1. Data controller
The controller is Darius Schaub, Frickestraße 35, 20251 Hamburg, Germany. You can reach us at schaub.darius@gmail.com. Further statutory details are provided in the imprint.
Routine privacy enquiries can use the email above and the in-product account tools where offered. If we have not appointed a separate data protection officer, the same contacts apply.
2. Hosting
The application runs on internet-connected infrastructure that keeps TopTasks reachable and defended against abuse. Typical legal bases include GDPR Article 6(1)(b) (performance of contract and preparatory measures) and Article 6(1)(f) (security and availability), subject to tougher local duties where applicable. Hosting is operated by Hetzner. When hosting personnel process personal data solely under our documented instructions, that relationship complies with GDPR Article 28 via data processing agreements.
3. Accounts and core service
Registration and login use details such as your email address, optional name or profile image, hashed passwords (when you choose password login), verification status, and related account metadata. Content you save—tasks, projects, and preferences—is stored so the planner stays in sync across sessions. Typical legal bases include Article 6(1)(b) for fulfilling the agreement; supplementary Article 6(1)(f) may cover narrow technical logs and anti-abuse safeguards that remain proportionate to your rights.
4. Authentication and cookies
Sessions use Auth.js / NextAuth. Cookies and related artefacts keep you securely signed in throughout a browser session. Turning them off prevents login from persisting. Tokens supporting email verification and password resets are tied to those security flows with the same contract-focused legal bases. Our cookie notice describes session storage in more detail.
5. Social sign-in
When you authenticate through GitHub, Google, or LinkedIn from the options on the login page, exchanging account metadata with those platforms may rely on GDPR Chapter V safeguards for transfers beyond the EU/EEA/UK. Connect only providers you trust for your workspace.
6. Transactional email
Operational messages such as address verification reminders and password reset links go out via Resend from our configured sending domain; the predominant legal basis is Article 6(1)(b) because the mails are strictly ancillary to delivering the application.
7. Retention
Personal data stays available while your account stays open and lawful retention statutes allow. When you finish using TopTasks we delete redundant personal data promptly unless overriding legal duties require retention.
8. Rights
Depending on jurisdiction you may request access, rectification, erasure, restriction, portability, and objection to certain processing—in the EU you also retain the right to complain to your supervisory authority. Where we rely on consent you can withdraw it for the future without affecting prior lawful processing.
9. Processor list highlights
A counterpart table outlining primary vendors is published as our Subprocessors disclosure and is refreshed when tooling changes materially.
10. Updates
When product features or the law evolve, we revise this overview and notify active users inside the interface when a substantial change warrants it.