Legal

Privacy statement

This statement explains how TodoBase handles personal data when you use the public site, create an account, plan todos, write meeting notes, or connect Codex through MCP.

Last updated
Controller
BitBakkers, available through bitbakkers.nl.

Who is responsible

BitBakkers is responsible for TodoBase and acts as controller for the personal data described here. For privacy questions or data requests, use the contact details published at bitbakkers.nl.

Data we process

Account data

Email address, password hash, account timestamps, and password reset requests.

Workspace content

Todos, descriptions, estimates, planning dates, reference URLs, tags, comments, and meeting notes you create.

Security and session data

Session identifiers stored in a necessary cookie, user agent, IP address, and authentication timestamps.

MCP token data

Token names, hashed token values, token prefixes, last-used timestamps, and last-used IP addresses.

AI suggestion data

Meeting note content sent to OpenRouter only when you request AI todo suggestions.

Technical data

Server logs and diagnostics needed to keep the service secure and reliable.

Why we use the data

Purpose Legal basis
Create and secure your account, sign you in, and keep your workspace available. Performance of the service contract and legitimate interest in security.
Store and display todos, meeting notes, tags, comments, planning dates, and MCP tokens. Performance of the service contract.
Send password reset emails and important service messages. Performance of the service contract and legitimate interest in account recovery.
Generate optional AI todo suggestions from meeting notes. Your request to use that feature, as part of the service contract.
Protect the service from abuse, debug errors, and maintain reliable operations. Legitimate interest in security, reliability, and fraud prevention.
Meet legal, tax, accounting, or compliance duties if they apply. Legal obligation.

Cookies and local storage

TodoBase uses a strictly necessary signed session cookie to keep you signed in. The public theme toggle may store your theme preference in your browser. TodoBase does not currently use advertising cookies, profiling cookies, or third-party analytics cookies.

Processors and transfers

TodoBase may use infrastructure, email delivery, logging, hosting, and AI processing providers to run the service. Optional AI suggestions are sent through OpenRouter when you choose to use that feature. If personal data is transferred outside the EU/EEA, BitBakkers will rely on an adequacy decision or appropriate safeguards such as standard contractual clauses where required.

Retention

Account and workspace content is kept while your account exists or as long as needed to provide the service. Session and technical data is kept only as long as needed for security, debugging, and operations. Some records may be retained longer when required by law, dispute handling, backups, or abuse prevention.

Your rights

Depending on your location and the situation, you can ask to access, correct, erase, restrict, export, or object to processing of your personal data. Where processing is based on consent, you can withdraw that consent. You may also lodge a complaint with your local data protection authority.

Changes

This statement may be updated when TodoBase changes, providers change, or legal requirements change. Material changes will be reflected on this page with a new last-updated date.