Privacy Policy
Last updated: March 10, 2026
1. Data Controller
GoalPath is operated by Nielsen Tech AB, a company registered in Sweden.
- Org. nr: 559415-9500
- VAT: SE559415950001
- Address: Igeldammsgatan 22 d, 112 49 Stockholm, Sweden
If you have questions about how your data is processed, contact us at: hello@goalpath.app
2. Information We Collect
Account Information
When you create an account via Google, GitHub, or Microsoft sign-in, we receive and store:
- Name and email address
- Profile photo URL (hosted by the sign-in provider)
- Authentication tokens from your sign-in provider (used to maintain your session)
Project Data
When you use GoalPath, we store the data you and your team members create:
- Projects, milestones, items, and subtasks
- Comments, notes, and descriptions
- Team membership, roles, and assignments
- Votes and prioritization scores
- Activity logs recording who performed which actions (e.g. "Alice created milestone X")
Payment Information
Payment card details are collected and processed entirely by Stripe. We never see or store your card number. We store a Stripe customer ID and subscription ID to manage your plan.
Communication Records
We log emails sent through the platform (invitations, progress reports, payment notifications) including recipient address and content, for delivery tracking and troubleshooting.
Automatically Collected Information
With your consent (via the cookie banner), we collect analytics data through:
- Vercel Analytics — anonymous page view and performance metrics
- Google Analytics (GA4) — page views, feature usage events
- Microsoft Clarity — session recordings and heatmaps to understand how users interact with the interface
- Resonance — conversion events (trial/paid) for marketing attribution
All analytics tools are loaded only after you accept cookies via the consent banner. You can withdraw consent at any time using the "Manage Cookies" link in the footer.
Without consent, only strictly necessary cookies are used (a session cookie for authentication).
3. How and Why We Process Your Data
We process personal data under the following legal bases (GDPR Article 6):
| Purpose | Legal Basis |
|---|---|
| Providing the service (account, projects, collaboration) | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| AI-generated progress reports and summaries | Performance of contract (Art. 6(1)(b)) — core product feature |
| Service-related emails (invites, payment issues, trial reminders) | Performance of contract (Art. 6(1)(b)) |
| Activity logging and audit trail | Legitimate interest (Art. 6(1)(f)) — accountability and collaboration |
| Analytics and usage tracking | Consent (Art. 6(1)(a)) |
| Session recording (Microsoft Clarity) | Consent (Art. 6(1)(a)) |
4. Sub-Processors and Data Sharing
We do not sell your personal information. We share data with the following service providers who process it on our behalf:
| Provider | Purpose | Data Location | Transfer Mechanism |
|---|---|---|---|
| Neon | Database hosting | Frankfurt, Germany (EU) | N/A (EU) |
| Vercel | Application hosting, analytics | EU (functions), US (analytics) | EU-US Data Privacy Framework |
| OpenAI | AI report generation, embeddings | US (zero data retention) | SCCs via OpenAI Ireland Ltd |
| Stripe (Stripe Payments Europe Ltd) | Payment processing | EU (Ireland) | N/A (EU entity) |
| AWS (SES) | Email delivery | Stockholm, Sweden (EU) | N/A (EU region) |
| Google (GA4) | Analytics (consent-based) | US | EU-US Data Privacy Framework |
| Microsoft (Clarity) | Session recording (consent-based) | US | EU-US Data Privacy Framework |
| Google, GitHub, Microsoft (OAuth) | Authentication | US | EU-US Data Privacy Framework |
We also share data when required by law or to protect our rights.
5. AI-Powered Features
GoalPath uses OpenAI's API to generate progress reports, milestone summaries, and item improvements. When these features are used:
- Project data (milestone names, item titles, activity descriptions) is sent to OpenAI for processing
- OpenAI operates under a zero data retention policy — your data is not stored after processing and is not used to train models
- Activity descriptions may include team member names as part of activity log text (e.g. "Alice completed task X")
- Payment information and email addresses are never sent to OpenAI
6. Data Security
We implement technical and organizational measures to protect your data:
- All data in transit is encrypted via TLS. The database is encrypted at rest.
- Payment card data is handled entirely by Stripe and never touches our servers
- API keys are stored as SHA-256 hashes (not in plaintext)
- Authentication uses signed JWT tokens with 24-hour expiry
- The database is hosted on Neon (SOC 2 certified, ISO 27001)
7. Your Rights Under GDPR
If you are in the European Economic Area, you have the following rights:
- Access — Request a copy of the personal data we hold about you
- Rectification — Correct inaccurate data (you can edit your name in your profile)
- Erasure — Request deletion of your personal data
- Restriction — Request that we restrict processing in certain circumstances
- Portability — Request your data in a machine-readable format
- Objection — Object to processing based on legitimate interest
- Withdraw consent — For analytics and tracking, use the "Manage Cookies" link in the footer. For email notifications, use the opt-out setting in your project profile.
To exercise any of these rights, email us at hello@goalpath.app. We will respond within 30 days.
8. Data Retention
We retain your data for as long as your account is active or as needed to provide our services:
- Account data — Retained while your account is active. Upon deletion request, personal data is removed within 30 days.
- Project data — Retained while the project exists. Visible to all project members.
- Email delivery logs — Retained for troubleshooting purposes.
- Background operation logs — Automatically deleted after 14 days.
9. Cookies and Tracking
We use the following cookies and tracking technologies:
- Session cookie (strictly necessary) — An encrypted authentication cookie to keep you signed in. This does not require consent.
- Analytics cookies (consent required) — Google Analytics, Microsoft Clarity, Vercel Analytics, and Resonance. These are only loaded after you click "Accept" on the cookie banner.
You can change your cookie preferences at any time using the "Manage Cookies" link in the page footer.
10. Chrome Extension
The GoalPath Chrome Extension allows you to report bugs, ideas, and feedback directly from any webpage. This section describes how data is handled by the extension.
Data Collected by the Extension
When you submit a report through the extension, the following data is captured:
- Screenshot — A capture of the visible area of the current browser tab, taken only when you initiate a report
- Page URL and title — The address and title of the page you are viewing
- Console errors — Recent JavaScript errors and warnings from the browser console on the current page
- Browser information — Your browser name and version (e.g. "Chrome 120")
Data Transmission
All data collected by the extension is transmitted securely over HTTPS to GoalPath servers. Screenshots are uploaded directly to our cloud storage via signed URLs. No data is sent to any third-party service.
Local Storage
The extension stores only your selected project ID in chrome.storage.local so it remembers your last-used project between sessions. No personal data, screenshots, or page content is stored locally.
No Tracking or Analytics
The extension does not include any analytics, tracking scripts, or telemetry. It does not run in the background and only activates when you click the extension icon. No data is shared with third parties.
11. Children's Privacy
Our service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also notify you by email.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at: hello@goalpath.app
You also have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (IMY): www.imy.se