Privacy Policy

Last updated: 28 April 2026 · Also see: Terms & Conditions · Data & Security

Contents

1. Who We Are
2. What We Collect
3. How We Use Your Data
4. Legal Bases for Processing
5. Data Storage & Transfers
6. Third Parties
7. Cookies
8. Marketing
9. Your Rights
10. Data Retention
11. Children
12. Contact & Complaints

1. Who We Are

OKR Dash is operated by Waypoint Software Pty Ltd (ACN 695 352 295), a company incorporated in Australia ("we", "us", "our").

For users in the European Economic Area (EEA) and United Kingdom, Waypoint Software Pty Ltd acts as the data controller in respect of account and usage data, and as a data processor in respect of the OKR and goal content you enter into the Service on behalf of your organisation.

For any privacy enquiries, contact us at hello@okr-dash.com.

2. What We Collect

We collect the following categories of personal data:

Account data: your name (if provided), email address, and password hash when you register.
Profile data: optional information you add to your profile, such as a profile photo, bio or job title.
Content data: the OKRs, key results, check-ins, and other material you create within the Service.
Usage data: pages visited, features used, and general behavioural patterns - collected in aggregate and anonymised via Plausible Analytics.
Technical data: IP address (used for session management, not stored long-term), browser type, and device information.
Communications: any messages you send us by email or via in-product contact forms.
Billing data: subscription status and payment history. We do not store card numbers; card data is held by Stripe.

3. How We Use Your Data

We use your personal data for the following purposes:

Providing the Service: creating and maintaining your account, delivering features, processing payments.
Communication: sending transactional messages (e.g. password reset, subscription receipts) and product updates.
Service improvement: analysing aggregated, anonymised usage patterns to improve the product.
Support: investigating and resolving technical issues or support requests you raise.
Legal obligations: complying with applicable laws, including tax record-keeping requirements.
Security: detecting, preventing and responding to fraud, abuse or security incidents.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

4. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases:

Legal obligation: where processing is required to comply with applicable law.
Contract: processing necessary to provide the Service you have signed up for (account management, payment, customer support).
Legitimate interests: improving the Service, ensuring security, sending product-related communications. We balance our interests against your rights before relying on this basis.
Consent: for optional marketing emails. You may withdraw consent at any time via the unsubscribe link in any email.

5. Data Storage & Transfers

Your data is hosted on servers located in the European Union (AWS EU). We take reasonable steps to ensure that any transfer of data to service providers outside the EEA is protected by appropriate safeguards.

6. Third Parties

We share personal data with a small number of trusted service providers who process data on our behalf. They are only permitted to use your data to provide services to us and are bound by confidentiality obligations. For security and GDPR purposes, our full list of sub-processors is published on our Data & Security page.

We do not share personal data with any third parties for advertising or profiling purposes.

7. Cookies

We use a minimal number of cookies. We do not use Google Analytics or any advertising cookies.

Strictly necessary:
- session - maintains your login session. Without this cookie, you cannot stay signed in.
- __stripe_* (and similar) - set by Stripe to facilitate payment processing for Premium subscriptions.
Analytics (cookieless):
- We use Plausible Analytics, a privacy-friendly analytics tool that does not use cookies and does not collect personally identifiable information. All data is aggregated and anonymised. Please refer to Plausible's privacy policy for details.

Because we do not use tracking or advertising cookies, we do not display a cookie consent banner.

8. Marketing

8.1. From time to time we may send email that constitutes marketing - for example, information to help you get more out of the product, or news about new features. This is sent on the basis of our legitimate interest in helping users get value from the Service.

8.2. If you do not wish to receive marketing emails, you can opt out at any time using the unsubscribe link in every email, or by emailing us at hello@okr-dash.com. Transactional messages (e.g. account or billing notifications) are not affected by this preference.

9. Your Rights

Depending on where you are located, you may have the following rights in relation to your personal data:

Access: request a copy of the personal data we hold about you.
Rectification: ask us to correct inaccurate or incomplete data.
Erasure: request deletion of your personal data ("the right to be forgotten"), subject to certain legal exceptions.
Restriction: ask us to limit how we process your data in certain circumstances.
Portability: receive your personal data in a portable, machine-readable format.
Objection: object to processing based on legitimate interests, including direct marketing.
Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at hello@okr-dash.com. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are located in the EEA or UK and believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority.

10. Data Retention

We retain your account data for as long as your account remains active. If you request account deletion, we will delete your personal data within 30 days, except where we are required to retain it for legal purposes (for example, billing records for tax compliance).

Anonymised, aggregated usage statistics are retained indefinitely.

11. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected information from a child under 16, please contact us at hello@okr-dash.com.

12. Contact & Complaints

For any questions about this policy or how we handle your data, contact us at:

Waypoint Software Pty Ltd
hello@okr-dash.com

We will do our best to address your concerns. If you are not satisfied with our response and you are located in the EEA or UK, you may escalate to your national data protection authority (for example, the ICO in the UK, or your national supervisory authority in the EU).