GDPR & Data Processing

Effective February 1, 2026

TODO for AI Kft. ("TODOforAI") is an EU company (Budapest, Hungary) and complies with the EU General Data Protection Regulation (GDPR). This page explains how data processing works when you use TODOforAI, and lists the third-party providers we rely on.

Your Data Stays Yours

When TODOforAI works on your todos, it handles your business data — contacts, invoices, emails, account access. Under GDPR:

  • You are the data controller — it's your data, and you decide what it's used for.
  • TODOforAI is the data processor — we process it only on your instructions, to get your todos done. We don't use your business data for anything else, and we don't train AI models on it.

For your own account data (sign-up, billing, product emails), TODOforAI acts as the controller — that's covered by our Privacy Policy.

Data Processing Agreement (DPA)

Our GDPR Article 28 Data Processing Agreement covers processing instructions, confidentiality, security measures, breach notification (within 48 hours), data deletion, audit rights, and international transfers. Contact privacy@todofor.ai to receive a signable copy.

Third-Party Providers (Sub-processors)

To provide the service, we rely on the following providers. Where data leaves the EU, transfers are protected by the EU–US Data Privacy Framework (DPF) or the EU Standard Contractual Clauses (SCCs).

ProviderPurposeLocation of ProcessingTransfer Mechanism
Hetzner Online GmbHCloud infrastructure & hostingFinland / Germany (EU)N/A (EU)
Anthropic, PBCAI model inference (Claude)USAEU–US DPF / SCCs
OpenAI, L.L.C. / OpenAI Ireland LtdAI model inference (GPT)USA / EUEU–US DPF / SCCs
Google LLC / Google Ireland LtdAI model inference (Gemini)USA / EUEU–US DPF / SCCs
OpenRouter, Inc.AI model routing / inferenceUSASCCs
Stripe Payments Europe, Ltd.Payment processingEU / USAEU–US DPF / SCCs
Resend, Inc.Transactional email deliveryUSASCCs
Cloudflare, Inc.CDN, DNS & network securityGlobal (EU PoPs)EU–US DPF / SCCs

AI model providers are engaged only to the extent your todos require model inference. API data is not used by these providers to train their models under the applicable API terms.

Third-party services that you connect yourself (e.g. your own Gmail, CRM, or invoicing accounts) are operated under your own agreements with those services and are not sub-processors of TODOforAI.

Changes to this List

We will update this page at least 14 days before adding or replacing a provider, giving customers the opportunity to object on reasonable data-protection grounds, as described in our DPA.

Last Updated: February 1, 2026