1. Who we are
KnotDo is operated by VARO Industries ("we," "us," "our"). For privacy inquiries, contact us at [email protected].
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use KnotDo ("the Service"). We comply with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.
2. Data we collect
Account data: When you register, we collect your email address, name, and hashed password (we never store plaintext passwords). If you sign in with Google or GitHub, we receive your email and name from those services.
Task data: The tasks, lists, notes, subtasks, and tags you create ("Your Content"). This data belongs to you and is stored to provide the Service.
Session data: We use secure, httpOnly session cookies to keep you signed in. These expire when you sign out or after a period of inactivity.
Technical data: We log server errors, API response times, and basic request metadata (IP address, user agent) for security and debugging purposes. These logs are retained for 30 days and not used for marketing.
We do not collect: advertising identifiers, browsing history outside of KnotDo, or any data from your device beyond what you explicitly submit to the Service.
3. How we use your data
- To provide the Service — storing your tasks, syncing across devices, sending email notifications you've opted into
- To authenticate you — managing your session and verifying your identity
- To send transactional emails — password resets, invite notifications, critical service alerts. No marketing emails without your explicit opt-in.
- To improve the Service — aggregated, anonymous usage patterns (e.g., how often the Kanban view is used). No individual-level tracking.
- For security — detecting abuse, fraud, and unauthorized access
We do not use your data for advertising. We do not sell your data. We do not use Your Content to train AI or machine learning models.
4. Legal basis for processing (GDPR)
- Contract performance — processing necessary to provide the Service you've signed up for (account data, task data, session cookies)
- Legitimate interests — security logging, error tracking, and aggregated usage analytics that don't override your rights
- Legal obligation — where we're required to retain or disclose data by law
5. Data storage and security
Your data is stored on servers located in the European Union (Hetzner, Germany). We do not transfer your personal data outside the EU/EEA.
Security measures include:
- All data encrypted in transit via HTTPS/TLS 1.3
- Passwords hashed with bcrypt (cost factor 12) — never stored in plaintext
- API keys and session tokens stored as hashed values
- Session cookies set as httpOnly and Secure (not readable by JavaScript, sent only over HTTPS)
- Optional two-factor authentication (TOTP) for all accounts
- Automated database backups with 30-day retention
No system is 100% secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by GDPR.
6. Third-party services
We use a limited set of third-party services to operate KnotDo:
- Google OAuth / GitHub OAuth — optional sign-in methods. We only receive your email and name; we do not receive access to your Google Drive, GitHub repos, or other data.
- SMTP provider — for sending transactional emails (password resets, notifications). Only your email address is shared.
- Hetzner — EU-based server and database hosting.
We do not use Google Analytics, Meta Pixel, or any advertising trackers. We do not embed third-party tracking scripts.
7. Cookies
We use only strictly necessary cookies:
- Session cookie (next-auth.session-token) — keeps you signed in. Expires on sign-out or browser close. httpOnly, Secure.
- CSRF token — protects form submissions. Session-scoped.
We do not use advertising cookies, analytics cookies, or third-party tracking cookies. No cookie consent banner is required for strictly necessary cookies under GDPR.
8. Your rights (GDPR)
If you are in the EU/EEA, you have the following rights:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure ("right to be forgotten") — delete your account and all associated data
- Portability — export your task data in JSON or CSV format
- Restriction — request we limit processing of your data
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email [email protected] or use the self-service tools in Account Settings. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority.
9. Data retention
- Active accounts — data retained as long as your account is active
- Deleted accounts — Your Content deleted within 30 days of account deletion; email address retained for 90 days to prevent re-registration abuse, then permanently deleted
- Server logs — retained 30 days, then deleted
- Password reset tokens — expire after 1 hour and are deleted after use
10. Children
KnotDo is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a child, contact us immediately at [email protected].
11. Changes to this policy
We may update this Privacy Policy. We will notify you of material changes by email or by a prominent notice in the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
For privacy questions or to exercise your rights: [email protected]
For security concerns: [email protected]
For general enquiries: Contact form