Privacy Policy
1. Controller and contact
The data controller for the personal data described in this policy is Miroslav Hařovský, sole trader, registered seat in the European Union at 100, Robousy, 506 01 Jičín, the Czech Republic, IČO 04518667, trading as Midnight Vision App (full identification: Imprint).
For privacy questions and to exercise your rights, contact report@midnightvision.app. We are not required to appoint, and have not appointed, a Data Protection Officer.
2. Plain-language summary
- We process the minimum we need to run the Service for you.
- Trello card content (titles, descriptions, comments, attachments) is read on demand to generate a report and is not stored in our database.
- Generated report text is not stored in our database either; it is returned to you and, for scheduled runs, handed to our mail-delivery sub-processor (Twilio / SendGrid) for transmission only.
- Prompts and outputs sent to the LLM provider (Anthropic) are not used to train their models per Anthropic’s commercial terms.
- We don’t embed third-party analytics, marketing pixels, or session-replay scripts.
- Subscription billing is handled by Lemon Squeezy as Merchant of Record; payment-card data never reaches us.
3. What we process and why
3.1 Power-Up usage data
| Category | Examples | Lawful basis |
|---|---|---|
| Trello identifiers | Trello member ID, board ID, organisation ID — pseudonymous identifiers issued by Trello. | Performance of the contract with you (Art. 6(1)(b) GDPR). |
| Report metadata (per run) | Audience preset, scope mode, filter labels, deadline window, token counts, generation duration, model identifier, timestamp. | Performance of the contract (Art. 6(1)(b)) and our legitimate interest in enforcing usage limits and preventing abuse (Art. 6(1)(f)). |
| Schedule configuration | Schedule name, frequency, time of day, timezone, audience, scope, filter labels, recipient email addresses you enter for delivery. | Performance of the contract (Art. 6(1)(b)). |
| Trello OAuth token (only if you enable scheduled runs) | Encrypted at rest with AES-256-GCM; one record per Trello member; expires every 30 days. | Performance of the contract (Art. 6(1)(b)). |
| Workspace templates | Template name and the instructions you write. | Performance of the contract (Art. 6(1)(b)). |
| In-product feedback (optional) | Free-text message, the view it was submitted from, your contact email if you provide one, and the Trello member / board / organisation identifiers of the context where you submitted it (used to follow up and to enforce abuse-prevention limits). | Your consent (Art. 6(1)(a)) when you submit the form. |
| Diagnostic logs | Endpoint, error kind, sanitised error message, timestamp; may include the organisation / board identifier of the failed request. | Legitimate interest in operating a reliable service (Art. 6(1)(f)). |
3.2 Billing data
Subscription billing is processed by Lemon Squeezy as Merchant of Record. We receive from Lemon Squeezy only the customer reference, the plan, and the subscription state. We do not receive or store full payment-card numbers, CVV codes, or banking credentials. Refer to Lemon Squeezy’s Privacy Policy for their handling of billing data.
3.3 Website data
The marketing website does not embed third-party analytics, advertising pixels, or session-replay scripts. Standard server-side request logs (IP address, request line, status, user agent) are produced and retained by our hosting provider Vercel under its own terms for operational and security purposes (Art. 6(1)(f)); we do not maintain our own request-access log in the application database.
4. What we do not store
- Trello card content (titles, descriptions, comments, members, labels, attachments, custom fields) — read on demand, processed to produce one report, then discarded. The application database has no table for card content.
- Generated report text — returned to you in the browser and, for scheduled runs, handed to our mail-delivery sub-processor (Twilio / SendGrid) for transmission. Not persisted in the application database.
- Email message bodies for scheduled deliveries — handed to the same mail-delivery sub-processor to transmit; not persisted in the application database.
- Payment-card data — never reaches us; Lemon Squeezy handles it end-to-end.
- We disable open and click tracking on outbound report emails so we do not learn whether your recipient opened or clicked the message.
5. Sub-processors
We rely on the following sub-processors strictly to operate the Service:
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Vercel Inc. | Hosting of the website and serverless backend. | United States. |
| Neon, Inc. | Managed PostgreSQL database (usage metadata, schedules, encrypted Trello tokens). | United States. |
| Anthropic, PBC | Generative LLM API used to produce report text from the inputs we submit on your behalf. Anthropic does not use commercial API inputs or outputs to train its models. | United States. |
| Twilio Inc. (SendGrid) | Delivery of scheduled report emails, feedback notifications, and other out-of-band transactional emails. Open and click tracking are explicitly disabled in every request we send. | United States. |
| Lemon Squeezy LLC (Merchant of Record) | Subscription checkout, payment processing, invoicing, tax collection, chargebacks. | United States and the European Union, depending on the customer and tax jurisdiction. |
| Atlassian (Trello) | Atlassian is the platform we plug into and is your service provider for Trello itself; not a sub-processor of ours. | Global (per Atlassian’s policies). |
6. International transfers
The sub-processors listed above include providers established in the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely on appropriate safeguards under Chapter V of the GDPR, primarily the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) included in the providers’ data-processing terms, supplemented (where the recipient is certified) by the EU-U.S. Data Privacy Framework. We can provide details of the safeguard relied on for a specific transfer on request.
7. Retention
- Trello card content and generated report text — not stored; processed in memory and discarded immediately after delivery.
- Report metadata (usage logs) — kept up to 24 months from creation, after which they are removed by an opportunistic database sweep. They are used to enforce per-period usage windows, to detect abuse, and to satisfy tax / accounting record-keeping duties applicable to us. You can delete them sooner from the Power-Up via “Delete all workspace data”.
- Encrypted Trello OAuth tokens — kept while the member has at least one active schedule. Automatically deleted in three cases: (a) when you revoke the token from the Power-Up Settings, (b) when you delete the last schedule that needs it (we purge the token in the same database transaction), and (c) when the 30-day Trello-issued expiry passes — our cron sweeps expired rows every ten minutes.
- Schedule configurations and templates — deleted immediately when you remove them in the Power-Up or call “Delete all workspace data” from Settings.
- Workspace record (opaque ID, license tier, trial start date) — a single row that holds only the opaque Trello workspace ID, your current license tier and the date your free trial started. It contains no personal data and no Trello card content. We retain it after “Delete all workspace data” on the basis of our legitimate interest in fairly administering the free trial (Art. 6(1)(f) GDPR). If you would like this row removed as well, write to report@midnightvision.app and we will action it.
- Diagnostic and error logs — kept up to 90 days from creation, then deleted by an opportunistic database sweep.
- Feedback messages and contact emails you submit — kept up to 24 months from submission, after which they are removed by an opportunistic database sweep. We may keep an individual message longer only if it is needed to resolve an open support case; in that case it is deleted as soon as the case is closed.
- Billing records — Lemon Squeezy retains these per its policy; we keep payout reports for as long as required by Czech tax and accounting law (typically 10 years for tax records).
8. Your rights
Under the GDPR you have the right to: access your personal data; rectify inaccurate data; have data erased (“right to be forgotten”) where one of the legal grounds applies; restrict processing; request data portability; object to processing carried out under our legitimate interest; and, where applicable, withdraw a consent you previously gave (without affecting the lawfulness of processing before withdrawal).
To exercise any of these rights, write to report@midnightvision.app. We will respond without undue delay and in any event within one month, as required by Article 12(3) GDPR. There is no fee, unless your request is manifestly unfounded or excessive.
Self-service deletion. Inside the Power-Up you can also delete workspace-scoped user data without contacting us. Open the Power-Up gear menu and choose Settings; the Delete all workspace data action removes schedules, custom templates, usage logs and feedback rows. If you no longer have paid access, it also removes the local billing link we keep for your workspace; if you still have an active plan (including a cancelled plan that remains valid until the end of the paid period), billing records are left intact. The Revoke Trello token action deletes the encrypted OAuth token separately. These actions run immediately and cannot be undone. The single workspace record described in the retention section above is kept on the basis of our legitimate interest; e-mail us if you would like it removed too.
You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. In the Czech Republic, the competent authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), uoou.cz.
9. Security
We apply technical and organisational measures appropriate to the risk, including: transport encryption (HTTPS / TLS) for all traffic; encryption at rest with AES-256-GCM for stored Trello OAuth tokens; the principle of least privilege for database access; sub-processors that hold widely recognised security certifications; short retention windows; and logging that is sanitised to avoid storing card content. No system is perfectly secure, but we treat these measures as a baseline and improve them as the Service grows.
10. Cookies and local storage
The marketing website does not set any cookie used for tracking, advertising, or analytics. Inside the Power-Up running in the Trello iframe, we use the browser’s local storage on your device for strictly functional purposes such as remembering your last form selections (audience preset, scope, filters), caching your trial status to avoid extra requests, and storing the report you just generated so it survives a tab refresh. This data stays on your device. The Trello SDK loaded by the Power-Up may itself set cookies governed by Atlassian’s policies.
11. Children
The Service is intended for professional users aged at least 18. We do not knowingly process personal data of children. If you believe a child’s data has reached us, please contact us and we will delete it.
12. Automated decision-making
We do not perform automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR). The report generation is performed by an LLM but each report is requested by you for your own information; it does not produce a legal or similarly significant decision about any data subject by itself.
13. Changes
We may update this policy. The current version is always available at /legal/privacy with the “Effective” date at the top. For material changes we will notify subscribers in advance by in-product banner and / or email.
14. Contact
For privacy questions or requests under the GDPR, contact report@midnightvision.app, or write to the postal address listed in our Imprint.