Privacy Policy
Overview
5000fish, Inc. ("we", "us", "our") operates DashboardFox, a cloud-hosted business intelligence and reporting platform. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over it.
This policy applies to the DashboardFox management portal (my.dashboardfox.app / my-eu.dashboardfox.app), our marketing website (dashboardfox.com), and related services operated by 5000fish, Inc. It does not apply to Yurbi (yurbi.com), which is a separate product with its own policies.
This policy should be read alongside our Data Retention Policy and, for customers subject to GDPR, our Data Processing Agreement.
Who this policy applies to
This policy covers account holders and administrative users of DashboardFox — agency owners, account administrators, and billing contacts who register and manage accounts through our management portal.
If you are an end user inside a DashboardFox workspace, your privacy is governed by the policy of the organization that operates that workspace — not by this document.
What we collect
Identity & account information
When you register for DashboardFox, we collect:
- Full name and email address (your primary identifier)
- Password (stored as a one-way bcrypt hash — we cannot read it)
- Profile avatar URL, if provided
- Company name and billing address (collected at billing profile setup)
Two-factor authentication
If you enable two-factor authentication, we store:
- Your chosen 2FA method (authenticator app, SMS, or both)
- Phone number and country code (SMS 2FA only — used exclusively for this purpose, never for marketing or other contact)
- Authenticator secrets, backup codes, and verification state
Login & session data
For security and fraud prevention, we record:
- Timestamp, IP address, and device (browser user agent) for each login
- Failed login attempts and account lockout events
- IP address and user agent for each active session
- Session tokens (JWTs) and their expiry timestamps
Billing data
We store a billing profile containing your name, billing email, company name, and full billing address. Transaction records (amount, currency, billing period, payment status) are retained for 7 years for tax and accounting purposes.
We never store full payment card numbers. Card data is tokenised and managed entirely by our PCI-compliant payment processors (Stripe, Authorize.net, Chargebee). We hold a payment token reference only.
Workspace & agency membership
We record which workspaces and agencies you belong to, your role within each, and — for users with billing access — which workspaces you have billing permissions for. We also retain a log of previous email addresses associated with your account to support billing continuity and fraud prevention.
Audit logs & consent records
We maintain a 7-year audit log of significant account events: logins, profile changes, password and email changes, 2FA modifications, account lockouts, suspicious login alerts, and GDPR/privacy requests. Each entry captures user ID, IP address, user agent, the action taken, and a timestamp. Consent events — including acceptance of Terms of Service and HelpHub support widget consent — are recorded in this audit log and are included in your data export on request.
Support interactions
When you contact us via live chat (HelpCrunch), support tickets (DoneDone), or our AI assistant (Chatbase), we collect your name and email address alongside the content of your interaction. HelpCrunch live chat is available to Scale plan subscribers and accounts with multiple paid workspaces. All three tools are accessible through our HelpHub support widget, which requires explicit consent before activation — this consent is recorded in your audit log.
Product analytics
We use UserMaven to understand how the management portal is used — which features are accessed, navigation patterns, and session activity. UserMaven receives your user identifier and company name as part of this. UserMaven is hosted in Germany (Hetzner) and does not involve a cross-border data transfer. Analytics are not collected inside customer workspaces.
Marketing communications
Agency owners and team members added to an agency account are included in our marketing list (Dynosend) when they register. You can unsubscribe at any time via the link in any marketing email. Transactional emails (billing receipts, security alerts, service notices) do not have an unsubscribe option, but agency owners can configure which transactional notification types are sent from within the management portal.
Marketing website
When you visit dashboardfox.com, we collect standard analytics data (page views, referrer, approximate location, browser and device type) via UserMaven. Cookie consent is required before analytics cookies are set. See Cookies & tracking below.
What we do not collect
- Personal data of end users inside customer workspaces
- Data from live database connections — these are queried on demand and nothing is retained
- Payment card numbers (tokenised by payment processors)
- Phone numbers for any purpose other than SMS 2FA
- Data from users in workspaces where HelpHub has been disabled by the workspace administrator
How we use your data
We do not sell your personal data. We do not use your data to train AI or machine learning models. We do not share your data with advertisers.
Legal basis for processing (GDPR)
If you are located in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases:
Performance of a contract (Article 6(1)(b))
Account registration, authentication, service delivery, billing, and subscription management are necessary to fulfil our contract with you.
Legitimate interests (Article 6(1)(f))
We rely on legitimate interests for security logging, fraud and abuse prevention, product analytics, and improving the service. We have assessed that these interests are not overridden by your privacy rights given the limited scope of data involved and the security measures in place.
For existing customers and trial users, we also rely on legitimate interests to send marketing communications about DashboardFox, consistent with the reasonable expectations created at the time of registration (the "soft opt-in"). You may opt out at any time.
Legal obligation (Article 6(1)(c))
Billing records, tax data, and GDPR compliance audit logs are retained to satisfy financial, tax, and regulatory legal obligations.
Consent (Article 6(1)(a))
Where we rely on consent — specifically for analytics cookies and for activation of the HelpHub support widget — you may withdraw consent at any time without affecting the lawfulness of prior processing. Cookie consent is managed via our consent manager; HelpHub consent is managed via your profile settings.
Data sharing & sub-processors
We do not sell or rent your personal data to third parties. We share data only with the sub-processors required to operate DashboardFox. All sub-processors are bound by data processing agreements and are listed in our Sub-processor Registry.
Key sub-processors involved in processing management account data include:
- OVH Cloud (US) / Hetzner (EU) — cloud infrastructure and hosting
- Backblaze B2 — encrypted backup storage, region-matched to your account region
- Cloudflare — CDN, WAF, and DNS
- Chargebee — subscription and billing management
- Stripe — payment processing (EU customers)
- Authorize.net — payment processing (US customers)
- Maileroo — transactional email delivery
- Dynosend — marketing email
- Twilio — SMS for two-factor authentication
- HelpCrunch — live chat support
- DoneDone — support ticketing
- Chatbase — AI support assistant
- UserMaven — product and website analytics
- Concord — consent management and e-signature
We may disclose personal data if required to do so by law, court order, or government authority, or where disclosure is necessary to protect the rights, property, or safety of 5000fish, Inc., our customers, or others.
In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity. We will provide notice before any such transfer and before your data becomes subject to a different privacy policy.
Retention
We retain personal data for as long as your account is active and for the periods described in our Data Retention Policy. Key periods:
Your rights
Rights under GDPR (EU & UK)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR and UK GDPR:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your personal data (subject to legal retention obligations)
- Restriction — ask us to restrict processing while a dispute is resolved
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests, including for direct marketing
- Withdraw consent — where processing is based on consent, withdraw it at any time
You can submit a request directly from the management portal (account owners) or by emailing team@dashboardfox.com. We will respond within 30 days. For complex requests we may extend this by a further 30 days with written notice explaining the reason for the extension.
Note that some data — billing records, tax data, and GDPR compliance audit logs — must be retained for the periods described above regardless of an erasure request, as required by applicable law.
You also have the right to lodge a complaint with your national data protection supervisory authority. For EU residents, find your local authority at edpb.europa.eu. For UK residents, the relevant authority is the Information Commissioner's Office (ICO).
Rights under US State Privacy Laws
If you are a California resident or a resident of another US state with applicable privacy legislation, you have the following rights. California's CCPA/CPRA provides the broadest protections and sets the baseline — residents of other states (including Virginia, Colorado, Connecticut, Texas, Delaware, and others) have substantively similar rights under their respective laws:
- Know — request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell
- Delete — request deletion of personal information we have collected
- Correct — request correction of inaccurate personal information
- Opt out of sale or sharing — DashboardFox does not sell or share personal information for cross-context behavioural advertising. This right does not apply, but we state it for transparency.
- Non-discrimination — we will not discriminate against you for exercising any CCPA right
To submit a CCPA request, email team@dashboardfox.com or submit a request from the management portal. We will respond within 45 days, with a possible 45-day extension for complex requests.
Self-service options
Account owners can action many requests directly from the management portal without contacting us:
- Update profile information and email address
- Delete your account (anonymises management account data)
- Delete workspaces (triggers the 30-day deletion cycle)
- Export your data (GDPR data export, available on request)
- Manage cookie consent preferences (profile page)
- Configure which transactional email notifications are sent
Cookies & tracking
We use cookies and similar technologies on our marketing website and management portal. We use Concord to manage consent — you will be asked for your preferences before any non-essential cookies are set.
Cookie categories
- Strictly necessary — session management, security, and authentication. These cannot be disabled as they are required for the service to function.
- Functional — remember your preferences and settings (e.g. language, consent choices).
- Analytics — UserMaven collects page views, navigation paths, and feature usage to help us improve DashboardFox. Analytics cookies require your consent. UserMaven is hosted in Germany and does not transfer data outside the EU.
Cookie consent is requested on first visit to dashboardfox.com and on my.dashboardfox.app / my-eu.dashboardfox.app. You can update your preferences at any time via the cookie icon in the bottom-left of any page, or via your profile settings in the management portal. Cookie consent is not required within customer workspace apps (slug.dashboardfox.app).
For a full list of cookies set, see our Cookie Policy.
International data transfers
DashboardFox operates two regions. When you register, your data is stored in the region you select:
Some sub-processors operate outside the EEA. Where personal data is transferred to countries without an EU adequacy decision, we rely on the following mechanisms:
- Standard Contractual Clauses (SCCs) — Cloudflare, Chargebee, Twilio, Chatbase, and others
- EU-US Data Privacy Framework (DPF) certification — Dynosend, Concord, Better Stack
- Stripe Ireland entity — EU payment processing remains within the EEA
A full breakdown of transfer mechanisms per sub-processor is available in our Sub-processor Registry.
Security
We design DashboardFox with security as a core requirement. Key measures include:
- Isolated architecture — every customer workspace runs in a dedicated, isolated PostgreSQL database. A security incident affecting one workspace cannot affect any other.
- Encryption — data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
- WAF & DDoS protection — all traffic passes through Cloudflare's web application firewall.
- Annual penetration testing — conducted by BeagleSecurity.
- Cyber liability insurance — maintained by 5000fish, Inc.
- SOC 2 Type II — in progress; architecture designed for compliance from day one.
If you discover a potential security vulnerability, please report it through our Vulnerability Disclosure Policy. For data breaches affecting your account, see our Breach Notification Policy.
Children
DashboardFox is intended for use by individuals aged 18 or older. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has registered an account, please contact us at team@dashboardfox.com and we will delete the account promptly.
Changes to this policy
We may update this policy from time to time. For material changes — changes that affect your rights or how we use your data in a significant way — we will notify account owners by email at least 30 days before the changes take effect. Minor clarifications may be made without advance notice.
The "Last updated" date at the top of this page always reflects the date of the most recent revision. Your continued use of DashboardFox after any changes take effect constitutes your acceptance of the updated policy.
Contact
5000fish, Inc. is the data controller for personal data processed under this policy. Privacy inquiries, data subject requests, and GDPR-related correspondence should be directed to:
- Email: team@dashboardfox.com
- Company: 5000fish, Inc.
We aim to respond to all privacy inquiries within 5 business days, and to data subject access requests within the statutory timeframes described in Your Rights above.