Privacy Policy

Last updated: June 17, 2026

This Global Privacy Policy ("Policy") describes how Boardman Labs Inc. ("Boardman Labs," "we," "us," or "our"), the parent company that operates the Zlaip platform, collects, uses, discloses, and protects personal information when you visit our websites, use our applications, or otherwise interact with our workflow accountability services (collectively, the "Service").

Effective date: June 17, 2026

This Policy is designed to meet common global expectations, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable privacy laws.

By using the Service, you acknowledge this Policy. If you do not agree, do not use the Service.

Who we are and how to contact us
Scope and roles
Personal information we collect
Sources of personal information
Why we use personal information (purposes and legal bases)
AI and automated processing
How we disclose personal information
Sub-processors and service providers
International data transfers
Data retention
Security
Your privacy rights
Region-specific notices
Cookies and similar technologies
Marketing communications
Children's privacy
Data breach notification
Changes to this Policy
Contact and complaints

1. Who we are and how to contact us

Data controller (general):
Boardman Labs Inc. (operates Zlaip)
1279 Northmount Street Oshawa, ON L1G 7M7 Canada

Privacy inquiries: privacy@zlaip.com
Data subject requests: privacy@zlaip.com (subject: "Privacy Request")
Support: support@zlaip.com
Security: security@zlaip.com

Where required by law, we will appoint an EU/UK representative and publish their contact details on this page.

2. Scope and roles

This Policy applies to personal information we process about:

Visitors to our websites
Registered account holders
Magic-link and invited users accessing a specific agreement
Counterparties who communicate with you through the Service

Controller vs. processor. Boardman Labs Inc. is generally the data controller for account, website, and Service-operation data. For Content you and your counterparty submit within an Agreement, you and your counterparty may be independent controllers (or joint controllers) of that Content as between yourselves; Boardman Labs processes it to provide the Service under our Terms and this Policy.

3. Personal information we collect

We collect the categories of personal information below. Exact data depends on how you use the Service.

3.1 Identifiers and account data

Full name, display name, business name
Email address
Account ID, party ID, session and device identifiers
Profession, country, timezone, currency preferences
Profile photo (if uploaded)
Authentication tokens and OAuth provider IDs (Google, Apple, LinkedIn, etc.)

3.2 Agreement and workflow data

Project titles, intake questionnaires, contract text/PDFs
General contract sections, legal terms, milestones, change orders
Accountability Chat messages, reactions, read receipts, attachments metadata
Approval records, signatures, lock events, dispute records
Invoice and payment-readiness state (not full payment card numbers)

3.3 Payment and billing data

Billing contact information
Subscription status and transaction references from payment processors
Connected payout/account identifiers from providers (Stripe, PayPal, Wise, etc.)

We do not intentionally collect or store full payment card numbers on our servers.

3.4 Technical and usage data

IP address, browser type, operating system, device type
Log files, crash reports, performance metrics
Feature usage, clickstream, and diagnostic events
Security signals (failed logins, abuse detection)

3.4 Communications

Support tickets and email correspondence
In-product feedback and survey responses

3.5 Inferences (limited)

We may derive workflow signals (e.g., risk level, scope-drift likelihood) from Agreement Content using automated systems. These are used to surface suggestions in-product, not to make solely automated decisions with legal or similarly significant effects without human involvement.

4. Sources of personal information

We collect personal information from:

You — when you register, complete onboarding, create agreements, chat, or contact support
Your counterparties — when they invite you, message you, or act on shared agreements
Authentication providers — when you choose social sign-in
Integrations you enable — e.g., Slack, Figma, email sync
Payment processors — transaction and connection status
Automatically — through cookies, logs, and similar technologies when you use the Service

5. Why we use personal information (purposes and legal bases)

Purpose	Examples	GDPR legal bases (where applicable)
Provide the Service	Accounts, agreements, chat, locks, exports	Contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f))
Security & fraud prevention	Authentication, abuse detection, audit logs	Legitimate interests; Legal obligation
AI-assisted features	Parsing contracts, workflow detectors, health scoring	Contract; Legitimate interests; Consent where required
Communications	Invites, transactional email, security alerts	Contract; Legitimate interests
Product improvement	Analytics, debugging, feature research	Legitimate interests; Consent where required
Marketing (optional)	Product updates, newsletters	Consent or Legitimate interests where permitted
Legal compliance	Tax, law enforcement requests, disputes	Legal obligation; Legitimate interests

Legitimate interests include operating a secure accountability platform, preventing misuse, and improving reliability, balanced against your rights.

We do not sell personal information for money. We do not share personal information for cross-context behavioral advertising as "selling" or "sharing" under the CCPA/CPRA.

We do not use your private contracts, deliverables, or chat messages to train public third-party foundation models for unrelated commercial products.

6. AI and automated processing

We use automated systems, including AI, to:

Structure contracts and intake into milestones and sections
Detect workflow signals (scope drift, revision usage, approval intent, silence, payment cues)
Compute Agreement Health™ scores and risk indicators
Draft non-binding reminders or intervention cards

Human confirmation required for binding actions (locking agreements, approvals, payment release). Automated outputs are advisory.

You may contact privacy@zlaip.com for information about automated processing relevant to your account. We do not engage in solely automated decision-making that produces legal or similarly significant effects without human review, except as permitted by law and disclosed to you.

7. How we disclose personal information

We disclose personal information only as described below:

Agreement counterparties — Content and actions visible within a shared Agreement according to product permissions
Service providers / sub-processors — hosting, email, analytics, monitoring, support, AI inference providers, payment processors, under contracts requiring appropriate safeguards
Integrations you authorize — when you connect third-party tools
Professional advisers — lawyers, accountants, insurers under confidentiality
Business transfers — merger, acquisition, financing, or sale of assets, subject to this Policy
Legal and safety — to comply with law, court order, or protect rights, safety, and integrity of users and the Service

We may disclose aggregated or de-identified information that cannot reasonably identify you.

8. Sub-processors and service providers

We use trusted providers to operate the Service. Categories include:

Cloud infrastructure (e.g., hosting, databases, object storage)
Email and notifications
Authentication (OAuth providers)
Analytics and error monitoring (e.g., PostHog for product analytics; Cloudflare Web Analytics for aggregated site metrics)
Payment processing (Stripe, PayPal, Wise, and similar)
AI / machine-learning APIs (for parsing and detection, under data-processing terms)
Customer support tools

We require subprocessors to process personal information only on our instructions and implement appropriate security measures. A list of material sub-processors may be provided on request to privacy@zlaip.com.

9. International data transfers

Boardman Labs is based in Canada. We may process and store information in Canada, the United States, and other countries where we or our providers operate.

When we transfer personal information from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as:

Standard Contractual Clauses (SCCs) approved by the European Commission
UK International Data Transfer Agreement or Addendum
Other lawful transfer mechanisms required by applicable law

You may request a copy of relevant safeguards by contacting privacy@zlaip.com.

10. Data retention

We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.

Data category	Typical retention
Account profile	While account is active + reasonable period after closure
Session/device logs	Months to limited years (security and troubleshooting)
Agreement Content (unlocked)	While Agreement active + per product deletion rules
Locked Vault / audit records	Extended retention to preserve integrity and accountability
Support tickets	As needed for case history and legal compliance
Marketing preferences	Until you opt out + suppression record

When you delete an account, we delete or anonymize personal information where feasible. Locked agreement records may be retained where necessary for other Parties' accountability, legal obligations, or dispute resolution.

11. Security

We implement administrative, technical, and organizational measures designed to protect personal information, including:

Encryption in transit (TLS)
Access controls and role-based permissions
Hash-chained append-only audit logs for critical accountability events
Monitoring and incident response procedures
Vendor security review for material subprocessors

No method of transmission or storage is 100% secure. You are responsible for protecting your credentials and devices.

12. Your privacy rights

Depending on your location, you may have the following rights, subject to exceptions:

Access — confirm whether we process your data and obtain a copy
Rectification — correct inaccurate data
Erasure — request deletion where applicable
Restriction — limit processing in certain cases
Portability — receive data you provided in a structured, machine-readable format
Objection — object to processing based on legitimate interests or direct marketing
Withdraw consent — where processing is consent-based
Opt out — of sale/sharing (we do not sell) and certain targeted advertising where applicable

How to exercise rights: Email privacy@zlaip.com with subject "Privacy Request." We will verify your identity before responding. We respond within timelines required by law (e.g., 30 days under GDPR, 45 days under CCPA/CPRA).

Limitations. Rights may be limited where we must retain locked accountability records, comply with law, or where requests are manifestly unfounded or excessive.

You may also use in-product settings to update profile data, manage integrations, and revoke devices where available.

13. Region-specific notices

13.1 EEA, UK, and Switzerland

Controller: Boardman Labs Inc. (see Section 1)
Supervisory authority: You may lodge a complaint with your local data protection authority
Legal bases: See Section 5
Transfers: See Section 9

13.2 United States — California (CCPA/CPRA)

California residents have additional rights:

Right to know categories and specific pieces of personal information collected
Right to delete subject to exceptions
Right to correct inaccurate personal information
Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising
Right to limit use of sensitive personal information — we use sensitive information only as necessary to provide the Service
Non-discrimination for exercising privacy rights

Categories collected (last 12 months): identifiers, commercial information, internet activity, professional information, inferences (limited), and content you provide (see Section 3).

Authorized agent: You may designate an authorized agent with written permission and verification.

Shine the Light: We do not disclose personal information to third parties for their direct marketing purposes as defined under California Civil Code § 1798.83.

13.3 Other U.S. states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other states with comprehensive privacy laws may have similar rights. Contact privacy@zlaip.com to exercise them.

13.4 Canada

Personal information is handled in accordance with applicable federal and provincial privacy laws (including PIPEDA where applicable). You may contact us to access or correct your information.

13.5 Brazil (LGPD)

Brazilian data subjects may exercise rights under the Lei Geral de Proteção de Dados by contacting privacy@zlaip.com.

13.6 Australia

We handle personal information in accordance with the Privacy Act 1988 (Cth) where applicable. Contact us to access or correct information or lodge a complaint with the Office of the Australian Information Commissioner.

14. Cookies and similar technologies

We use cookies, local storage, and similar technologies for:

Type	Purpose
Strictly necessary	Authentication, session continuity, security, load balancing
Functional	Preferences (e.g., theme, sound settings)
Analytics	Usage measurement and performance via PostHog (where enabled) and Cloudflare Web Analytics (cookieless, aggregated)

Your choices:

Browser settings to block or delete cookies
In-product controls where we offer them

Disabling strictly necessary cookies may prevent sign-in or core features.

We do not use cookies for cross-site advertising profiles.

15. Marketing communications

We may send product updates or marketing email where permitted by law and with your consent where required. You may opt out via unsubscribe links or by emailing privacy@zlaip.com.

Transactional messages (security alerts, invites, agreement notifications) are not marketing and may still be sent while you use the Service.

16. Children's privacy

The Service is not directed to individuals under 18 (or the age of digital consent in your jurisdiction, if higher). We do not knowingly collect personal information from children. If you believe a child has provided information, contact privacy@zlaip.com and we will take appropriate steps to delete it.

17. Data breach notification

We maintain incident response procedures. If we become aware of a personal data breach likely to result in risk to your rights, we will notify you and/or regulators as required by applicable law (e.g., GDPR Articles 33–34).

18. Changes to this Policy

We may update this Policy from time to time. We will post the revised version with an updated effective date and, for material changes, provide additional notice (in-product, email, or prominent website notice) where required by law.

19. Contact and complaints

Privacy team: privacy@zlaip.com

Postal: Boardman Labs Inc., Attn: Privacy — Zlaip, 1279 Northmount Street, Oshawa, ON L1G 7M7, Canada

If you are in the EEA/UK and believe we have not addressed your concern, you have the right to complain to your local supervisory authority.

This Policy should be read together with our Terms of Service.

← Back to profile setup

Table of contents