Privacy Policy

Last Updated: February 14, 2026

ByteJoy LLC operates CastleHQ, a tool built for teams to manage projects and collaborate. This notice describes our practices for personal information when you visit castlehq.com, create an account, use the service (including subdomains), or interact with our communications.

Privacy matters to us. We limit ourselves to the data required to deliver and maintain the service. We do not sell personal information under any circumstances. When you use CastleHQ to store or manage your team's own information—such as tasks, messages, files, discussions, or profile images—this policy does not govern your handling of that content. In those situations, we act solely as a data processor acting on your directions. Your own privacy rules apply there. See our terms of service for more on processing, or reach out for our data processing agreement (DPA).

How We Protect Information

Security is a priority. We apply encryption to data while it moves (SSL/TLS) and when stored. We maintain regular backups, restrict team access, provide ongoing training, and rely on DigitalOcean's cloud infrastructure for additional layers of protection. No setup is unbreakable, but we take consistent steps to reduce risks.

Data We Collect and Our Reasons

We stick to essentials only—no extras.

Basics for Signing Up and Logging In

To create or access an account, we need your name, email address, and organization name. These allow account setup, identity checks, and delivery of critical notices like resets or alerts about the service.

Payments and Subscriptions

Paddle processes all billing. We keep none of the card numbers, addresses, or related payment details ourselves—Paddle manages that securely. We receive only confirmation data from Paddle to verify subscription status.

User-Generated Content

CastleHQ stores the items you and your team create or upload: posts, tasks, attachments, conversations, avatars, etc. This storage enables normal use and sharing within your team. We do not repurpose it except when you specifically request help (e.g., in a support ticket). Deleted items vanish from live systems immediately, though backups may retain copies for up to 30 days to allow recovery if needed.

Security and Access Logs

We record IP addresses at signup, login, or during security reviews to detect suspicious patterns and block fraud. Our hosting (DigitalOcean App Platform) handles these logs, kept per their rules—currently up to 90 days. Future security additions like DDoS protection would involve short-term similar logging by those services.

Usage and Performance Tracking

We sometimes gather anonymized or aggregated details about browsers, operating systems, and page interactions. This helps us spot trends and refine the product. Third-party analytics may assist here.

Preventing Abuse

No CAPTCHA or bot-detection is active now. Should we implement any, it would use temporary checks without permanent extra storage.

Marketing and Promotion

We do not currently run advertisements or use third-party tracking technologies. If this changes in the future, we will update this policy and provide required notices before any such activity begins.

Communications You Send Us

Support emails or feedback submissions are retained to address problems and make improvements. We archive them for future reference. No call or meeting recordings occur currently.

Cookies and Tracking Tools

CastleHQ uses only first-party session cookies required for authentication and core functionality. We do not use third-party cookies, analytics cookies, or advertising cookies. Turning cookies off in your browser will break features like login and session management.

Do-Not-Track Signals

Some browsers transmit Do-Not-Track (DNT) signals. There is currently no uniform standard for interpreting these signals. We do not respond to DNT signals at this time.

Who Sees or Receives Your Information

We share only when strictly necessary and vet partners thoroughly.

Partners and Providers

We rely on these services to operate:

• DigitalOcean – hosting and platform.
• Resend – email delivery.
• Paddle – payments.
• Anthropic and OpenAI – limited support assistance (may see message content during issue resolution).

They receive only required portions and operate under tight privacy obligations.

Team Access

Our staff views content only with your clear approval (e.g., documented consent for support) or in extreme cases to address violations like spam or unlawful use. Serious issues may lead to reports to authorities.

Aggregated Information

We do not produce or distribute combined/anonymous statistics from user content currently.

Legal Obligations

Valid court orders or subpoenas are met only after resistance where possible. We try to alert you beforehand unless barred. Tax or audit requests receive only narrow billing facts.

Company Changes

In an acquisition or merger, data moves with the service. We would inform you of major shifts ahead of time.

Deletion and Retention Practices

Content you remove becomes inaccessible right away (soft-deleted initially for possible recovery). Permanent deletion clears it from active systems. Backups hold copies no longer than 30 days. After account termination or extended inactivity, we keep only legally or operationally required remnants, then erase them.

Data Location and International Transfers

Our headquarters is in Ocala, Florida, USA. Data resides primarily on DigitalOcean servers in the United States. For users in the EU, UK, or equivalent jurisdictions, we apply appropriate safeguards for transfers. A Data Processing Agreement including Standard Contractual Clauses is available—email privacy@castlehq.com to request it. We supply it as required for compliance.

Children and Minors

CastleHQ is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a minor has provided us with personal data, please contact privacy@castlehq.com and we will promptly delete it.

Your Rights and Choices

These options apply universally, location aside:

• Access / Know: Request details on what we hold about you.
• Correct: Fix any errors.
• Delete: Ask for removal (account closure often needed for complete erasure; some items may persist for legal obligations like disputes).
• Export: Download your data via the organization dashboard export feature.
• Object / Restrict: Halt specific processing, such as any marketing uses (minimal in our case).

Send requests to privacy@castlehq.com. We handle them promptly—typically within 30 days—and charge nothing unless requests become unreasonable.

California Residents

If you are a California resident, additional disclosures and rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply to you. Please see our California Privacy Notice for those details.

Policy Changes and Contact

We may revise this notice as needed. Significant updates come with email alerts and in-app messages. Questions? Concerns? Write to privacy@castlehq.com—we respond.