Data Protection Declaration for Customers

We, Alex Kirsch IT GmbH, as the operator of todoListo (hereinafter: we or us), take the protection of your personal data seriously and would like to inform you about data protection in our company.

We meet our responsibility under data protection law in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: GDPR) in order to protect the personal data of the person affected by processing (below we also refer to you as the person affected, or data subject).

Insofar as we decide on the purposes and means of data processing either alone or together with others, this primarily includes the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and Art. 14 GDPR). With this declaration (hereinafter: Privacy Policy or Data Protection Declaration) we inform you how your personal data is processed by us if you make use of our paid offers.

In addition to these data protection regulations for customers, the data protection regulations for the website apply when visiting our website.

Name and contact details of the person responsible for processing and the company data protection officer

This data protection information applies to data processing by

Responsible person
Alex Kirsch IT GmbH, represented by the manager Dr. Alexandra Kirsch
Eckbergstr. 18/1, 72135 Dettenhausen, Tel.: +49 176 36067878, E-Mail:

We are currently not obliged to appoint a data protection officer. You can contact the person responsible at any time using the contact details provided.

If you have any questions or comments about the collection and processing of your personal data, please get in touch with the aforementioned contacts.

Collection, processing and storage of personal data as well as the type and purpose of their use

Collection of personal data concerning you

As part of the use of our services, we collect personal data about you. However, our services are programmed in such a way that as little personal data as possible is processed.


When you register on our website, the following personal data is collected from you:

  • E-mail address
  • First and Last Name
  • Address with zip code and country
  • for business customers within the EU but outside of Germany, the sales tax identification number

The personal data is processed exclusively for the purpose of fulfilling the contract with you. The legal basis for this is Article 6 Paragraph 1 Sentence 1 Letter b GDPR.

Subscription payment

To complete a subscription, you must provide a means of payment. The following personal data is collected here:

  • E-mail address
  • First and Last Name
  • Address with zip code and country
  • for business customers within the EU but outside of Germany, the sales tax identification number
  • Bank details or payment details

This personal data is passed on to the payment service provider Stripe, a service provided by Stripe Inc. based in San Francisco, USA. The transfer takes place in order to process the payment and thus to fulfill the contract concluded with you in accordance with Article 6 Paragraph 1 Sentence 1 lit. b GDPR. We have entered into an order processing agreement and standard contractual clauses with Stripe in accordance with the provisions of the EU Commission.

Use of our Services

If you use the free version of todoListo, personal data entered in the to-do list will not be processed by us. The data stays exclusively with you.

If you use the paid version of todoListo, personal data that you enter in your to-do list will be stored on the servers rented by us. The data is transmitted to the server in encrypted form and stored there.

The data processing takes place to fulfill the contract concluded with you, Art. 6 Paragraph 1 Sentence 1 lit. b GDPR.


We delete your personal data as soon as it is no longer necessary for the purposes for which we processed it. As a rule, we store your personal data for the duration of the usage or contractual relationship, Article 6 Paragraph 1 Sentence 1 lit. b GDPR. Your data is stored on our rented servers located in the European Union.

However, storage can take place beyond the specified time in the event of an (impending) legal dispute with you or other legal proceedings.

Legal requirements for the storage and deletion of personal data remain unaffected by the above (e.g. Section 257 HGB or Section 147 AO), Article 6 Paragraph 1 lit. c GDPR. If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted, unless further storage by us is necessary and there is a legal basis for this.

Data security

We use appropriate technical and organizational security measures to protect your personal data. Our security measures are continuously improved in line with technological developments.

No automated decision-making (including profiling)

We do not use your personal data for any automated decision-making process (including profiling).

Sharing of Data

As already explained, we pass on your personal data to our payment service provider for payment processing.

Furthermore, your personal data can be passed on to the following recipients:

  • Service providers for the operation of our website and the processing of the data stored or transmitted by the systems (e.g. for server and data center services, payment processing, IT security). The legal basis for the transfer is then Article 6 Paragraph 1 Clause 1 Letter b or Letter f GDPR;
  • tax consultants and law firms to fulfill our tax obligations or for legal prosecution. The legal basis is our legitimate interest in accordance with Article 6 Paragraph 1 Sentence 1 Letter f GDPR;
  • state bodies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the transfer is Article 6 Paragraph 1 Clause 1 Letter c GDPR.

In addition, we only pass on your personal data to third parties if you have given your express consent to this in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR.

Data subject rights

You have the right

  • to request information about your personal data processed by us in accordance with Article 15 GDPR. In particular, you can obtain information about the processing purposes, the category of personal data, the categories of recipients to whom your data was or will be disclosed, the planned storage period, the existence of a right to correction, deletion, restriction of processing or objection, the existence of a right to complain, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if necessary, meaningful information about its details;
  • in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
  • in accordance with Art. 17 GDPR, to request the deletion of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
  • in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful but you oppose its deletion, and we no longer need the data but you need it to assert, exercise or defend legal claims, or you have objected to the processing in accordance with Art. 21 GDPR;
  • in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request transmission to another person responsible;
  • in accordance with Art. 7 Para. 3 GDPR, to revoke the consent you have given us at any time. As a result, we may no longer continue the data processing based on this consent in the future; and
  • to complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or work or of our registered office.

Right to object

If your personal data is processed on the basis of legitimate interests in accordance with Article 6 Paragraph 1 Clause 1 Letter f GDPR, you have the right to object to the processing of your personal data in accordance with Article 21 GDPR, provided there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which we will implement without specifying a particular situation.

If you would like to make use of your right of revocation or objection, an e-mail to is sufficient.

Updating and changing this data protection declaration

This data protection declaration is currently valid and is dated August 2023.

Due to the further development of our website and offers or due to changed legal or official requirements, it may become necessary to change this data protection declaration.