TODO

Privacy Policy

Last updated: 2026-03-15

1. Data We Collect

I collect the following personal data when you use TODO: your name, email address, and profile picture (provided by Google OAuth); tasks, task lists, and descriptions you create; Pomodoro timer sessions and settings; AI chat conversations and interaction history; and technical data such as your browser type and language preference.

2. Analytics

I use PostHog for product analytics. PostHog collects anonymous usage data such as feature interactions (e.g., task created, pomodoro started) and page views. I never track sensitive content like task titles, descriptions, emails, or names in analytics events. You can opt out of analytics cookies when first visiting the site. If you decline, no analytics data is collected.

3. How We Use Your Data

I use your data to: provide and maintain TODO; authenticate your identity; generate AI-powered task suggestions; send notifications about shared lists; enable data export and account deletion; and improve TODO through anonymous analytics.

4. Data Sharing

I share data with the following third parties only as necessary to operate TODO: Google (authentication via OAuth); PostHog (anonymous product analytics, if you consent); AI model providers (to generate task suggestions, only task metadata is sent, never personal information beyond what is needed for suggestions); and Vercel (hosting infrastructure). I do not sell your personal data to any third party.

5. Data Retention

Your data is retained as long as your account is active. When you delete your account, all associated data (tasks, lists, Pomodoro sessions, AI conversations, and notifications) is permanently deleted from the servers. I do not retain backups of deleted accounts.

6. Your Rights

You have the right to: access your data (via the Settings page); export your data in JSON or CSV format (via the Settings page); delete your account and all associated data (via the Settings page); opt out of analytics cookies; and request information about how your data is processed by contacting me. These rights are provided in compliance with Colombian data protection law (Ley 1581 de 2012) and are consistent with GDPR and CCPA requirements.

7. Cookies

I use the following cookies: session cookies (essential, required for authentication); cookie consent preference (functional, records your analytics choice); and PostHog analytics cookies (optional, only set if you accept analytics). Essential and functional cookies do not require consent. Analytics cookies are only activated if you explicitly accept them.

8. Security

I take reasonable measures to protect your data, including encrypted connections (HTTPS), secure authentication via Google OAuth, and hosting on Vercel's infrastructure with enterprise-grade security. However, no method of transmission over the Internet is 100% secure.

9. Changes to This Policy

I may update this Privacy Policy from time to time. If I make material changes, you will be notified through TODO. The date at the top of this page indicates when the policy was last updated.

10. Contact

If you have questions about this Privacy Policy or your personal data, please contact me at sebastian.caja@gmail.com.
