GDPR & Data Processing
Effective February 1, 2026
TODO for AI Kft. ("TODOforAI") is an EU company (Budapest, Hungary) and complies with the EU General Data Protection Regulation (GDPR). This page explains how data processing works when you use TODOforAI, and lists the third-party providers we rely on.
Your Data Stays Yours
When TODOforAI works on your todos, it handles your business data — contacts, invoices, emails, account access. Under GDPR:
- You are the data controller — it's your data, and you decide what it's used for.
- TODOforAI is the data processor — we process it only on your instructions, to get your todos done. We don't use your business data for anything else, and we don't train AI models on it.
For your own account data (sign-up, billing, product emails), TODOforAI acts as the controller — that's covered by our Privacy Policy.
Data Processing Agreement (DPA)
Our GDPR Article 28 Data Processing Agreement covers processing instructions, confidentiality, security measures, breach notification (within 48 hours), data deletion, audit rights, and international transfers. Contact privacy@todofor.ai to receive a signable copy.
Third-Party Providers (Sub-processors)
To provide the service, we rely on the following providers. Where data leaves the EU, transfers are protected by the EU–US Data Privacy Framework (DPF) or the EU Standard Contractual Clauses (SCCs).
| Provider | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure & hosting | Finland / Germany (EU) | N/A (EU) |
| Anthropic, PBC | AI model inference (Claude) | USA | EU–US DPF / SCCs |
| OpenAI, L.L.C. / OpenAI Ireland Ltd | AI model inference (GPT) | USA / EU | EU–US DPF / SCCs |
| Google LLC / Google Ireland Ltd | AI model inference (Gemini) | USA / EU | EU–US DPF / SCCs |
| OpenRouter, Inc. | AI model routing / inference | USA | SCCs |
| Stripe Payments Europe, Ltd. | Payment processing | EU / USA | EU–US DPF / SCCs |
| Resend, Inc. | Transactional email delivery | USA | SCCs |
| Cloudflare, Inc. | CDN, DNS & network security | Global (EU PoPs) | EU–US DPF / SCCs |
AI model providers are engaged only to the extent your todos require model inference. API data is not used by these providers to train their models under the applicable API terms.
Third-party services that you connect yourself (e.g. your own Gmail, CRM, or invoicing accounts) are operated under your own agreements with those services and are not sub-processors of TODOforAI.
Changes to this List
We will update this page at least 14 days before adding or replacing a provider, giving customers the opportunity to object on reasonable data-protection grounds, as described in our DPA.
Last Updated: February 1, 2026