Privacy Policy
Last updated: March 24, 2026
1. Introduction
This Privacy Policy explains how Dashboard ("we," "us," or "our") collects, uses, stores, and protects your personal information when you use our web application at dashboard.ws.stinsky.dev (the "Service"). We are committed to protecting your privacy and ensuring that your personal data is handled in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
By using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, you must not use the Service.
2. Data Controller
The data controller responsible for your personal data is the operator of this self-hosted Dashboard instance. As an open-source application, Dashboard may be self-hosted by any individual or organization. The entity hosting the instance you are using is the data controller for the purposes of applicable data protection legislation.
3. Information We Collect
3.1 Information provided through Google OAuth
When you sign in with Google, we receive and store the following information from your Google account:
- Your name
- Your email address
- Your profile picture URL
- Your Google account identifier (used solely for authentication)
We do not receive or store your Google password. Authentication is handled entirely by Google's OAuth 2.0 protocol.
3.2 Information you provide directly
When using the Service, you may provide:
- Widget configurations (e.g., GitHub tokens, Google Calendar service account keys, calendar IDs)
- Workspace names and organizational preferences
- Theme preferences
- An encryption password (never stored in plaintext — see Section 5)
3.3 Information generated through use
- Session tokens (JWT-based, for authentication)
- WebAuthn/passkey credential metadata (public keys, credential IDs — never biometric data)
- Timestamps of account creation and data modifications
3.4 Information we do NOT collect
- We do not use cookies for analytics or advertising
- We do not use any third-party analytics services (no Google Analytics, no Mixpanel, no Plausible, no telemetry of any kind)
- We do not collect IP addresses for tracking purposes
- We do not collect device fingerprints
- We do not collect browsing history or referrer information
- We do not serve advertisements or share data with advertisers
- We do not collect biometric data — WebAuthn authentication is handled entirely by your device's operating system
4. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Consent (Article 6(1)(a)): By signing in with Google and using the Service, you consent to the processing of your data as described in this Privacy Policy.
- Contractual necessity (Article 6(1)(b)): Processing is necessary to provide you with the Service — specifically, to authenticate you and store your dashboard configuration.
- Legitimate interest (Article 6(1)(f)): We have a legitimate interest in maintaining the security and integrity of the Service, including encrypting user data at rest and preventing unauthorized access.
5. How Your Data Is Stored and Protected
5.1 Encryption at rest
All user-specific data (workspaces, widget configurations, widget placements) is encrypted at rest using AES-256-GCM, an authenticated encryption standard. Each user has a separate, individually encrypted database file on the server.
5.2 Key derivation
Your encryption key is derived from your password using PBKDF2 with 600,000 iterations of SHA-512. The server stores only the salt and a wrapped (encrypted) copy of the Data Encryption Key (DEK). The server cannot decrypt your data without your password — this is commonly referred to as "zero-knowledge" encryption.
5.3 Key hierarchy
The system uses a two-level key hierarchy: a randomly generated Data Encryption Key (DEK) encrypts your data, and a Key Encryption Key (KEK) derived from your password wraps the DEK. This design allows you to register additional unlock methods (such as biometric authentication) without re-encrypting your entire database.
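The key derivation and two-level hierarchy described in Sections 5.2 and 5.3, as an added Node.js example (not code from the Dashboard project). The function names, record layout, 16-byte salt and 96-bit nonce are assumptions made for illustration, and the second unlock key passed to addUnlockKey stands in for a passkey-derived key.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM with a fresh 96-bit nonce; returns nonce, ciphertext and tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if the key is wrong or the record was modified (tag mismatch).
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// KEK: PBKDF2-HMAC-SHA-512, 600,000 iterations, 32-byte output (Section 5.2).
function deriveKek(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 600000, 32, "sha512");
}

// What the server would hold for a new account: salt, wrapped DEK, ciphertext.
// The password, the KEK and the plaintext DEK are never part of this record.
function createVault(password, data) {
  const salt = crypto.randomBytes(16); // assumed salt size
  const dek = crypto.randomBytes(32);  // random Data Encryption Key
  const wrappedDek = seal(deriveKek(password, salt), dek);
  const blob = seal(dek, Buffer.from(JSON.stringify(data)));
  return { salt, wrappedDek, extraWraps: [], blob };
}

// Re-derive the KEK from the password and unwrap the DEK.
function unlockDek(vault, password) {
  return unseal(deriveKek(password, vault.salt), vault.wrappedDek);
}

function readData(vault, dek) {
  return JSON.parse(unseal(dek, vault.blob).toString("utf8"));
}

// Add a second unlock method: wrap the same DEK under another 32-byte key.
// vault.blob is untouched, so the data itself is not re-encrypted.
function addUnlockKey(vault, dek, otherKey) {
  vault.extraWraps.push(seal(otherKey, dek));
}
```

A wrong password yields a different KEK, so unwrapping the DEK fails the GCM tag check instead of returning garbage.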
5.4 Biometric unlock
If you register a passkey (Touch ID, Face ID, Windows Hello), the DEK is additionally wrapped using a key derived from the WebAuthn PRF extension output, or stored in your browser's IndexedDB (protected by your device's origin isolation and operating system security). No biometric data is ever transmitted to or stored on the server.
5.5 Authentication metadata
User profiles, linked accounts, and session data are stored in a central database file on the server. This data is not encrypted with your personal key, as it is required for the authentication process before your password is provided. However, this data contains only authentication metadata — not your dashboard content.
6. How We Use Your Information
We use your personal information solely for the following purposes:
- To authenticate you and provide access to the Service
- To store and retrieve your encrypted dashboard configuration
- To display your name and profile picture within the application interface
- To manage your sessions and security credentials
We do not use your data for profiling, automated decision-making, advertising, marketing, or any purpose other than providing the Service.
7. Data Sharing and Third Parties
We do not sell, rent, lease, or share your personal data with any third parties. The only third-party services involved are:
- Google OAuth: Used solely for authentication. Google receives a standard OAuth authorization request and returns your basic profile information. We do not transmit any data back to Google beyond the standard authentication flow.
- GitHub API and Google Calendar API: If you configure widgets that connect to these services, API calls are made from the server on your behalf using credentials you provide (tokens, service account keys). These credentials are stored encrypted within your personal database and are never shared with any other party.
The server does not include any third-party scripts, tracking pixels, social media widgets, or advertising networks.
8. Data Retention
Your data is retained for as long as you maintain an active account. We do not impose a maximum retention period. You may delete your account and all associated data at any time (see Section 9).
Session tokens expire according to the JWT lifetime configured in the application (typically 30 days). Expired sessions are automatically purged from the central database.
9. Your Rights
Under the GDPR and other applicable data protection laws, you have the following rights:
9.1 Right of access (Article 15 GDPR)
You have the right to know what personal data we hold about you. You can view all stored data at any time by visiting the My Data page. This page is accessible even without signing in — you can look up your account by email to see metadata (file size, creation date, encryption status). When signed in, you can view the full contents of your stored data.
9.2 Right to rectification (Article 16 GDPR)
You can update your dashboard configuration, workspace names, and widget settings at any time through the application interface. Your name and profile picture are sourced from your Google account and update automatically.
9.3 Right to erasure (Article 17 GDPR)
You have the right to delete your account and all associated data at any time. When you delete your account through the Delete Account page, the following data is immediately and permanently destroyed:
- Your encrypted per-user database file (containing all workspaces, widget configurations, and placements)
- Your user profile record (name, email, profile picture URL)
- All linked account records
- All session records
- All WebAuthn/passkey credential records
- Encryption metadata (salt, wrapped keys)
Deletion is immediate and irreversible. No backups are retained. No soft-delete or grace period is applied. You can verify deletion by visiting the My Data page after account removal.
9.4 Right to data portability (Article 20 GDPR)
Your encrypted dashboard data is stored as a JSON file on the server. While the data is encrypted and cannot be read without your password, the data format (JSON) is a standard, machine-readable format. The My Data page shows you the full structure and contents of your stored data when you are signed in and unlocked.
9.5 Right to restrict processing (Article 18 GDPR)
As the Service processes your data only to provide its core functionality, restricting processing is equivalent to not using the Service. You may stop using the Service at any time and delete your account.
9.6 Right to object (Article 21 GDPR)
As we do not process your data for direct marketing, profiling, or any purpose based on legitimate interest beyond security, the right to object is not typically applicable. If you wish to object to any processing, please contact us and we will cease processing your data immediately by deleting your account.
10. Cookies and Local Storage
The Service uses the following client-side storage mechanisms:
- Session cookie (authjs.session-token): A single HTTP-only cookie used for authentication. This is strictly necessary for the Service to function and does not require consent under the ePrivacy Directive.
- Theme preference: Stored via the theme provider to respect your light/dark mode preference.
- IndexedDB (dashboard-keys): If you register a passkey on a browser without WebAuthn PRF support, the Data Encryption Key may be stored in IndexedDB for biometric unlock. This data is origin-isolated by your browser and is deleted when you sign out, delete your account, or clear browser data.
We do not use any analytics cookies, advertising cookies, or third-party cookies of any kind.
11. Children's Privacy
The Service is not directed to children under the age of 16 (or under the age of 13 in jurisdictions where this threshold applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete the account and all associated data.
12. International Data Transfers
Because Dashboard is a self-hosted application, data is stored on the server where the instance is deployed. If you are accessing the Service from a jurisdiction different from where the server is located, your data may be transferred across international borders. By using the Service, you consent to this transfer. The encryption architecture ensures that even in the event of unauthorized data access, your dashboard content remains encrypted and unreadable.
13. Security Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where required by law, within 72 hours of becoming aware of the breach. Due to the zero-knowledge encryption architecture, a breach of the encrypted database files would not expose the content of your dashboard data without your password.
14. Open Source
Dashboard is open-source software. The complete source code is publicly available for inspection. This means you can independently verify our data handling practices, encryption implementation, and privacy claims. We believe transparency is the strongest form of privacy assurance.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy. We encourage you to review this Privacy Policy periodically.
16. Contact
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your data is being handled, you may contact us by opening an issue on the project's GitHub repository or by emailing the instance administrator.