RU · EN

Privacy Policy

Effective date: March 17, 2026

This Privacy Policy (the "Policy") describes how personal data of users is collected, processed, and protected on the "Todo List" service (the "Service"), available at todo.keepware.ru and through the mobile application.

1. Data Controller

The data controller is Maksim Gerasimenko (the "Controller").

Contact email: mngeras@yandex.ru

2. Data we collect

DataPurposeLegal basis
EmailAccount registration, verification, password resetUser consent
UsernameIdentification in shared listsUser consent
Password (hash)AuthenticationPerformance of contract
Tasks and task listsProviding the core Service functionalityPerformance of contract
IP addressProtection from abuse (rate limiting)Legitimate interest

3. Purpose of processing

Personal data is processed solely for the following purposes:

4. Data storage

Personal data is stored on a server located in the Russian Federation, in compliance with applicable data protection laws (including Federal Law No. 152-FZ "On Personal Data").

Passwords are stored as BCrypt hashes and cannot be recovered in plain form.

Email verification and password reset tokens are stored as SHA-256 hashes.

5. Retention period

Personal data is retained until the user deletes their account. Upon account deletion, all user data (including tasks, list memberships, and personal settings) is permanently erased.

6. Disclosure to third parties

The Controller does not share personal data with third parties, except where required by the laws of the Russian Federation.

The Service does not use third-party analytics, advertising networks, or tracking systems.

6.1. Global task-suggestion dictionary

When a task is created, the original text of its title (as you typed it) may be added to a shared dictionary of task suggestions — the same text that appears in your own list, made available as a candidate completion for other users typing a new task. A dictionary entry stores only the text and a count of distinct users who typed it, with no user identifier, email, or IP address. Entries are exposed through the public endpoint GET /api/suggestions (accessible to anyone, including unauthenticated clients) only after enough distinct users have typed the same title.

Private tasks are never added to the dictionary. Titles that look like emails or phone numbers, or contain profanity, are dropped at write time. Titles longer than 30 characters and texts containing no letters (emoji-only / digit-only) are also skipped.

If a string that contains someone's personal data (a name, address) makes it into the public dictionary, contact the operator to have it removed — the administrator can mark it hidden.

Entries that have not been used for more than one year are removed automatically.

7. Data protection

The following safeguards are in place:

8. User rights

The user has the right to:

9. Account deletion

A user may delete their account by:

10. Cookies

The Service does not use cookies for tracking. Authentication is implemented via JWT tokens stored locally on the user's device.

11. Changes to this Policy

The Controller reserves the right to amend this Policy. The current version is always available at todo.keepware.ru/privacy/en.

← Back to home