Privacy Policy — Gantt Chart Maker

This Privacy Policy explains how we collect, use, and share your personal information when you use ganttchartmaker.app ("the Service"). We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), Greek Law 4624/2019, the ePrivacy Directive (Greek Law 3471/2006), and other applicable laws.

1. Who we are

The data controller responsible for your personal information is:

Name: Fotis Petrou
Operator type: Private individual (non-commercial service)
Address: 7th km PEO Larisas-Volou, 41500 Melissochori, Greece
Email: fokompet@gmail.com

If you have any questions about this Policy or how we handle your data, contact us at the email above. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), Kifissias 1-3, 11523 Athens, Greece — www.dpa.gr.

2. What data we collect

Account data

When you create an account or sign in via Google, GitHub, or Microsoft, we collect:

Email address
Display name
Profile picture URL (from your OAuth provider)
OAuth provider ID (a stable identifier issued by Google/GitHub/Microsoft)
Account creation date and last sign-in date
Display name colour (cursor colour) used for real-time collaboration

Chart content

Gantt charts you create, edit, or save to the cloud (tasks, dates, dependencies, themes, viewport state)
Sharing settings (who you have invited to a chart and with what role)
Project metadata (name, last-edit timestamp)

Collaboration data

Cursor positions and presence indicators (broadcast in real time over Supabase Realtime; not persisted to disk)
Collaborator memberships (which charts you have been invited to)
Email addresses of users you invite to your charts
In-app notifications (share events, announcements)

Technical data

IP address (logged briefly for security and abuse-prevention purposes; not used for cross-site tracking)
Browser type and version, operating system
Timestamps of actions you take in the Service
Error logs that may include the URL you were on when an error occurred

Usage and activity data (signed-in users)

Export events — each time you export a chart while signed in, we record the file format (for example PNG, PDF, SVG, Excel, CSV) and the time. We do not record the contents of the exported chart. Exports made without an account are not recorded.
Activity signal — while you are signed in with the app open and in focus, a periodic "heartbeat" records that you are active. From this we derive when you were last active and an approximate total time you have spent in the app.

This usage data is linked to your account (it is not anonymised) and is used for product analytics, capacity planning, and to power the administrator tools described in section 4. It is distinct from the cookieless, aggregate website analytics described in our Cookie Policy.

Cookies and similar technologies

See our Cookie Policy for the full list of cookies and similar technologies (localStorage, sessionStorage, IndexedDB) we use.

Advertising data (when ads are active)

Google AdSense advertising identifiers (only after you have consented through the cookie banner)
Whether you have viewed or interacted with an ad served on our site

3. Why we collect it (legal bases under GDPR Article 6)

Account creation and login: performance of a contract with you (Art. 6(1)(b)).
Cloud storage and sharing of charts: performance of a contract (Art. 6(1)(b)).
Real-time collaboration features (presence, cursors, live edits): performance of a contract (Art. 6(1)(b)).
Access by an AI assistant you connect: performance of a contract, together with your explicit authorisation of the connection (Art. 6(1)(b) and 6(1)(a)).
Service security, fraud prevention, abuse detection: our legitimate interest in keeping the Service safe (Art. 6(1)(f)).
Aggregated, anonymised analytics: our legitimate interest in understanding usage (Art. 6(1)(f)).
Usage and activity analytics linked to your account (export and activity records): our legitimate interest in understanding how the Service is used and planning capacity (Art. 6(1)(f)). You may object at any time under Art. 21.
Service administration: our legitimate interest in supporting users, keeping the Service secure, and preventing abuse, including via an internal administrator console (Art. 6(1)(f)).
Non-essential cookies, personalised advertising: your consent (Art. 6(1)(a)), collected via the cookie banner. You can withdraw at any time.
Compliance with legal obligations: Art. 6(1)(c), for example responding to lawful requests from authorities.

4. Who we share your data with

Service providers (processors acting on our behalf)

Supabase, Inc. — authentication, database (PostgreSQL), and storage for your account and charts. Servers in the EU (Frankfurt, Germany).
Cloudflare, Inc. — site hosting, content delivery, DDoS protection, and privacy-friendly (cookieless) analytics.
Google LLC — Google AdSense (only when ads are active) and Google Funding Choices consent management.

OAuth providers (independent controllers when you sign in via them)

Google LLC — Sign in with Google. Google provides us your email, name, Google ID, and profile picture URL.
GitHub, Inc. — Sign in with GitHub. GitHub provides us your username, email, GitHub ID, and avatar URL.
Microsoft Corporation — Sign in with Microsoft. Microsoft provides us your email, name, and Microsoft ID.

Other users

Other users on a chart you have shared see your display name, your cursor position in real time, and your edits to the chart.

If you create a public share link for a chart, anyone who has that link can view the chart's contents without signing in. You choose whether a link exists and can revoke it at any time.

AI assistants you connect (optional)

You can optionally connect a third-party AI assistant (for example Anthropic's Claude or OpenAI's ChatGPT) to your account so it can list, read, create, and edit your charts on your behalf. This uses an access token that you explicitly authorise and can revoke at any time. When you connect an assistant and ask it to work with a chart, the chart data you direct it to is processed by that AI provider under its own privacy terms. We never connect an assistant for you, and your data is shared with an AI provider only when you have set up and authorised the connection yourself.

Our administrators

A small number of authorised administrators can access an internal console that shows account information (email, login provider, number of charts, export and activity counts, last-active time) for support, security, and abuse-prevention purposes, and can suspend or delete accounts. This is internal access by us as the data controller — not disclosure to a third party. Administrator access requires a separate sign-in and is restricted to accounts we have explicitly authorised.

Authorities and law enforcement

We disclose data to authorities only when legally required, and we will inform you whenever the law allows.

We do NOT sell your personal data. We do NOT share your personal data for cross-context behavioural advertising outside of the consent-gated Google AdSense flow.

5. International transfers

Some of our service providers and OAuth providers are based in the United States. Transfers rely on the following safeguards:

The EU-U.S. Data Privacy Framework (DPF), under Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, for recipients certified under the DPF. Google LLC and GitHub/Microsoft Corporation are DPF-certified.
Where DPF certification is not available or is invalidated, Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by appropriate additional measures where necessary.

You can request a copy of the SCCs or further information about transfers by emailing us at fokompet@gmail.com.

6. How long we keep your data

Account data: retained while your account is active. On deletion (by you or by us), hard-deleted from production systems within 30 days; encrypted backups purged within 90 days.
Chart content: retained while you keep it in your account. Same deletion window as above.
Usage and activity records (export events, activity signal): retained while your account is active and deleted with your account. When an administrator deletes an account, access is suspended immediately and the data is recoverable for 30 days before permanent erasure.
Technical logs: retained for up to 90 days for security analysis, then deleted or anonymised.
AdSense data: retained by Google according to Google's own retention policy.
Cookie consent records: retained for 12 months from your last interaction with the cookie banner, then prompted again.
Legal compliance records: retained as long as required by applicable law (typically 5 years for tax-related records under Greek law).

7. Your rights

You have the following rights under GDPR:

Right of access (Art. 15) — get a copy of the data we hold about you.
Right to rectification (Art. 16) — correct inaccurate data.
Right to erasure / "right to be forgotten" (Art. 17) — delete your account and the data we hold.
Right to restriction of processing (Art. 18) — pause processing while a dispute is resolved.
Right to data portability (Art. 20) — receive your data in a machine-readable format.
Right to object (Art. 21) — to processing based on legitimate interests, including direct marketing.
Right to withdraw consent at any time (Art. 7) where processing is based on consent.
Right to lodge a complaint with a supervisory authority (Art. 77) — for Greek residents, the HDPA (see §1).

To exercise these rights:

Self-service: open Settings → Account → Delete account or Download my data from within the Service.
Manual: email fokompet@gmail.com. We will respond within one month (with a possible two-month extension for complex or numerous requests, in which case we will notify you within the first month).

8. Children

The Service is not directed at children under 15. Under Greek Law 4624/2019, children under 15 in Greece (16 elsewhere in the EU under GDPR Art. 8) cannot consent to processing of their personal data without parental authorisation. If you are under this age, do not create an account. If we discover we have collected data from a child below this age without parental consent, we will delete it promptly.

9. How we protect your data

We use industry-standard security measures, including:

Sign-in is handled entirely by Google, GitHub, or Microsoft — we never receive or store your password.
TLS / HTTPS for all data in transit.
Row-level security (RLS) on every database table so users can only access their own data.
Rate-limiting on authentication endpoints.
Encrypted off-site backups.
Optional two-factor authentication (where supported by your sign-in provider).
Periodic security audits and dependency reviews.

We will notify the HDPA within 72 hours of becoming aware of a personal-data breach that risks user rights (GDPR Art. 33). When the breach is likely to result in a high risk to your rights, we will notify you directly without undue delay (Art. 34).

10. Advertising

When advertising is active on the Service, ads are served by Google AdSense. Third parties, including Google, use cookies to serve ads based on your prior visits to this site or to other sites. You can manage your choices through the consent banner shown on your first visit, or by clicking Cookie Settings in the footer.

You can also:

Opt out of personalised Google advertising at adssettings.google.com.
Opt out of third-party vendor use of cookies for personalised ads at aboutads.info (US Digital Advertising Alliance) or youronlinechoices.com (European Interactive Digital Advertising Alliance).

See our Cookie Policy for the full inventory of advertising cookies.

11. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to know what personal information we collect, use, disclose, and share.
Right to delete personal information.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing of personal information for cross-context behavioural advertising.
Right to non-discrimination for exercising your rights.

We do not sell your personal information. To submit a request, use the in-app self-service tools or email fokompet@gmail.com. We also honour Global Privacy Control (GPC) signals where transmitted by your browser.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced in-app via the notifications bell. The Effective date at the top reflects the current version. Previous versions are archived and available on request.

13. Contact

For any questions about this Policy or your rights, contact us at fokompet@gmail.com.

You may also contact the Hellenic Data Protection Authority:

Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα)
Kifissias 1-3, 11523 Athens, Greece
Phone: +30 210 6475 600
Web: www.dpa.gr