Legal document

Privacy Policy

Information about what data Project 90 processes, for what purposes, who it may be shared with and what rights the user has.

Updated: May 3, 2026

Data privacy

Summary

Data is used to operate your account and sprint

We process data needed to run the solo account, generate plans, handle check-ins, notifications, payments, invoices, security and platform improvement.

Cookie Policy

Data controller

The controller of personal data processed within Project 90 is NGITECH as the platform operator. The controller’s contact details are available on the contact page and on the NGITECH website.

For personal data matters, the user may contact the controller through the contact channels indicated on the contact page.

Data categories

We process data provided by the user and data generated while using the platform. The scope depends on selected features, plan, notification settings and login method.

account data: email, name, language, timezone, email verification status and security settings
login and security data: password hashes, session tokens, login events and 2FA codes stored in hashed form
project data: name, description, stage, target group, offer, sprint goal, constraints, channels and preferences
plan and task data: 7-day plans, tasks, completion statuses, minimum actions and plan rebuilds
check-in data: daily status, notes, blockers, mood and update history
notification data: email address, phone number, consents, quiet hours, sending status, delivery events and errors
payment and invoice data: plan, subscription status, Stripe identifiers, buyer data, tax ID, address and invoice metadata
technical data: IP address, user agent, requestId, error logs, system events and analytics data

Purposes and legal bases

We process data to provide the service, operate the account, perform the agreement, ensure security, handle payments and invoices, communicate with the user, process support requests, comply with legal obligations and improve product analytics.

Depending on the situation, the legal basis may be performance of a contract, legal obligation, legitimate interest of the controller or user consent, for example for selected notifications or analytical cookies.

AI data processing

AI is used to prepare or rebuild a sprint plan. Information entered by the user during project onboarding and data required to generate or rebuild the plan may be sent to the AI model.

AI is not used for formal sprint review. Sprint review is calculated by application rules based on task statuses, check-ins and the start date of the active plan.

The user should limit data entered for AI to what is necessary to prepare the plan and should not provide sensitive or confidential data unless necessary.

Data recipients and providers

Data may be shared with service providers necessary for platform operation, only to the extent needed for the relevant function. This may include hosting, error monitoring, payments, PWA notifications, email, invoice storage, analytics and AI providers.

Stripe — subscription payments and customer portal
OpenAI — sprint plan generation or rebuild
operator-owned SMTP/IMAP server — email delivery
OVH S3 Object Storage — private storage of invoice PDFs
Sentry or equivalent tool — error diagnostics and application stability
Plausible, PostHog or equivalent tool — product analytics if enabled

Transfers outside the EEA

Some technology providers may process data outside the European Economic Area. In such cases, the controller applies appropriate legal mechanisms required by law, such as standard contractual clauses or other permitted safeguards.

Retention period

Account and project data is stored for as long as the account exists or as long as needed to provide the service. Technical data, logs and security events may be stored for a limited period needed for security and diagnostics.

Invoice, billing and data required by tax or accounting law may be stored for the period required by law. Data needed to establish, pursue or defend claims may be stored until claims expire.

User rights

The user has the right to access data, rectify it, delete it, restrict processing, data portability, object to processing based on legitimate interest and withdraw consent where processing is based on consent.

The user may request data export or account deletion in the application, if available, or by contacting the controller. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

Security

The platform uses organizational and technical measures to protect data, including authentication, password hashing, email 2FA, userId-based access control, rate limiting, health checks, error monitoring and sensitive data masking in logs.

The user should use a strong password, protect access to their email account, not share the account with others and not disclose 2FA codes to third parties.

Cookies and similar technologies

The platform uses cookies and similar technologies as described in the Cookie Policy. Some cookies are necessary for the website and application to work, while others may support analytics or remembering preferences.

Complaint to a supervisory authority

The user has the right to lodge a complaint with the competent data protection supervisory authority if they believe that data processing violates the law. In Poland, this authority is the President of the Personal Data Protection Office.