The data controller for personal data processed in connection with Sprintz is:

Full company details are listed on the imprint.

We process the following categories of personal data:

• Account data: name, email address, password hash, workspace membership.
• Usage data: issues, sprints, comments, and other content you create (“workspace content”).
• Technical data: IP address, browser, device, timestamps — recorded in server logs for security and operations.
• Analytics data: aggregated, cookie-less page-view data — processed only if you have given consent.

• Providing the service — Art. 6(1)(b) GDPR (performance of a contract).
• Security, fraud prevention, and operations — Art. 6(1)(f) GDPR (legitimate interests).
• Legal obligations such as accounting or responding to authorities — Art. 6(1)(c) GDPR.
• Analytics & non-essential cookies — Art. 6(1)(a) GDPR (consent). You may withdraw consent at any time without affecting prior processing.

We use carefully selected providers to operate Sprintz. Each is bound by a data processing agreement under Art. 28 GDPR.

Where a provider is based in a third country, transfers are safeguarded by the EU Standard Contractual Clauses and, where applicable, additional measures.

We use two categories of cookies and similar storage:

• Strictly necessary — for authentication, security, and to remember your theme preference. Legal basis: Art. 6(1)(f) GDPR / § 25(2) TTDSG. No consent required.
• Analytics (optional) — Vercel Analytics records aggregated, cookie-less page views. Loaded only after you click “Accept” on the cookie banner. You can revoke consent any time via the banner that reappears after clearing the sprintz-consent cookie.

We keep personal data only as long as needed for the purpose it was collected:

• Account & workspace data — until you delete your account.
• Server logs — 30 days, then aggregated or deleted.
• Analytics data — 90 days, then aggregated.
• Records required by tax or commercial law — up to 10 years (§ 147 AO, § 257 HGB).

After deletion, residual data may persist in encrypted backups for up to 35 days before being overwritten.

Under the GDPR you have the right to:

• request access to your personal data (Art. 15);
• have inaccurate data corrected (Art. 16);
• have data erased (Art. 17);
• restrict processing (Art. 18);
• receive your data in a portable format (Art. 20);
• object to processing based on legitimate interests (Art. 21);
• withdraw consent at any time (Art. 7(3));
• lodge a complaint with a supervisory authority — for Berlin, the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

To exercise any of these rights, write to privacy@sprintz.io.

We use TLS for all traffic, encrypted databases at rest, row-level security on workspace data, and least-privilege access controls. Despite reasonable measures, no system is fully secure — please report suspected vulnerabilities to security@sprintz.io.

We may revise this policy as the service evolves. Material changes will be announced by email or in-app at least 14 days before they take effect.