Privacy Policy

Last updated: March 2026

1. Introduction

Agent Todo ("we", "our", or "us") is committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy regulations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our task management service that integrates with AI assistants through the Model Context Protocol (MCP).

Data Controller: Agent Todo operates as a data controller for the personal information we process. Our registered address is available upon request by contacting privacy@agent-todo.com. For EU residents, our EU representative can be contacted at eu-representative@agent-todo.com.

2. Information We Collect

We collect information you provide directly to us, such as:

Automatically Collected Information: We automatically collect certain information through cookies, web beacons, and similar technologies, including website interaction data, session duration, referral sources, and technical performance metrics.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process your personal data based on the following legal grounds:

4. How We Use Your Information

We use the information we collect to:

5. International Data Transfers

Agent Todo operates globally and may transfer your personal data to countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place for international transfers:

Data Locations: Your data may be processed in the United States (Cloudflare Workers, Supabase), and with third-party service providers including Stripe (payments), Sentry (error monitoring), and your chosen task management providers (Microsoft, Google).

6. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share your information in the following situations:

7. Data Security

We implement comprehensive technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes. Specific retention periods:

Automated Deletion: We implement automated deletion processes to ensure data is removed according to our retention schedule. You may request earlier deletion of your data subject to legal and contractual obligations.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, provide functionality, and analyze usage. Types of cookies we use:

Cookie Consent: You can manage your cookie preferences through your browser settings. Essential cookies cannot be disabled as they are necessary for the service to function. For analytics and non-essential cookies, we obtain your consent through our cookie banner.

10. Third-Party Services and Integrations

Our service integrates with third-party services to provide task management functionality. Each integration is subject to their respective privacy policies:

Data Sharing: We only share the minimum necessary data with these services to provide functionality. You maintain control over which services you connect and can disconnect them at any time.

11. Google API Services User Data Policy

Agent Todo's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Data We Access

When you connect your Google Tasks account, we request the https://www.googleapis.com/auth/tasks scope, which allows us to read and write your task lists and tasks. We do not request access to any other Google services or data.

How We Use Google Data

Limited Use Compliance

Data Storage and Security

OAuth tokens for Google Tasks are encrypted using AES-256-GCM at rest. Task data is retrieved from Google's servers on demand and is not permanently cached in our systems beyond what is necessary to display it in your session. You can disconnect your Google Tasks account at any time from your account settings, which will delete all stored tokens.

12. Children's Privacy

Our service is not intended for children under 16 years of age (or the minimum age for digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we discover that we have collected information from a child, we will delete it immediately. Parents or guardians who believe their child has provided personal information to us should contact us at privacy@agent-todo.com.

13. Your Rights and Choices

You have the following rights regarding your personal information. The specific rights available to you may depend on your location and applicable privacy laws:

How to Exercise Your Rights: Contact us at privacy@agent-todo.com with your request. We will respond within 30 days (or as required by applicable law). For account deletion, you can also use the account deletion feature in your dashboard.

California Residents: Under the CCPA, you have additional rights including the right to know what personal information is sold or disclosed and to opt-out of the sale of personal information. We do not sell personal information.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

Your continued use of our service after the effective date of the updated policy constitutes acceptance of the changes. If you do not agree with the updated policy, you should discontinue use of our service.

15. Contact Us and Data Protection Officer

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:

Supervisory Authority: If you are located in the EU and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. A list of supervisory authorities is available at edpb.europa.eu.

Response Time: We aim to respond to all privacy-related inquiries within 30 days. For urgent matters related to data breaches or security concerns, contact us immediately at the email addresses above.