Launch Checklist
ChecklistPricing
Quick Check
LoginRegister
© 2026 Launch Checklist · Developed by INGENIUMDESIGNAbout|Legal Notice|Privacy PolicyVersion 26.18.0

Privacy Policy

Last updated: 07.04.2026

We take the protection of your personal data very seriously. This privacy policy explains what data we collect, why we collect it and what your rights are. Launch Checklist is designed with a privacy-first approach — we do not use tracking, analytics or third-party advertising scripts.

1. Responsible Party

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Sebastian Schmal — INGENIUMDESIGN

Fichtenweg 13, 65510 Idstein, Germany

Email: info@ingeniumdesign.de

Web: launch-checklist.com

2. Privacy at a Glance

  • No tracking or analytics tools (no Google Analytics, no Matomo, no similar services)
  • No cookie banner required — we only use technically necessary cookies
  • No third-party scripts, ads or social media plugins
  • All fonts are self-hosted (no external requests to Google or other CDNs)
  • Hosting on self-managed servers in the EU
  • No data is sold or shared with third parties
  • Open source — the code is publicly auditable

3. Hosting & Infrastructure

Launch Checklist is hosted on a self-managed server in the European Union. The application runs in Docker containers on an Ubuntu server. The database (PostgreSQL) runs on the same server. No external cloud services (AWS, Google Cloud, Azure, etc.) are used for data processing or storage.

4. Server Log Files

When you visit our website, the web server automatically collects technical data required for delivering the page. This may include:

  • IP address (anonymized)
  • Date and time of access
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and stable operation of the website). Server logs are deleted automatically after 14 days.

5. User Registration & Account

When you create an account, we collect the following data:

  • Name — displayed within teams and project assignments
  • Email address — used for login, team invitations and password reset
  • Password — stored as a cryptographic hash (bcrypt), never in plain text
  • Profile picture (optional) — stored locally on our server

Legal basis: Art. 6(1)(b) GDPR (contract performance). Your account data is stored until you delete your account. Upon deletion, all data is soft-deleted and permanently removed after the retention period.

6. Cookies

Launch Checklist only uses technically necessary cookies. No consent banner is required because we do not use any cookies for tracking, analytics or advertising purposes.

Cookie NamePurposeDuration
authjs.session-tokenUser session (login authentication)Session / 30 days
authjs.csrf-tokenCSRF protection for form submissionsSession
authjs.callback-urlRedirect URL after loginSession
wlc_temp_projectLinks anonymous checklist to user30 days
wlc_active_teamRemembers the currently selected team1 year
wlc_share_auth_*Authenticates password-protected share links7 days

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the functionality of the application). All cookies are strictly functional — none are used for tracking or advertising.

7. Email Communication

We send emails exclusively for application-related purposes via our own SMTP server. No email marketing services (Mailchimp, SendGrid, etc.) are used. Emails are sent in the following cases:

  • Team invitations — when a team owner or admin invites a member
  • Magic Link login — passwordless authentication link (valid for 15 minutes)
  • Password reset — link to set a new password (valid for 60 minutes)
  • Invitation accepted — notification to team owner/admins when an invitation is accepted

Legal basis: Art. 6(1)(b) GDPR (contract performance). We do not send newsletters, marketing emails or promotional content.

8. Team Collaboration

When you create or join a team, the following data is shared within the team:

  • Your name and email address are visible to other team members
  • Your role (Owner, Admin, Member) is visible within the team
  • Task assignments — team members can see who is assigned to a task
  • Invitations contain the invitee's email address and are visible to team admins

Legal basis: Art. 6(1)(b) GDPR (contract performance — team collaboration is a core feature of the application).

9. Automated Website Checks

When you trigger automated checks (Auto-Check) for a project, our server contacts the domain configured in your project to perform technical checks (SSL, robots.txt, sitemap, security headers, etc.). This means:

  • Our server makes HTTP/HTTPS requests to your domain
  • No personal data is transmitted — only standard HTTP requests
  • Check results are stored in our database and associated with your project
  • If you provide Basic Auth credentials for staging environments, they are stored encrypted (AES-256-GCM)

Legal basis: Art. 6(1)(b) GDPR (contract performance — verification is a core feature you actively trigger).

10. Public View Links

You can share projects via read-only public links. When someone accesses a public link:

  • An access counter is incremented (no personal data stored)
  • For rate limiting of password-protected links, IP addresses are hashed (one-way, irreversible) — we cannot identify individual visitors
  • No account or login is required to view shared projects

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing the sharing feature and preventing abuse).

11. Temporary Projects (Free Users)

Users without an account can use a limited checklist. A temporary project is created and linked via a cookie (wlc_temp_project). This data is automatically deleted after 30 days of inactivity. If you register, the temporary project is converted to a permanent project associated with your account.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing the free checklist feature).

12. Data Retention & Deletion

We follow a soft-delete strategy — when you delete data (projects, tasks, account), it is marked as deleted but retained for a limited period before permanent removal. This allows recovery in case of accidental deletion.

  • Deleted accounts: retained for 30 days, then permanently removed
  • Deleted projects: retained for 30 days, then permanently removed
  • Temporary projects: automatically deleted after 30 days of inactivity
  • Magic Link and password reset tokens: deleted immediately after use or upon expiry (15 / 60 minutes)
  • Server logs: deleted after 14 days

13. SSL/TLS Encryption

This website uses SSL/TLS encryption (HTTPS) for security reasons and to protect the transmission of personal data and other confidential content. You can recognize an encrypted connection by the lock icon in your browser's address bar.

14. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — you can request information about what data we store about you
  • Right to rectification (Art. 16 GDPR) — you can request correction of inaccurate data
  • Right to erasure (Art. 17 GDPR) — you can request deletion of your data
  • Right to restriction (Art. 18 GDPR) — you can request restriction of processing
  • Right to data portability (Art. 20 GDPR) — you can request your data in a machine-readable format
  • Right to object (Art. 21 GDPR) — you can object to processing based on legitimate interests
  • Right to lodge a complaint — you can contact the supervisory authority for data protection in your country

To exercise your rights, please contact us at: info@ingeniumdesign.de

15. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in the application or legal requirements. The current version is always available on this page. We recommend checking this page occasionally.