What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation designed to help citizens and residents of the European Union (EU) protect their personal data by specifying how such data may be collected, processed, and stored. At Doist, we're fully compliant as of May 25th, 2018.
Is Doist GDPR compliant?
Yes. Doist and our services, Todoist and Twist, are fully compliant with the GDPR as of May 25th, 2018.
Are our customers able to use Doist products and services without risking a breach of the GDPR?
Yes, from our end. Of course, if your customers are in a location where the GDPR applies, they need to make sure their business operation is compliant with the GDPR in its own right.
What types of personal data does Doist collect?
When registering for Todoist and/or Twist you voluntarily give us information such as your name and email address. You can access and update this information at any time in your personal Account Settings.
In addition, when you use our services, you give us consent to use the following data:
- IP address
- Device ID
- Name and surname (optional, not processed)
- Job (optional, not processed)
- Phone number (optional, not processed)
- VAT ID (optional)
- Invoice address (for Pro and Business accounts)
Why does Doist collect personal data?
The data we collect is required for us to provide you with our services and is used to improve Twist and Todoist.
How can I access and export my personal data?
To have your personal data exported, please contact us.
We provide full access to data via our API, allowing you to obtain the personal data that was provided to us and/or transfer it to another controller. You can find our API for Twist and Todoist here:
Please note that payment information and integrations are not available via our API. In case you want to obtain this information, please contact us.
Who owns my data in Todoist?
When using Todoist on an individual plan under a default personal workspace, Doist is considered a Data Processor which means that we control how your user data is processed and are responsible for the data to be processed within GDPR regulations. By using our service, you grant Doist the right to share your content with other authorized users within the context of our collaboration features and functionalities.
By sharing your content with other Todoist users (including in team workspaces or in shared projects within a personal workspace), you grant each of those users the right to access your content through our service, and to use, reproduce, distribute, display, edit, perform, and otherwise interact with such content.
When you create or join a team workspace (which in this case is considered organizational), you agree to comply with the policies of the applicable organization and any agreement between you and that organization. It means the organization is the owner of all user content in the respective workspace. All user content in the organizational workspace may be shared with the organization and may be modified, deleted, or accessed by the organization. The organization may terminate your access to the organizational workspace at any time and you may not be able to access your content in that workspace. By transferring any content to the organizational workspace, you grant the organization broad rights to your user content.
Does Doist use third-party services to process data?
We use GDPR-compliant third-party services and hosting partners such as Stripe, AWS, and Google Workspace. In these cases, we take the necessary safeguards to ensure that we are GDPR compliant when sending and receiving data from a third party. Check out Todoist’s security and privacy policies and Twist’s security and privacy policies for more information.
Do you provide a list of relevant third-party services?
Yes. When necessary, we use the following GDPR-compliant third-party services:
- Amazon Web Services
- CloudBees Rollout
- Meta (Facebook)
- Google Analytics
- Microsoft Azure
- Microsoft Visual Studio App Center
What cookies do you use?
We use the following cookies:
- Strictly necessary cookies: required to perform your login functionality, user authentication, and security;
- Functional cookies: used to recognize you when you return to our website and personalize our content for you, greet you by name, and remember your preference;
- Analytical and advertising cookies: used to help us understand how users engage with our product. We use a handful of third-party cookies: Google Analytics (analyzing website traffic and user behavior), Datadog (monitoring web performance and user experience), Stripe (handling payments and pricing/upgrade page), Zendesk (loading images and providing support or Help Center), YouTube (displaying videos on Help Center pages), Cloudinary (loading and optimizing images).
Do you process any Data outside the EU?
Yes, we do. We process data in North Virginia, USA using Amazon Web Services (AWS). We only collect as little data as possible, and all data is encrypted using AES 256 encryption.
Do you ever sell any data?
No, we never sell data.
Do you store any personal data once I've deleted my account?
Upon deleting your account, all your personal data will be removed from our production systems. Only an encrypted copy of your data will remain on our backup archives for 90 days. After this period, all data associated with your account will be deleted permanently. Please note that we don't provide the encrypted copy from our backup archives upon request.
Does Doist offer a Data Processing Agreement (DPA)?
Yes. We offer a DPA that has been pre-signed on behalf of Doist. It can be completed by filling out your details and signing it here.
How is personal data protected?
We restrict staff access to personal data to a very small number of employees who need access for specific reasons to improve Todoist and Twist.
We regularly test, assess and evaluate the effectiveness of our processes and technology.
We use encryption to safeguard data.
How is personal data encrypted?
When user data is stored in servers and databases, Doist uses AES 256 encryption. When the data is being sent or received, it is encrypted with TLS 1.1 or above. Data backups on our servers are encrypted with AES256 and signed by RSA with 2048 key length.
Additionally, Todoist creates automatic backups within the app on a daily basis for Pro and Business users. We take the necessary safeguards to ensure that these are well protected by maintaining a security system that prevents unauthorized access.
Since GDPR has various requirements, your compliance needs will depend on your precise circumstances. If you have specific questions or needs, please contact us.
How is my content protected? Can your employees read my content?
User content, such as tasks and comments, resides in our data stores, which get shielded from internet traffic, and have a strict access policy inside the company. Access to it is audited, requires multiple layers of authentication, and is only allowed for a valid business purpose. In other words, there's no way for any entitled internal employee to access it without others knowing. The need to access user content is pretty rare.
Are the deleted tasks also deleted from your servers?
Yes, after a while. The system first marks records as deleted before actually deleting them. Soft deletions ensure content is inaccessible by client applications. Hard deletions occur later, deferred in time. The system's behavior supports our multi-device synchronization mechanisms. Records marked as deleted help synchronization algorithms to perform data state conflict resolution.
User content is also present in database backups. They exist for business continuity, in case we ever face a disastrous scenario of data loss, a long period of data unavailability, or data corruption. All data, including backups, are kept encrypted at rest. To date, we have never needed to use database backups.
Database backups do not allow access to each user's data. Instead, we can restore them into a live database, where regular data access controls apply. The backups are rotated automatically and won't last more than 94 days.