Privacy Policy

Effective date: March 17, 2026

This Privacy Policy (the "Policy") describes how personal data of users is collected, processed, and protected on the "Todo List" service (the "Service"), available at todo.keepware.ru and through the mobile application.

1. Data Controller

The data controller is Maksim Gerasimenko (the "Controller").

Contact email: mngeras@yandex.ru

2. Data we collect

Data	Purpose	Legal basis
Email	Account registration, verification, password reset	User consent
Username	Identification in shared lists	User consent
Password (hash)	Authentication	Performance of contract
Tasks and task lists	Providing the core Service functionality	Performance of contract
IP address	Protection from abuse (rate limiting)	Legitimate interest

3. Purpose of processing

Personal data is processed solely for the following purposes:

• Providing access to the Service and its features
• Enabling collaboration between users on shared task lists
• Email verification and account recovery
• Security and abuse prevention

4. Data storage

Personal data is stored on a server located in the Russian Federation, in compliance with applicable data protection laws (including Federal Law No. 152-FZ "On Personal Data").

Passwords are stored as BCrypt hashes and cannot be recovered in plain form.

Email verification and password reset tokens are stored as SHA-256 hashes.

5. Retention period

Personal data is retained until the user deletes their account. Upon account deletion, all user data (including tasks, list memberships, and personal settings) is permanently erased.

6. Disclosure to third parties

The Controller does not share personal data with third parties, except where required by the laws of the Russian Federation.

The Service does not use third-party analytics, advertising networks, or tracking systems.

7. Data protection

The following safeguards are in place:

• Encrypted connection (HTTPS / TLS 1.2+)
• JWT authentication with limited token lifetime
• BCrypt password hashing
• Rate limiting to protect against brute-force attacks
• Daily database backups

8. User rights

The user has the right to:

• Access their personal data (via the API or the application interface)
• Modify their data (email, username, password)
• Delete their account and all associated data
• Withdraw consent to data processing (by deleting the account)

9. Account deletion

A user may delete their account by:

• Using the mobile application (Settings → Delete account)
• Contacting the Controller at mngeras@yandex.ru

10. Cookies

The Service does not use cookies for tracking. Authentication is implemented via JWT tokens stored locally on the user's device.

11. Changes to this Policy

The Controller reserves the right to amend this Policy. The current version is always available at todo.keepware.ru/privacy/en.

← Back to home