Privacy Policy
Last updated: 26 March 2026
Back to code B.V. ("we", "us", "our") operates the Kendo project management platform at kendo.dev. This privacy policy explains what personal data we collect, why we collect it, and what rights you have.
1. Who we are
| Company | Back to code B.V. |
| Address | Europaweg 31, 9723 AS Groningen, The Netherlands |
| KvK | 85421340 |
| Email | [email protected] |
We are both the controller and processor of your personal data within the meaning of the General Data Protection Regulation (GDPR).
2. What data we collect
2.1 Waitlist (kendo.dev)
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Notify you when Kendo is available | Consent (Art. 6(1)(a) GDPR) |
You can unsubscribe at any time using the link in every waitlist email.
2.2 Account data (app.kendo.dev)
| Data | Purpose | Legal basis |
|---|---|---|
| First name, last name | Display in the app, team collaboration | Contract performance (Art. 6(1)(b)) |
| Email address | Authentication, notifications | Contract performance (Art. 6(1)(b)) |
| Password | Authentication (stored hashed, never in plain text) | Contract performance (Art. 6(1)(b)) |
| Profile picture | Display in the app | Contract performance (Art. 6(1)(b)) |
| Two-factor authentication secret | Account security (stored encrypted) | Legitimate interest (Art. 6(1)(f)) |
| Notification preferences | Email notification settings | Contract performance (Art. 6(1)(b)) |
2.3 Project data
When you use Kendo, you create and store project-related data including issues, comments, time entries, sprints, epics, reports, and attachments. This data belongs to your workspace and is processed solely to provide the service.
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
2.4 GitHub integration
If you connect your GitHub account, we store an OAuth token to sync repositories and issues. We do not access your GitHub data beyond what is required for the integration. You can disconnect GitHub at any time from your settings.
Legal basis: Consent (Art. 6(1)(a) GDPR).
2.5 Technical data
| Data | Purpose | Legal basis |
|---|---|---|
| IP address | Server logs, security | Legitimate interest (Art. 6(1)(f)) |
| Session identifier | Maintain your login session | Contract performance (Art. 6(1)(b)) |
We do not use analytics services, tracking pixels, or advertising cookies.
3. Cookies
We use only strictly necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Keeps you logged in | 120 minutes (or until browser close) |
| CSRF token | Protects against cross-site request forgery | Session |
| Remember token | "Remember me" functionality | 30 days |
These cookies are essential for the application to function and do not require consent under the ePrivacy Directive. We do not place any tracking, analytics, or marketing cookies.
For more details, see our Cookie Policy.
4. Where your data is stored
All data is stored and processed within the European Union:
| Component | Provider | Location |
|---|---|---|
| Application server | Fly.io | Amsterdam, Netherlands |
| Database (MySQL) | Fly.io | Amsterdam, Netherlands |
We do not transfer your personal data outside the EU/EEA. If this changes in the future, we will update this policy and ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
5. Who has access to your data
- You and your workspace members — Project data is shared within your Kendo workspace according to the permissions set by your workspace administrator.
- Back to code B.V. — Our team may access your data for support, debugging, or legal compliance. Access is limited to what is necessary.
- Infrastructure providers — Fly.io processes data on our behalf under a Data Processing Agreement (DPA). They do not access your data for their own purposes.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
6. How long we keep your data
| Data | Retention |
|---|---|
| Waitlist email | Until you unsubscribe or the waitlist closes |
| Account data | For the duration of your account, plus 30 days after deletion |
| Project data | For the duration of your workspace, deleted when the workspace is removed |
| Server logs | Maximum 90 days |
| Backups | Maximum 30 days, then permanently deleted |
When you delete your account, we soft-delete your data for 30 days (to allow recovery if needed), after which it is permanently removed.
7. Your rights
Under the GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate data |
| Erasure | Ask us to delete your data ("right to be forgotten") |
| Restriction | Ask us to restrict processing of your data |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Withdraw consent | Withdraw consent at any time (e.g., waitlist, GitHub integration) |
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
8. Data security
We take appropriate technical and organisational measures to protect your data:
- Passwords are hashed (bcrypt)
- Two-factor secrets are encrypted at rest
- Sessions are encrypted and stored server-side (database)
- All connections use HTTPS/TLS
- Cookies are HTTP-only and Secure-flagged
- CSRF protection on all state-changing requests
Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of discovery, as required by Article 33 GDPR. If the breach is likely to result in a high risk to you, we will also inform you directly without undue delay.
9. Children
Kendo is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this privacy policy from time to time. When we make significant changes, we will notify you by email or through the application. The "last updated" date at the top of this page reflects when the policy was last revised.
11. Complaints
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
- Website: https://autoriteitpersoonsgegevens.nl
- Phone: 088 - 1805 250
12. Contact
For any questions about this privacy policy or your personal data:
Back to code B.V.
Europaweg 31, 9723 AS Groningen, The Netherlands
[email protected]