Privacy Policy

1. Introduction

Todoless ("we", "us", "our"), operated from Switzerland, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our task management application ("the Service"), available at todoless.app and via mobile apps. This policy complies with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), and the California Consumer Privacy Act (CCPA). By using the Service, you consent to the practices described in this policy.

2. Information We Collect

Information you provide:

• Account information: email address, display name, username, profile picture, timezone, and language preferences
• Content you create: tasks, projects, sections, labels, comments, notes, and file attachments
• Preferences and settings: theme, notification preferences, view configurations, and keyboard shortcuts
• Payment information: subscription tier selection and billing interval (payment details are processed directly by our payment provider and never stored on our servers)

Information collected automatically:

• Productivity metrics: hourly and daily task completion patterns, completion velocity, deadline performance, estimation accuracy, priority distribution, and workflow statistics
• Session data: IP address, device type, operating system, browser type, and session duration
• Activity logs: timestamps of task creation, completion, updates, and collaboration events
• Technical data: error logs, performance metrics, and feature usage patterns

Information from third parties:

• Social authentication: when you sign in with Google or Facebook, we receive your name, email address, and profile picture as authorized by your OAuth consent
• Data imports: when you import data from Trello or Todoist, we process the task and project data contained in your export files

We do not collect sensitive personal data such as health information, biometric data, racial or ethnic origin, political opinions, or religious beliefs. Multi-Factor Authentication uses time-based codes (TOTP), not biometric data.

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

• Contract performance: processing necessary to provide the Service, including account management, data storage, synchronization, and collaboration features
• Legitimate interest (Art. 6(1)(f)): error tracking and crash reporting via Sentry (EU data residency); bot and fraud protection on sign-up and login forms via Google reCAPTCHA v3 (Google LLC, USA); security monitoring and abuse prevention — processed to ensure application stability and security. For Sentry, no personal data is collected, only technical error details. For reCAPTCHA, a limited set of technical and behavioral signals (IP, browser characteristics, interaction patterns) is processed by Google. Both services run as essential and do not require cookie consent
• Consent (Art. 6(1)(a)): usage analytics (Firebase Analytics), performance monitoring (Firebase Performance Monitoring), marketing communications, and optional AI-powered features — you may grant or withdraw consent at any time through the cookie consent banner or Settings > Privacy
• Legal obligation: compliance with tax regulations, court orders, and applicable data protection laws

4. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and synchronize the Service across your devices
• Generate your personal productivity analytics, completion patterns, and dashboard insights
• Enable collaboration features including shared projects, comments, and team performance metrics
• Send notifications about task deadlines, project updates, and collaboration activities
• Process subscription payments and manage billing through our payment provider
• Power AI features including task generation, subtask creation, and smart filtering
• Provide customer support and respond to your inquiries
• Detect and prevent fraud, abuse, unauthorized access, and security threats

5. AI and Automated Processing

Our AI-powered features process your task titles, descriptions, and project context to generate suggestions such as subtasks, project templates, and smart filters. This processing occurs on our servers and the data is not shared with third-party AI providers.

We do not use your personal data or content to train machine learning models. AI features are optional — you can choose not to use them without any impact on the core functionality of the Service. No automated decisions with legal or significant effects are made based on your data.

6. Data Storage and Security

Your data is stored in the European Union (AWS region eu-central-1, Frankfurt) using Amazon Web Services infrastructure. We employ multiple layers of security: DynamoDB with encryption at rest (AES-256) for application data; S3 with server-side encryption for file attachments; AWS Cognito for secure authentication with support for MFA (TOTP); TLS 1.2+ encryption for all data in transit; automated malware scanning for all uploaded files; and regular automated backups with 30-day retention.

While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We continuously monitor and improve our security practices but cannot guarantee absolute security.

7. Information Sharing and Sub-processors

We do not sell, rent, or trade your personal information. We never use your data for advertising purposes. We may share your information only in the following limited circumstances:

• Collaboration: when you share projects, collaborators can see project tasks, comments, and your contributions according to the permission level you set (viewer, editor, or admin)
• Sub-processors: we use Amazon Web Services (cloud infrastructure, EU region), Google Firebase (analytics and performance monitoring — only when consent is granted), Sentry (error tracking and crash reporting, EU data residency — runs as essential service), payment processors (subscription billing), Google reCAPTCHA v3 (bot and fraud protection on authentication forms; Google LLC, USA, processed under the EU-US Data Privacy Framework), and a malware scanning service (file security). All sub-processors are bound by data processing agreements
• Legal requirements: we may disclose information when required by law, regulation, court order, or governmental authority
• Business transfers: in connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity with equivalent privacy protections

A current list of our sub-processors is available upon request at privacy@todoless.app.

8. International Data Transfers

Your primary data is stored in the EU (Frankfurt, Germany). Some processing services, such as analytics queries, may operate in other AWS regions (e.g., us-east-1). All international data transfers to AWS are protected by EU Standard Contractual Clauses (SCCs) incorporated into our agreements with AWS. Google reCAPTCHA v3 processes a limited subset of technical signals (IP, browser characteristics, interaction patterns) on Google LLC infrastructure in the USA under the EU-US Data Privacy Framework adequacy decision (10 July 2023) and Standard Contractual Clauses as a fallback safeguard. Switzerland benefits from an EU adequacy decision for data transfers. We ensure that all cross-border transfers maintain the same level of data protection required by GDPR.

9. Data Retention

We retain your data according to the following schedule:

• Active account data: retained for the duration of your account
• Completed tasks: completed tasks and their associated data (subtasks, comments, attachments) are automatically deleted after a retention period that depends on your subscription plan — 30 days for Free accounts, 365 days for Pro and Enterprise accounts. This deletion is permanent and irreversible. Active and in-progress tasks are retained indefinitely. You may manually delete any task at any time through the application interface
• Deleted file attachments: permanently removed after 30 days (soft delete period)
• Deleted account: 30-day grace period after deletion request, then permanent and irreversible removal of all personal data
• Analytics data: anonymized and aggregated after account deletion; no longer linked to your identity
• System backups: automatically rotated every 30 days; deleted data is purged from backups within this window

10. Your Rights

Under GDPR (EU/EEA/Switzerland):

• Right of access: request a copy of your personal data (Settings > Privacy > Export Data, or contact us for a formal DSAR). We respond within 30 days
• Right to rectification: update your account information at any time through Settings > Account
• Right to erasure: delete your account and all associated data through Settings > Privacy > Delete Account. A 30-day grace period applies
• Right to data portability: export your data in JSON or CSV format (limited to one request per 24 hours, download available for 7 days)
• Right to restrict processing: request limitation of specific data processing activities
• Right to object: opt out of marketing communications, analytics, performance monitoring, and legitimate interest processing through the cookie consent banner or Settings > Privacy
• Right to lodge a complaint: you may file a complaint with your local Data Protection Authority (e.g., the Swiss FDPIC, or your national DPA within the EU)

Under CCPA/CPRA (California residents):

• Right to know: request disclosure of the categories and specific pieces of personal information we collect
• Right to delete: request deletion of your personal information
• Right to opt-out: we do not sell personal information, so no opt-out is required. We do not use your data for cross-context behavioral advertising
• Right to non-discrimination: exercising your privacy rights will not result in different pricing or service levels

11. Cookies and Tracking Technologies

On your first visit, a cookie consent banner lets you choose which non-essential tracking categories to accept or reject. Your preferences are stored locally and remembered for subsequent visits. You can change your preferences at any time via the cookie consent banner (accessible from Settings > Privacy).

Cookie and tracking categories:

• Essential (always active): authentication cookies managed by AWS Cognito for session management; localStorage and sessionStorage for user preferences (theme, language, view settings); Sentry for error tracking and crash reporting (EU data residency, no PII collected); Google reCAPTCHA v3 for bot and fraud protection on sign-up and login forms — sets a _GRECAPTCHA cookie (6-month duration, .google.com domain) and processes IP address, browser characteristics, and interaction signals (mouse and keystroke patterns) on a legitimate-interest basis to prevent automated abuse. The reCAPTCHA badge is shown on authentication pages; Google's Privacy Policy and Terms of Service apply to this processing. These are strictly necessary and cannot be disabled
• Analytics (requires your consent): Firebase Analytics to understand how you use the application. Collects anonymized usage data such as screen views and user interactions. Data is processed by Google in accordance with their privacy policy. Only activated after you explicitly grant consent
• Performance (requires your consent): Firebase Performance Monitoring to measure page load times, network latency, and application responsiveness. Only activated after you explicitly grant consent

Additional information:

• Mobile application: AsyncStorage for session tokens and local preferences. No cookies are used
• We do not use third-party advertising cookies, tracking pixels, or cross-site tracking for marketing purposes
• Apart from the limited technical and behavioral signals collected by Google reCAPTCHA for bot protection on authentication forms (see Essential cookies), no fingerprinting techniques are employed for user identification, profiling, or marketing tracking
• If you reject analytics cookies, any previously set analytics cookies (_ga, _gid) are automatically cleared

12. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child under 16 has created an account, please contact us at privacy@todoless.app and we will promptly delete the account and associated data.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. For material changes, we will provide at least 30 days' advance notice via email and in-app notification. We maintain a changelog of significant updates. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or wish to request our current sub-processor list, please contact us at privacy@todoless.app. For formal Data Subject Access Requests (DSAR), please include "DSAR" in the subject line to ensure timely processing within the 30-day statutory period.