Privacy Policy
1. Controller
The controller responsible for data processing is:
Ibragim Barakhoev
Troststraße 20-30/5/13
1100 Vienna
Austria
Email: info@qdoapp.com
2. Data we collect
We process the following data:
- Email address (when you sign up for an account or the waitlist)
- Account credentials (password — stored as a salted bcrypt hash, never in plain text)
- Tasks, folders, labels, goals, habits, and reminders you create in the app
- Settings and preferences (theme, default values, etc.)
- Smart Add input text (only when you choose to use the AI Smart Add feature)
- Technical data (IP address, server logs — retained briefly for security and abuse prevention)
3. Purpose of processing
We use your data for:
- Providing the QDo app: storing your tasks, syncing across your sessions, and operating the features you use
- Account verification and password resets
- Managing the launch waitlist (where applicable)
- Sending essential service emails (verification, password reset, important account notices)
- Generating AI-powered task suggestions when you opt in to Smart Add
- Security, abuse prevention, and meeting our legal obligations
4. Legal basis
Processing is based on:
- Your consent (Art. 6(1)(a) GDPR) — for the waitlist and any optional features
- Performance of a contract (Art. 6(1)(b) GDPR) — to operate the QDo app for you once you sign up
- Our legitimate interests (Art. 6(1)(f) GDPR) — for security, abuse prevention, and basic operational logging
5. Email verification & double opt-in
When you sign up for the waitlist, you receive a confirmation email. Your subscription is only completed once you confirm.
When you sign up for an account, we send you a verification email to confirm your address. Your account is created either way, but verifying helps us reach you for password resets and important account notices.
6. Sub-processors
We use a small number of carefully chosen third-party providers to operate QDo. Each one only sees the minimum data required for its function.
- Hostinger (Lithuania, EU) — application hosting and database storage. Data location: EU. Receives all account and task data necessary to run the app.
- Brevo (France, EU) — transactional emails (account verification, password reset, waitlist confirmation). Data shared: email address only.
- OpenRouter (USA) — AI-powered task parsing for the Smart Add feature. Data shared per request: the text you typed plus the IDs, titles, and due dates of your pending tasks. No email, name, descriptions, folders, or labels are sent. Smart Add is opt-in — if you don’t use it, no data is sent to OpenRouter.
- Backblaze (USA) — encrypted off-site backups of the database. All backup data is AES-256-GCM encrypted on our server before upload; Backblaze stores only the encrypted blob and cannot decrypt it.
7. International data transfers
Some of our sub-processors are based outside the EU (OpenRouter and Backblaze in the USA). Where data is transferred internationally, we rely on the following safeguards under Art. 44 ff. GDPR:
- Data minimization — only the minimum data needed for the specific function is sent. For OpenRouter, your name, email, and task descriptions never leave the EU.
- Encryption — backups sent to Backblaze are encrypted before upload, so the provider cannot read the contents.
- User opt-in — transfers to OpenRouter only happen when you choose to use the Smart Add feature.
- Contractual safeguards — we use providers that offer Standard Contractual Clauses (SCCs) or equivalent protections.
8. Storage duration
We retain your data only for as long as necessary:
- Account data (tasks, folders, settings, etc.) is stored as long as your account is active. You can delete your account at any time from Account → Delete account, which removes everything immediately.
- Waitlist email addresses are stored until you withdraw your consent (unsubscribe).
- Server logs are retained for a short period for security and abuse prevention, then automatically rotated out.
- Smart Add inputs are not stored beyond the request itself. Cached suggestions expire within minutes.
9. Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erasure — have your data deleted (Art. 17). You can do this in one click via Account → Delete account.
- Data portability — export your data in a machine-readable format (Art. 20). Available via Account → Export, in JSON or human-readable text.
- Restrict processing (Art. 18)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) or the supervisory authority in your country of residence
To exercise any of these rights, contact us at info@qdoapp.com.