Privacy Policy
Last updated: April 18, 2026 · Effective date: April 18, 2026
This Privacy Policy explains how GanttFather ("we", "us", "our") collects, uses, stores, and shares information when you visit ganttfather.com (the "Website") or use the GanttFather web application at app.ganttfather.com (the "Service"). It applies to all users, including visitors, registered account holders, and invited collaborators.
By using the Website or the Service, you agree to this Policy. If you do not agree, please do not use the Website or the Service.
1. Who we are (Data Controller)
GanttFather is operated as an independent product. You can reach us for any privacy or support matter at [email protected].
2. Information we collect
2.1 Information you provide
- Account data: first and last name, email address, password hash (never the plaintext password), and profile picture. When you sign up with Google, we receive your name, email, profile picture, and a stable Google user ID through our identity provider.
- Project content: projects, tasks, schedules, dependencies, progress, notes, assignments, virtual resources, integrations, and any other content you or your collaborators create inside the Service.
- Invitations and collaborators: email addresses of people you invite and the roles you assign them.
- Support and feedback: messages, screenshots, and logs you voluntarily submit through in-app feedback, email, or forms.
2.2 Information we collect automatically
- Authentication metadata: sign-in provider (email/password or Google), email-verified flag, preferred locale, last sign-in timestamp, and session tokens issued by our identity provider.
- Usage and device data: IP address, approximate geographic location derived from IP, user agent, operating system, browser, referrer, and pages visited.
- Application preferences: view mode, column widths, language, and similar UI state stored in your browser.
- Diagnostic data (optional, cookie-gated): crash reports, stack traces, performance traces, and — if enabled — a sampled session replay of the UI to help reproduce bugs. See the Cookie Policy.
2.3 Information we do not collect
We do not collect payment card data, biometric data, health data, or precise GPS location. We do not knowingly collect personal information from children under 16.
3. How we use your information
- Create and authenticate your account and keep your session secure.
- Deliver the Service: store project data, sync in real time, and share content with the collaborators you invite.
- Send transactional email (password reset, email verification, invitation notices, security alerts).
- Protect the Service against abuse, spam, brute-force attacks, and fraud.
- Diagnose crashes and improve reliability, only with your consent where required.
- Comply with legal obligations and enforce our Terms of Service.
4. Legal basis for processing (GDPR)
- Contract — to provide the Service you signed up for (Art. 6(1)(b) GDPR).
- Legitimate interest — security, fraud prevention, basic server logs (Art. 6(1)(f)).
- Consent — optional analytics, error diagnostics with session replay, and non-essential cookies (Art. 6(1)(a)). You can withdraw consent at any time.
- Legal obligation — tax, accounting, and lawful-request compliance (Art. 6(1)(c)).
5. Sub-processors and third parties
We rely on a small number of processors to operate the Service. Each is bound by a data-processing agreement and processes data only on our instructions. The list below shows the categories of processors we use. A current list of named sub-processors is available on request by emailing [email protected].
Processor categories
| Category | Purpose | Region |
|---|---|---|
| Identity provider | Account authentication and session tokens | United States / Global |
| Edge / CDN provider | Content delivery, DDoS protection, bot mitigation | Global |
| Error diagnostics provider | Crash reports, performance, optional session replay (consent-gated) | United States (EU region available) |
| Transactional email provider | Password reset, email verification, invitation and security notices | United States |
| Application database | Stores your account and project content | United States |
| Optional project-sync integration | Imports or syncs items only when you explicitly connect a third-party project tool | User-selected tenant region |
6. International transfers
Your data may be processed in the United States or other countries where our sub-processors operate. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards provided by each sub-processor.
7. Data retention
- Account data: retained while your account is active and for up to 90 days after account deletion.
- Project content: retained while your account is active. Deleting a project removes it from the Service; backup copies may persist for up to 35 days.
- Server logs: typically 30 days.
- Error diagnostics: 90 days by default.
- Invitation records: retained until accepted or revoked, or for 30 days, whichever comes first.
We may retain data longer when required by law, to resolve disputes, or to enforce our agreements.
8. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA, LGPD, PIPEDA), you have the right to:
- Access a copy of your personal data.
- Correct inaccurate or incomplete data.
- Delete your account and associated personal data ("right to be forgotten").
- Export your project data in a portable format (Excel, JSON).
- Object to or restrict certain processing.
- Withdraw consent for optional cookies at any time.
- Lodge a complaint with your supervisory authority.
To exercise these rights, email [email protected] from the address associated with your account. We respond within 30 days.
9. Security
We use TLS 1.2+ for all traffic, encrypt data at rest in our database, hash passwords with industry-standard algorithms (delegated to our identity provider), scope agent tokens with least privilege, and rotate signing keys regularly. No system is perfectly secure; you are responsible for keeping your credentials confidential.
10. Children's privacy
The Service is not directed to children under 16 and we do not knowingly collect their personal information. If you believe a child has provided us with data, contact us and we will delete it.
11. Automated decision-making
We do not make decisions producing legal or similarly significant effects based solely on automated processing of your personal data.
12. Changes to this Policy
We may update this Policy from time to time. We will post the new version on this page and update the "Last updated" date. Material changes will be announced in-app or by email at least 14 days in advance where feasible.
13. Contact
For privacy, security, or general questions, email [email protected].
This document is provided for informational purposes and is tailored to GanttFather's current processing activities. It is not a substitute for legal advice. Consult qualified counsel in your jurisdiction before relying on it for regulatory compliance.