Legal

Privacy Policy

Last updated: April 23, 2026

1. Introduction

Todo ("we", "us", "our") operates the Todo task management application at ai-todo.fly.dev. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

Account Information

When you create an account, we collect your email address and, optionally, your name. If you sign in via Google OAuth, we receive your Google profile name and email. If you use BankID, we receive your personal number and name from the BankID service.

Task Data

We store the tasks, projects, tags, and descriptions you create. This data is scoped to your user account and is never shared with other users or third parties.

AI Chat Data

When you use the AI assistant, your messages and the assistant's responses are stored in your chat history. Task context (titles, statuses, projects) is sent to the AI model provider to generate responses. We do not send task descriptions or notes unless you explicitly include them in your message.

Usage Data

We collect standard server logs (IP address, browser user agent, timestamps) for security monitoring and abuse prevention. We do not use third-party analytics trackers.

3. How We Use Your Information

  • To provide and maintain the Todo service
  • To authenticate your identity and manage your session
  • To process AI assistant requests using your task context
  • To send transactional emails (verification, password reset, magic links)
  • To detect and prevent abuse, fraud, and security threats

4. Data Storage & Security

Your data is stored in an SQLite database on our servers. All data is scoped per-user — every database query requires your authenticated user ID. There is no way to access another user's data by design.

We support two-factor authentication (TOTP with backup codes), passkey/WebAuthn sign-in, and magic link authentication. API keys are stored as SHA-256 hashes — we never store the raw key after initial generation.

5. Third-Party Services

We use the following third-party services:

  • Google OAuth — for optional social sign-in (Google's privacy policy applies)
  • Resend — for sending transactional emails (verification, password reset)
  • AI Model Providers (OpenAI, Anthropic, Google) — for processing AI chat requests; task context is sent per-request and is subject to each provider's data policies
  • BankID — for Swedish electronic identification (BankID's privacy policy applies)
  • Fly.io — for hosting (infrastructure provider)
  • Cloudflare — for hosting the marketing site and CDN

6. Data Export & Portability

You can export all your data at any time in JSON or CSV format via the Export feature in the app or the GET /api/export endpoint. There is no vendor lock-in — your data is always yours.

7. Data Retention & Deletion

Your data is retained for as long as your account is active. Soft-deleted tasks are kept in trash until you empty it. When you delete your account, all associated data (tasks, projects, tags, preferences, sessions, two-factor secrets, passkeys, API keys, and chat history) is permanently deleted in a single transaction.

8. Cookies

We use a session cookie to maintain your authenticated session. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. User preferences (theme, language, UI scale) are stored server-side, not in cookies.

9. Children's Privacy

Todo is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance of the revised policy.

11. Contact

If you have questions about this Privacy Policy or your data, please reach out via the contact information provided in the application.