GetItDone Logo

Privacy Statement for GetItDone

Version 1.1 – Last updated: March 18, 2025

In accordance with Article 13 of the General Data Protection Regulation (GDPR)

1. Controller

The controller responsible for data processing is:

Simon Schwer
WolfringstraĂźe 14
90765 FĂĽrth, Germany
Email: info@getitdone-app.de
VAT ID: [YOUR VAT ID HERE]

2. Overview of Data Processing

We are committed to protecting your personal data. This privacy statement explains how we process your data when you use our GetItDone software and website.

GetItDone is designed with data minimization principles in mind. However, to deliver our core service of AI-enhanced project management, we need to process certain project data.

2.1 Data Processing Principles

We adhere to the following principles when processing your data:

  • Data minimization – we collect and process only what is necessary
  • Purpose limitation – we use data only for the purposes specified in this statement
  • Storage limitation – we retain data only as long as necessary
  • Integrity and confidentiality – we implement appropriate technical and organizational measures

2.2 Operating Modes

GetItDone offers three modes of operation with different data processing implications:

a) No AI Mode: All project data remains on your local device. Only anonymous installation IDs and version information are sent to our servers for update purposes and installation statistics.

b) API Key Mode: When you choose to use your own API key from third-party AI providers (Google Cloud, OpenAI), your project data is sent directly to these providers. The API keys are stored only on your local device using your operating system's encryption features and are never stored in plain text. We never store, transmit, or have access to your third-party API keys.

c) GetItDone Pro Subscription: When using our subscription service, your project data is processed through our proxy server to facilitate AI requests. We do not store your project data but temporarily process it to fulfill your AI requests.

2.3 Age Restriction

GetItDone is intended for users who are at least 16 years of age. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have collected personal data from an individual under 16 years of age, we will take steps to delete such information from our systems.

3. Personal Data We Process

3.1 When visiting our website:

The following data is automatically collected when you access our website:

  • IP address (stored temporarily and anonymized using IP masking within 24 hours)
  • Date and time of the request
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)
  • HTTP status code

These data are used exclusively to ensure the functionality of the website and to optimize our services. These data are not combined with other data sources and are automatically deleted after 7 days.

3.2 When using the contact form or forum:

If you use the contact form or register for the forum, we collect:

  • Your name (if provided)
  • Your email address
  • The content of your message or posts
  • Account creation date and time
  • Last login date and time (for forum accounts)
  • IP address (for security purposes, anonymized after 7 days)

These data are used solely to process your inquiry or facilitate forum participation. Contact form data is retained until your inquiry is resolved, after which it is deleted unless legal requirements necessitate longer retention. Forum account data is retained until you delete your account or request its deletion.

3.3 When using reCAPTCHA:

Our website uses Google reCAPTCHA (v3) to protect our forms from spam. This service may collect personal data such as:

  • Information about your browser, device, and browsing behavior
  • Cookies set by Google (including _GRECAPTCHA cookies that expire after 6 months)
  • Your IP address
  • Mouse movements and typing patterns
  • Information about operating system and active plugins
  • Display size and resolution
  • Date and language settings

This data is processed by Google in accordance with their privacy policy (https://policies.google.com/privacy). We use reCAPTCHA based on our legitimate interest in protecting our website from automated abuse.

By using the contact form or other forms protected by reCAPTCHA, you acknowledge that the Google LLC reCAPTCHA service will process data about you for the purpose of determining whether you are a human being or an automated system. This processing is subject to Google's privacy policy and terms of service.

3.4 When using the GetItDone software:

In all modes: An anonymous installation ID (UUID) for installation statistics and version information for update purposes. This data is retained indefinitely but contains no personal information.

In subscription mode: Your email address and password (stored with bcrypt encryption) for account management and authentication with our proxy service. JWT tokens are also used for secure authentication, with access tokens that expire after 60 minutes and refresh tokens that are encrypted and stored locally on your device for up to 30 days using your operating system's encryption. Refresh tokens are never stored on our servers in unencrypted form. For Windows users, passkey credentials may be stored securely on your device if you opt to use passkey authentication. Project data is processed through our proxy server to facilitate AI requests but is not stored permanently on our servers beyond the duration needed to process your request (typically seconds).

In API key mode: No personal data is processed by us; your project data is sent directly to third-party AI providers. We never store or have access to your third-party API keys. For your security, these API keys are stored with encryption using your operating system's security features and never in plain text on your device.

Authentication services: For authentication purposes (login, password reset, and email verification), we use SendGrid as our email service provider. When you use these features, your email address is processed by SendGrid solely to deliver the authentication email. SendGrid retains this data for up to 5 days. SendGrid may set cookies and collect usage data as described in their privacy policy (https://www.twilio.com/legal/privacy).

Project data processing: When using AI features (in both API Key and Subscription modes), your project information is processed in real-time and sent to AI providers. This includes not only your direct input but also project context information such as project status, imported documents, task descriptions, and other project-related content that provides context for AI processing. We have agreements with all our AI providers (OpenAI and Google Cloud) that your data will not be used for training their AI models.

Error logs: In case of application errors, technical information may be logged to assist with troubleshooting. These logs include:

  • Error timestamp
  • Error type and message
  • Software version
  • Operating system information
  • Anonymous installation ID

These logs do not contain your project data and are automatically deleted after 30 days.

3.5 When subscribing to GetItDone Pro:

  • Email address (retained for the duration of the subscription plus 90 days after cancellation)
  • Payment information (processed by Stripe, not stored on our servers)
  • Subscription start and end dates
  • Usage statistics (number of AI requests made)
  • IP address used for subscription (stored for fraud prevention purposes)

3.6 Cookies and Local Storage

Our website uses the following cookies:

Essential Technical Cookies:

  • WordPress session cookies: Temporary cookies that expire when you close your browser. Used to maintain your session while navigating the website.
  • wpforo_sticky_header: Forum cookie to remember user preferences. Duration: 1 month.
  • wordpresslogged_in[hash]: Authentication cookie to identify logged-in users. Duration: Session.
  • wordpresssec[hash]: Security cookie for WordPress. Duration: Session.

Third-party Cookies:

  • _GRECAPTCHA: Set by Google reCAPTCHA to distinguish humans from bots. Duration: 6 months.
  • stripe_*: Set by Stripe for payment processing (only when making payments). Duration: Varies by specific cookie.
  • SendGrid cookies: SendGrid may set cookies to facilitate email delivery and track email interactions. Duration: Varies by specific cookie.

You can manage or delete cookies through your browser settings. Blocking all cookies may impact the functionality of our website, particularly the forum and contact forms.

4. Legal Basis for Processing

We process your data based on the following legal grounds:

  • Article 6(1)(b) GDPR: To fulfill our contractual obligations (e.g., subscription service, providing AI functionality)
  • Article 6(1)(c) GDPR: To comply with legal obligations
  • Article 6(1)(f) GDPR: To pursue our legitimate interests (e.g., ensuring software functionality, improving services, preventing fraud and abuse)

4.1 Data Processing Roles

No AI Mode: We only process anonymous installation statistics and update information. In this mode, we act as the data controller for the limited data collected.

API Key Mode: When you use your own API key, we do not process your project data. We act solely as a software provider, and you establish a direct relationship with the third-party AI provider. You are the data controller for your project data, and the third-party AI provider is your data processor. We are not involved in this processing relationship.

Pro Subscription Mode: When using our subscription service, we act as a data processor for the project data that passes through our proxy server. This processing is necessary for fulfilling our contract with you (providing the AI-enhanced project management service you've subscribed to). You remain the data controller for this data, and we are your data processor. Additionally, we act as a data controller for your account information (email address, password, subscription details).

Authentication Services: For authentication-related processes, SendGrid acts as our data processor when sending authentication emails. We remain the data controller for your authentication data.

We maintain records of processing activities in accordance with GDPR Article 30 for all personal data processed under our responsibility.

We do not require explicit consent on every software startup, as the processing is necessary for the performance of our contract with you or falls under legitimate interests (for anonymous usage statistics).

5. Data Recipients

Your personal data may be shared with the following recipients:

  • Stripe: For payment processing in subscription mode. Data shared includes your email address and payment information.
  • SendGrid: For authentication email delivery. Data shared includes your email address and temporary authentication codes.
  • Third-party AI providers (OpenAI, Google Cloud): When using AI features. Data shared includes your project data submitted for AI processing.
  • WebGo: Our website hosting provider in Germany. All website data is hosted on their servers located in Germany.
  • Google: When using reCAPTCHA for form protection.

We have ensured that all service providers comply with data protection regulations through appropriate data processing agreements that include Standard Contractual Clauses where necessary for international transfers.

6. Data Retention

  • Server logs: Automatically collected server log data are deleted after a maximum of 7 days.
  • Contact inquiries: Data from contact inquiries are deleted once the inquiry has been processed (typically within 30 days), unless legal retention requirements apply.
  • Error logs: Error logs in subscription mode are retained for 30 days, after which they are automatically deleted.
  • Authentication data: SendGrid retains email addresses and authentication codes for up to 5 days.
  • Access tokens: JWT access tokens expire after 60 minutes.
  • Refresh tokens: JWT refresh tokens are encrypted and stored locally on your device for up to 30 days.
  • Subscription data: Email addresses and account information are retained for the duration of the subscription plus 90 days after cancellation.
  • Anonymous installation IDs: Retained for analytical purposes but contain no personal information.
  • Forum account data: Retained as long as your account remains active. You may request deletion at any time by contacting us at info@getitdone-app.de.
  • Payment data: Stripe retains payment data according to their privacy policy and legal requirements. We do not store payment data on our servers.

7. Data Processing Outside the EU/EEA

When using AI features (either via API key mode or subscription mode), your data may be transferred to servers outside the European Union or European Economic Area, depending on the third-party AI provider's infrastructure. These transfers are protected by:

For subscription mode: Appropriate safeguards such as EU Standard Contractual Clauses (2021 version) with our AI service providers. We have conducted transfer impact assessments for each provider and implemented additional technical measures where necessary.

For API key mode: Your direct relationship with the AI provider (we do not control or participate in these transfers).

Authentication emails are processed by SendGrid, which is based in the United States. This transfer is protected by EU Standard Contractual Clauses (2021 version) and additional technical measures as detailed in our data processing agreement with SendGrid.

The specific locations where your data may be processed include:

  • United States (OpenAI, Google Cloud, SendGrid)
  • EU countries (all providers maintain some EU infrastructure)

We regularly reassess the adequacy of protection for these international transfers and will notify you of any significant changes.

8. Cookies and Similar Technologies

8.1 Essential Cookies

Our website uses technically necessary cookies to ensure its functionality. These cookies are set based on our legitimate interest in providing a functioning website (Article 6(1)(f) GDPR). They include:

  • Session cookies that expire when you close your browser
  • Authentication cookies for the forum
  • Security cookies to protect against unauthorized access

Most of these cookies are automatically deleted when you close your browser. You can configure your browser to reject cookies, but this may limit the functionality of our website.

8.2 reCAPTCHA

When using our contact form, Google reCAPTCHA may set cookies to detect whether the form is being completed by a human or an automated system. The _GRECAPTCHA cookie has a duration of 6 months. Other temporary cookies may be set during the verification process.

You can learn more about Google's privacy practices at https://policies.google.com/privacy.

8.3 Forum Cookies

Our forum (using the wpforo WordPress plugin) uses cookies to maintain your login session and preferences. These cookies include:

  • Authentication cookies (wordpresslogged_in*)
  • Forum preference cookies (wpforo_sticky_header)
  • Security cookies

These cookies are necessary for the functioning of the forum and are set only when you register or log in.

8.4 Cookie Management

You can manage cookies through your browser settings. Most browsers allow you to:

  • View and delete existing cookies
  • Block third-party cookies
  • Block all cookies (though this may affect website functionality)
  • Delete cookies when you close your browser
  • Browse in "private" or "incognito" mode

Instructions for managing cookies in common browsers:

  • Chrome: Settings > Privacy and security > Cookies and other site data
  • Firefox: Options > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Cookies and website data
  • Edge: Settings > Site permissions > Cookies and site data

9. Your Rights

Under GDPR, you have the following rights:

  • Right to access (Article 15 GDPR): To know what data we process about you.
  • Right to rectification (Article 16 GDPR): To correct inaccurate or incomplete data.
  • Right to erasure (Article 17 GDPR): To delete your data, subject to legal retention requirements.
  • Right to restriction of processing (Article 18 GDPR): To limit how we process your data.
  • Right to data portability (Article 20 GDPR): To receive your data in a machine-readable format.
  • Right to object (Article 21 GDPR): To object to the processing of your data.
  • Right to withdraw consent (Article 7(3) GDPR): To withdraw previously given consent at any time.

9.1 How to Exercise Your Rights

To exercise these rights, please contact us at info@getitdone-app.de with a clear description of your request. We will respond to your request within 30 days. For verification purposes, we may ask for additional information to confirm your identity, such as:

  • Confirmation of email address
  • Basic account information
  • Other identifying information necessary to verify your identity

For complex requests or in case of a high volume of requests, we may extend this period by an additional 60 days, in which case we will inform you within the first 30 days.

9.2 Account Deletion Process

For account deletion requests, please contact us via the contact form or email. We will delete your account and associated personal data within 30 days of your verified request, except for information we are legally required to retain. The account deletion process includes:

  • Verification of your identity
  • Deletion of your user account and associated data
  • Removal from our mailing lists
  • Confirmation email once deletion is complete

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In Germany, this is usually the data protection authority of your federal state.

The supervisory authority responsible for the controller is:

Bayerisches Landesamt fĂĽr Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Website: https://www.lda.bayern.de
Email: poststelle@lda.bayern.de

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Encryption: HTTPS/TLS 1.3 for all data transfers, bcrypt for password storage with appropriate salt values
  • Access controls: Role-based access controls, least privilege principle, multi-factor authentication for administrative access
  • Regular security updates: Monthly security patches for all systems and dependencies
  • Vulnerability management: Regular vulnerability scanning and timely patching
  • Firewalls and network security: Web application firewall, network segmentation, intrusion detection
  • Monitoring: Real-time monitoring for suspicious activities and automated alerts
  • Backup procedures: Regular encrypted backups with integrity verification
  • Data minimization: Collection and retention of only necessary data
  • Employee training: Regular security awareness training for all staff with access to systems
  • Incident response plan: Documented procedures for handling potential data breaches
  • Third-party audits: Periodic security assessments by external specialists

We regularly test, assess, and evaluate the effectiveness of these measures to ensure the ongoing security of processing.

12. No Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that would produce legal effects or similarly significantly affect you.

13. Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) for the processing of project data through our AI proxy service, as this processing involves transmitting potentially sensitive data to third-party providers. Measures identified in this assessment have been implemented to minimize risks, including data minimization, strict encryption, and contractual safeguards with our AI providers.

14. Changes to this Privacy Statement

We may update this privacy statement from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes through the Software or via email if you are a subscription user. The current version will always be available on our website.

Material changes will be communicated at least 30 days before they take effect. Each updated version will include a revision date and version number at the top of the document.

15. Contact for Data Protection Inquiries

For questions regarding data protection, please contact:

Simon Schwer
WolfringstraĂźe 14
90765 FĂĽrth, Germany
Email: info@getitdone-app.de

Version: 1.2
Last updated: March 30, 2025