Discord Tasks (Trello Power-Up) & Trello Tasks Bot (Discord) · https://trellobot.hejapp.com · Last updated: March 2026
The service is operated by a private individual:
As an individual operator based in Germany, Maximilian Krisch is the Data Controller within the meaning of Art. 4(7) of the General Data Protection Regulation (GDPR).
We collect only the minimum data required to operate the service. The legal basis for all processing is Art. 6(1)(b) GDPR — processing is necessary to perform the service you signed up for — unless stated otherwise.
| Data | Purpose |
|---|---|
| Trello board ID | Identifies which Trello board to create cards on. Acts as the primary key for your configuration. |
| Trello list ID | Identifies which list on the board new cards land in. |
| Discord server ID (guild ID) | Identifies which Discord server the bot is active in. |
| Discord channel ID | Identifies which Discord channel triggers /task slash commands. |
| Timestamps (created_at, updated_at) | Operational record-keeping and maintenance purposes. |
| Trello member ID | The opaque Trello account identifier of the user who authorized the integration. Stored to handle Trello's GDPR compliance events: if you revoke your Trello token or delete your Trello account, Trello notifies us via their compliance API using this ID so we can automatically delete your stored token. See note on Trello compliance below. |
We store OAuth access tokens so the service can act on your behalf — creating Trello cards and reading Discord guild information — without requiring you to re-authenticate on every action.
| Token | Source | Scope granted | Storage |
|---|---|---|---|
| Trello OAuth token | You authorize via Trello's OAuth flow | read, write on your Trello account | Encrypted at rest |
| Discord OAuth token | You authorize via Discord's OAuth flow | identify, guilds — to list servers you manage | Encrypted at rest |
Tokens are encrypted at rest before being written to the database using strong, authenticated cryptography.
You can revoke both tokens at any time from the Power-Up settings page. Disconnecting Trello also instructs Trello's API to invalidate the token immediately. Note that disconnecting a specific board or disabling the Power-Up from Trello's board menu permanently erases all stored data for that board — including thread mappings, checklist item mappings, and the board configuration itself. The "Disconnect all" (logout) action only clears tokens and deactivates the board while preserving your data so you can reconnect later.
After you connect Discord, the setup wizard shows a dropdown of Discord servers in which you have administrator or Manage Server permission. This list is fetched in real time from Discord's API each time the settings panel is opened — it is not stored in our database. Once you select and save a server, only the server ID and channel ID are persisted (see section 2.1).
The selected server ID and channel ID are also stored in Trello's Power-Up storage (inside Trello's own infrastructure) so the settings panel can restore your selection on re-open. No server names are stored — names are always fetched live from Discord's API when displayed.
Note on Trello compliance (member ID): The Trello member ID stored in section 2.1 is an opaque identifier — it is not a human-readable name or email address. We do not store any other Trello profile fields (username, full name, avatar, email, bio). The member ID is used solely as a deletion key: when Trello notifies us via their GDPR compliance API that a user has revoked their token or deleted their account, we use this ID to locate and erase the associated record.
When the bot processes a /task slash command or a thread reply, the following is stored:
| Data | Purpose |
|---|---|
| Discord thread ID | Links the Discord thread to the corresponding Trello card for syncing. |
| Discord message ID (for thread replies) | Maps individual thread messages to Trello checklist items so reactions and edits can be synced. |
| Trello card ID | Reference for API calls to update the correct card. |
| Trello checklist / checklist item ID | Reference for API calls to update the correct subtask. |
| Checklist item state (complete / incomplete) | Tracks sync state to avoid redundant API calls. |
| Discord CDN attachment URL and filename (if a file was submitted) | Transmitted to the Trello API solely for the purpose of attaching the file to the corresponding Trello card. Not stored in our database. The file content itself is never downloaded or processed by the Service. |
The text of /task commands and thread replies is forwarded to the Trello API and stored as card names and checklist items on your Trello board. We do not store the raw message text in our own database — it lives in Trello under your account. If you provide a file attachment via the attachment option of the /task command, the Discord CDN URL and filename of that attachment are transmitted to the Trello API and stored as a card attachment on your Trello board. The file itself is hosted by Discord (Discord Inc., USA) and retrieved by Trello directly via the URL; we do not download, copy, or independently store the file content at any point during transmission. The attachment remains subject to Discord's and Trello's respective data retention policies.
If you purchase a paid subscription, we store the following from Paddle (our Merchant of Record):
We do not store your name, email address, payment card details, or billing address. All billing data is collected and stored by Paddle directly. See Section 6 for more on Paddle's role.
Where no paid subscription exists, no subscription or billing data is collected or stored. The settings panel may display a voluntary support link ("Buy me a coffee") — clicking it navigates to an independent third-party platform. We do not transmit any data to that platform and receive no information about whether or how you interact with it. Any personal data you provide to that platform is governed solely by their own privacy policy.
The service operator (administrator) may suspend a user account to maintain service integrity — for example, in response to abuse, a violation of the Terms of Service, or as part of an administrator-initiated account deletion. When an account is suspended or deleted by the administrator, the following minimal record is stored:
| Data | Purpose |
|---|---|
| Trello member ID | Identifies the suspended account. Used to block API access and, in the case of a permanent deletion, to prevent re-registration using the same Trello account. |
| Suspension date | Records when the suspension took effect, for audit and compliance purposes. |
| Reason | An administrative note recording the category of reason for the suspension or deletion (e.g. terms violation, abuse, legal obligation). This is a fixed administrative classification — it is not derived from user-submitted content and is not shared with third parties. |
The legal basis for storing this enforcement record is Art. 6(1)(f) GDPR — legitimate interest in maintaining service integrity, preventing abuse, and ensuring that permanently deleted accounts cannot immediately be re-registered.
A standalone suspension (account blocked without data deletion) does not affect your stored data — board configurations, task mappings, and OAuth tokens remain intact while API access is blocked. If you believe a suspension was applied in error, contact support-trellopowerup@hejapp.com.
A permanent account deletion by the administrator erases all configuration and task data immediately. Only the minimal enforcement record described above is retained afterwards.
Regardless of suspension status, suspended users retain access to the billing portal so they can cancel any active paid subscription.
We use no tracking cookies, no analytics cookies, and no advertising cookies.
The only cookie set by this service is a strictly necessary session cookie for the administrator control panel:
| Cookie name | Purpose | Type | Lifetime |
|---|---|---|---|
| admin_auth | Authenticates the service operator's admin panel session. Not set for regular users. | HttpOnly, Secure, SameSite=Strict | 24 hours |
End users (Trello Power-Up users and Discord server members) do not receive any cookies from this service. The Power-Up runs inside a Trello iframe and stores its configuration in Trello's own Power-Up data store, not in browser cookies.
Third-party services you interact with (Trello, Discord, Paddle) may set their own cookies in accordance with their own privacy policies.
Our web server automatically records standard HTTP access logs. Each log entry contains:
GET /settings.html)
These logs are stored on the server for operational purposes only (debugging, abuse detection, security incident investigation). They are not shared with third parties and are not used for profiling or tracking. The legal basis is Art. 6(1)(f) GDPR — legitimate interest in securing and maintaining the service.
The application itself logs only operational events (task operations, synchronisation results, error messages). No personal information beyond technical service identifiers is written to application logs.
| Data type | Retention period |
|---|---|
| Configuration data (board/channel/list IDs, Trello member ID), OAuth tokens | Immediately and permanently erased when you: |
| Selected server ID and channel ID — Trello Power-Up storage | Until you disconnect Discord from the Power-Up settings panel. Cleared immediately on disconnect. Server names are never stored — always fetched live from Discord's API. |
| Thread and checklist mappings | Immediately and permanently erased when you: |
| Subscription data | Until you delete your account. Paddle retains billing records independently under their own retention policy. |
| Account suspension record (Trello member ID, suspension date, reason) | Permanent — if the account was permanently deleted by the administrator ("Delete + Block"), this record is retained indefinitely to prevent re-registration using the same Trello account. Until manually removed — if the account was suspended without deletion (standalone block), the record is removed if the administrator lifts the suspension. |
| Server access logs | Up to 30 days, after which logs are automatically rotated and deleted. These are not linked to application-level user identifiers. |
Our server and PostgreSQL database are hosted on a VPS provided by Contabo GmbH, Munich, Germany. All application data (including encrypted tokens) is stored on this server. Contabo acts as a data processor under a Data Processing Agreement (DPA).
Subscriptions are handled by Paddle.com Market Ltd, acting as Merchant of Record. This means that when you purchase a subscription, you are technically buying from Paddle — not from us. Paddle collects and processes your billing information (name, email, payment method, billing address) directly and is independently responsible for that data.
We receive only a customer ID and subscription ID from Paddle to track your subscription tier. We do not receive or store your email or payment details.
Card and checklist data is sent to and read from Trello's API using the OAuth token you authorized. Trello (operated by Atlassian, Inc., USA) processes this data under their own privacy policy. Your Trello data remains in your Trello account and is governed by Atlassian's terms.
The bot processes /task slash commands in configured channels, and interacts with threads in those channels. Discord (Discord Inc., USA) processes message data under their own privacy policy. The Discord OAuth token you grant allows our service to identify which servers you manage; it does not grant access to message history or private messages.
The settings panel may display a voluntary support link that navigates to the Buy Me a Coffee platform (Appstel Inc., USA). This platform operates entirely independently of this Service. We do not share any personal data with Buy Me a Coffee, and we receive no information about whether or how you use their platform. Any personal data you provide to Buy Me a Coffee (such as an email address or payment details) is governed solely by their privacy policy.
Our primary server is located in the EU (Contabo, Germany). However, some data flows outside the EU/EEA as part of normal service operation:
| Recipient | Country | Transfer mechanism |
|---|---|---|
| Atlassian / Trello | USA | Standard Contractual Clauses (SCCs) — see Atlassian's privacy policy |
| Discord Inc. | USA | Standard Contractual Clauses (SCCs) — see Discord's privacy policy |
| Paddle.com Market Ltd | United Kingdom | UK GDPR adequacy decision (UK is recognised as adequate by the EU) |
We take the following technical measures to protect your data:
No system is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, affected users directly.
As a data subject under the GDPR, you have the following rights:
| Right | How to exercise it |
|---|---|
| Right of access (Art. 15) — receive a copy of all data we hold about you | Use the Export Data button in the Power-Up settings (under "Account & Data"). Downloads a JSON file containing all stored configuration, thread, subscription data, and — if your account has been suspended — your suspension record (suspension date and reason). You can also email us to request a copy. |
| Right to erasure (Art. 17) — have all your data deleted | Use the Delete Account button in the Power-Up settings. This immediately and permanently deletes all configuration data, thread and checklist mappings, OAuth tokens, and the Trello member ID from our database, and clears any data stored in Trello's Power-Up storage. Note: if you have an active paid subscription, you must cancel it via the billing portal first — account deletion is blocked while a subscription is active. You can also email us to request deletion. Exception — administrator-initiated deletions: if your account was permanently deleted by the administrator, a minimal suspension record (Trello member ID, deletion date, reason "Deleted by admin") is retained after erasure. This is the minimum data necessary for the legitimate interest described in Section 2.6 (preventing re-registration). You may contact privacy-trellopowerup@hejapp.com to dispute this. |
| Right to rectification (Art. 16) — correct inaccurate data | Disconnect and reconnect your accounts in the Power-Up settings to refresh stored IDs and tokens. Server and channel selections can be updated by re-saving in the setup wizard. |
| Right to disconnect / terminate the service | You may terminate the service for a specific board at any time by: To also disconnect Discord, use the Disconnect Discord button in settings — this clears the Discord token and removes the associated server/channel data from Trello Power-Up storage. As processing is based on Art. 6(1)(b) GDPR (contract performance), disconnecting a board constitutes termination of the service for that board. |
| Right to data portability (Art. 20) | Use the Export Data button in settings — downloads all stored data as a structured JSON file. |
| Right to lodge a complaint (Art. 77) | You may contact the German supervisory authority: Bundesbeauftragter für den Datenschutz (BfDI). |
To exercise any right by email, contact privacy-trellopowerup@hejapp.com. We will respond within 30 days.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will provide additional notice (e.g. a notice in the Power-Up settings panel). Continued use of the service after a change constitutes acceptance of the updated policy.
For any privacy-related questions, data subject requests, or concerns: