Privacy Policy
Effective Date: March 16, 2026 · Last Updated: March 18, 2026
Cadence (“Cadence,” “we,” “our,” or “us”) operates the team management software and related services available at cadencehq.co (collectively, the “Service”). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, your rights over your data, and how you can contact us with questions or requests.
By accessing or using the Service, you acknowledge that you have read and understand this Privacy Policy. If you do not agree, please do not use the Service.
This policy applies to all users worldwide, including residents of the European Union / European Economic Area (“EU/EEA”), the United Kingdom, California, and other US states with applicable privacy laws.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Your name, email address, and password when you register for an account or accept a workspace invitation.
- Profile Information: Optional details such as job title, department, and profile photo that you choose to add to your account.
- Workspace Data: All content you create, upload, or store within the Service, including tasks, goals, KPIs, 1:1 meeting notes, team structures, comments, and any other information you input.
- Payment and Billing Information: Billing name, billing address, and payment card details submitted during checkout. Payment transactions are processed exclusively by our third-party processor, Stripe. We do not store raw credit card numbers on our servers.
- Communications: Any messages, support requests, feedback, or other correspondence you send to us.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features accessed, actions taken within the Service, session duration, and timestamps.
- Device and Technical Data: IP address, browser type and version, operating system, device identifiers, and referring URLs.
- Cookies and Similar Technologies: See Section 7 (Cookies) for full details.
- Server Log Data: Access logs including request timestamps, HTTP status codes, response times, and error reports generated by our infrastructure.
1.3 Information from Third Parties
We may receive limited information from authentication providers if you use a third-party login (e.g., Google OAuth). We do not purchase personal data from data brokers.
2. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service: Authenticate your account, deliver the features you use, and store your workspace data.
- Process payments: Manage subscriptions, billing cycles, free trials, and payment failure notifications through Stripe.
- Send transactional communications: Account confirmation, password reset, workspace invitation, and billing receipt emails via Resend. These emails are essential to the Service and cannot be opted out of while you maintain an active account.
- Send marketing and product communications: Onboarding sequences, product updates, and feature announcements. You may opt out of these at any time (see Section 5).
- Monitor and improve the Service: Analyze usage patterns, diagnose errors, measure performance, and conduct research to improve features and user experience via Vercel Analytics and PostHog.
- Maintain security: Detect, prevent, and respond to fraud, abuse, unauthorized access, and other security incidents.
- Comply with legal obligations: Fulfill our obligations under applicable law, respond to lawful requests from government authorities, and enforce our Terms of Service.
- Customer support: Respond to your inquiries and resolve disputes.
We do not sell your personal data. We do not use your workspace content to train machine learning models. We do not share your data with advertisers or ad networks.
3. Legal Bases for Processing (GDPR / UK GDPR)
For users in the EU, EEA, and United Kingdom, we process personal data under the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you have signed up for, including account management and payment processing.
- Legitimate interests (Art. 6(1)(f) GDPR): Security monitoring, fraud prevention, product analytics, and service improvement, where these interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c) GDPR): Compliance with applicable laws and regulations, including financial record-keeping.
- Consent (Art. 6(1)(a) GDPR): Marketing emails and non-essential analytics cookies, where we request your consent. You may withdraw consent at any time without affecting prior processing.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.
4. Third-Party Service Providers (Sub-processors)
We disclose personal data only to the following vetted service providers who process data on our behalf for the purposes described below. Each provider is bound by data processing agreements consistent with applicable privacy law.
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting and user authentication (PostgreSQL) | All account and workspace data |
| Vercel | Application hosting, edge network delivery, and web analytics | IP address, usage data, device info |
| Stripe | Payment processing and subscription management | Billing name, address, card details |
| Resend | Transactional and marketing email delivery | Name, email address |
| PostHog | Product analytics, feature flag management, and event tracking | Usage data, pseudonymized identifiers |
We may also disclose personal data: (a) to comply with a legal obligation or lawful governmental request; (b) to protect the rights or safety of Cadence, our users, or others; or (c) in connection with a merger, acquisition, or sale of substantially all of our assets, in which case we will notify you before your data is transferred and becomes subject to a different privacy policy.
5. Your Rights and Choices
Subject to applicable law, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete personal data.
- Deletion (“Right to be Forgotten”): Request deletion of your personal data. We will delete or anonymize your data upon request, subject to legal retention requirements.
- Portability: Request a structured, machine-readable copy of your personal data that you can transfer to another service.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests. You may also object at any time to processing for direct marketing purposes.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Email unsubscribe: All marketing emails include a one-click unsubscribe link in compliance with CAN-SPAM (15 U.S.C. § 7704) and RFC 8058. To opt out of marketing emails, use the unsubscribe link in any marketing email, visit your account settings, or contact us at hello@cadencehq.co. Unsubscribes are honored within 10 business days.
EU/EEA and UK users: You have the right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority or the UK ICO) if you believe we have not complied with applicable data protection law.
To exercise any of these rights, contact us at hello@cadencehq.co. We will respond within 30 days (or 45 days for complex requests, with notice). We will not discriminate against you for exercising your privacy rights.
6. US State Privacy Rights
US residents may have additional rights under state privacy laws. The following rights apply where required by your state:
| State | Law | Effective |
|---|---|---|
| California | CCPA / CPRA (Cal. Civ. Code § 1798.100 et seq.) | Jan 2020 / Jan 2023 |
| Colorado | CPA (C.R.S. § 6-1-1301 et seq.) | Jul 2023 |
| Connecticut | CTDPA (Pub. Act 22-15) | Jul 2023 |
| Virginia | VCDPA (Va. Code § 59.1-575 et seq.) | Jan 2023 |
| Utah | UCPA (Utah Code § 13-61-101 et seq.) | Dec 2023 |
| Texas | TDPSA (Tex. Bus. & Com. Code § 541.001 et seq.) | Jul 2024 |
| Oregon | OCPA (ORS § 646A.570 et seq.) | Jul 2024 |
| Montana | MCDPA (Mont. Code § 30-14-3201 et seq.) | Oct 2024 |
| Florida | FDBR (Fla. Stat. § 501.701 et seq.) | Jul 2024 |
| Iowa | ICDPA (Iowa Code § 715D) | Jan 2025 |
| Delaware | DPDPA (Del. Code tit. 6, § 12D-101 et seq.) | Jan 2025 |
| New Hampshire | NH Privacy Act (RSA 507-H) | Jan 2025 |
| New Jersey | NJDPA (N.J. Stat. § 56:8-166.1 et seq.) | Jan 2025 |
| Tennessee | TIPA (Tenn. Code § 47-18-3201 et seq.) | Jul 2025 |
| Indiana | INCDPA (Ind. Code § 24-15) | Jan 2026 |
| Arkansas | ADPA (Ark. Code § 4-110-101 et seq.) | Jul 2024 |
Under these laws, you may have the right to: (1) know what personal data we collect and how it is used; (2) access your personal data; (3) correct inaccurate personal data; (4) delete your personal data; (5) opt out of the sale or sharing of personal data (we do not sell personal data); (6) opt out of targeted advertising (we do not engage in targeted advertising); (7) opt out of profiling for decisions with legal or significant effects (we do not engage in such profiling); and (8) non-discrimination for exercising your rights.
California residentsmay additionally: (a) request disclosure of specific pieces of personal information collected in the past 12 months; (b) request deletion of personal information; and (c) designate an authorized agent to submit requests on their behalf. Cadence does not “sell” or “share” personal information as defined by CCPA/CPRA and does not process “sensitive personal information” for purposes beyond those permitted without an opt-out right.
To submit a verified consumer request, contact us at hello@cadencehq.co. We will acknowledge your request within 10 business days and respond within 45 days (extendable by 45 additional days with notice).
7. Cookies and Tracking Technologies
We use the following categories of cookies:
| Category | Description | Can Opt Out |
|---|---|---|
| Strictly Necessary | Session cookies required for authentication and security. Cannot be disabled without breaking the Service. | No |
| Analytics | Vercel Analytics and PostHog collect pseudonymized data on page views, feature usage, and performance to help us improve the Service. | Yes |
| Preferences | Store your UI preferences (e.g., theme, language) across sessions. | Yes |
We do not use advertising cookies, cross-site tracking cookies, or third-party ad networks. To opt out of analytics cookies, you may use your browser’s built-in cookie controls, the PostHog opt-out, or contact us at hello@cadencehq.co.
8. Data Retention
We retain your personal data for the following periods:
- Active accounts: We retain account information and workspace data for as long as your account is active.
- After account deletion: We delete or anonymize your personal data within 90 days of account deletion, except where longer retention is required by law.
- Financial records: Payment and billing records are retained for up to 7 years to comply with tax and accounting regulations.
- Server logs: Raw server and access logs are retained for up to 90 days for security and debugging purposes.
- Backup snapshots: Database backups may retain data for up to 30 days after deletion before being fully purged from backup systems.
- Legal holds: If data is subject to a legal hold, dispute, or regulatory requirement, we may retain it longer than the standard periods above.
9. Data Security
We implement reasonable technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These include:
- HTTPS/TLS encryption for all data in transit
- AES-256 encryption at rest via Supabase
- Row-level security (RLS) policies in our database
- Bcrypt password hashing
- Access controls limiting staff access to personal data
No security measure is 100% foolproof. If you discover a security vulnerability, please report it responsibly to hello@cadencehq.co before public disclosure.
9A. Security Incidents and Breach Notification
In the event of a personal data breach, we will:
- EU/EEA users (GDPR Article 33): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible and where required by applicable law.
- Affected user notification: Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, including a description of the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
- US users: Notify affected individuals in accordance with applicable state breach notification laws, typically within 30–60 days depending on the jurisdiction. We comply with the Arkansas Personal Information Protection Act and all other applicable state laws.
To report a potential security vulnerability, contact hello@cadencehq.co before public disclosure.
10. International Data Transfers
Cadence is operated in the United States. If you access the Service from outside the US, your personal data will be transferred to and processed in the United States or other countries where our sub-processors operate.
For transfers of personal data from the EU/EEA or UK to the United States and other third countries, we rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) as approved by the European Commission for transfers to our sub-processors.
- The UK International Data Transfer Agreement (UK IDTA) for transfers from the United Kingdom.
For questions about international data transfers, contact us at hello@cadencehq.co.
11. Children’s Privacy
The Service is not directed to, and we do not knowingly collect personal data from, children under the age of 16. If we learn that we have inadvertently collected personal data from a child under 16, we will delete it promptly. If you believe we have collected such data, please contact us at hello@cadencehq.co.
12. Do Not Track
Some browsers send “Do Not Track” (DNT) signals. We currently do not respond to DNT signals because there is no industry-standard interpretation of how to respond. We will continue to monitor industry developments and may implement DNT support in the future. You may opt out of analytics cookies as described in Section 7.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email to the address associated with your account and by updating the “Last Updated” date above at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the revised policy. If you do not agree to the revised policy, please delete your account before the effective date.
14. Contact Us
For privacy questions, requests to exercise your rights, or complaints regarding our data practices, please contact us:
Cadence
Email: hello@cadencehq.co
Website: cadencehq.co
Mailing Address: Cadence, c/o Sean Davis, Bentonville, AR 72712
EU/EEA users may also contact your local Data Protection Authority. A list of EU DPAs is available at edpb.europa.eu.
Data Processing Agreement: Enterprise customers and organizations subject to GDPR who require a Data Processing Agreement (DPA) may request one by contacting hello@cadencehq.co. We will provide a DPA covering roles, data storage, security controls, sub-processing, and data subject rights assistance.
See also: Terms of Service