Privacy Policy

How ToDo's AI collects, uses, and protects your information.

Effective date: April 28, 2026
Contact: support@todosai.net

This Privacy Policy describes how ToDo's AI ("we," "us," or "our") collects, uses, and handles your information when you use our iOS application and related services. By using ToDo's AI, you agree to the practices described in this policy.

Information we collect

When you use ToDo's AI, we collect the following information:

  • Account information: Your name and email address, obtained when you sign in with Google.
  • Gmail access token: An OAuth 2.0 token that permits read-only access to your Gmail inbox. This token is encrypted before storage and is never stored in plain text.
  • Email content: Subject lines, sender names, and body text of emails in your inbox, read for the purpose of identifying actionable tasks. Emails determined to be non-actionable are not stored.
  • Tasks and feedback: Tasks extracted from your emails, and any feedback you provide by confirming or rejecting task suggestions.
  • Usage data: Sync timestamps, error logs, and basic operational data used to maintain and debug the service.

We do not collect your Gmail password. We do not access your Google Drive, Google Calendar, or any Google service other than Gmail.

How we use your information

We use the information we collect exclusively to:

  • Read and process your Gmail inbox to generate task suggestions
  • Improve task extraction accuracy for your account based on your feedback
  • Maintain, secure, and debug the service
  • Communicate with you about your account if necessary

We do not use your information for advertising. We do not sell your data to third parties. We do not share your email content with any external party for any purpose.

AI processing and third-party AI services

All AI inference — reading emails, classifying whether they are actionable, and extracting task details — runs on servers we operate directly using a locally-hosted language model.

Your email content is never sent to OpenAI, Anthropic, Google's AI services, or any other external AI provider. This is an architectural decision, not just a policy commitment.

Gmail API usage

ToDo's AI uses the Gmail API with a read-only scope. Specifically:

  • We can read email content, subject lines, and sender information
  • We cannot send emails, delete emails, modify labels, or take any action on your account
  • We use incremental sync (Gmail history IDs) to fetch only new emails since the last sync

Our use of Gmail data is limited to providing the task extraction feature described in this policy. We do not use Gmail data to develop, improve, or train general-purpose AI models.

Data storage and security

Your data is stored on servers we control. We implement the following security measures:

  • Gmail OAuth tokens are encrypted at rest using industry-standard symmetric encryption (Fernet/AES-128)
  • All data in transit is protected by HTTPS/TLS
  • Access to production systems is restricted and logged
  • Databases are not publicly accessible

No security system is perfect. If you discover a security vulnerability, please report it to support@todosai.net before public disclosure.

Data retention

We retain your data for as long as your account is active. If you delete your account or revoke Gmail access:

  • Your Gmail OAuth token is immediately invalidated and deleted from our systems
  • Your task history, feedback data, and account information are deleted within 30 days
  • Anonymized aggregate statistics not linked to your account may be retained for service improvement

Third-party services

ToDo's AI uses the following third-party services:

  • Google Gmail API — to access your email with your explicit permission. Subject to Google's Privacy Policy.
  • Firebase Hosting — to serve this website. No user account or email data passes through Firebase.

We do not use third-party analytics tools, advertising networks, or data brokers.

Children's privacy

ToDo's AI is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at support@todosai.net.

Your rights and choices

You have the following rights regarding your data:

  • Access: Request a copy of the data we hold about your account
  • Deletion: Request deletion of your account and all associated data
  • Revocation: Revoke Gmail access at any time via myaccount.google.com/permissions — this immediately stops all inbox access
  • Correction: Request correction of inaccurate account information

To exercise any of these rights, email support@todosai.net. We will respond within 30 days.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify you through the app or via the email address associated with your account. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

For questions, concerns, or requests related to this Privacy Policy, contact us at support@todosai.net.

This policy applies to the ToDo's AI iOS application and the website at todoai.uk.