Privacy Policy

Last updated: June 2026

This English version is a non-binding convenience translation. For users in Germany / the EU the binding German version (available via the language toggle above) is authoritative.

For the content and functions of the web app https://ace-the-backlog.com (hereinafter "Services").

Introduction

Privacy policies are often hard to read. We understand that, and we want to do it differently. With this privacy policy we want to give users an easy-to-understand explanation of the way in which we process personal data. To this end we structure our privacy policy clearly and show users, for each topic, whether and how we process users' personal data.

In this privacy policy we explain to users whether and how we process personal data. We describe all processing operations carried out by us, by third-party services we commission or embed, or by other third parties on our behalf in the course of the use of our web app and the functions available, as well as in the course of performing our contractual relationship (hereinafter together also referred to as "Services").

Table of contents

Our privacy policy is structured as follows:

  1. General – brief introduction to the subject of the privacy policy, the controller, and the data protection officer
  2. General information on data processing – information on what personal data is, on which legal basis we process it or share it with third parties
  3. Data subject rights – information on users' rights to, among other things, access, erasure, or objection to our data processing
  4. Information on the cookies and other technologies used – information on the use of cookies and other technologies with which we process users' personal data
  5. Data processing in connection with the use of our Services – information on our data processing within the Services themselves
  6. Communication Services – information on services for communication and on the corresponding processing of personal data
  7. Provision of our Services – information on hosting providers and the services they use
  8. Tracking & tools – information on services through which we provide our Services to users and through which we analyse the use of our Services

1. General

The protection of personal data and privacy is extremely important to us. We therefore want to offer users full transparency regarding the processing of personal data (GDPR) and the storage of information on the user's device (TDDDG). Only if the processing of personal data and information is comprehensible to users as data subjects are they sufficiently informed about the scope, the purposes, and the benefit of the processing.

This privacy policy applies to all processing of personal data carried out by us and to the storage of information on devices. It therefore applies both in the context of providing services within our Services and within external online presences, such as our social media profiles.

The controller within the meaning of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other data protection provisions is:

Noah Wagner
Sole proprietorship
Karl-Ries-Str. 22
91550 Dinkelsbühl, Germany
Email: hello@ace-the-backlog.com
Phone: +49 (0) 160-7581190

Hereinafter referred to as "controller" or "we".

2. General information on data processing

First we want to give users some introductory information on what the protection of personal data means, what personal data is, how we process it, and what security measures we apply.

Ace-The-Backlog is a free web tool for agile teams that lets you estimate story points anonymously via planning poker. Several participants join a session through a shared room link, estimate face-down, and reveal together. No registration is required; all room data is automatically deleted after 24 hours.

2.1 Processing of personal data

Personal data (hereinafter also "data") is any information relating to the personal or material circumstances of an identified or identifiable natural person.

Information about personal or material circumstances includes, for example, the following data (not all of which is necessarily processed by our Services):

  • Personal data – first name, last name
  • Communication data – email address
  • Geodata – IP address & location data

The "processing" of personal data includes, for example, the following operations:

  • Collection – the collection of data via contact forms, by email, or through processes and services we use
  • Transfer – the transfer of data to our service providers, embedded services, or other third parties
  • Storage – the storage of data in our databases or on our servers
  • Modification – the modification of data due to changes of name, place of residence, or of entries in our Services
  • Erasure – the erasure of data when we are no longer authorised to process it

2.2 Legal bases for processing personal data

We process personal data only within the legally permissible limits. We are already obliged to do so by law, in particular by the GDPR. Accordingly we are required to be able to base processing operations on a legal basis at all times. These legal bases are set out in Art. 6 (1) GDPR. Below we list all the legal bases on which we base any processing of personal data.

  • For the performance of a contract – Art. 6 (1)(b) GDPR: data is processed where this is necessary for the performance of a contract between us or for taking pre-contractual steps. Where processing is no longer necessary for the performance of the contract, we no longer process users' personal data.
  • Compliance with a legal obligation – Art. 6 (1)(c) GDPR: data is processed where this processing is necessary for compliance with a legal obligation to which we as controller are subject.
  • Legitimate interest – Art. 6 (1)(f) GDPR: data is processed where this is necessary to safeguard a legitimate interest on our side and the interests or fundamental rights and freedoms of users regarding the protection of data do not override it.

We process personal data only for clearly defined purposes (Art. 5 (1)(b) GDPR). As soon as the purpose of processing ceases to apply, users' personal data is erased or protected by technical and organisational measures (e.g. pseudonymisation).

The same applies to the expiry of a prescribed retention period, subject to cases in which further storage is necessary to conclude or perform a contract. Furthermore, a legal obligation to store data longer or to disclose it to third parties (in particular to law enforcement authorities) may arise. In other cases the retention period and type of data collected, as well as the type of data processing, depend on which functions a user uses in the individual case. We are happy to provide users with information about this on a case-by-case basis pursuant to Art. 15 GDPR.

2.3 The categories of data we process

Data categories include in particular the following data:

  • Master data (e.g. names, addresses, dates of birth),
  • Contact data (e.g. email addresses, phone numbers, messenger services),
  • Content data (e.g. text entries, photographs, videos, contents of documents/files),
  • Contract data (e.g. subject of the contract, terms, customer category),
  • Usage data (e.g. history within our Services, use of certain content, access times),
  • Connection data (e.g. device information, IP addresses, URL referrer).

2.4 The security measures we take

In accordance with statutory requirements and taking into account the state of the art, the cost of implementation, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to rights and freedoms, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.

These measures include in particular ensuring that our users' data is stored and processed confidentially, with integrity, and is available at all times. They also include controls over access to data and over access, input, transfer, securing of availability, and separation from data of other natural persons. Furthermore, we have established procedures to ensure the exercise of data subject rights (see section 3), the erasure of data, and responses to threats to our users' data. We also take the protection of personal data into account already during the development of our software and through procedures that comply with the principle of data protection by design and by default.

2.5 How we transfer or disclose personal data to third parties

In the course of our processing of personal data it may happen that this data is transferred or disclosed to other entities, companies, legally independent organisational units, or persons. These third parties may include, for example, service providers commissioned with IT tasks or providers of services and content that we have embedded into our Services. If we transfer or disclose users' personal data to third parties, we observe the statutory requirements and, in particular, conclude appropriate contracts or agreements that serve to protect data with the recipients of the data.

2.6 How a third-country transfer takes place

If this privacy policy indicates that we transfer users' personal data to a third country, i.e. a country outside the EU or the EEA, the following applies. A third-country transfer only takes place in accordance with statutory requirements. We assure users that we have a contractual or statutory authorisation to transfer and process data in the third country concerned. Furthermore, we only have users' data processed by service providers in third countries that, in our view, have a recognised level of data protection. This means that, for example, an adequacy decision exists between the EU and the country to which we transfer users' personal data. An "adequacy decision" is a decision adopted by the European Commission pursuant to Art. 45 GDPR determining that a third country (i.e. a country not bound by the GDPR) or an international organisation offers an adequate level of protection for personal data. Alternatively, e.g. where there is no adequacy decision, a third-country transfer only takes place if, for instance, contractual obligations between us and the service provider in the third country exist by means of so-called EU Commission standard contractual clauses and further technical security precautions have been taken which ensure a level of protection appropriately equivalent to that in the EU, or if the service provider in the third country can present data protection certifications and our users' data is processed only in accordance with internal data protection rules (Art. 44 to 49 GDPR. Information page of the EU Commission: international-dimension-data-protection).

Within the framework of the so-called "Data Privacy Framework" ("DPF"), the EU Commission, by way of the adequacy decision of 10 July 2023, recognised the level of data protection for certain companies from the USA as adequate. Users can find a list of the certified companies and further information on the DPF on the website of the US Department of Commerce at dataprivacyframework.gov (in English). Within this privacy policy we inform users which of the services we use are certified under the Data Privacy Framework.

Please note: certification under the EU-US Data Privacy Framework (DPF) is company-specific and may change at any time. We regularly check whether the US service providers we use are certified under the DPF at the time of the respective data processing. The current list of certified companies is available at dataprivacyframework.gov/list.

If a service provider we use is no longer certified under the DPF, the transfer of personal data takes place exclusively on the basis of the EU Commission's standard contractual clauses and supplementary technical and organisational measures.

2.7 Erasure of data

The data we process is erased in accordance with statutory requirements as soon as the consents permitting its processing are withdrawn or other authorisations cease to apply (e.g. when the purpose of processing this data has ceased to apply or it is no longer necessary for the purpose). If the data is not erased because it is necessary for other and legally permissible purposes, its processing is restricted to those purposes. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax-law reasons or whose storage is necessary for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person.

Within this privacy policy we provide information, where applicable, on the erasure and retention of data that applies specifically to the respective processing operations.

2.8 Storage of and access to data on the user's device

Unless we obtain consent from users, the storage of, or access to, information on the user's device takes place pursuant to § 25 (2) no. 2 of the Act on Data Protection and the Protection of Privacy in Telecommunications and Digital Services (TDDDG), because the storage of, and access to, this information is strictly necessary in order to provide the desired functions of our Services. Where we do obtain consent, the legal basis is § 25 (1) TDDDG. Our Services use cookies, tokens, or other technologies that may be stored on devices and without which the provision of our Services would not be possible.

Cookies, tokens, or other technologies are generally text files that are stored on the user's device and can be read by us and by third parties when our Services are accessed. Many of the aforementioned technologies contain their own ID. Such an ID is a unique identifier of the respective technology used. It consists of a string of characters by which websites and servers can be assigned to the specific internet browser or to the specific service or device used on which cookies, tokens, or other technologies were stored. This enables operators of websites and analytics services to identify users as such and to distinguish them from others.

2.9 Processing on our behalf

If we use external service providers to process data, they are carefully selected and commissioned by us. If the services these providers render constitute processing on our behalf within the meaning of Art. 28 GDPR, the service providers are bound by our instructions and are regularly monitored. Our data processing agreements comply with the strict requirements of Art. 28 GDPR and with the requirements of the German data protection authorities.

3. Data subject rights

If our users' personal data is processed, they are data subjects within the meaning of the GDPR and have the following rights vis-à-vis the controller:

3.1 Right of access

Users may request confirmation from the controller as to whether personal data concerning them is being processed by us.

Where such processing takes place, users may request information from the controller about the following:

  • the purposes for which the personal data is processed;
  • the categories of personal data being processed;
  • the recipients or categories of recipients to whom the personal data concerning the user has been or will be disclosed;
  • the envisaged duration for which the personal data concerning the user will be stored or, if specific information is not possible, the criteria for determining that duration;
  • the existence of a right to rectification or erasure of the personal data concerning the user, a right to restriction of processing by the controller, or a right to object to that processing;
  • the existence of a right to lodge a complaint with a supervisory authority;
  • all available information about the origin of the data, where the personal data is not collected from the data subject;
  • the existence of automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

Users have the right to request information as to whether the personal data concerning them is transferred to a third country or to an international organisation. In this context users may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

3.2 Right to rectification

Users have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning them is inaccurate or incomplete. The controller must carry out the rectification without delay.

3.3 Right to restriction of processing

Under the following conditions users may request the restriction of the processing of the personal data concerning them:

  • if users contest the accuracy of the personal data concerning them, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and users oppose the erasure of the personal data and instead request the restriction of its use;
  • the controller no longer needs the personal data for the purposes of the processing, but users require it for the establishment, exercise, or defence of legal claims, or
  • if users have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the controller's legitimate grounds override those of the user.

Where the processing of the personal data concerning the user has been restricted, such data may – apart from its storage – only be processed with consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

Where processing has been restricted under the above conditions, users will be informed by the controller before the restriction is lifted.

3.4 Right to erasure

3.4.1. Users may request the controller to erase the personal data concerning them without delay, and the controller is obliged to erase that data without delay where one of the following grounds applies:

  • The personal data concerning the user is no longer necessary for the purposes for which it was collected or otherwise processed.
  • Users withdraw consent on which the processing was based pursuant to Art. 6 (1)(a) or Art. 9 (2)(a) GDPR, and there is no other legal basis for the processing.
  • Users object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or users object to the processing pursuant to Art. 21 (2) GDPR.
  • The personal data concerning the user has been unlawfully processed.
  • The erasure of the personal data concerning the user is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
  • The personal data concerning the user was collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.

3.4.2. Where the controller has made the personal data concerning the user public and is obliged to erase it pursuant to Art. 17 (1) GDPR, the controller, taking account of available technology and the cost of implementation, takes reasonable measures, including technical ones, to inform controllers processing the personal data that the user as data subject has requested the erasure of any links to, or copies or replications of, that personal data.

3.4.3. The right to erasure does not exist insofar as the processing is necessary

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health pursuant to Art. 9 (2)(h) and (i) as well as Art. 9 (3) GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  • for the establishment, exercise, or defence of legal claims.

3.5 Right to notification

Where users have exercised the right to rectification, erasure, or restriction of processing vis-à-vis the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning the user has been disclosed, unless this proves impossible or involves disproportionate effort.

Users have the right vis-à-vis the controller to be informed about those recipients.

3.6 Right to data portability

Users have the right to receive the personal data concerning them which they have provided to the controller in a structured, commonly used, and machine-readable format. Users also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6 (1)(a) GDPR or Art. 9 (2)(a) GDPR or on a contract pursuant to Art. 6 (1)(b) GDPR and the processing is carried out by automated means.

In exercising this right, users also have the right to have the personal data concerning them transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be adversely affected by this.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

3.7 Right to object

Users have the right, on grounds relating to their particular situation, to object at any time to the processing of the personal data concerning them which is carried out on the basis of Art. 6 (1)(e) or (f) GDPR; this also applies to profiling based on those provisions.

The controller will no longer process the personal data concerning the user unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of our users, or the processing serves the establishment, exercise, or defence of legal claims.

Where the personal data concerning the user is processed for direct marketing purposes, users have the right to object at any time to the processing of the personal data concerning them for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

If users object to processing for direct marketing purposes, the personal data concerning them will no longer be processed for these purposes.

Users have the option, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise the right to object by automated means using technical specifications.

3.8 Right to withdraw the data protection consent

Users have the right to withdraw a data protection consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the withdrawal. Processing is lawful up until a withdrawal – the withdrawal therefore only takes effect on processing after receipt of the withdrawal. Users may declare the withdrawal informally by post or email. The processing of personal data then ceases, subject to the permission of another legal basis. If this is not the case, our users' data must be erased without delay following the withdrawal pursuant to Art. 17 (2) GDPR. The right to withdraw consent, subject to the conditions stated above, is guaranteed.

The withdrawal should be addressed to:

Noah Wagner
Sole proprietorship
Karl-Ries-Str. 22
91550 Dinkelsbühl, Germany
Email: hello@ace-the-backlog.com
Phone: +49 (0) 160-7581190

3.9 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, users have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of the personal data concerning them infringes the GDPR.

The supervisory authority with which the complaint has been lodged informs the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

3.10 Automated individual decision-making including profiling

Automated individual decision-making within the meaning of Art. 22 GDPR does not take place. In some areas, however, we use automated procedures to structure or optimise content, communication, or processes (e.g. statistical analyses). These procedures produce no legal effect concerning users and do not significantly affect them in a comparable manner.

3.11 Notification obligations of the controller

If users' personal data has been lawfully disclosed to other recipients (third parties), we communicate to them any rectification, erasure, or restriction of the processing of personal data (Art. 16, Art. 17 (1), and Art. 18 GDPR). The notification obligation does not apply if it involves disproportionate effort or is impossible. We also inform users about the recipients upon request.

4. Information on the cookies and other technologies used

4.1 How we use cookies and other technologies

We use cookies or other technologies to provide our Services. Cookies are, for example, small text files that contain data from visited websites or domains and are stored on a device (computer, tablet, or smartphone). When users access a website, the cookie stored on a device sends information to whoever placed the cookie.

4.2 Storage period of cookies and other technologies

The specific storage period of cookies and comparable technologies depends on the respective service used. Unless specific information is provided, cookies are deleted, or lose their validity, at the latest after 24 hours.

5. Data processing in connection with the use of our Services

The use of our Services with all their functions involves the processing of personal data. We explain to users here exactly how this happens.

Informational use of our Services

The purely informational access to our Services requires the processing of the following personal data and information: device type and device version, operating system used, IP address of the device with which users access our Services, and the time of access to our Services. All of this information is transmitted automatically by a device unless users have configured the device in such a way that the transmission of the information is suppressed.

This personal data is processed for the purpose of the functionality and optimisation of our Services, as well as to ensure the security of our information technology systems. These purposes are at the same time legitimate interests under Art. 6 (1)(f) GDPR; the processing therefore takes place on a legal basis.

6. Communication Services

6.1 Contact by email

We process the personal data that users provide to us when contacting us for the purpose of responding to an inquiry, an email, or a callback request. The data categories processed here are master data, contact data, content data, and, where applicable, usage data, connection data, and contract data. In individual cases we forward this data to companies affiliated with us, or to third parties who may process this data for the handling of orders and bookings as agreed. The legal basis for the processing depends on the purpose of the contact. By making an inquiry by email, users declare that they wish to receive answers or information on certain topics. For this purpose users also provide their data. We respond to an inquiry as requested and process our users' data for this purpose. The authorisation to process data is therefore based on Art. 6 (1)(b) GDPR, since we process it to answer an inquiry and thus to perform the corresponding contract.

6.2 Voting

Within our Services we offer users the possibility to vote on specific topics. Here users may appear with a display name they have chosen themselves. If this is the user's real name, we thereby process master data and, where applicable, content data, i.e. the contents of the users' votes. Our legal basis for processing personal data in this way results from Art. 6 (1)(b) GDPR (performance of a contract), since voting is an essential part of our Services and users use our Services for this reason.

7. Hosting

7.1 Provision of our Services

In order to be able to provide our Services to users, we use the services of the hosting providers named below. Our Services are accessed from the servers of these hosting providers. For these purposes we use the infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services of the hosting providers.

The data processed includes all such data that users enter in the course of use and communication in connection with their visit to our Services, or that is collected from users in the process (e.g. IP address). Our legal basis for using the hosting providers to provide our Services results from Art. 6 (1)(f) GDPR (legitimate interest).

7.2 Receiving and sending emails

The services we use from the hosting providers may also include the sending, receiving, and storage of emails. For these purposes the addresses of the recipients and senders of emails, further information concerning the sending of the email (e.g. the providers involved), and the contents of the respective emails are processed. The aforementioned data is processed among other things for the purpose of detecting spam. Emails are, as a matter of principle, not sent encrypted over the internet. Although emails are as a rule encrypted in transit, they are not (unless end-to-end encryption is used) encrypted on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of the emails between the sender and receipt on our server. Our legal basis for using the hosting providers to receive and send emails results from Art. 6 (1)(f) GDPR (legitimate interest).

7.3 Collection of access data and log files

We ourselves (or the hosting providers) collect data on every access to the server (server log files). The server log files may include the address and name of the accessed services and files, the date and time of access, the amount of data transferred, a notification of successful access, the device type and version, the operating system, the referrer URL (the previously visited page), and as a rule IP addresses and the requesting provider.

The server log files may be used, on the one hand, for security purposes, e.g. to avoid an overload of the servers (in particular in the case of abusive attacks, so-called DDoS attacks), and, on the other hand, to ensure the utilisation of the servers and their stability. Our legal basis for using a hosting provider for the collection of access data and log files results from Art. 6 (1)(f) GDPR (legitimate interest).

The hosting providers we use are the following:

Cloudflare, Inc.
101 Townsend Street
San Francisco, CA 94107
USA

Supabase, Inc.
3500 S Dupont Hwy
Dover, DE 19901-6041
USA

8. Tracking & tools

To ensure a smooth technical operation and an optimal user-friendly use of our Services, we use the following services:

Cloudflare Web Analytics

We use the web analytics service "Cloudflare Web Analytics" to continuously optimise our Services, both technically and in terms of content. The data processed here is usage data and connection data. The recipient of the data is Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, hereinafter referred to only as "Cloudflare Web Analytics". If Cloudflare transfers this data to a third country (e.g. the USA), this only happens on a case-by-case basis, on the basis of a data processing agreement concluded with Cloudflare and in accordance with standard contractual clauses agreed with Cloudflare and other security measures permitted by the GDPR which ensure the security of the processing of personal data with a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF). Cloudflare Web Analytics pursues a particularly privacy-friendly approach to analysing the use of our Services. For this purpose Cloudflare Web Analytics records, among other things, the following information: aggregated reach measurement (page views, referrer, country at country level, browser/device class, Core Web Vitals). Cloudflare Web Analytics does not use or store any "cookies" on the user's device. The legal basis for using Cloudflare Web Analytics results from Art. 6 (1)(f) GDPR (legitimate interest). We have an interest in analysing usage behaviour and drawing important conclusions from it for our Services. Since neither we nor Cloudflare Web Analytics use cookies or localStorage entries, and the service involves no user IDs, no cross-site tracking, and no persistent IP storage, and the data is not combined with other data sources, users' interest in the most privacy-preserving treatment of their personal data possible is not unduly impaired. Further information on data protection at Cloudflare Web Analytics can be found at https://www.cloudflare.com/privacypolicy/.