Privacy Policy
Plan2Done — operated by Jan Hamsch und Kai Hamsch GbR
Last updated: March 15, 2026
Important Notice: This English version is a translation for convenience only. The German version (Datenschutzerklärung) available at plan2done.app/datenschutz is the legally binding and authoritative version. In case of any discrepancy between this translation and the German original, the German version prevails.
1. Data Controller
The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is:
Jan Hamsch und Kai Hamsch GbR
Schutternstr. 23a
77974 Kürzell, Germany
Email: hello@fade.de
For all privacy-related inquiries, please contact us at: hello@fade.de
2. Scope
This Privacy Policy applies to all personal data processed in connection with the use of the Plan2Done service (accessible via plan2done.app and associated subdomains, mobile applications and APIs) as well as visits to our website plan2done.app.
3. Categories of Data Processed
We process the following categories of personal data:
3.1 Registration and Account Data
- Name, email address, password (encrypted / via authentication service provider)
- Profile picture (optional)
- Organization name and settings
3.2 Usage Data
- Log data (IP address, browser type, operating system, access times, URLs visited)
- Device identifiers
- Interaction data within the platform (e.g., boards created, tasks, comments)
3.3 Communication Data
- Content of support requests and emails
- In-app messages between users
3.4 Payment Data
- Billing address
- Payment method (credit card, SEPA direct debit, etc. — card data is processed exclusively by Stripe and is never stored on our servers)
- Transaction history, subscription status
3.5 Customer Data (Data Processing on Your Behalf)
- All content entered by you and your users into the Service (projects, tasks, documents, files, comments, etc.) — processed by us as a data processor under Art. 28 GDPR. You remain solely responsible as data controller for this data.
4. Purposes and Legal Bases for Processing
| Processing Purpose | Legal Basis |
| --- | --- |
| Providing, operating and improving the Service | Art. 6(1)(b) GDPR (contract performance) |
| Account creation and authentication | Art. 6(1)(b) GDPR |
| Payment processing and subscription management | Art. 6(1)(b) GDPR |
| Customer support and communication | Art. 6(1)(b) / Art. 6(1)(f) GDPR (legitimate interest) |
| Security, abuse and fraud prevention | Art. 6(1)(f) GDPR (legitimate interest) |
| Service improvement analytics (anonymized) | Art. 6(1)(f) GDPR |
| Compliance with legal retention and reporting obligations | Art. 6(1)(c) GDPR |
| Sending product and marketing communications | Art. 6(1)(a) GDPR (consent) |
| Processing Customer Data on behalf of the customer | Art. 28 GDPR (DPA) |
5. Data Processing on Behalf of Customers
Where we process personal data that you, as data controller, enter into the Service (e.g., data relating to your employees, clients or contacts), we act as a data processor within the meaning of Art. 28 GDPR. You remain solely legally responsible for this data. Upon request, we will enter into a Data Processing Agreement (DPA) with you.
6. Recipients and Sub-Processors
We work with carefully selected service providers who may process personal data on our behalf as sub-processors. We ensure that these providers maintain the required level of data protection (Art. 28(2)–(4) GDPR).
6.1 Authentication — Clerk
For user management and authentication, we use Clerk, Inc. (USA). Data transfers to the USA are based on the EU–U.S. Data Privacy Framework and/or appropriate Standard Contractual Clauses (Art. 46 GDPR).
Privacy information: https://clerk.com/privacy
6.2 Payment Processing — Stripe
Payments are processed by Stripe Payments Europe, Ltd. (Ireland, EU). Card data never reaches our servers. Stripe processes payment data to PCI-DSS standards.
Privacy information: https://stripe.com/privacy
6.3 Hosting and Infrastructure
The Service is hosted on servers provided by Hetzner Cloud GmbH (data centers in Germany). Data storage takes place within the European Union where possible. For transfers to third countries, appropriate safeguards (Standard Contractual Clauses) are applied.
6.4 Email Delivery
Account-related emails (such as confirmations, password resets) are sent via our authentication provider Clerk, Inc. (using services like SendGrid). Invitations and other system emails are sent via Mailjet SAS.
We share personal data with government authorities or third parties only where required by law or where you have expressly consented.
7. International Data Transfers
Where we engage service providers that process data outside the European Economic Area (EEA), we ensure an adequate level of data protection through appropriate safeguards (Art. 44–49 GDPR):
- Standard Contractual Clauses (SCC) under EU Commission Implementing Decision 2021/914
- EU–U.S. Data Privacy Framework (DPF) where the recipient is certified
- Other appropriate safeguards as applicable
Further information on the safeguards used is available upon request.
8. Cookies and Tracking
8.1 Strictly Necessary Cookies
We use technically necessary cookies that are required for the operation of the Service, authentication and security. These cookies cannot be disabled without materially impairing the functionality of the Service.
8.2 Analytics and Performance Cookies
With your consent, we use analytics cookies to understand how the Service is used (e.g., page views, user journeys). You can withdraw your consent at any time via the cookie settings.
8.3 Cookie Management
The cookie consent banner on our website allows you to accept or decline non-essential cookies. Further settings are available in your browser preferences.
8.4 No Advertising Tracking
We do not sell personal data to third parties and do not use cookies for targeted advertising tracking.
9. Retention Periods and Deletion
We retain personal data only for as long as necessary for the purposes of processing or for as long as statutory retention obligations require.
| Data Category | Retention Period |
| --- | --- |
| Account data | Until account deletion + 90 days |
| Payment data and invoices | 10 years (statutory tax retention obligations under German law) |
| Support communications | 3 years (statutory limitation period) |
| Log data | 90 days |
| Backup data | Max. 90 days after deletion request |
| Customer Data after contract end | 30 days in read-only mode, then deleted |
After expiry of the retention period, data is securely deleted or anonymized.
10. Your Rights as a Data Subject
You have the right to exercise the following rights against us:
10.1 Right of Access (Art. 15 GDPR)
You may request information about which personal data we process about you, for what purposes and on what legal basis.
10.2 Right to Rectification (Art. 16 GDPR)
You may request the correction of inaccurate or completion of incomplete personal data.
10.3 Right to Erasure (Art. 17 GDPR)
You may request the deletion of your personal data where the conditions of Art. 17 GDPR are met (e.g., data no longer necessary, consent withdrawn, no overriding legal basis).
10.4 Right to Restriction of Processing (Art. 18 GDPR)
In certain situations, you may request that processing be restricted (e.g., when accuracy of data is contested, or you have objected to processing).
10.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
10.6 Right to Object (Art. 21 GDPR)
You have the right, on grounds relating to your particular situation, to object to the processing of your personal data where such processing is based on Art. 6(1)(f) GDPR (legitimate interests). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
10.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you may withdraw it at any time with effect for the future. Withdrawal does not affect the lawfulness of processing prior to the withdrawal.
10.8 Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority. The competent authority depends on your place of residence or work. Our competent authority is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart
10.9 Exercising Your Rights
To exercise any of the above rights, please send an email to hello@fade.de. We may request appropriate proof of identity for verification purposes. We will respond to requests within one month (Art. 12 GDPR), or within up to three months for complex requests, with timely interim notification.
11. Data Security
We implement technical and organizational security measures to protect your data against accidental or intentional loss, destruction, alteration or unauthorized access. Our security measures include, among others:
- Encryption of data in transit via TLS/HTTPS
- Encryption of data at rest
- Access controls and rights management
- Regular security reviews
- Privacy by Design principles
Since absolute security cannot be guaranteed, we recommend that you also implement your own security measures.
12. Minors
The Service is not directed at persons under the age of 16. We do not knowingly collect personal data from children under 16. If you discover that a child has provided us with data without parental consent, please contact us at hello@fade.de so we can delete such data.
13. Automated Decision-Making and Profiling
We do not make automated decisions within the meaning of Art. 22 GDPR that have legal or similarly significant effects on you. We do not carry out profiling based on your personal characteristics.
14. Amendments to This Privacy Policy
We may update this Privacy Policy for legitimate reasons, including changes to the Service, new legal requirements or changes in data processing practices. Material changes will be communicated at least 30 days before taking effect via email or through the Service. The date of the most recent update is always shown at the top of this document.
15. Contact
For all privacy-related inquiries, please contact:
Jan Hamsch und Kai Hamsch GbR — Data Protection
Schutternstr. 23a
77974 Kürzell, Germany
Email: hello@fade.de
Effective date: March 15, 2026 — The German version (Datenschutzerklärung) is the legally binding version.