Agendara

Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller for Agendara is 10ideen.at. If you have any questions about this privacy policy or your personal data, please contact us at the address provided on our website. You can reach us via our contact page.

2. Personal Data We Collect

We collect and process the following categories of personal data:

Account Information

  • Name and email address
  • Profile image (if provided)
  • Password (stored as a cryptographic hash, never in plain text)

Session Data

  • IP address
  • Browser user agent string
  • Session token (stored in an HttpOnly cookie)

Single Sign-On (SSO) Data

If you sign in via Google, GitHub, Apple, or Microsoft, we store:

  • OAuth access and refresh tokens
  • Provider account identifier
  • Granted OAuth scopes

Calendar Data

If you connect an external calendar (Google Calendar or Apple Calendar), we store:

  • Calendar names and identifiers
  • Event details: title, description, location, start and end times, all-day status, and your response status
  • Calendar connection credentials (encrypted)
  • Synchronization tokens for incremental sync

Apple Reminders Data

If you connect Apple Reminders via the iOS app, we store:

  • Sync configuration and enabled status
  • Reminder list identifiers, names, and colors
  • Your selection of which lists to sync
  • Mappings between reminders and Agendara tasks
  • Pending sync queue for offline changes

Device Tokens

  • Expo push token for background sync notifications
  • Device platform (e.g. iOS)

Task and Scheduling Data

  • Projects: name, description, color, status
  • Tasks: title, description, priority, status, effort estimates
  • Steps: title, effort estimates, completion status
  • Tags and tag assignments
  • Scheduled time slots: date, start and end times, status
  • Work hours: day-of-week schedule with start and end times
  • Event filters: title patterns used for availability calculation
  • Calendar feed URL: a secret token used to serve your scheduled task slots as an iCal feed to external calendar applications

3. Purpose and Legal Basis

We process your personal data for the following purposes:

  • Providing the service: managing your account, authenticating sessions, syncing calendars, syncing Apple Reminders, scheduling tasks, and calculating availability
  • Transactional emails: sending password reset and email verification messages

The legal basis for processing is contract performance (Art. 6(1)(b) GDPR) — the processing is necessary to provide the time management service you have signed up for.

4. Third-Party Services

We share data with the following third parties:

  • Resend: for sending transactional emails (password reset, email verification). Your email address is shared with Resend for this purpose.
  • Google Calendar API: if you connect a Google Calendar, event data is synced via Google's API.
  • Apple CalDAV: if you connect an Apple Calendar, event data is synced via Apple's CalDAV protocol.
  • OAuth providers (Google, GitHub, Apple, Microsoft): if you use single sign-on, authentication data is exchanged with the respective provider.
  • Google Analytics: we use Google Analytics to collect anonymous usage statistics. Google may process your IP address and browser data. See Google's Privacy Policy.
  • Cloudflare Turnstile: the contact form uses Cloudflare Turnstile for spam protection. This service may process your IP address and browser data to verify that you are a real user.
  • OpenAI: when you use the AI step suggestion feature, your task title and description are sent to OpenAI's API to generate step suggestions. No other personal data is shared. See OpenAI's Privacy Policy.
  • Apple Reminders: if you enable Apple Reminders sync in the iOS app, reminder data (titles, notes, completion status, list assignments) is read from and written to Apple Reminders on your device.
  • Expo Push Notifications: we use Expo's push notification service to deliver silent background sync triggers to your iOS device. Only a device token and a content-less notification payload are sent. See Expo's Privacy Policy.

5. Cookies

Agendara uses a single session cookie to authenticate your login. This cookie is HttpOnly, Secure, and uses SameSite=Lax. We do not use any advertising cookies.

We use Google Analytics to collect anonymous usage statistics (e.g. page views, referral source, browser type). Google Analytics sets its own cookies. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

6. Data Retention

Your personal data is retained for as long as your account is active. When you delete your account, all associated data — including sessions, calendar connections, events, tasks, projects, steps, tags, scheduled slots, work hours, event filters, reminder sync data, reminder lists, and device tokens — is permanently deleted (cascade deletion).

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate personal data
  • Erasure: delete your account and all associated data
  • Data portability: receive your data in a structured, machine-readable format
  • Restriction: restrict the processing of your data
  • Objection: object to the processing of your data
  • Complaint: lodge a complaint with a data protection authority

8. Automated Decision-Making

Agendara's scheduling algorithm is transparent and fully controlled by you — you set your work hours, select which calendar events to consider, and decide how tasks are scheduled.

The optional AI step suggestion feature uses OpenAI to propose step breakdowns for your tasks. This feature is user-initiated, requires explicit confirmation, and all suggestions are fully editable before being applied. It does not make decisions on your behalf without your control.

9. Data Security

We protect your data through server-side sessions stored in a PostgreSQL database, HttpOnly and Secure cookies, hashed passwords, and encrypted calendar connection credentials. All communication occurs over HTTPS.

Calendar feed URLs contain a secret token that grants read-only access to your scheduled task slots. You can regenerate or disable this token at any time from your account settings.

All data is stored on servers located in Frankfurt, Germany, within the European Union.