Privacy Policy
1. Introduction
Agent Todo ("we", "our", or "us") is committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy regulations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our task management service that integrates with AI assistants through the Model Context Protocol (MCP).
Data Controller: Agent Todo operates as a data controller for the personal information we process. Our registered address is available upon request by contacting privacy@agent-todo.com. For EU residents, our EU representative can be contacted at eu-representative@agent-todo.com.
2. Information We Collect
We collect information you provide directly to us, such as:
- Account Information: Email address, username, profile picture (if provided), subscription preferences
- Authentication Data: OAuth tokens, refresh tokens, and session identifiers for connected services (Microsoft Todo, Google Tasks)
- Task Data: Task titles, descriptions, due dates, completion status, list names, and metadata synced from your connected services
- Usage Data: API call logs, feature usage patterns, performance metrics, error logs
- Device Information: IP address, browser type, operating system, device identifiers
- Payment Information: Billing address, payment method details (processed by Stripe), subscription history
- Communication Data: Support requests, feedback, and correspondence with us
Automatically Collected Information: We automatically collect certain information through cookies, web beacons, and similar technologies, including website interaction data, session duration, referral sources, and technical performance metrics.
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland, we process your personal data based on the following legal grounds:
- Contract: Processing necessary to perform our service agreement with you (account management, task synchronization, core features)
- Legitimate Interest: Improving our services, security monitoring, fraud prevention, technical support, and business analytics
- Consent: Marketing communications, optional analytics, and non-essential cookies (you may withdraw consent at any time)
- Legal Obligation: Compliance with applicable laws, regulatory requirements, and court orders
- Vital Interest: Protecting the safety and security of our users and preventing harm
4. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Sync tasks between your connected services and AI assistants
- Respond to your comments, questions, and customer service requests
- Send you technical notices and support messages
- Detect, investigate, and prevent fraudulent transactions and other illegal activities
5. International Data Transfers
Agent Todo operates globally and may transfer your personal data to countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place for international transfers:
- Adequacy Decisions: We transfer data to countries recognized by the European Commission as providing adequate protection
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to countries without adequacy decisions
- Certification Schemes: We work with service providers who comply with recognized certification schemes like Privacy Shield successors
- Technical Safeguards: All data in transit is encrypted using TLS 1.3, and data at rest is encrypted using AES-256
Data Locations: Your data may be processed in the United States (Cloudflare Workers, Supabase), and with third-party service providers including Stripe (payments), Sentry (error monitoring), and your chosen task management providers (Microsoft, Google).
6. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information. We may share your information in the following situations:
- With AI assistants through the Model Context Protocol (MCP) to enable task management features
- With service providers who assist us in operating our service
- To comply with legal obligations or protect our rights
- With your consent or at your direction
7. Data Security
We implement comprehensive technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
- Encryption: All OAuth tokens encrypted using AES-256-GCM, data in transit protected with TLS 1.3
- Access Controls: Role-based access controls, multi-factor authentication for administrative access
- Infrastructure Security: Hosted on secure cloud infrastructure (Cloudflare Workers, Supabase) with SOC 2 compliance
- Regular Audits: Security assessments, penetration testing, and vulnerability scanning
- Data Minimization: We collect and process only the minimum data necessary for our services
- Incident Response: Established procedures for detecting, responding to, and notifying about security incidents
8. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes. Specific retention periods:
- Account Data: Retained while your account is active, deleted within 30 days of account closure
- Task Data: Retained while your account is active, permanently deleted upon account closure
- OAuth Tokens: Retained until you disconnect the service or close your account
- Usage Logs: Retained for 12 months for security and performance monitoring
- Payment Records: Retained for 7 years as required by financial regulations
- Support Communications: Retained for 3 years for quality assurance and training
- Security Logs: Retained for 24 months for fraud prevention and security monitoring
Automated Deletion: We implement automated deletion processes to ensure data is removed according to our retention schedule. You may request earlier deletion of your data subject to legal and contractual obligations.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience, provide functionality, and analyze usage. Types of cookies we use:
- Essential Cookies: Required for basic functionality (authentication, session management)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how you use our service (with consent)
- Security Cookies: Protect against fraud and unauthorized access
Cookie Consent: You can manage your cookie preferences through your browser settings. Essential cookies cannot be disabled as they are necessary for the service to function. For analytics and non-essential cookies, we obtain your consent through our cookie banner.
10. Third-Party Services and Integrations
Our service integrates with third-party services to provide task management functionality. Each integration is subject to their respective privacy policies:
- Microsoft To Do: Microsoft Privacy Statement applies to data processed by Microsoft
- Google Tasks: Google Privacy Policy applies to data processed by Google. See Section 11 below for Google API Services User Data Policy compliance details.
- Stripe: Stripe Privacy Policy applies to payment processing
- Cloudflare: Cloudflare Privacy Policy applies to infrastructure services
- Supabase: Supabase Privacy Policy applies to database services
- Sentry: Sentry Privacy Policy applies to error monitoring
Data Sharing: We only share the minimum necessary data with these services to provide functionality. You maintain control over which services you connect and can disconnect them at any time.
11. Google API Services User Data Policy
Agent Todo's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Data We Access
When you connect your Google Tasks account, we request the https://www.googleapis.com/auth/tasks scope, which allows us to read and write your task lists and tasks. We do not request access to any other Google services or data.
How We Use Google Data
- Display your Google Tasks lists and tasks within the Agent Todo dashboard
- Sync task updates (creation, completion, edits, deletion) between Agent Todo and Google Tasks
- Enable AI assistants to manage your tasks through the Model Context Protocol (MCP) at your direction
Limited Use Compliance
- We do not use Google user data for serving advertisements or for any purpose unrelated to providing and improving task management functionality
- We do not transfer Google user data to third parties except as necessary to provide the service, as required by law, or with your explicit consent
- We do not use Google user data to build user profiles for advertising or to train general-purpose AI models
- Human access to Google user data is limited to security investigations, legal compliance, and providing user-requested support
Data Storage and Security
OAuth tokens for Google Tasks are encrypted using AES-256-GCM at rest. Task data is retrieved from Google's servers on demand and is not permanently cached in our systems beyond what is necessary to display it in your session. You can disconnect your Google Tasks account at any time from your account settings, which will delete all stored tokens.
12. Children's Privacy
Our service is not intended for children under 16 years of age (or the minimum age for digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we discover that we have collected information from a child, we will delete it immediately. Parents or guardians who believe their child has provided personal information to us should contact us at privacy@agent-todo.com.
13. Your Rights and Choices
You have the following rights regarding your personal information. The specific rights available to you may depend on your location and applicable privacy laws:
- Right of Access: Request a copy of the personal information we hold about you
- Right to Rectification: Correct inaccurate or incomplete information
- Right to Erasure: Request deletion of your personal information (subject to legal obligations)
- Right to Restrict Processing: Limit how we process your data in certain circumstances
- Right to Data Portability: Export your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests or for marketing purposes
- Right to Withdraw Consent: Withdraw consent for processing based on consent
- Right to Complain: Lodge a complaint with a supervisory authority
How to Exercise Your Rights: Contact us at privacy@agent-todo.com with your request. We will respond within 30 days (or as required by applicable law). For account deletion, you can also use the account deletion feature in your dashboard.
California Residents: Under the CCPA, you have additional rights including the right to know what personal information is sold or disclosed and to opt-out of the sale of personal information. We do not sell personal information.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated policy on our website with a new "Last updated" date
- Sending an email notification to your registered email address (for significant changes)
- Displaying a prominent notice on our service (for material changes affecting your rights)
Your continued use of our service after the effective date of the updated policy constitutes acceptance of the changes. If you do not agree with the updated policy, you should discontinue use of our service.
15. Contact Us and Data Protection Officer
If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:
- Email: privacy@agent-todo.com
- Data Protection Officer: dpo@agent-todo.com
Supervisory Authority: If you are located in the EU and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. A list of supervisory authorities is available at edpb.europa.eu.
Response Time: We aim to respond to all privacy-related inquiries within 30 days. For urgent matters related to data breaches or security concerns, contact us immediately at the email addresses above.