
Privacy Policy

Effective 9 May 2026.

What this is

Cross-Board Card Dependencies is a Trello Power-Up I run as a one-person operation. It lets you link cards across boards in a Trello workspace, billed per-workspace via PayPal. This page explains what data I keep about you and your workspace, where it lives, and how to make me delete it.

What I store

The minimum I need to make the Power-Up work. No more.

When anyone in your workspace opens a board with the Power-Up enabled, my server receives a Trello-issued JWT containing the Trello member ID, the workspace ID, and the current board ID. I keep:

  • Your Trello member ID, so I know who is asking when the iframe makes a request.
  • Your workspace ID and your role in it (admin or member), so only admins can change billing.
  • Card metadata for cards you reference in a dependency: id, name, URL, and archived flag. Without this the card-back section can’t show “Blocked by Card X” without asking Trello again every time someone opens the card.
  • Subscription state: trial end date, PayPal subscription ID, plan, and status (trialing, active, past due, suspended, canceled).
  • A copy of every PayPal webhook event I receive, stored as JSON. I keep these for billing-dispute support. They include the payer references PayPal sends. I don’t log them in plaintext anywhere else.

If you click “Authorize with Trello” to enable cross-board search, I also store an OAuth1 access token Trello issued. The token is AES-GCM encrypted at rest with a key only my server holds. It’s what lets me ask Trello “show me the cards across every board this user can see” on your behalf.

What I don't store

  • Your Trello password. I never see it.
  • Card descriptions, comments, attachments. I don’t request them. I don’t want them.
  • Your browsing activity on Trello outside the Power-Up.
  • Your payment card details. PayPal handles those. I don’t touch them.

Where it lives

Postgres on a server I rent from Hetzner Cloud in Helsinki, Finland. The database listens only on localhost. Nightly backups go to an encrypted volume on the same machine. Nothing is exported anywhere else right now.

Who I share it with

  • Atlassian (Trello). I call their API on your behalf using the OAuth1 token.
  • PayPal. They run the subscription and tell me when status changes via webhooks.
  • Hetzner. They host the box but don’t have application-level access.

No analytics vendors. No ad networks. No data brokers.

How long I keep it

As long as the workspace has the Power-Up enabled, plus 12 months for billing records so I can answer chargebacks. You can shorten that by emailing me to delete sooner.

How to make me delete it

Email [email protected] from a reply-able address I can verify against the workspace. I answer within 30 days, usually the same week. You can also revoke the OAuth1 token from your Trello account settings at any time, which immediately cuts off cross-board search even before I get the email.

Trello-specific compliance

This Power-Up follows Trello’s API Terms of Service. JWTs are verified per request. OAuth tokens are encrypted at rest. I don’t share information about a Trello user with anyone Trello hasn’t already shared it with.

Changes

If I change this policy I’ll bump the effective date at the top and email workspace admins. I won’t quietly broaden what I collect.

Contact