Security

Tadoro is an index, not a filing cabinet. This page summarises what we do technically and organisationally to keep your family-protection information safe, and what we deliberately do NOT do.

Based in Germany. Database in the EU.

Tadoro is an index, not a filing cabinet

We are deliberately not a filing cabinet: Tadoro is not designed for the following four kinds of data, so your preparedness stays safe even if something goes wrong elsewhere.

  • No document contents

    No uploads, no scans, no PDFs. Please don't copy full contents of powers of attorney, wills, policies, or contracts into free-text fields. Tadoro records only organisational pointers: whether a document exists and where it is kept outside Tadoro. Documents you create with Tadoro and choose to keep are end-to-end encrypted, so only you can open them.

  • No passwords

    Please don't store passwords, PINs, TANs, recovery codes, or access credentials to banks, insurers, email accounts, password managers, or any other services in Tadoro.

  • No account numbers or IBANs

    Please don't enter IBANs, account numbers, credit-card data, or other payment data in Tadoro. The location field describes where information can be found, not its confidential content.

  • No medical records

    Tadoro doesn't replace clinical documentation. Please don't store diagnoses, findings, medication plans, or medical records. Record only organisational pointers, e.g. “medication list exists, kept in the emergency binder.”

Your data. Your protection.

Database in the EU

The central database is located in Frankfurt, Germany, and is GDPR compliant. Every processor is listed in the privacy policy with its location and transfer mechanism.

Original documents stay with you

Tadoro doesn't store copies of your finished documents or originals from notary, bank, or clinic. The plan only records that something exists and where it lives.

End-to-end encrypted

Documents you create with Tadoro are encrypted on your device before they reach our servers. Not even Tadoro can open them – only you.

Deletable anytime

You can delete your account and your plan data any time, no questions asked. What's legally required (invoices, suppression lists) stays for the prescribed period.

Nothing to sell you

No insurance, no legal services, no commissions, no advertising. You pay Tadoro directly, and Tadoro works only for you.

AI only if you want it

Tadoro uses AI for onboarding analysis, and only optionally. You can build the plan entirely manually, without any content being sent to external AI services.

Self-funded. No outside investors, no pressure to monetize your data.

EU Hosting and Data Location

The central database (Supabase / PostgreSQL) runs in Frankfurt am Main. Application hosting runs on Vercel, transactional emails go through Resend, and bot protection uses Cloudflare Turnstile. A complete list of all processors with location and transfer mechanism is in the Privacy Policy (§ 5).

Documents you create with Tadoro: end-to-end encrypted

When you create a preparedness document with the document assistant, your entries are end-to-end encrypted – on your device, before they reach our servers. Not even Tadoro can open them.

  • Your device: encryption happens here, with your password.
  • Tadoro server: sees only the encrypted block, not the content.
  • Your device: decryption happens with your password, locally.

What gets encrypted?

Your entries for the document assistant – for example the authorised person's details in your power of attorney, your treatment preferences in the advance directive, the named recipients in the medical confidentiality release. Everything you type before the document is created.

How does the encryption work?

On your device, in the browser, with AES-256-GCM. The key is derived from your vault passphrase using PBKDF2 (600,000 iterations, OWASP 2023 standard). We use only the Web Crypto API built into your browser – no external libraries, no hidden dependencies. Implemented in a single file: src/lib/crypto/document-vault.ts (214 lines of code).

What do we see?

Only the encrypted block. Tadoro cannot decrypt it, cannot search it, cannot use it for any other purpose. This isn't a question of "we promise not to" – it's a question of "we can't." This architecture is called zero-knowledge: the provider has no technical access to the plaintext, even on request from authorities or in the event of a server compromise.

What if you forget the password?

When you set up your vault, you receive a 25-character recovery code. Keep it separate from the password – printed in a file folder, in a second password manager, or with a trusted person. With the code you can set a new password and recover your drafts. If both are lost (password and recovery code), the drafts are permanently lost – that's the consequence of zero-knowledge. PDF documents you've already created and downloaded are unaffected; those are yours.

What we deliberately don't (yet) do

Argon2id is a more modern key derivation than PBKDF2 and is on the roadmap. So is passkey-based encryption (instead of passphrase). For our current threat model – honest-but-curious server, trustworthy client – PBKDF2 with 600,000 iterations is sufficient. Device-side compromise (malware on your computer reading your keystrokes) is outside our protection scope; no application protects against that.

We can prove it

The entire encryption logic lives in a single file: src/lib/crypto/document-vault.ts. 214 lines of code. On request we'll send you the full contents of that file for review – for example for IT security audits at your employer, for data protection officers, or for your own examination. Write to datenschutz@tadoro.com with the subject "Source code review document-vault.ts."

Encryption in transit and at rest

In addition to the end-to-end encryption of document assistant content above: transmissions between your device and Tadoro are encrypted via HTTPS. The database stores content encrypted at rest (AES-256, via Supabase). Passwords are not stored in plain text; they are hashed using current standards. For passkeys, Tadoro does not store private keys; these remain on your device or with your passkey provider.

Access Controls

Data within a preparedness plan is protected by workspace membership and role logic: a plan member only sees that plan's data. Admin access is limited to the operator and technically required maintenance access, is additionally secured (passkey step-up via FIDO/WebAuthn), and is logged.

Backups

The database is backed up automatically daily. Backups are overwritten according to the regular cycle, currently within 7 days. Backups are used solely for recovery in case of failure and are not used for any other purpose.

Your data belongs to you

  • Export anytime. Readable as HTML (print or save as PDF) or as JSON for your own processing. Both available directly from Settings.
  • Initiate deletion anytime. Account and plan data are deleted from the active system, unless statutory retention obligations or legitimate interests apply.
  • Works even without Tadoro. The generated PDF overviews and emergency plans stay with you: as plain files, without app dependency. If you stop, you keep everything important in hand.

Retention periods arising from legal obligations or legitimate interests (Stripe invoice data, audit logs, email suppression entries) are listed in the Privacy Policy (§ 7 + § 8).

AI Processing

  • What is sent? Only the free-text description of your family situation during onboarding, plus inputs for AI-assisted conversation guides. Concrete entry content like location descriptions is not automatically sent to the AI. AI-assisted features process only the inputs you deliberately enter or release for that purpose.
  • What does Anthropic store? Anthropic Ireland Ltd. processes the input for analysis, does not store it for model training, and deletes it after a short retention. A data processing agreement (DPA) is in place.
  • How to skip AI? In onboarding, choose "Fill in manually, without AI". You then enter areas, people, and items step by step. No free-text analysis, no transmission to Anthropic. The platform is functionally identical.

AI processing details are in the Privacy Policy (§ 5b) and the Terms of Service (§ 12).

What you should NOT enter

Tadoro is not designed to store sensitive original content. Please do not enter passwords, PINs, TANs, full account numbers, IBANs, ID-card copies, diagnoses, medication plans, or full contents of legal, medical, or financial documents. Instead, only record whether a document or piece of information exists and where it is stored. This clarity is the foundation for Tadoro remaining safe even if a single incident occurs.

Reporting a Security Incident

If you suspect a security incident (suspicious sign-in attempts, unusual account activity, or a possible vulnerability), please write to hilfe@tadoro.com. We acknowledge reports within 2 business days.

Questions

For data-protection enquiries, contact datenschutz@tadoro.com.

Last updated: May 2026