Effective date: March 17, 2026
This Privacy Policy (the "Policy") describes how personal data of users is collected, processed, and protected on the "Todo List" service (the "Service"), available at todo.keepware.ru and through the mobile application.
The data controller is Maksim Gerasimenko (the "Controller").
Contact email: mngeras@yandex.ru
| Data | Purpose | Legal basis |
|---|---|---|
| Account registration, verification, password reset | User consent | |
| Username | Identification in shared lists | User consent |
| Password (hash) | Authentication | Performance of contract |
| Tasks and task lists | Providing the core Service functionality | Performance of contract |
| IP address | Protection from abuse (rate limiting) | Legitimate interest |
Personal data is processed solely for the following purposes:
Personal data is stored on a server located in the Russian Federation, in compliance with applicable data protection laws (including Federal Law No. 152-FZ "On Personal Data").
Passwords are stored as BCrypt hashes and cannot be recovered in plain form.
Email verification and password reset tokens are stored as SHA-256 hashes.
Personal data is retained until the user deletes their account. Upon account deletion, all user data (including tasks, list memberships, and personal settings) is permanently erased.
The Controller does not share personal data with third parties, except where required by the laws of the Russian Federation.
The Service does not use third-party analytics, advertising networks, or tracking systems.
When a task is created, the original text of its title (as you typed it) may be added to a shared dictionary of task suggestions — the same text that appears in your own list, made available as a candidate completion for other users typing a new task. A dictionary entry stores only the text and a count of distinct users who typed it, with no user identifier, email, or IP address. Entries are exposed through the public endpoint GET /api/suggestions (accessible to anyone, including unauthenticated clients) only after enough distinct users have typed the same title.
Private tasks are never added to the dictionary. Titles that look like emails or phone numbers, or contain profanity, are dropped at write time. Titles longer than 30 characters and texts containing no letters (emoji-only / digit-only) are also skipped.
If a string that contains someone's personal data (a name, address) makes it into the public dictionary, contact the operator to have it removed — the administrator can mark it hidden.
Entries that have not been used for more than one year are removed automatically.
The following safeguards are in place:
The user has the right to:
A user may delete their account by:
The Service does not use cookies for tracking. Authentication is implemented via JWT tokens stored locally on the user's device.
The Controller reserves the right to amend this Policy. The current version is always available at todo.keepware.ru/privacy/en.
← Back to home