Tadoro

Privacy Policy

Based in GermanyDatabase in the EU

Tadoro is index, not filing cabinet

We're deliberately not a filing cabinet, Tadoro is not designed for the following four kinds of data. So your preparedness stays safe even if something goes wrong elsewhere.

  • No document contents

    No uploads, no scans, no PDFs. Please don't copy full contents of powers of attorney, wills, policies, or contracts into free-text fields. Tadoro records only organisational pointers, whether a document exists and where it is kept outside of Tadoro.

  • No passwords

    Please don't store passwords, PINs, TANs, recovery codes, or access credentials to banks, insurers, email accounts, password managers, or any other services in Tadoro.

  • No account numbers or IBANs

    Please don't enter IBANs, account numbers, credit-card data, or other payment data in Tadoro. The location field describes where information can be found, not its confidential content.

  • No medical records

    Tadoro doesn't replace clinical documentation. Please don't store diagnoses, findings, medication plans, or medical records. Record only organisational pointers, e.g. “medication list exists, kept in the emergency binder.”

Where to keep originals

Originals belong in a secure place – for example a fireproof safe at home, with a notary, or in official custody at the probate court (Nachlassgericht), where applicable for the given document. For wills in particular, what matters is compliance with the statutory form and that the original can be reliably located. For a digital backup, end-to-end encrypted cloud services with EU server location may be considered, such as Proton Drive (Switzerland, 5 GB free), Tresorit (Switzerland), or Filen (Germany). You record the storage location in Tadoro yourself – e.g. “Proton Drive · Preparedness folder”. Tadoro has no integration with these services and sees neither contents nor credentials.

The services named are examples and not a legal, technical, or security recommendation for your specific situation.

This privacy policy explains how personal data is processed when using Tadoro (tadoro.com).

1. Data Controller

Felix Hansen
Eichendorffstr. 4
50858 Köln
Germany
E-Mail: datenschutz@tadoro.com

1a. How responsibility is allocated at Tadoro

When you use Tadoro directly for private purposes, Tadoro is your data controller for that processing.

When your employer provides Tadoro as an employee benefit, Tadoro processes certain data in the so-called Employer Layer on behalf of your employer, in particular for provisioning, license and access management, invitations, support, and aggregated usage metrics.

As soon as you use Tadoro for your private Family Workspace, Tadoro is again the independent controller for that content. This concerns in particular the private organisation of family preparedness, responsibilities, and emergency information.

This Privacy Policy describes both layers and indicates, in each case, in which role Tadoro acts.

2. Data We Process

When using Tadoro, the following data may be processed:

  • Account and profile data: name, email address, authentication data, language preference, account status
  • Preparedness plan data: names and roles of family members, preparedness areas, status entries, responsibilities, storage locations, notes, emergency plans, export data
  • Invitation and role data: invited persons, roles, acceptance status, co-organizers, observers
  • Successor (Vertrauensperson) data: name, email address, optional note, time of designation
  • Payment and contract data: Stripe customer ID, payment status, invoice data, contract term, cancellation and refund status
  • Communication data: support requests, emails, feedback
  • Usage and security data: login timestamps, technical logs, error reports, security events, rate-limiting data
  • AI processing data: free-text input and derived structured recommendations, when you use AI-assisted features
  • Reflection data: a once-monthly mood check-in about preparedness (4 predefined options, no free text), timestamp, app path, and account context (plan age, trial or paid status)
  • Acceptance metadata: timestamp and version of accepted Terms of Service, sign-in channel chosen
  • Analytics and statistics data: only to the extent you have consented

Contacts at corporate customers

When companies deploy Tadoro as an employee benefit, we additionally process personal data of contact persons at the corporate customer, in particular for offers, contract conclusion, customer support, billing, and data-protection and legal communication.

This typically involves the name, business contact details, role, communication content, and contract- and billing-related information.

3. Purpose of Processing

We process data to provide the Tadoro service: authentication, preparedness-plan management, readiness assessments, coordination prompts, payment processing, support, security, abuse prevention, and to comply with legal obligations.

4. Legal Bases

Processing is carried out, depending on the operation, on the following legal bases:

  • Art. 6(1)(b) GDPR: provision of the user account, contract performance, preparedness-plan features, payment processing, support.
  • Art. 6(1)(c) GDPR: compliance with legal obligations, in particular commercial- and tax-law retention duties.
  • Art. 6(1)(f) GDPR: security, abuse prevention, error analysis, product improvement, and the establishment, exercise, or defense of legal claims.
  • Art. 6(1)(a) GDPR: optional consents, in particular for analytics cookies or voluntary AI features, where consent is obtained.
  • Tadoro is not designed to collect special categories of personal data within the meaning of Art. 9(1) GDPR in a structured manner. Guidance on the handling of inadvertent entries in free-text fields is set out in § 5b.

5. Recipients, Service Providers, and Data Processors

We only use service providers that we need for operating, securing, communicating, billing, and developing Tadoro. Where providers process data outside the EU or access from third countries is possible, we ensure the data-protection safeguards required for that.

Third-country transfers: some providers process data in the USA. For these we uniformly use EU Standard Contractual Clauses under Art. 46 GDPR, supplemented by additional safeguards and – where the provider is certified – the EU-US Data Privacy Framework. Copies of the safeguards are available on request.

Necessary services

ProcessorPurposeLocationRole
SupabaseDatabase, authenticationEU (Frankfurt)Processor
VercelHosting, edge networkEU (Frankfurt); global edge; US admin access (SCCs)Processor
StripePayment processing (no card data stored with us)Ireland + USAIndependent controller (payment)
ResendTransactional emails, drip series, business inquiries via /partnersUSAProcessor
Anthropic (Claude)AI-assisted analysis (onboarding, conversation guides, assessor brief – subject names anonymised before transfer; the assessor brief processes health/care data on the basis of explicit Art. 9(2)(a) GDPR consent). Family Workspace only, not the Employer Layer.Ireland + USAProcessor
UpstashRedis (rate limiting, token counters)EU (Frankfurt)Processor
SentryError + performance monitoringEUProcessor
Cloudflare TurnstileBot protection (sign-up, password reset)Global (edge); USAProcessor

Optional services

Active only if you consent (Google Analytics) or only if you click the link yourself (Calendly).

ProcessorPurposeLocationRole
Google AnalyticsAnonymous usage statistics (consent only)USAIndependent controller
CalendlyScheduling B2B2C consultations via /partners (only if you click the link)USAIndependent controller

The respective Data Processing Agreements (DPAs) are available on request. datenschutz@tadoro.com

The overview above concerns the processing for which Tadoro is the independent controller. If your employer provides Tadoro as an employee benefit, Tadoro processes certain data in the Employer Layer on behalf of the employer (see § 1a). The subprocessors used there, and the corresponding safeguards including any third-country transfers, are governed by the data processing agreement (Art. 28 GDPR) between Tadoro and the employer. A current overview of the subprocessors used in the Employer Layer is provided to corporate customers under the data processing agreement or on request.

5a. Data about family members and other persons

In Tadoro, users can also record information about family members or other persons where this is necessary for organising family preparedness or emergency planning. We expect such information to be recorded only where, in the specific case, sharing it is understandable and permissible.

It is best to let the affected persons know that you are recording their preparedness information in Tadoro – just as preparedness is discussed within a family anyway. Persons without their own Tadoro access (e.g. parents) are recorded by you as third persons. Because we do not collect this data directly from them, we usually cannot notify them ourselves (Art. 14(5)(b) GDPR); we therefore inform publicly via this Privacy Policy and ask you to involve those persons yourself where possible. Any person listed in a plan can contact datenschutz@tadoro.com at any time to request access, rectification, or erasure.

Tadoro processes such data solely to provide the platform in accordance with this Privacy Policy and is the independent controller for this purpose.

For the allocation between the Employer Layer and the Family Workspace, see § 1a.

Please do not enter passwords, PINs, TANs, full account numbers, IBANs, ID-card copies, diagnoses, medication plans, or full contents of legal, medical, or financial documents. Your confirmation of this responsibility is found in the Terms of Service (§ 3a).

Affected persons can contact us directly at any time if they wish to request access to, rectification, or erasure of their data.

5b. Special Categories of Personal Data (Art. 9 GDPR)

Tadoro is not designed to collect health data, diagnoses, or other special categories of personal data within the meaning of Art. 9(1) GDPR. The provided templates and input fields are intended in principle to document references, responsibilities, and storage locations, but not to store health detail data, diagnoses, complete findings, specific health values, or medication dosages themselves.

Users are therefore asked not to enter any diagnoses, health detail data, passwords, IBANs, or other particularly confidential detail information in free-text fields. A technical entry of such information in free-text fields cannot, however, be entirely excluded.

Where users enter information contrary to these notices that may contain special categories of personal data, Tadoro processes such information only within the scope of the storage, display, management, and deletion initiated by the user within the respective family workspace. No substantive analysis of such information for health purposes takes place.

Tadoro may introduce additional notices, technical input restrictions, or consent mechanisms where this becomes legally required or is expedient for further data minimisation.

5c. Mood Check-in

Once a month Tadoro asks you for a brief read on how you're feeling about preparedness (four predefined options, no free text). The feature is optional and can be turned off at any time under Settings → Reflection.

We store your chosen response, the timestamp, the in-app path at response time, and account-context data (e.g. how long your plan has existed and whether you are in trial or full-access state). We do not store free text or detailed medical information via this feature.

We use this data solely in aggregate to develop Tadoro with emotional calibration in mind (which surfaces feel stressful, where families experience relief). The data is not shared with third parties, not used for personalized advertising, and immediately discontinued on request via Settings.

Retention: reflection responses are retained for as long as your account exists. On account deletion they are irrevocably removed together with your other account and plan data (see § 8).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in developing the product with emotional calibration in mind, in the preparedness context). You may object to this processing at any time pursuant to Art. 21 GDPR by turning the check-in off in Settings or by contacting us at datenschutz@tadoro.com.

6. Cookies

Tadoro uses essential cookies and comparable technologies for authentication, security, and language preference. Optional analytics features (e.g. Google Analytics) are activated only with your consent. No advertising cookies are used.

7. Your Rights

You have the right to access, rectify, delete, and port your data (GDPR Art. 15, 16, 17, 20). Most of these rights can be exercised directly in Tadoro:

  • Access + portability: Settings → “Export your data.” A complete JSON export of all preparedness plans, topics, family members, and emergency plans is provided instantly.
  • Rectification: All data can be edited directly in the app.
  • Deletion: as plan-lead you can delete the plan or, where available, transfer the lead role to an eligible co-organizer. As a co-organizer or observer you can leave a plan via Settings → Family & Roles. Settings → “Delete account” additionally removes you from all preparedness plans and deletes your account.
  • Listed as a person in someone’s preparedness plan but don’t have an account yourself? Write to datenschutz@tadoro.com – Tadoro processes such requests without undue delay and generally within the statutory time limits. As a rule, Tadoro endeavours to provide an initial response within a few business days. We delete or restrict the data about you in the relevant plan, unless statutory retention obligations or legitimate interests apply (GDPR Art. 17).
  • Objection + complaint: Write to us at datenschutz@tadoro.com or to the competent supervisory authority.

8. Data Deletion and Retention

When you delete your account, your personal data and preparedness-plan data are deleted from the active system. Tadoro processes deletion requests without undue delay. Technical implementation generally takes place promptly after the review has been completed, unless statutory retention obligations, security interests, or other legitimate grounds apply.

Data that cannot be deleted, or cannot be deleted immediately, includes in particular:

  • Payment and invoice data, where statutory retention obligations apply (typically up to 10 years under commercial- and tax-law rules, stored by Stripe).
  • Security, audit, and abuse logs, where required for traceability, security, or the establishment, exercise, or defense of legal claims. Retention: typically 2 years for trial accounts, 5 years for paid accounts.
  • Audit logs generally do not contain full document contents, passwords, IBANs, or detailed medical information – only technical and organizational events such as changes, access, role transfers, exports, deletions, and access grants.
  • Support and communication data, where required to process your request or to defend legal claims.
  • Email suppression entries are kept indefinitely or until the purpose ceases to apply, with only the minimum data required – e.g. to enforce objections, opt-outs, or abuse protections technically.
  • Data in backups, until overwritten by the regular backup cycle.
  • Acceptance metadata for the Terms of Service (timestamp, version, sign-in channel) – as proof of contract conclusion and the accepted contract version.

Expired accounts (trial ended or subscription not renewed) remain in a 180-day grace period during which you can reactivate at any time. 30 days before deletion, we send a reminder email with export reminder. After 180 days, preparedness-plan data is automatically deleted (Art. 5(1)(e) GDPR – storage limitation).

Independently of this, your preparedness plan does not depend on Tadoro: Tadoro holds only the organisational overview, not your original documents. You can export your data in full at any time via Settings and continue it outside Tadoro. Should the service be discontinued, we will inform you in good time, enable export, and delete data in accordance with this Privacy Policy; your data is neither sold nor passed on.

Before deleting your account, we recommend downloading your data via “Settings → Export your data.”

8a. Successor Designation and Access in the Event of an Emergency

You may designate a successor (Vertrauensperson) in your settings. This designation is an organisational account feature within Tadoro. It does not create a power of attorney, statutory representative authority, status as heir, or authority vis-à-vis banks, doctors, authorities, insurers, or other third parties.

The successor initially has no access to your data. Access can only be considered after a manual review process. For this purpose, the successor contacts hilfe@tadoro.com and provides appropriate evidence – for example a relevant power of attorney, certificate of inheritance, death certificate, or other documents that demonstrate a legitimate interest or authority.

Tadoro processes such requests without undue delay and generally within the statutory time limits; as a rule, Tadoro endeavours to provide an initial response within a few business days. We may request additional evidence, limit access in scope or duration, notify affected co-organizers, or deny access. In cases of doubt, family dispute, or unclear authority, we reserve the right to suspend access until clarified.

A granted access concerns exclusively the organisational entries stored in Tadoro – for example pointers to existing documents, storage locations, contacts, responsibilities, and emergency plans. Tadoro does not replace legal arrangements such as a will, intestate succession, executorship, power of attorney, banking authorisation, or advance directive.

9. Contact

For privacy-related questions, contact: datenschutz@tadoro.com

In case of discrepancies or questions of interpretation, the German version shall prevail. The English version is provided for convenience only.

Last updated: May 2026