Privacy Policy
Last updated: March 2026
This Privacy Policy explains how Ofnof ("we", "us", "our") collects, uses, and protects your personal data when you use Todoodah ("the Service"). We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and other applicable European data protection laws.
Data Controller
The data controller responsible for your personal data is:
Ofnof, the Netherlands
Email: contact@todoodah.com
Website: ofnof.com
Data We Collect
We collect the minimum data necessary to provide the Service:
- Account data: Email address and password (stored as a cryptographic hash — we never store your password in plain text).
- Content data: Todo items, list names, and list settings that you create within the Service.
- Usage data: Your preferences (theme, sound settings, empty state mode).
- Technical data: IP address and session tokens necessary for authentication and security.
Legal Basis for Processing
We process your personal data based on the following legal grounds (Art. 6 GDPR):
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for — including account management, storing your todos, and enabling list sharing.
- Legitimate interest (Art. 6(1)(f)): Processing necessary for security (e.g., rate limiting, fraud prevention) and service improvement.
How We Use Your Data
- To create and maintain your account.
- To store and sync your todos and lists across devices.
- To enable shared list collaboration with other users.
- To authenticate your sessions and protect against unauthorized access.
Data Sharing & Sub-processors
We do not sell your personal data. We use the following third-party processors to operate the Service:
| Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting | Germany, EU |
| Scaleway SAS | Database hosting | France, EU |
| Migadu GmbH | Email hosting | Switzerland |
All processors are located within the European Union or Switzerland (recognized as providing adequate data protection under GDPR). Your data never leaves the EU/EEA/Switzerland.
Data Retention
- Account data: Retained for as long as your account is active. Deleted upon account deletion.
- Content data: Retained for as long as your account is active. Deleted upon account deletion.
- Session data: Automatically expired and removed after the session ends.
Your Rights
Under the GDPR, you have the following rights:
- Access (Art. 15): Request a copy of your personal data.
- Rectification (Art. 16): Correct inaccurate personal data.
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). You can delete your account directly in the app.
- Data portability (Art. 20): Export your data in a structured format. Available via the account export feature in the app.
- Restriction (Art. 18): Request restriction of processing.
- Objection (Art. 21): Object to processing based on legitimate interest.
To exercise your rights, contact us at contact@todoodah.com.
You also have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens.
Analytics
Our website uses Rybbit, a cookieless, privacy-friendly analytics tool self-hosted on our own infrastructure. Rybbit does not collect personal data, does not use cookies, and does not track individual users. It provides aggregate, anonymous usage statistics only.
Cookies
We use only essential cookies required for authentication. We do not use any tracking, analytics, or marketing cookies. For details, see our Cookie Policy.
Security
We implement appropriate technical and organizational measures to protect your data, including encrypted connections (TLS), hashed passwords, CSRF protection, rate limiting, and security headers.
Automated Decision-Making
The Service does not use automated decision-making or profiling as defined in Article 22 GDPR.
International Users
All data is stored and processed exclusively within the EU, EEA, and Switzerland. The protections described in this policy, which are based on the GDPR, apply to all users regardless of where they are located.
If you are a California resident: we do not sell your personal information as defined by the California Consumer Privacy Act (CCPA).
If you have questions about how your local privacy laws interact with our practices, please contact us.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page.
Contact
For questions about this Privacy Policy or your personal data, contact us at contact@todoodah.com.