encrypted backups in a second UpCloud region. |
| Paddle.com Market Ltd & Paddle Payments Ltd | Subscription billing and merchant of record (EU entity: Dublin). | Billing name, email, address, payment method metadata. | UK / Ireland |
| Mistral AI SAS | Photo-import OCR (Mistral Large 3 vision). Invoked only when you explicitly extract a pasted or dropped image. | The image bytes you submitted plus the structured response. No account identifier, board id, or other Taulu metadata is sent. Mistral does not train on API inputs per its commercial API terms. | Paris, France (EU) |
| Brevo (Sendinblue SAS) | Transactional email delivery: magic-link sign-in, account notifications. | Recipient email address and message content. | France (EU) |
| Cloudflare, Inc. | DNS, TLS termination, DDoS / WAF. | IP address, user-agent string, plus standard request metadata. | Global (EU edge for EU traffic) |
| MaxMind GeoLite2 | Country lookup for session audit (local database, no per-request call). | IP address (only locally, never sent to MaxMind). | Local only |
| OAuth identity providers (Google, GitHub) | Sign-in if you choose this method. | Only the provider identifier and email you have shared with us. | US / EU |
| Trello (Atlassian Pty Ltd) | Only if you connect a Trello account: importing boards into Taulu on your behalf. | OAuth identifiers and the Trello content you choose to import. | US / EU |
| Miro (RealtimeBoard, Inc.) | Only if you connect a Miro account: importing boards into Taulu on your behalf. | OAuth identifiers and the Miro content you choose to import. | US / EU |
| Asana, Inc. | Only if you connect an Asana account: importing projects into Taulu on your behalf. | OAuth identifiers and the Asana content you choose to import. | US / EU |
| Atlassian Pty Ltd (Jira) | Only if you connect a Jira account: importing projects into Taulu on your behalf. | OAuth identifiers and the Jira content you choose to import. | US / EU |
| Mural (Tactivos, Inc.) | Only if you connect a Mural account: importing murals into Taulu on your behalf. | OAuth identifiers and the Mural content you choose to import. | US / EU |
| Monday.com Ltd | Only if you connect a Monday account: importing boards into Taulu on your behalf. | OAuth identifiers and the Monday content you choose to import. | Israel / EU |
| AppSignal B.V. | Error monitoring with user content and identifiers scrubbed. | Stack traces, scrubbed request metadata. | Amsterdam, Netherlands (EU) |

Paddle is our payments sub-processor and the merchant of record. For the transaction itself Paddle is an independent data controller for billing purposes, per its own privacy policy.

We will update this list when we add or change a sub-processor. Material changes also bump the version of this notice.

If you use Taulu to process personal data of your own customers, employees, or contacts (so that you are the controller and we are the processor for that content), our standing Data Processing Addendum applies. No signature is needed; it is incorporated into the Terms of Service by reference.

Cookies

Taulu sets a small number of strictly-necessary cookies: a Phoenix session cookie that keeps you signed in, an opt-in “remember me” token that extends a sign-in for up to 90 days, a signed theme-preference cookie (_taulu_theme), and a short-lived helper cookie used by the Miro install handoff. Cloudflare adds its own anti-DDoS cookies. We do not set marketing, advertising, or third-party analytics cookies. Full list with retention details: Cookies.

Changes to this notice

When this notice changes in a substantive way we ask you to review and re-save your privacy preferences the next time you sign in. Minor edits (typos, clarifications) do not trigger a re-prompt.

Contact

sampsa.dev oy
Fredikanterassi 7 C 120
00520 Helsinki
Finland
[email protected] with the word “privacy” in the subject line.