Privacy Policy

Datenschutzerklärung under Art. 13 GDPR.

Last updated: 14 July 2026

The short version

We sell a subscription. That is the entire business model. We do not run ads, we do not have trackers, we do not sell or share your data, and we do not use analytics. Because we set no non-essential cookies, there is no cookie banner on this site — and under German guidance, showing you one would be misleading, since you would have no real choice to make.

The uncomfortable part, stated plainly: if you connect a mailbox, Focoose downloads and stores your email on our server. Message bodies and attachments are encrypted at rest, but Focoose is not end-to-end encrypted — we hold the keys, which means we are technically capable of reading your mail. We don't, and access is restricted, but you deserve to know that rather than discover it.

Who is responsible

Controller
Zulfi Ismailov-Demiri
Address
Richardstr. 14, 26725 Emden, Deutschland

What we store, and why

Everything below is stored because the service cannot work without it.

Account
Your email address, your name, and the date you signed up. We never ask for a password — you sign in with a one-time link sent to your address.
Focus points
Titles, notes, schedules, meeting links, and any guest email addresses you enter.
Boards, cards and tags
Cards, notes, steps, comments, tags and column names you and your colleagues create.
Colleagues
If you invite people to your account: their email address, their name, and their role.
Mailbox credentials
If you connect a mailbox: the IMAP/SMTP host, port, and username, plus your mailbox password — which is encrypted at rest with a key held separately from the database.
Email content
If you connect a mailbox: the messages we sync, including sender, recipients, subject, body, and attachments. This is the most sensitive data we hold.
Screener decisions
Which sender addresses you have allowed or blocked.
Payments
Amount, the period it covers, the date received, and any bank reference — so we can tell whether your subscription is active, and to meet tax obligations.

Legal bases. Almost all of this is Art. 6 (1)(b) GDPR — processing necessary to perform the contract you entered into. Payment records are additionally kept under Art. 6 (1)(c) to satisfy German tax law. Keeping the service secure and preventing abuse rests on Art. 6 (1)(f), our legitimate interest.

Cookies

Focoose sets two cookies, both strictly necessary to sign you in and keep you signed in:

  • session_id — signed and HTTP-only; this is what keeps you signed in.
  • _focus_session — carries the CSRF token that protects forms, and remembers where to send you after you click a sign-in link.

There are no analytics, advertising, or tracking cookies, and no third-party scripts. Under §25 (2) TDDDG, cookies needed to deliver the service you asked for do not require consent, so we do not show a consent banner. Our fonts are the ones already on your device — your browser makes no request to Google when you load this page.

Who else touches your data

We use as few third parties as we can. These are all of them. We do not sell or share your data with anyone else, for any purpose.

Cloudflare, Inc. (USA)
Reverse proxy and tunnel. Every request to Focoose passes through it, and it terminates TLS, so it can see the traffic in the clear. IP address, request metadata, and the content of requests in transit.
1blu AG (Germany)
Outbound SMTP relay for sign-in links and reminder emails. Recipient address and the content of emails we send you.

Our servers are located at Emden, Germany — our own hardware, at the address given in the Impressum. Internet connectivity is provided by Vodafone; the site is reachable from the public internet through a Cloudflare Tunnel.

We run our own hardware. There is no hosting company holding your data on our behalf, and no data centre operator with a copy of it — the machine is ours, at the address given in the Impressum.

Transfers outside the EU

Focoose is served to the public internet through a Cloudflare Tunnel. Cloudflare, Inc. is established in the United States, so every request you make to Focoose is processed by a company outside the EU — this is not an occasional export, it is the path every page takes.

Cloudflare terminates TLS, which means it can see the content of requests in the clear as they pass through. We rely on Cloudflare's certification under the EU–US Data Privacy Framework, and on the Standard Contractual Clauses in its data processing addendum, as the safeguard for that transfer (Art. 45 / Art. 46 GDPR).

Everything else stays in Germany: the application, the database, and your synced email are on our own hardware in Emden, and outbound mail goes through a German relay.

How long we keep it

  • Your content — focus points, cards, and synced email — is kept until you delete it, or until you ask us to delete your account.
  • A locked-out account keeps its data for 12 months, so that nothing is lost if you subscribe later. After that it is deleted automatically, and we cannot get it back. We email the account owner 30 days beforehand — you will not find out by finding it gone. Ask us at any point and we will delete it sooner.
  • Payment records are kept for 10 years, as German tax law (§147 AO) requires. We cannot delete these on request, and they are the one thing that survives the deletion above.

While Focoose is in preview no account locks out at all, so that 12-month clock is not running for anyone. It starts the first day an account is locked, and not before.

How it is protected

  • All traffic to the app is encrypted in transit (TLS).
  • Your mailbox password is encrypted at rest; the key lives in the server environment, not in the database, so a database dump alone does not expose it.
  • Message bodies and attachments are encrypted at rest the same way. Subject lines and addresses are not, because search and the Screener need to read them.
  • HTML email is sanitised before it is rendered, so a malicious message cannot run scripts against your account.
  • Sign-in is by one-time link — there is no password of ours for anyone to steal.

Focoose is not end-to-end encrypted. That is a deliberate trade-off: search, the Screener, and reminders all require the server to be able to read your mail. It means we could technically access stored content, and you should weigh that before connecting a mailbox holding highly sensitive correspondence.

The full picture — what is encrypted, what is not, backups, and what happens if something goes wrong — is on the Security page.

Email belonging to other people

When you connect a mailbox, you upload messages written by third parties who never agreed to anything with us. If you use Focoose for business, you are the controller of that data and we act as your processor, which means we should sign a data processing agreement (Auftragsverarbeitungsvertrag, Art. 28 GDPR). Email us and we will provide one.

Your rights

Under the GDPR you can ask us to:

  • tell you what we hold about you (Art. 15);
  • correct it (Art. 16);
  • delete it (Art. 17);
  • restrict what we do with it (Art. 18);
  • hand it to you in a portable format (Art. 20);
  • stop processing it where we rely on legitimate interest (Art. 21).

Email id@werkkasten.com and we will act on it. You also have the right to complain to a data protection supervisory authority, in the country where you live or where we are established.

Changes

If we change this policy in a way that materially affects you, we will tell you by email rather than quietly editing this page.

Questions? Our contact details are in the Impressum.