Mirrors/super-productivity
1
0
Fork 0
mirror of https://github.com/johannesjo/super-productivity.git synced 2026-01-23 02:36:05 +00:00
Code Issues Projects Releases Wiki Activity
super-productivity/packages/super-sync-server/public/privacy.template.html
Johannes Millan 2f7a00371a fix(supersync): improve GDPR compliance in legal documents 
- Remove placeholder address text from privacy policies (DE/EN)
- Expand HTML privacy policy with full GDPR disclosures:
  - Legal bases (Art. 6), data subject rights (Art. 15-22)
  - Supervisory authority, retention periods, DPA info
  - Cookies/tracking and automated decision-making sections
- Align HTML terms with German ToS:
  - Add proper termination notice periods (2 weeks/good cause)
  - Add 6-week notice for ToS amendments
  - Add consumer withdrawal rights (14 days)
  - Add ODR platform link and jurisdiction info
2026-01-15 12:48:18 +01:00

321 lines
11 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta
name="viewport"
content="width=device-width, initial-scale=1.0"
/>
<title>Privacy Policy - SuperSync</title>
<link
rel="stylesheet"
href="style.css"
/>
<style>
.content-container {
max-width: 800px;
margin: 0 auto;
background: var(--card-bg);
padding: 2rem;
border-radius: var(--radius);
box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
text-align: left;
}
h1 {
margin-bottom: 1.5rem;
color: var(--primary);
}
h2 {
margin-top: 2rem;
margin-bottom: 1rem;
color: var(--text);
}
h3 {
margin-top: 1.5rem;
margin-bottom: 0.75rem;
color: var(--text);
}
p {
margin-bottom: 1rem;
color: var(--text);
}
ul {
margin-bottom: 1rem;
padding-left: 2rem;
}
li {
margin-bottom: 0.5rem;
}
.back-link {
display: inline-block;
margin-bottom: 1rem;
color: var(--text-light);
text-decoration: none;
}
.back-link:hover {
color: var(--primary);
}
address {
font-style: normal;
margin: 1rem 0;
padding: 1rem;
background: rgba(255, 255, 255, 0.05);
border-radius: 0.5rem;
}
.note {
font-style: italic;
color: var(--text-light);
font-size: 0.9em;
}
</style>
</head>
<body>
<div class="content-container">
<a
href="/"
class="back-link"
>← Back to Home</a
>
<h1>Privacy Policy</h1>
<p>Last updated: December 9, 2025</p>
<p class="note">
Note: This is a translation for convenience only. In case of discrepancies between
the German and the English version, the German version shall prevail.
</p>
<h2>1. Introduction</h2>
<p>
With this Privacy Policy, we inform you about the type, scope, and purpose of the
processing of personal data ("Data") within the scope of using the service
<strong>Super Productivity Sync</strong>. This policy also explains your rights
under the General Data Protection Regulation (GDPR).
</p>
<h2>2. Data Controller</h2>
<address>
{{ PRIVACY_CONTACT_NAME }}<br />
{{ PRIVACY_ADDRESS_COUNTRY }}<br />
<br />
Email:
<a href="mailto:{{ PRIVACY_CONTACT_EMAIL }}">{{ PRIVACY_CONTACT_EMAIL }}</a>
</address>
<p>
A Data Protection Officer has not been appointed as the statutory requirements for
this are not met (fewer than 20 persons constantly involved in data processing).
</p>
<h2>3. What Data We Process</h2>
<h3>(1) Inventory Data</h3>
<ul>
<li>Email address</li>
<li>Password (stored exclusively as a cryptographic hash)</li>
<li>Registration date</li>
<li>Account status information (e.g., Active, Inactive)</li>
</ul>
<h3>(2) Content Data</h3>
<p>
This includes all data you save in the "Super Productivity" app and synchronize
via the Service:
</p>
<ul>
<li>Tasks</li>
<li>Projects</li>
<li>Notes</li>
<li>Time tracking entries</li>
<li>Settings</li>
</ul>
<p class="note">
Note: If End-to-End Encryption (E2EE) is activated, this data exists on our server
exclusively in encrypted form.
</p>
<h3>(3) Meta and Log Data</h3>
<p>Technically necessary when accessing the server:</p>
<ul>
<li>IP address</li>
<li>Time of access</li>
<li>App version / Browser type</li>
<li>Operating system</li>
<li>Error and diagnostic information</li>
</ul>
<h2>4. Legal Basis for Processing</h2>
<p>We process your data based on the following legal bases:</p>
<h3>(1) Performance of Contract (Art. 6(1)(b) GDPR)</h3>
<ul>
<li>Storage of your account</li>
<li>Synchronization of your content</li>
<li>Technical provision of the Service</li>
<li>Sending security-relevant system emails (e.g., password reset)</li>
</ul>
<h3>(2) Legitimate Interest (Art. 6(1)(f) GDPR)</h3>
<ul>
<li>Server and service security</li>
<li>Detection and defense against misuse (DDoS, brute force attacks)</li>
<li>Error analysis and stability improvement</li>
</ul>
<h3>(3) Legal Obligations (Art. 6(1)(c) GDPR)</h3>
<p>
This applies to tax retention obligations for paid plans or official requests for
information.
</p>
<h2>5. Hosting and Infrastructure</h2>
<p>The Service is hosted by:</p>
<address>
<strong>Alfahosting GmbH</strong><br />
Ankerstraße 3b<br />
06108 Halle (Saale)<br />
Germany<br />
Website: <a href="https://alfahosting.de/">https://alfahosting.de/</a>
</address>
<p>
<strong>Data Location:</strong> Processing takes place exclusively on servers in
Germany.
</p>
<p>
<strong>Data Processing Agreement:</strong> We have concluded a Data Processing
Agreement (DPA) with Alfahosting GmbH in accordance with Art. 28 GDPR. No transfer
to a third country takes place via the hoster.
</p>
<h2>6. Data Processing during Synchronization</h2>
<h3>A) Standard Synchronization (without E2EE)</h3>
<ul>
<li>Your content data is transmitted via TLS/SSL transport encryption.</li>
<li>
It is stored in our database on the server. No end-to-end encryption is used
here.
</li>
<li>
Access by the Provider is technically possible but occurs exclusively if
required for maintenance, diagnosis, or defense against technical disturbances.
</li>
</ul>
<h3>B) End-to-End Encryption (E2EE optional)</h3>
<p>If you enable E2EE in the app:</p>
<ul>
<li>Your data is encrypted locally on your device before transmission.</li>
<li>The server stores only encrypted data blocks ("Blobs").</li>
<li>
We have <strong>no access</strong> to your keys and cannot restore, decrypt, or
view the data.
</li>
<li>Loss of the key results in permanent data loss.</li>
</ul>
<h2>7. Email Sending</h2>
<p>
We send exclusively transactional emails (e.g., password reset, email address
confirmation, security-relevant system messages). Data processing is carried out
based on Art. 6(1)(b) GDPR (Performance of Contract).
</p>
<p>
<strong>Service Provider:</strong> Emails are sent technically via the mail
servers of our hosting provider <strong>Alfahosting GmbH</strong> (see Section 5).
No external email marketing providers are used. The data thus remains within the
German infrastructure.
</p>
<h2>8. Storage Duration and Deletion</h2>
<h3>(1) Account Deletion</h3>
<p>
If you delete your account via the app settings, we will delete your inventory
data and content data immediately, but no later than within
<strong>7 days</strong> from all active systems.
</p>
<h3>(2) Inactivity (Free Accounts)</h3>
<p>
We reserve the right to delete free accounts that have not been used for more than
<strong>12 months</strong>. This will only occur after prior notification to the
registered email address.
</p>
<h3>(3) Server Log Files</h3>
<p>
Log data (IP addresses) are automatically deleted after
<strong>7 to 14 days</strong>, unless security-relevant incidents require longer
storage.
</p>
<h3>(4) Statutory Retention Obligations</h3>
<p>
For paid accounts, we are obliged to retain invoice-relevant data for up to
<strong>10 years</strong> in accordance with statutory requirements.
</p>
<h2>9. Transfer to Third Parties</h2>
<p>Data is generally not transferred to third parties unless:</p>
<ul>
<li>You have expressly consented (Art. 6(1)(a) GDPR),</li>
<li>
It is necessary for the performance of the contract (e.g., transfer to payment
service providers for premium accounts),
</li>
<li>It serves the technical provision (see Hosting),</li>
<li>Or we are legally obliged to do so (e.g., to law enforcement agencies).</li>
</ul>
<p>We <strong>never</strong> sell your data to third parties or advertisers.</p>
<h2>10. Your Rights</h2>
<p>Under the GDPR, you have the following rights at any time:</p>
<ul>
<li><strong>Right of Access</strong> to your data stored by us (Art. 15 GDPR)</li>
<li><strong>Right to Rectification</strong> of incorrect data (Art. 16 GDPR)</li>
<li><strong>Right to Erasure</strong> of your data (Art. 17 GDPR)</li>
<li><strong>Right to Restriction of Processing</strong> (Art. 18 GDPR)</li>
<li>
<strong>Right to Data Portability</strong> (export of your data) (Art. 20 GDPR)
</li>
<li><strong>Right to Object</strong> to processing (Art. 21 GDPR)</li>
<li><strong>Right to Withdraw Consent</strong> (Art. 7(3) GDPR)</li>
</ul>
<p>
To exercise your rights (e.g., deletion), a simple email is sufficient:
<a href="mailto:{{ PRIVACY_CONTACT_EMAIL }}">{{ PRIVACY_CONTACT_EMAIL }}</a>
</p>
<h2>11. Right to Lodge a Complaint</h2>
<p>
You have the right to lodge a complaint with a data protection supervisory
authority. The authority responsible for us is:
</p>
<address>
<strong
>The Saxon Data Protection Commissioner (Sächsischer
Datenschutzbeauftragter)</strong
><br />
Website:
<a href="https://www.saechsdsb.de/">https://www.saechsdsb.de/</a>
</address>
<h2>12. Cookies and Tracking</h2>
<p>
The SuperSync service uses only technically necessary session cookies for
authentication. We do not use tracking cookies, analytics services, or advertising
technologies.
</p>
<h2>13. Automated Decision-Making</h2>
<p>
We do not use automated decision-making or profiling as defined by Art. 22 GDPR.
</p>
<h2>14. Contact</h2>
<p>If you have any questions about data protection, please contact us:</p>
<p>
Email:
<a href="mailto:{{ PRIVACY_CONTACT_EMAIL }}">{{ PRIVACY_CONTACT_EMAIL }}</a>
</p>
</div>
</body>
</html>
Reference in a new issue View git blame Copy permalink