Skip to content

Privacy Policy

How cleanlist.app processes personal data — EU hosting, photo retention periods, login-free completion, bring-your-own-AI and your rights under the GDPR.

Stand:

Protecting your personal data is of high importance to Wogenfels GmbH as the operator of cleanlist.app. As a rule, you can use our website without providing any personal data. Using certain services (e.g. registration, demo request, newsletter) requires the processing of personal data. Where there is no legal basis for this, we generally obtain the consent of the data subject.

1. Controller for Data Processing

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection provisions is:

Wogenfels GmbH
Ing. Dominik Pototschnig, MSc.
Pribelsdorf 87
9125 Eberndorf
Austria

Email: hallo@cleanlist.app

A statutory data protection officer has not been appointed, as the legal requirements for this are not met. All data protection enquiries can be directed straight to the address above.

2. General Information on Data Processing

2.1 Data Security (SSL or TLS Encryption)

To protect the transmission of confidential content (e.g. enquiries, logins, photo uploads), our website and our platform use SSL or TLS encryption. You can recognise an encrypted connection by the browser address bar switching from “http://” to “https://” and by the padlock symbol. When encryption is active, the data transmitted to us cannot be read by third parties.

2.2 Storage Period

Unless a more specific storage period is stated within this privacy policy, your personal data remains with us until the purpose for processing it no longer applies. As a rule, the following criteria and periods apply:

  • Website log files are generally deleted after 14 days at the latest.
  • Customer and contract data is stored to fulfil our contractual and statutory obligations (tax and commercial retention periods of 7 years in Austria).
  • Proof photos and run data (SaaS): Photos and results from checklist runs are deleted fully automatically and irreversibly once the retention period configured per workspace has elapsed.
  • Demo and contact enquiries: Data from demo enquiries and general support/contact enquiries is generally deleted 6 months after final handling, provided no contract results from it and no statutory retention obligations apply.
  • Newsletter data is stored until you unsubscribe from the newsletter. After unsubscribing, the data is deleted; we reserve the right to store your email address on a suppression list for up to 3 years in order to prevent future unwanted mailings and to be able to provide proof of our former authorisation.

If you assert a legitimate request for deletion or withdraw consent, your data will be deleted without delay, provided no other legally permissible grounds (e.g. retention periods) stand in the way.

2.3 Data Transfer to Third Countries

Important note in advance: The core processing of our platform (checklists, runs, photos, damage reports, accounts) takes place exclusively on servers within the European Union (see point 3). We operate no artificial intelligence of our own; content is only transferred for AI functions if you yourself connect an external AI (see point 4.4).

A transfer of data to third countries (in particular the USA) relates exclusively to peripheral services for website operation, marketing or payment processing (e.g. Stripe, HubSpot, Mailchimp as well as – subject to your consent – web analytics and remarketing via Google, Meta and LinkedIn). Insofar as data is transferred to the USA in this context, we rely primarily on the EU-US Data Privacy Framework (DPF). If a provider is not covered by the DPF, we base the transfer on the Standard Contractual Clauses (SCC) of the EU Commission together with appropriate technical safeguards. We will be glad to provide you with a copy of the safeguards on request (by email to hallo@cleanlist.app).

3. Provision of the Website and Hosting

3.1 Hosting (Hetzner) & Server Management (Ploi)

Our website and our SaaS services are hosted on servers of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) within the EU. The server infrastructure is administered using the server management software Ploi (WebBuilds B.V., Amperestraat 16J, 3861NC Nijkerk, Netherlands).

3.2 Server Log Files

When you visit our website, our servers automatically record general data (server log files): (1) browser type and version, (2) operating system, (3) referrer URL, (4) date and time of access, (5) IP address and (6) the requesting internet service provider.

Legal basis: The temporary storage is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in a smooth connection setup, system security and stability as well as the optimisation of our website. Data processing agreements (DPA) pursuant to Art. 28 GDPR are in place with the named providers.

4. The cleanlist Platform (SaaS)

cleanlist.app is a digital checklist platform. With regard to the content processed by customers (admins) in their workspaces, the respective customer is the controller; in this respect Wogenfels GmbH is the processor (see point 5 and the Data Processing Agreement).

4.1 Accounts (Admins)

For the registration and use of the admin area, we process inventory data (name, email address, organisational affiliation, password hash). Authentication takes place via an established authentication library; passwords are stored exclusively as a secure hash.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

4.2 Login-Free Completion via QR Code (Operators)

The operators (e.g. cleaning staff) do not require a user account: access takes place via a link or QR code, optionally secured by a PIN. In the interest of data minimisation, only what the proof requires is recorded – typically the one-time name provided by the operator, timestamps as well as the results of the checklist (ticks, notes, photos). No advertising tracking and no profiling take place in the operator flow. Before submission, data-protection-compliant consent is obtained.

Legal basis: Processing on behalf of the respective customer (Art. 28 GDPR) for the performance of the contract with that customer.

4.3 Photo and Damage Records & Retention Periods

As part of runs, photos (e.g. as proof of execution or to document damage) as well as damage reports with severity and status can be recorded. The retention of proof photos is subject to a configurable retention period per workspace; once it has elapsed, the photos are deleted fully automatically and irreversibly. We recommend taking photos in such a way that no individuals are depicted.

4.4 Bring Your Own AI (MCP) — Transparency Note

cleanlist operates no artificial intelligence of its own. Optionally, as a customer you can connect your own AI model (e.g. ChatGPT or Claude) via the MCP interface in order to create or evaluate checklists by chat. If you activate this connection, the data requested for this purpose is transferred to the external AI model you have chosen. You as the customer are responsible for this transfer and the chosen AI offering (your own responsibility towards the AI provider). Without such an AI connection, your content does not leave our EU servers for this purpose.

4.5 Interfaces (API) & Webhooks

The platform provides a versioned API as well as outgoing webhooks (e.g. for connecting n8n, Make or Zapier). If webhooks or the API are configured by the customer, cleanlist transmits the specified event data to the target systems specified by the customer. The customer is responsible for the selection and lawfulness of these target systems.

5. Processing on Behalf of Our Customers

Insofar as we process personal data on behalf of our business customers (workspace content, runs, photos, operator data), this is done on the basis of a data processing agreement (DPA) pursuant to Art. 28 GDPR. You can find our standard DPA at /en/avv.

To provide certain functions and – subject to your consent – for analytics and marketing, we use cookies. To manage consent, we use the open-source tool vanilla-cookieconsent. On your first visit, a cookie banner is displayed; your choice is stored in the cc_cookie cookie (valid for 182 days).

The legal basis for technically necessary cookies is Art. 6(1)(f) GDPR or the performance of a contract. For all other cookies (analytics, marketing), your consent pursuant to Art. 6(1)(a) GDPR is decisive. You can withdraw your consent at any time via the cookie settings in the footer. Details on the individual cookies can be found in our Cookie Policy.

7. Contact and Demo Enquiries

If you contact us by email or via our demo/contact form, the information you provide (e.g. name, company, email address, number of properties) is stored for the purpose of handling the enquiry. This information is processed via our own backend on servers within the EU.

Legal basis: Art. 6(1)(b) GDPR, insofar as the enquiry is connected with the performance of a contract or serves pre-contractual measures; otherwise Art. 6(1)(f) GDPR (legitimate interest in the effective handling of enquiries).

8. Payment Processing (Stripe)

For the processing of chargeable services, we use the payment service provider Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland). The payment data you enter is transmitted directly to Stripe in encrypted form and processed there.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

9. Email Dispatch (System Emails & Newsletter)

System emails (Resend): For system-relevant transactional emails (e.g. registration confirmations, password resets, damage notifications) we use the service Resend (Resend, Inc., USA). The processing is necessary for the performance of a contract (Art. 6(1)(b) GDPR); to safeguard the European level of data protection, Standard Contractual Clauses are in place.

Newsletter (Mailchimp): If you subscribe to our newsletter, we send it via Mailchimp (Intuit Inc., USA). The dispatch takes place exclusively on the basis of your express consent (Art. 6(1)(a) GDPR). You can unsubscribe at any time (e.g. via the link at the end of each newsletter).

10. Customer Relationship Management (HubSpot)

To manage prospect and customer enquiries as well as for marketing purposes, we use HubSpot (HubSpot Ireland Ltd. / HubSpot, Inc., USA). If you submit data to us via a form or contact us, this data may be processed in HubSpot. The HubSpot tracking script is only loaded after you have consented to analytics cookies.

Legal basis: Art. 6(1)(b) and (f) GDPR (handling of enquiries, customer relationship management) or Art. 6(1)(a) GDPR (consent), insofar as cookies/tracking are concerned.

11. Analytics Tools and Advertising

Provided that you have given your consent via our cookie banner (Art. 6(1)(a) GDPR), we use the following analytics and marketing tools. For control, we use Google Consent Mode v2; without consent, no analytics/marketing cookies are set.

  • Google Analytics 4 & Google Ads: The provider is Google Ireland Limited. These tools analyse usage behaviour and measure the success of our advertisements (incl. remarketing/conversion tracking). Data may be transferred to Google servers in the USA.
  • Meta Pixel: The provider is Meta Platforms Ireland Limited. The Pixel enables targeted advertising on Facebook and Instagram as well as its analysis. The Pixel script is delivered first-party via our own domain.
  • LinkedIn Insight Tag: The provider is LinkedIn Ireland Unlimited Company. It enables the analysis of campaigns and reports on website visitors.

You can withdraw your consent at any time via the cookie settings. For the data transfer to the USA, the providers generally rely on the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses. Details of the cookies set can be found in the Cookie Policy.

12. Fonts (Local Embedding)

For a consistent display of fonts, this website uses web fonts (the “Inter” font family), which are embedded locally on our own servers. No connection to third-party servers takes place in this process; no IP addresses are transferred to third parties.

13. Your Rights as a Data Subject

Within the framework of the applicable statutory provisions, you have the following rights at any time:

  • Right of access to your stored personal data, its origin, recipients and the purpose of processing (Art. 15 GDPR).
  • Right to rectification of incorrect or incomplete data (Art. 16 GDPR).
  • Right to erasure (“right to be forgotten”), provided no statutory retention obligations stand in the way (Art. 17 GDPR).
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability in a common, machine-readable format (Art. 20 GDPR).
  • Right to withdraw consent given with effect for the future (Art. 7(3) GDPR).
  • Right to object to processing based on legitimate interests (Art. 21 GDPR).
  • Right to lodge a complaint with the supervisory authority – in Austria: Datenschutzbehörde (Austrian Data Protection Authority), www.dsb.gv.at.

To exercise your rights, an informal message to hallo@cleanlist.app is sufficient.