Privacy Policy
Privacy Policy for octo.do
Last updated: February 2026
1. Controller
The controller responsible for data processing on this website is Octily GmbH. See Legal Notice for contact details.
2. Data We Collect
When you use octo.do, we collect and process the following personal data:
- Account data: Your email address and hashed password, collected during registration to create and manage your account.
- Task data: Task titles, WSJF scores, categories, and completion status that you create within the application.
- Usage data: Basic analytics such as login timestamps, feature usage patterns, and device/browser type, collected via Supabase to improve the service.
- Payment data: If you subscribe to a paid plan, your payment details are processed directly by Stripe. We store only a reference to your Stripe customer ID and subscription status; we never store your credit card number.
3. Legal Basis for Processing
We process your data based on the following legal grounds under the General Data Protection Regulation (GDPR):
- Art. 6(1)(b) GDPR – Performance of a contract: Processing your account data, task data, and payment data is necessary for the performance of the contract between you and Octily GmbH (i.e., providing the octo.do service).
- Art. 6(1)(f) GDPR – Legitimate interest: We process basic usage analytics to maintain, improve, and secure our service. Our legitimate interest is ensuring a stable, performant, and user-friendly product. You may object to this processing at any time (see Section 6).
4. Third-Party Processors
We share your data with the following third-party service providers who process data on our behalf:
- Supabase Inc. – Database hosting, user authentication, and real-time data synchronization. Supabase hosts our data in the European Union (EU).
- Stripe Inc. – Payment processing for paid subscriptions. Stripe is based in the United States and operates under EU Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection for international transfers.
- Lovable (GPT Engineer Inc.) – OAuth authentication services and AI-assisted development platform used during application development.
5. Data Retention
- Account data is retained for as long as your account is active. When you delete your account, all associated personal data is permanently removed within 30 days.
- Task data for completed tasks is kept indefinitely in your archive unless you explicitly purge it or delete your account.
- Usage analytics are retained in aggregated, non-identifiable form and may be kept indefinitely for statistical purposes.
- Payment records are retained as required by applicable tax and accounting laws (typically 10 years under German law).
6. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and obtain a copy of that data.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data.
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data under certain conditions.
- Right to data portability (Art. 20 GDPR): You may request to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to the processing of your personal data based on legitimate interest at any time.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe your data is being processed unlawfully.
To exercise any of these rights, please contact us at octily@octily.com.
7. International Data Transfers
Our primary database is hosted by Supabase in the European Union. Payment processing by Stripe may involve data transfers to the United States, which are safeguarded by EU Standard Contractual Clauses (SCCs) in accordance with Art. 46(2)(c) GDPR.
8. Cookies and Local Storage
octo.do uses only essential storage mechanisms. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
- localStorage: Used to store your authentication session token and your language preference. These are strictly necessary for the functioning of the application.
- No tracking cookies: We do not deploy any cookies for marketing, advertising, or cross-site tracking purposes.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last updated" date. We encourage you to review this policy periodically.
10. Contact
For any questions or concerns regarding data protection, or to exercise your rights, please contact us at:
Octily GmbH
Email: octily@octily.com
See Legal Notice for full contact details and registered address.
9. AI-Assisted Data Processing
octo.do uses AI services provided through the Lovable AI Gateway, which routes to Google Gemini. When you use AI-assisted features (chatbot, email-to-task conversion, title suggestions), relevant data – including task titles, descriptions, and email content – is sent to these third-party AI providers for processing. This processing is based on Art. 6(1)(b) GDPR (performance of contract). AI providers process data as sub-processors under appropriate data processing agreements. You can avoid AI processing by not using AI-powered features.
10. Minimum Age
You must be at least 16 years old to use octo.do (Art. 8 GDPR). By creating an account, you confirm that you meet this age requirement.
11. Right to Withdraw Consent
Where processing is based on your consent, you may withdraw that consent at any time. You can: disconnect email integrations from Settings; decline cookies via the consent banner; delete your account to remove all data. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.