Privacy Policy
This notice describes the processing of personal data under the GDPR. All data is processed exclusively within the EU.
Controller
[First and last name] [Address] Email: [email address]
Data processed
Account data (sign-in via the identity provider), organization and team data, checklist content and its submissions (including public submissions with a name, signature, and IP address), and uploaded photos.
Purposes and legal bases
Providing and operating the application (Art. 6(1)(b) GDPR – contract), security and abuse prevention (Art. 6(1)(f) GDPR – legitimate interest), and legal obligations (Art. 6(1)(c) GDPR).
Cookies and local storage
Only strictly necessary cookies and local storage are used: an HttpOnly session cookie holding an opaque, random session identifier for sign-in, a cookie for the language selection, and an appearance preference (light/dark). No tracking, analytics, or advertising cookies are used.
Processors
Hosting: Hetzner Online GmbH (EU data centre). Email: Mailjet (Sinch, EU). Identity management and object storage are self-hosted (no third party).
Retention
Data is kept while the account/organization exists or where statutory retention applies. [Retention periods depend on the use case – to be reviewed legally.]
Data security
Tenant separation is enforced at the database level (row-level security), data in transit is encrypted with TLS, and access is limited to authorized accounts.
Your rights
Access, rectification, erasure, restriction, portability, and objection. You may lodge a complaint with the Austrian Data Protection Authority (dsb.gv.at).
Data export and erasure
Submissions can be exported as a file from within the application. On request, personal data is erased; for public submissions the name and IP address are anonymised and any signature or photo files are permanently deleted, while the immutable submission record is retained.
Automated decision-making
No automated decision-making, including profiling, takes place.
Contact
For privacy enquiries: [email address].