Privacy Policy

Last updated: March 2026

This Privacy Policy informs you about how we process personal data when you use this application. It has been prepared in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller

The controller responsible for data processing within the meaning of Art. 4 No. 7 GDPR is:

Justus Zimmermann
Tizianstraße 121
80638 München, Germany
Phone: +49 1512 1357649
Email: hi@justus-dev.de

2. Overview of Data Processed

Depending on how you use the application, we process the following categories of personal data:

Account data (name, email address, profile picture)
Authentication tokens from your GitHub account
User-generated content (organizations, projects, tasks, milestones, comments, documents)
Activity and audit data (actions performed, timestamps)
Temporary rate-limiting identifiers

3. Authentication and Account Data

This application uses GitHub as its sole authentication provider via OAuth 2.0 (powered by NextAuth.js). When you sign in, the following data is received from GitHub and stored in our database:

Name – your GitHub display name
Email address – your primary GitHub email
Profile picture – your GitHub avatar URL
OAuth tokens – access token, refresh token, ID token, token expiry, and scope
GitHub account identifiers – provider name and provider account ID

Sessions are managed using JSON Web Tokens (JWT) stored in an HTTP-only cookie in your browser. No session data is stored server-side.

Legal basis: Art. 6(1)(b) GDPR – processing is necessary for the performance of a contract to which you are a party (providing access to the service).

4. User-Generated Content

All content you create within the application is stored in our PostgreSQL database. This includes:

Organizations – name, membership roles (Owner, Admin, Member)
Organization access codes – cryptographic invite tokens
Projects – name, description, association to an organization
Tasks – title, description, active status, creator reference
Task comments – title, description, resolution status, creation timestamp
Milestones – title, description, due date, active status
Documents – title, description, document URL, creator reference

Legal basis: Art. 6(1)(b) GDPR – processing is necessary to deliver the core functionality of the service you have signed up for.

5. Audit Logs

For each project, the application records an audit trail of significant actions. Each entry contains:

The type of action (Create, Update, or Delete)
A human-readable description of the action
A reference to the user who performed the action
A precise timestamp

Legal basis: Art. 6(1)(f) GDPR – our legitimate interest in maintaining accountability, traceability, and operational integrity within projects.

6. Rate Limiting and Temporary Cache Data

To protect the application against abuse, we implement rate limiting on API endpoints using Upstash Redis. Rate limit counters are stored temporarily (with a short time-to-live) under a key composed of the application name and a user or request identifier. No content, messages, or sensitive personal data is stored in the cache. All entries expire automatically.

Upstash, Inc. operates the Redis service. Data may be processed outside the European Economic Area. Upstash provides appropriate safeguards as required by Chapter V GDPR (including Standard Contractual Clauses where applicable).

Legal basis: Art. 6(1)(f) GDPR – our legitimate interest in protecting the availability and security of the service.

7. Hosting and Infrastructure

The application and its PostgreSQL database are hosted exclusively on Railway (Railway Corp., San Francisco, CA, USA). All user data stored in the database resides on Railway's infrastructure. Data may therefore be processed outside the European Economic Area. Railway provides appropriate data protection guarantees in accordance with Art. 44 et seq. GDPR.

Legal basis: Art. 6(1)(b) GDPR – necessary to operate and deliver the service; Art. 6(1)(f) GDPR – legitimate interest in reliable infrastructure.

8. GitHub as Identity Provider

Authentication is handled by GitHub, Inc. (88 Colin P Kelly Jr St, San Francisco, CA 94107, USA), a subsidiary of Microsoft Corporation. When you authenticate, your browser communicates directly with GitHub's OAuth endpoints. GitHub's own Privacy Policy applies to that interaction. We receive only the profile data described in Section 3 above.

GitHub's privacy policy: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement

9. Cookies and Session Tokens

This application uses only technically necessary cookies. Specifically, NextAuth.js sets an HTTP-only, secure cookie containing a signed JWT to maintain your login session. No tracking cookies, analytics cookies, or advertising cookies are used.

Cookie	Purpose	Duration
next-auth.session-token	Authentication session (JWT)	Session / 30 days
next-auth.csrf-token	CSRF protection	Session

Legal basis: Art. 6(1)(b) GDPR – technically necessary for the provision of the service.

10. No Tracking or Analytics

We do not use any web analytics tools (such as Google Analytics or Matomo), advertising networks, pixel trackers, session recording, or fingerprinting technologies. We do not create behavioural profiles and we do not sell or share your data with any advertising platform.

11. Data Retention

Personal data is retained for as long as your account is active and as long as necessary to deliver the service. In particular:

Account and profile data – retained until you request deletion of your account.
User-generated content – retained until explicitly deleted by you or an authorized organization administrator, or until account deletion.
Audit logs – retained for the lifetime of the associated project.
Rate-limit counters – automatically expire within seconds to minutes; no persistent storage.

We do not retain data beyond what is operationally or legally required. You may request deletion at any time (see Section 13).

12. Third-Party Processors

We engage the following third-party data processors. Each processes data only on our behalf and under our documented instructions:

Railway Corp.

San Francisco, CA, USA

Application hosting and managed PostgreSQL database. All persistent application data is stored on Railway's infrastructure.

Upstash, Inc.

USA

Managed Redis service used exclusively for API rate-limiting counters. No content or sensitive personal data is stored.

GitHub, Inc. (Microsoft)

San Francisco, CA, USA

OAuth 2.0 identity provider. GitHub processes your authentication request under its own privacy policy; we receive only a defined subset of profile data.

All processors listed above are based in the United States. Data transfers are carried out on the basis of appropriate safeguards pursuant to Art. 46 GDPR (in particular Standard Contractual Clauses) or, where applicable, an adequacy decision pursuant to Art. 45 GDPR.

13. Your Rights

Under the GDPR (Arts. 15–21) you have the following rights with regard to your personal data:

Right of access (Art. 15 GDPR)

You may request a copy of all personal data we hold about you.

Right to rectification (Art. 16 GDPR)

You may request correction of inaccurate or incomplete data.

Right to erasure (Art. 17 GDPR)

You may request deletion of your personal data where no overriding legal obligation requires us to retain it.

Right to restriction (Art. 18 GDPR)

You may request that we limit processing of your data in certain circumstances.

Right to data portability (Art. 20 GDPR)

You may request your data in a structured, commonly used, machine-readable format.

Right to object (Art. 21 GDPR)

You may object to processing carried out on the basis of legitimate interests (Art. 6(1)(f) GDPR).

To exercise any of these rights, please contact us at hi@justus-dev.de. We will respond within one month as required by Art. 12(3) GDPR.

14. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR (Art. 77 GDPR).

The competent supervisory authority for the controller (Bavaria, private sector) is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
Phone: +49 (0)981 180093-0
Website: www.lda.bayern.de

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the application or applicable law. The current version is always available at /data-policy. Material changes will be communicated to registered users where required by law.