Todolo – Privacy Policy

This Privacy Policy describes how Aviato Labs AB ("Todolo", "we", "us") processes personal data in connection with the Todolo platform.

Todolo is a cloud-based service used by organizations to manage operations, communication, training, and related activities.

Todolo primarily acts as a data processor on behalf of its customers ("Customer"), who are the data controllers.

2.1 Customer as Data Controller

The Customer determines:

• What personal data is processed
• The purpose of processing
• Who has access to the data

Depending on how the service is used, the following types of personal data may be processed:

• Name
• Email address
• Phone number (if provided)
• Role and workplace (unit/group)
• Language preferences
• User ID and login information
• IP address and usage logs
• Content submitted by users (e.g. messages, tasks, documents)

Todolo is not intended for processing sensitive personal data (special categories of personal data under GDPR), such as:

• Health data
• Biometric data
• Religious or political information

The Customer is responsible for ensuring that such data is not uploaded or processed in the service.

Todolo processes personal data to:

• Provide and operate the service
• Enable communication and collaboration within the Customer's organization
• Maintain security and prevent misuse
• Provide support and improve the service

The legal basis for processing is determined by the Customer as data controller.

When Todolo acts as a data controller, processing is based on:

• Performance of a contract
• Legitimate interests (e.g. service improvement, security)
• Legal obligations

Todolo retains personal data:

• For as long as the Customer uses the service
• As required to fulfill legal obligations

After termination of the service:

• Data may be deleted in accordance with Todolo's retention policies
• Backup data may remain for a limited period for disaster recovery

Todolo may use trusted third-party providers ("subprocessors") to operate the service, including:

• Cloud hosting providers
• Infrastructure and analytics services
• Communication services

All subprocessors are bound by data protection obligations.

At the moment, a list of subprocessors is available only upon request; it is not yet published on Todolo's website.

Personal data may be processed outside the EU/EEA.

In such cases, Todolo ensures appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs)
• Other lawful transfer mechanisms

Todolo implements appropriate technical and organizational measures to protect personal data, including:

• Encryption in transit and at rest
• Access controls and authentication
• Logging and monitoring
• Regular security reviews

Individuals have rights under GDPR, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction
• Right to data portability
• Right to object

Requests should primarily be directed to the Customer (data controller).

Todolo will assist the Customer in responding to such requests where required.

Todolo may use cookies and similar technologies to:

• Ensure functionality
• Improve user experience
• Analyze usage

Further details are available in Todolo's Cookie Policy.

Todolo may update this Privacy Policy from time to time.

Material changes will be communicated in advance.

For questions regarding this Privacy Policy, please contact:

Aviato Labs AB (Todolo)

Email: info[at]todolo.se

Address: Aviato Labs AB, Tredje Langgatan 36, 413 27, Gothenburg