Privacy Note
RetroWrap is intentionally built around data minimization and transparency.
No data collection by us
RetroWrap does not collect personal data for us as a vendor or service provider. There is:
- no tracking
- no analytics
- no telemetry
- no advertising services
- no marketing integrations
- no external user account system
- no automatic transfer of board content to third parties
Everything entered into a retrospective stays within the instance you run yourself.
Full transparency about stored content
RetroWrap is an open-source project. Its source code can be inspected, reviewed, modified, and self-hosted on your own infrastructure. This makes it transparent which data is processed: only the information required to operate the retrospective, such as:
- retrospective title
- card content
- action items
- optional display names entered by participants
- internal access tokens for board links
- technical state data such as phase, votes, and grouping information
There are no hidden background processes, no opaque data pipelines, and no undisclosed third-party collection.
Self-hosted by design
RetroWrap is intended to run locally or on your own server. This gives you full control over:
- where data is stored
- how backups are handled
- who can access the system
- how long data is retained
- which security measures are applied, such as HTTPS, reverse proxies, or internal-only access
You define the hosting environment, and with that, your own privacy and security standards.
Link-based access
Access is handled entirely through generated links with tokens. There is no traditional login system and no user account database. This reduces complexity and avoids unnecessary personal data processing. It also means: anyone with the corresponding link can access that retrospective, so links should be treated as confidential.
Local browser storage
For technical reasons, RetroWrap may store small pieces of data in the user's browser, for example:
- the participant name entered for a retro
- a local participant token
- temporary UI state
This data remains in the browser on that device and is not reported to us.
Operator responsibility
Because RetroWrap is self-hosted, the responsibility for privacy-compliant operation lies with the operator of the instance. This includes, in particular:
- securing the server
- enabling HTTPS in production
- protecting database files and backups
- controlling who receives access links and exports
License and auditability
RetroWrap is released as open-source software under the MIT License. For transparency and quick review, the license text is included below.
MIT License
Copyright (c) 2026 RetroWrap contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.