TodoFlow.io is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR). This page explains our GDPR compliance measures and your rights as a data subject.

1. Data Controller Information

TodoFlow.io acts as a data controller for personal data collected through our services:

• Company: TodoFlow.io
• Address: [Company Address]
• Data Protection Officer: dpo@todoflow.io

2. Legal Basis for Processing

We process personal data based on the following legal grounds:

2.1 Contract Performance

Processing necessary to provide our services to you, including:

• Account creation and management
• Providing the task management service
• Processing payments
• Customer support

2.2 Legitimate Interests

Processing necessary for our legitimate business interests, including:

• Improving our services and user experience
• Ensuring security and preventing fraud
• Analytics and product development

2.3 Consent

Where required, we obtain your explicit consent for:

• Marketing communications
• Non-essential cookies
• Special categories of data (if applicable)

2.4 Legal Obligations

Processing necessary to comply with legal obligations, such as tax and accounting requirements.

3. Your Rights Under GDPR

As a data subject, you have the following rights:

4. How to Exercise Your Rights

To exercise any of your rights, please contact our Data Protection Officer:

• Email: dpo@todoflow.io
• Subject Line: GDPR Request - [Your Request Type]

We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days with notice.

5. Data Retention

We retain personal data only for as long as necessary:

• Account data: Until account deletion + 30 days
• Transaction records: 7 years (legal requirement)
• Analytics data: 26 months (anonymized after)
• Support tickets: 3 years after resolution

6. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with adequacy decisions
• Binding Corporate Rules where applicable

7. Security Measures

We implement technical and organizational measures to protect personal data:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Access controls and authentication
• Regular security audits and penetration testing
• Employee training on data protection
• Incident response procedures

8. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the relevant supervisory authority within 72 hours
• Notify affected individuals without undue delay when there is high risk
• Document all breaches and remediation actions

9. Sub-Processors

We use the following sub-processors to provide our services:

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. The lead supervisory authority for TodoFlow.io is [Authority Name and Contact].

11. Contact

For any GDPR-related inquiries:

• Data Protection Officer: dpo@todoflow.io
• General Privacy: privacy@todoflow.io