SprintHelm

Privacy Policy

Effective date: 2 April 2026  ·  Version 1.0

1. Who We Are

SprintHelm (“we”, “us”, or “our”) operates the sprint planning platform at app.sprinthelm.com and the marketing website at sprinthelm.com.

For the purposes of the UK GDPR and EU GDPR, SprintHelm is the data controller for personal data collected through the Service. For questions or to exercise your rights, contact us at privacy@sprinthelm.com.

2. Data We Collect

Account data

  • Email address (required for all sign-up methods)
  • Full name (collected during onboarding, optional)
  • Organisation name (collected during onboarding)
  • Sign-in method (email/password, magic link, or Google OAuth)

Sprint planning data

  • Ticket titles and identifiers you submit
  • Ticket attributes: effort estimates, impact scores, type, and epic grouping
  • Team configuration: team name, number of developers, seniority level
  • Scoring weight preferences
  • Sprint history (plans you save or export)

Note: Please avoid including personal names, email addresses, or other personal information of your team members in ticket titles or descriptions. Sprint planning data should describe work items, not individuals.

Technical data

  • IP address and approximate location (country/region)
  • Browser type and version
  • Session tokens and authentication cookies (managed by Supabase Auth)
  • Basic usage logs (page visits, feature usage) for service improvement

Google OAuth data (if used)

If you sign in with Google, we receive your email address, display name, and profile picture from Google. We use the email address for account identification and the display name for personalisation. We do not receive access to your Google Drive, Calendar, or other Google services.

3. How We Use Your Data

Purpose                                                    | Legal basis (GDPR)
---------------------------------------------------------- | -------------------------------------
Providing and operating the Service                        | Contract performance (Art. 6(1)(b))
Sending authentication emails (magic links, confirmation)  | Contract performance (Art. 6(1)(b))
Generating AI executive summaries from sprint data         | Contract performance (Art. 6(1)(b))
Improving the Service (aggregated analytics)               | Legitimate interests (Art. 6(1)(f))
Sending product update emails (if opted in)                | Consent (Art. 6(1)(a))
Complying with legal obligations                           | Legal obligation (Art. 6(1)(c))

4. Third-Party Sub-Processors

We share your data with the following third-party services to operate the platform. Each is bound by appropriate data processing agreements.

Supabase (EU hosted)

Database, authentication, and file storage. Data is stored in EU (West Europe) region servers.

Data: account data, sprint planning data, session tokens

Anthropic (Claude API) (US)

AI language model used to generate executive summaries of your sprint plan. When you request an AI summary, your sprint data (ticket titles, scores, team configuration, and sprint statistics) is transmitted to Anthropic's API for processing.

Data transmitted: ticket titles, effort scores, priority scores, team name, team size, capacity metrics, Monte Carlo results. Not transmitted: your email, name, or account details.

Anthropic's privacy policy applies to this processing: anthropic.com/privacy

Vercel (Global CDN)

Hosting and edge network for the web application. May process request metadata (IP address, headers).

Data: request logs, IP addresses

Google (OAuth only, optional)

If you choose “Continue with Google”, Google authenticates your identity and shares your email and name with us. Google's privacy policy governs that exchange.

Data: email address, display name (sign-in only)

We do not sell your data to any third party. We do not share your data with advertisers or data brokers.

5. International Data Transfers

Your account data and sprint data are stored on Supabase servers in the EU (West Europe region).

When AI executive summaries are generated, sprint data is transmitted to Anthropic's API, which is operated from the United States. This constitutes an international transfer under GDPR. This transfer is covered by Anthropic's Standard Contractual Clauses (SCCs) with their EU customers. By using the AI summary feature, you consent to this transfer.

Vercel's global CDN may process request data at edge locations worldwide. This is limited to technical routing data and does not include your account or sprint planning data.

6. Data Retention

  • Active accounts: Data retained for as long as your account is active
  • Deleted accounts: Personal data permanently deleted within 30 days of account deletion
  • Anonymised aggregate data (e.g. usage statistics with no personally identifiable information) may be retained indefinitely for service improvement
  • Legal obligations: Some data may be retained longer where required by applicable law (e.g. financial records)

7. Your Rights

Under UK GDPR and EU GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data (“right to be forgotten”)
  • Portability: Request your data in a machine-readable format
  • Object: Object to processing based on legitimate interests
  • Restrict processing: Request that we limit how we use your data
  • Withdraw consent: Withdraw consent for any consent-based processing (e.g. marketing emails)

To exercise any of these rights, email privacy@sprinthelm.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (in the UK: the ICO at ico.org.uk).

8. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information is collected, used, shared, or sold
  • The right to delete personal information
  • The right to opt out of the sale of personal information
  • The right to non-discrimination for exercising your CCPA rights

We do not sell personal information. We do not share personal information for cross-context behavioural advertising.

9. Cookies

SprintHelm uses the following cookies:

  • Authentication cookies (essential): Set by Supabase Auth to maintain your signed-in session. These are HTTP-only, SameSite=Lax cookies and cannot be accessed by JavaScript. Required for the Service to function.
  • Vercel analytics (if enabled): Aggregated, anonymised page view data with no cross-site tracking. No cookie is set for analytics unless you consent.

We do not use advertising cookies, third-party tracking pixels, or fingerprinting.

10. Security

We implement appropriate technical and organisational measures to protect your data:

  • All data transmitted over HTTPS/TLS
  • Authentication session tokens stored in HTTP-only cookies (not accessible to JavaScript)
  • Passwords hashed using bcrypt (Supabase Auth)
  • Database access restricted to authenticated service roles
  • Regular dependency security reviews

No system is completely secure. If you discover a security vulnerability, please disclose it responsibly to security@sprinthelm.com.

11. Children

The Service is not directed at persons under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, contact us at privacy@sprinthelm.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice on the Service at least 14 days before changes take effect. The “Effective date” at the top of this page indicates when the policy was last updated.

13. Contact

For privacy-related enquiries: privacy@sprinthelm.com

For general enquiries: hello@sprinthelm.com