Privacy Policy
Information about the processing of your personal data according to GDPR
Table of Contents
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:
2. Legal Basis for Processing
We process your personal data on the following legal bases:
- Art. 6(1)(a) GDPR:Consent - You have given us your consent for processing
- Art. 6(1)(b) GDPR:Contract performance - Processing is necessary for the fulfillment of our contract
- Art. 6(1)(c) GDPR:Legal obligation - Processing is necessary to fulfill legal obligations
- Art. 6(1)(f) GDPR:Legitimate interest - Processing serves our legitimate interests
3. What Data Do We Collect?
Automatically Collected Data
When visiting our website, the following data is automatically collected:
- IP address (anonymized)
- Date and time of request
- Browser type and version
- Operating system
- Referrer URL
- Pages visited
Data You Provide
- Email address (upon registration)
- Name (optional)
- Profile picture (optional)
- Content you create (boards, cards, comments)
- Communication with our support
4. Registration & User Account
Registration is required to use our services. During registration, we process:
Email / Password
Your email address serves as your username and for notifications. Passwords are stored securely hashed.
OAuth Login
When logging in via Google or GitHub, we only receive the data necessary for authentication (email, name, profile picture).
Legal basis: Art. 6(1)(b) GDPR (Contract performance)
5. Payment Processing
For payment processing, we use the service Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland).
Data processed by Stripe:
- Payment information (credit card data, IBAN)
- Transaction data
- Billing address
We do not store any credit card data ourselves. This data is processed directly by Stripe and protected according to PCI DSS standards.
Stripe Privacy Policy: https://stripe.com/privacy
7. Hosting & Infrastructure
Vercel
Website hosting and edge functions
Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
Supabase
Database and authentication
Supabase Inc., USA (EU server location available)
Data processing agreements (DPA) are in place with all service providers in accordance with Art. 28 GDPR. For data transfers to the USA, Standard Contractual Clauses (SCCs) are used.
8. Third-Party Services
Anthropic (Claude AI)
For AI-powered features, we use the Claude API from Anthropic. Your inputs are transmitted to Anthropic for processing.
9. Your Rights
Under GDPR, you have the following rights:
Right of Access
Art. 15 GDPR - Information about your stored data
Right to Rectification
Art. 16 GDPR - Correction of incorrect data
Right to Erasure
Art. 17 GDPR - Deletion of your data ('Right to be forgotten')
Right to Restriction
Art. 18 GDPR - Restriction of processing
Right to Data Portability
Art. 20 GDPR - Receive your data in machine-readable format
Right to Object
Art. 21 GDPR - Object to processing
Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:
The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg
10. Changes to This Privacy Policy
We reserve the right to adapt this privacy policy to comply with changed legal situations or changes to our service. You will always find the current version on this page. We will notify you of significant changes by email.
Last updated: November 2025