Privacy Policy

Personal Data Protection — GDPR

Last updated: May 27, 2026

This Privacy Policy describes how CMTech ("we", "our", "us") collects, uses, stores, and protects your personal data when you use the OptiDo Service. It complies with the General Data Protection Regulation (GDPR – EU Regulation 2016/679).

1. Data Controller

The data controller for your personal data is:

CMTech, Self-employed (Auto-entrepreneur)

Address: 182 chemin de Chabrier, 07130 Saint Péray, France

Contact email: legal@cmtech.cloud

2. Data We Collect

Account data

Upon registration: email address, first and last name, hashed password, authentication provider (if signing in via Google, GitHub, Twitter/X, or Facebook).

Profile picture (if provided by the third-party provider).

Usage data

Content you create: list names, task titles and descriptions, notes, due dates, priorities, attachments.

Interaction data: actions performed in the app (create, edit, delete tasks), timestamps.

Preferences: selected language, theme (light/dark), app settings.

Billing data

For paid subscriptions: transaction history, subscribed plan, subscription status. Full payment card details are processed and stored exclusively by Stripe and are never accessible to us.

Technical data

IP address (collected by Firebase on requests), browser and OS type, connection and error logs (for security and debugging).

AI data (Pro and Family+ plans)

When you use AI features, the content of your tasks (titles, descriptions, context) may be transmitted to our AI providers (Groq Inc. or Anthropic PBC) to generate responses. These providers do not retain data beyond request processing, per their respective privacy policies.

3. Purposes and Legal Bases

Providing the Service (Legal basis: contract performance)

Account creation and management, syncing your lists and tasks, family sharing features, service notifications.

Billing and subscription management (Legal basis: contract performance)

Payment processing via Stripe, issuing invoices and receipts, managing renewals and cancellations.

AI features (Legal basis: contract performance / consent)

Analysing your tasks and generating smart suggestions and time estimates, at your explicit request.

Security and fraud prevention (Legal basis: legitimate interest)

Detecting unauthorised access, preventing abuse, and maintaining the security of the Service.

Service improvement (Legal basis: legitimate interest)

Anonymised statistical analysis of Service usage to improve features and performance.

Legal obligations (Legal basis: legal obligation)

Retaining billing data in compliance with accounting and tax obligations (10 years for accounting records).

4. Recipients and Sub-processors

Your data may be shared with the following sub-processors, solely for the purposes described:

Google LLC / Firebase

Service: authentication (Firebase Auth), database (Firestore), file storage (Firebase Storage).

Location: EU and/or USA (Standard Contractual Clauses – SCCs).

Privacy policy: https://policies.google.com/privacy

Stripe, Inc. / Stripe Payments Europe Limited

Service: payment processing and subscription management.

Location: EU (Stripe Payments Europe Limited, Dublin, Ireland) / USA.

Privacy policy: https://stripe.com/privacy

Groq Inc. (AI provider)

Service: AI request processing (Pro/Family+ users only).

Location: USA (SCCs / adequate transfer mechanisms).

Privacy policy: https://groq.com/privacy-policy

Anthropic PBC (alternative AI provider)

Service: AI request processing (depending on service configuration).

Location: USA (SCCs / adequate transfer mechanisms).

Privacy policy: https://www.anthropic.com/privacy

Resend (transactional email)

Service: sending transactional emails (registration confirmation, family invitations, etc.).

Privacy policy: https://resend.com/legal/privacy-policy

Vercel Inc. (hosting)

Service: web application hosting. Location: United States.

5. International Data Transfers

Some of our sub-processors (Google/Firebase, Groq, Anthropic) are based in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, ensuring an adequate level of protection for your data.

You can obtain a copy of the safeguards in place by contacting legal@cmtech.cloud.

6. Data Retention

Account data

Retained for the duration of your account's activity, then deleted within 30 days of account deletion or deletion request.

User-created content (tasks, lists, notes)

Deleted upon your request or upon account deletion.

Billing data

Retained for 10 years from the transaction date, as required by accounting and tax law.

Technical logs

Retained for a maximum of 90 days for security and debugging purposes.

AI data

Not retained by AI providers beyond the processing of the request. A daily usage counter (without content) is retained for 90 days.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): obtain a copy of your personal data.

• Right to rectification (Art. 16 GDPR): correct inaccurate or incomplete data.

• Right to erasure / "right to be forgotten" (Art. 17 GDPR): request deletion of your data.

• Right to restriction of processing (Art. 18 GDPR): limit how your data is used.

• Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format.

• Right to object (Art. 21 GDPR): object to processing based on legitimate interest.

• Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of prior processing.

• Right not to be subject to automated decision-making (Art. 22 GDPR).

To exercise your rights, contact us at legal@cmtech.cloud. We will respond within one month (extendable to three months for complex requests).

You also have the right to lodge a complaint with your national supervisory authority. In France: the CNIL (www.cnil.fr).

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

• HTTPS/TLS encryption for all communications;

• Secure authentication managed by Firebase Auth;

• Firestore security rules denying direct client-side writes;

• Access to data restricted to authorised personnel;

• Passwords stored in hashed form by Firebase Auth.

In the event of a data breach posing a risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 of the GDPR.

9. Minors

The Service is intended for persons aged 16 or over. We do not knowingly collect personal data from children under 16. If you believe a minor has provided us with their personal data, please contact us at legal@cmtech.cloud.

10. Cookies and Local Storage

OptiDo uses browser local storage (localStorage) to save your preferences (theme, language, authentication state). These mechanisms are described in detail in our Cookie Policy, available at https://optido.cmtech.cloud/legal/cookies.

11. Changes to this Policy

We reserve the right to update this Privacy Policy at any time. For material changes, we will notify you by email or in-app notification. The current version is always available at https://optido.cmtech.cloud/legal/privacy.

12. Contact

For any questions about this Privacy Policy or your personal data: legal@cmtech.cloud

To lodge a complaint with the CNIL: www.cnil.fr — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France