Privacy Policy
Last updated: February 4, 2026
1. Introduction
This Privacy Policy governs your use of NotoDo ("we," "us," "our," or "Company") services, including our web application and mobile applications (the "Service"). This policy explains how we collect, use, process, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable EU privacy laws.
Data Controller: NotoDo B.V., registered in the Netherlands
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our Service.
2. Legal basis for processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Consent: When you explicitly consent to specific processing activities
- Contract Performance: To provide our services and fulfill our contractual obligations
- Legitimate Interest: For business operations, security, and service improvement
- Legal Obligation: To comply with applicable laws and regulations
3. Data we collect
3.1 Information you provide directly
- Account Information: Email address, name, password (encrypted)
- Profile Data: Optional profile information, preferences, settings
- User Content: Tasks, notes, and other content you create within the Service
- Communication Data: Messages you send to our support team
3.2 Information we collect automatically
- Technical Data: IP address, browser type, device information, operating system
- Usage Data: How you interact with our Service, features used, session duration
- Performance Data: Error logs, crash reports (anonymized)
3.3 Cookies and similar technologies
We use essential cookies and similar technologies. You can manage cookie preferences through your browser settings. For detailed information, see our Cookie Policy.
4. How we use your data
We process your personal data for the following purposes:
- Service Provision: To provide, maintain, and improve our task management services
- Account Management: To create and manage your account, authenticate access
- Communication: To respond to inquiries, provide customer support
- Security: To protect against fraud, abuse, and security threats
- Legal Compliance: To comply with applicable laws and regulations
- Service Improvement: To analyze usage patterns and improve our Service (with anonymized data)
5. Data sharing and disclosure
We do not sell your personal data. We may share your data in the following limited circumstances:
5.1 Service providers
We work with trusted third-party service providers who process data on our behalf:
- Cloud hosting providers (AWS, Google Cloud)
- Email service providers
- Analytics services (anonymized data only)
- Customer support tools
All service providers are bound by data processing agreements ensuring GDPR compliance.
5.2 Legal requirements
We may disclose your data when required by law, court order, or to protect our legal rights and safety.
5.3 Business transfers
In case of a merger, acquisition, or sale, your data may be transferred to the new entity, subject to the same privacy protections.
6. International data transfers
Your data may be processed in countries outside the EU/EEA. We ensure appropriate safeguards through:
- Adequacy Decisions: Transfers to countries with adequate protection levels
- Standard Contractual Clauses: EU-approved data transfer agreements
- Data Processing Addendums: With all non-EU service providers
7. Data retention
We retain your personal data only as long as necessary:
- Account Data: Until account deletion, plus 30 days for backup removal
- Usage Data: 2 years for service improvement purposes
- Support Communications: 3 years for quality assurance
- Legal Obligations: As required by applicable law
8. Your rights under GDPR
As an EU data subject, you have the following rights:
8.1 Right of access
Request confirmation of data processing and obtain a copy of your personal data.
8.2 Right to rectification
Request correction of inaccurate or incomplete personal data.
8.3 Right to erasure ("Right to be forgotten")
Request deletion of your personal data under certain circumstances.
8.4 Right to restrict processing
Request limitation of the processing of your personal data.
8.5 Right to data portability
Receive your personal data in a structured, machine-readable format.
8.6 Right to object
Object to processing based on legitimate interests or for direct marketing.
8.7 Rights related to automated decision-making
We do not use automated decision-making or profiling that significantly affects you.
To exercise your rights, contact us at: privacy@notodo.app
9. Data security
We implement appropriate technical and organizational measures to protect your data:
- Encryption: Data encrypted in transit and at rest
- Access Controls: Role-based access with multi-factor authentication
- Regular Security Audits: Periodic security assessments and updates
- Employee Training: Staff trained on data protection principles
- Incident Response: Procedures for handling data breaches
10. Data breach notification
In case of a personal data breach that poses a high risk to your rights, we will:
- Notify the relevant supervisory authority within 72 hours
- Inform affected individuals without undue delay
- Provide clear information about the breach and remedial actions
11. Children's privacy
Our Service is not intended for children under 16. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the data immediately and take steps to prevent future occurrences.
12. Marketing communications
We may send service-related communications necessary for account management. For marketing communications, we rely on your explicit consent, which you can withdraw at any time by:
- Clicking "unsubscribe" in marketing emails
- Contacting privacy@notodo.app
- Updating preferences in your account settings
13. Third-party links
Our Service may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies before providing personal information.
14. Supervisory authority
You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data in accordance with GDPR. For Netherlands-based users, this is the Autoriteit Persoonsgegevens (AP).
15. Contact information
Data Protection Officer: privacy@notodo.app
General Inquiries: support@notodo.app
Postal Address:
NotoDo B.V., Amsterdam, Netherlands
16. Policy updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated through:
- Email notification to registered users
- Prominent notice on our Service
- Updated "last modified" date
Continued use of our Service after policy updates constitutes acceptance of the revised policy.
17. GDPR compliance statement
This Privacy Policy has been designed to comply with the General Data Protection Regulation (EU) 2016/679 and other applicable EU and national privacy laws. We are committed to protecting your privacy rights and maintaining transparency in our data processing activities.
This Privacy Policy is effective as of the date shown above and governs our collection, use, and disclosure of your personal information.