
Privacy Notice

Date of Last Revision: 29 May 2026  ·  Effective: 29 May 2026

Vindaris ("Vindaris", "we", "us", or "our") knows that your, and your Users' (see definition below) ("you", or "your"), Personal Information is important. We appreciate the trust you place in us when you visit the Vindaris website at vindaris.com (the "Website") and use the Vindaris platform at app.vindaris.com (together with the Website, the "Services"). We process the Personal Information we receive from you in accordance with applicable laws, in particular the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the German Federal Data Protection Act ("BDSG").

This Privacy Notice describes the Personal Information we collect, how we use and share it, the legal bases for processing, and the rights granted to you by mandatory law. When you leave the Services, this Privacy Notice no longer applies; any subsequent website, application or service has its own notice and terms.

In this Notice, "Personal Information" means any information relating to an identified or identifiable natural person within the meaning of Art. 4(1) GDPR.

Please read this Notice carefully. If you do not agree with this Notice or any part of it, you must not access or use any part of the Services. If you change your mind in the future, you must stop using the Services and may exercise the rights set out in Section 9 below.

PLEASE NOTE: If you enter Personal Information of your end users, employees, contacts or other individuals ("Users") into the Vindaris platform, you are the controller of that Personal Information and Vindaris acts as a processor on your behalf under Art. 28 GDPR. You must incorporate this Notice — or equivalent terms — into your own privacy notice that you deliver to your Users, and you must ensure that you have a valid legal basis for entering their Personal Information into the Services.

1. Controller

The controller responsible for the processing of Personal Information on the Website and through the Services is:

Vindaris
Part of the 1000 Good Things Family of Apps
Website: 1000GoodThings.com
E-mail: privacy@vindaris.com

For all data protection enquiries please contact us at privacy@vindaris.com. We have not appointed a Data Protection Officer because we are not required to do so under Art. 37 GDPR or § 38 BDSG.

2. Personal Information We Collect

When you use the Services we collect (1) technical information necessary to deliver the Services and to secure them, and (2) information you or your Users voluntarily submit. The specific categories depend on how you engage with the Services.

2.1 Information You Provide to Us

Account Information. When you register, or when an administrator ("Administrator") creates an account for you, or when you accept an invitation to join an organisation, we collect your name, e-mail address, password (stored only as a bcrypt hash; we never store plaintext passwords), and optionally your job title, avatar, timezone, mobile number, and organisation name. We may also store multi-factor authentication ("MFA") settings (e.g. e-mail OTP enabled / disabled).

Billing and Tax Information. If you subscribe to a paid plan (Growth, Pro, or any successor tier), we collect billing name, billing address, VAT identification number (where applicable), and the subscription tier and status. We do not store payment card numbers, IBAN, CVC, or any other payment-instrument data. Such data is collected, processed and stored exclusively by our payment service provider Mollie B.V. (see Section 5).

User Content. You and your Users may create, upload, paste, or sync content into the Services — including objectives, key results, goals, projects, tasks, comments, attachments, organisational charts, custom views, board configurations, and any free-text fields ("User Content"). User Content may, depending on what you enter, contain Personal Information of you, your colleagues, your customers or other individuals.

Integration Data. If you choose to connect a third-party tool that you already use — for example a CRM, chat tool, calendar, task list, meeting-transcript service, e-mail provider, or other productivity tool (see the integrations page for the current list of supported tools) — you authorise us to receive Personal Information and content from that tool via OAuth or API key. The exact categories depend on the integration and may include task titles, descriptions, due dates, assignees, e-mail metadata, meeting transcripts, action items, chat messages, and contact records. OAuth tokens and API keys are stored encrypted at rest (AES-256-GCM).

Support and Communications. When you contact us by e-mail, through the contact form, or through any in-app support channel, we process your name, e-mail address, the content of your message, and any attachments you provide.

Other Information You Choose to Provide. You may voluntarily provide additional information at any time, for example when participating in surveys, beta programmes, or sales discussions.

2.2 Information Collected via Automated Means

Device and Usage Information. When you access the Services we automatically record date/time stamps, IP address (anonymised after 24 hours in web log files), HTTP status codes, the URL requested, the referring URL, browser type and version, operating system, device identifiers, crash data, and the pages and features you view, click, or otherwise interact with. We use this information to operate, secure, debug and improve the Services and to detect abuse.

Audit Logs. For security, compliance and accountability we keep audit logs of administrative actions, authentication events, permission changes, billing events, and data-subject-rights requests. Audit logs may include actor user ID, action, target object, IP address and user agent.

Single Sign-On. If you choose to authenticate via a third-party identity provider (e.g. Google or Microsoft), we receive the information that provider releases to us under the OAuth/OpenID scopes you approve, typically your name, e-mail address and provider account identifier. Your interactions with the identity provider are governed by that provider's privacy notice.

Cookies and Similar Technologies. The Website and Services use strictly necessary cookies (session cookie, CSRF token, language preference, authentication token). We do not use advertising or cross-site tracking cookies. If we add optional analytics in the future we will request your prior consent and offer an opt-out via a cookie banner.

3. How We Use Personal Information

We use the Personal Information we receive or collect for the following purposes:

  • To provide and operate the Services, including creating and securing your account, processing your subscription, synchronising your integrations, generating digests, sending notifications, and rendering dashboards.
  • To communicate with you about your account, security or maintenance notices, changes to this Notice or to our terms, and to provide customer support.
  • To send service-related and, subject to consent or applicable opt-out rules, marketing e-mails about features, releases, and educational content. You can unsubscribe from marketing e-mails at any time via the link at the bottom of any such e-mail or by contacting us.
  • To personalise and improve the Services, including measuring feature usage, debugging, A/B testing, and prioritising the roadmap.
  • For aggregated and anonymised analytics, which we may use without restriction.
  • To detect, prevent, and respond to fraud, abuse, security incidents, technical issues, and violations of our Terms.
  • To comply with our legal, accounting and tax obligations, to establish, exercise or defend legal claims, and to respond to lawful requests from public authorities.
  • For AI-assisted features (alignment suggestions, work-graph extraction, narrative detection, conflict resolution suggestions, meeting digestion). See Section 6.

4. Legal Bases for Processing (EEA, UK, Switzerland)

If GDPR applies to the processing, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Services to you, to bill you, and to respond to pre-contractual requests.
  • Legitimate interests (Art. 6(1)(f) GDPR) — to secure, debug, monitor and improve the Services, to prevent fraud and abuse, for direct B2B communications with our existing customers, and to defend our legal interests. We balance these interests against your interests, rights and freedoms; you may object at any time (see Section 9).
  • Consent (Art. 6(1)(a) GDPR) — for any processing that requires consent, including connecting optional integrations that read your data, optional analytics cookies, and unsolicited marketing communications. You may withdraw consent at any time with effect for the future.
  • Compliance with a legal obligation (Art. 6(1)(c) GDPR) — to keep invoice and tax records, to respond to lawful authority requests, and to meet other statutory duties.
  • Vital interests / public interest (Art. 6(1)(d), (e) GDPR) — only in rare cases where this is necessary.

5. Who We Share Personal Information With

We do not sell Personal Information. We disclose Personal Information only as described below.

5.1 Sub-processors (Art. 28 GDPR)

We engage sub-processors to provide the Services. Each sub-processor is bound by a data processing agreement that imposes confidentiality, security and limited-purpose obligations on them. The current, authoritative list of sub-processors is maintained on our Security page.

We will give reasonable advance notice of new sub-processors. Your continued use of the Services after such notice constitutes acceptance; if you do not accept, you may terminate your subscription in accordance with the Terms.

5.2 Native Integrations You Authorise

You may choose to connect third-party tools that you already use (for example CRMs, chat tools, calendars, task lists, meeting-transcript services, e-mail providers, or other productivity tools) to Vindaris. Those tools are operated by their respective providers and are not sub-processors of Vindaris — they are your own tech stack, and the providers are independent controllers for the data held on their platforms. When you connect such a tool, you instruct us to read data from its API on your behalf and to write data back where the integration supports it. Vindaris does not share data from one integrated tool with another third-party tool, with any other Vindaris customer, or with any unrelated party. Your use of those third-party tools is governed by their own terms and privacy notices, which we do not control and for which we accept no responsibility.

Vindaris's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5.3 Group Companies, Advisers, and Professional Services

We may share Personal Information with our affiliates, accountants, auditors, lawyers, tax advisers, and insurers where necessary for the management of our business and to comply with legal obligations.

5.4 Legal, Safety, and Compliance

We may disclose Personal Information where we believe in good faith that disclosure is necessary to (i) comply with applicable law, regulation, legal process, or governmental request, (ii) enforce our Terms and other agreements, (iii) detect, prevent or address fraud, security or technical issues, or (iv) protect against harm to the rights, property or safety of Vindaris, its customers, Users, or the public.

5.5 Change of Control

If we are involved in a merger, acquisition, financing, restructuring, sale of assets, bankruptcy, insolvency or other change of control, Personal Information may be transferred or assigned as part of, or in contemplation of, that transaction. We will require any acquirer to honour the commitments in this Notice or provide you with prior notice and the opportunity to object where required by law.

6. AI-Assisted Features

Certain features of the Services use a third-party large-language-model provider, currently Mistral AI (Mistral models, processed in the EU), to generate suggestions, summaries, alignments, or other inferred outputs from User Content you submit to that feature. When you invoke such a feature:

  • We send only the content and metadata necessary to fulfil your request to the model provider.
  • The model provider acts as our sub-processor and is contractually prohibited from using the data to train models.
  • Model outputs are statistical predictions and may be inaccurate, incomplete, biased, or misleading. You must independently verify outputs before acting on them. We provide AI features "as is" and on an "as available" basis, without any warranty of accuracy, fitness, non-infringement, or merchantability.
  • You must not submit content to AI features that you are not lawfully entitled to process for that purpose, including special-category data (Art. 9 GDPR) unless you have established a valid legal basis.

7. International Data Transfers

Our hosting, database, backups, transactional e-mail and AI processing all take place within the EU/EEA. We do not transfer Personal Information to recipients outside the EU/EEA. Should an international transfer become necessary in the future, we will rely on an appropriate transfer mechanism under Chapter V GDPR (such as an adequacy decision or the EU Commission Standard Contractual Clauses, 2021/914), supplemented by additional technical and organisational safeguards, and we will update this notice accordingly. A copy of the relevant transfer mechanism is available on request at privacy@vindaris.com.

If you connect third-party tools (Section 5.2) that are operated outside the EU/EEA, Personal Information you instruct us to read from or write to those tools may transit through or be stored in those third countries on the basis of your instruction. We do not control those providers' transfer mechanisms.

8. Retention

We retain Personal Information only as long as necessary for the purpose for which it was collected, or as required by law:

  • Server access logs: 7 days.
  • Audit logs: up to 12 months, then deleted or anonymised.
  • Account and User Content: for the duration of the contract plus 30 days, after which the account and its User Content may be deleted or anonymised; Administrators may shorten this on request.
  • Integration tokens: until you disconnect the integration or your account is terminated.
  • Invoice and tax data: 10 years (§ 147 AO, § 257 HGB).
  • Support correspondence: up to 3 years after termination of the contract.
  • Backups: rolling retention up to 35 days, after which they are securely overwritten.

9. Your Rights as a Data Subject

Subject to the conditions and exceptions provided by GDPR and other applicable mandatory law, you have the following rights. We grant only the rights mandated by applicable law; nothing in this Notice creates additional or broader rights.

  • Right of access (Art. 15 GDPR). You may obtain the data export described below.
  • Right to rectification (Art. 16 GDPR). You may correct most account fields yourself in the application; otherwise contact us.
  • Right to erasure (Art. 17 GDPR). You may request anonymisation of your user record via the in-app GDPR erasure flow. Note that User Content created in an organisation account belongs to that organisation; only the Administrator (or your manager, where applicable) can request its deletion. We retain audit-log entries with the actor field anonymised where retention is required by law (Art. 17(3)(b), (e) GDPR).
  • Right to restriction (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR). You may export your Personal Information in JSON format via the in-app data-export flow.
  • Right to object (Art. 21 GDPR) to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent (Art. 7(3) GDPR), without retroactive effect.
  • Right to lodge a complaint (Art. 77 GDPR) with the supervisory authority of your habitual residence, place of work or place of the alleged infringement (see Section 14).

To exercise any right, contact privacy@vindaris.com. We may require you to verify your identity and we may decline or limit a request to the extent permitted by law (for example where the request is manifestly unfounded or excessive, or where overriding legitimate grounds for processing apply). We will respond within the period required by law (typically one month, extendable by two further months for complex requests).

Only the Administrator of an organisation account can close that account. The Administrator may end any User's access at any time. Only the Administrator or your manager may request deletion of User Content held in the organisation account.

10. Security

We implement technical and organisational measures as required by Art. 32 GDPR, including row-level tenant isolation in our database, encryption of integration tokens at rest, TLS in transit, password hashing with bcrypt, optional multi-factor authentication, role-based access controls, principle-of-least-privilege for internal access, and audit logging. We periodically review and update these measures. See our Security page for more detail.

However, no Internet, e-mail or storage system is ever fully secure or error-free. We do not warrant or guarantee that the Services or your Personal Information will be free from unauthorised access, loss, misuse, alteration, or destruction. Please keep this in mind when disclosing any information to us via the Internet, and protect your account credentials accordingly.

11. Google API Services User Data Policy

Vindaris uses Google APIs (specifically the Google Tasks API) to read and write task data on your behalf once you explicitly connect your Google account from the Integrations settings page. Vindaris’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Concretely, this means:

  • Scopes requested. openid, email, profile at sign-in for identity, and https://www.googleapis.com/auth/tasks only after you click “Connect Google Tasks” in your Integrations settings.
  • How the data is used. Google Tasks data is synchronised into your Vindaris workspace so you can view, edit, and align those tasks with your goals and strategies. Changes you make in Vindaris are written back to Google Tasks (two-way sync). The data is shown only to members of your workspace as permitted by your in-app sharing settings and is filtered by Postgres Row-Level-Security on every read.
  • How the data is stored. Synced task content is persisted in our EU-based Postgres database (Hetzner, Falkenstein) alongside your other workspace data. OAuth access and refresh tokens are encrypted at rest using AES-256-GCM with a key held outside the database; they are used solely to call Google APIs on your behalf and are never logged, exported, or shared.
  • No transfer to third parties. We do not sell, rent, license, or otherwise transfer data obtained from Google APIs to any third party. We do not use this data for advertising, retargeting, credit assessment, or training generalised AI/ML models. The only sub-processors that touch the data are our hosting provider (Hetzner) and our database (self-managed Postgres on Hetzner) as listed in Section 5.
  • No human access. No Vindaris employee reads data obtained from Google APIs except (a) with your explicit consent for support, (b) where necessary for security investigations, or (c) where required by law.
  • Deletion. You can revoke Vindaris’s access at any time. The granular path is Settings → Integrations → Google Tasks → Disconnect, which deletes our copy of your tokens and the synced tasks they produced. You can also delete your entire account via Settings → Privacy & Data → Delete my account, which anonymises all data under GDPR Art. 17. Independently, you can revoke the OAuth grant from your Google account permissions page.

If you have questions about how Vindaris handles data obtained from Google APIs, contact us at privacy@vindaris.com.

12. Children

The Services are directed to business users and are not intended for individuals under the age of 16. We do not knowingly collect Personal Information from children under 16 without verifiable parental or guardian consent. If you believe a child has provided Personal Information to us, please contact privacy@vindaris.com and we will take reasonable steps to delete it.

13. Disclaimer and Limitation of Liability Regarding This Notice

This Notice describes our current data-processing practices. We make no representations, warranties or guarantees of any kind, whether express or implied, regarding the Services, the information described in this Notice, its accuracy, completeness, currency, or fitness for any particular purpose, except to the extent required by mandatory law. To the maximum extent permitted by applicable law, we exclude all warranties, conditions and representations not expressly stated in our written Terms.

To the maximum extent permitted by applicable law, our liability in connection with this Notice and the processing of your Personal Information is limited as set out in our Terms. Nothing in this Notice limits liability that cannot be limited under applicable law, including liability for intent, gross negligence, injury to life, body or health, or under the German Product Liability Act.

14. Supervisory Authority and Complaints

You have the right to lodge a complaint with a competent supervisory authority. The authority competent for our registered office is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach, Germany
www.lda.bayern.de

15. Third-Party Links and Co-Branded Pages

The Services may contain links to third-party websites, applications, or services that we do not operate. This Notice does not apply to those properties, and we are not responsible for their content, terms or privacy practices. The inclusion of any link does not imply endorsement.

16. "Do Not Track"

We do not currently respond to "Do Not Track" or similar browser signals, because no industry standard for compliance has yet been established.

17. Changes to this Notice

We may amend this Notice at any time to reflect changes in the law, our practices, or the Services. The current version is the version published on the Website; the "Date of Last Revision" indicates when it was last updated. Material changes will be notified to registered users by e-mail or in-app message. By continuing to use the Services after a revised Notice takes effect, you confirm that you have read and accepted the latest version.

18. Contact

If you have questions or comments about this Notice, our privacy practices, or to exercise your rights, please contact us:

E-mail: privacy@vindaris.com

