Privacy Policy
Last updated: April 27, 2026
The short version
ToDidIt collects only what’s needed to run a task manager: your email, your tasks, and your projects. Your data is stored on Supabase, scoped to your account by Row Level Security. We use a small set of analytics tools to understand how the product is used. We don’t sell your data. You can export or delete everything you’ve created at any time.
What we collect
When you use ToDidIt we collect:
- Account information. The email you sign in with, plus your display name and avatar URL if you sign in with Google.
- Content you create. Projects, tasks, and their associated metadata (names, descriptions, due dates, priorities, phases).
- Usage data. Pages viewed, actions taken, and standard server log data (IP address, user agent, request timestamps).
- Cookies. An auth-session cookie to keep you signed in, and a small theme-preference cookie to remember your light/dark choice across visits.
How we use it
The data we collect is used to:
- Operate the product (sign-in, store your tasks, etc.).
- Understand usage patterns and improve the product.
- Communicate with you about your account or service updates.
- Investigate and prevent abuse.
We don’t sell your personal information, and we don’t share it with third parties for their marketing purposes.
Where it’s stored
Your account, projects, and tasks are stored on Supabase, hosted on AWS. The application is deployed on Vercel. Both are SOC 2 Type II–compliant infrastructure providers.
Row Level Security policies on the database ensure that every query is scoped to the authenticated user — no account can read or write another account’s data.
Analytics tools
We use the following third-party services to understand usage and improve the product. Each handles your data under its own privacy policy:
- Google Analytics 4 — page views and aggregated usage metrics.
- Microsoft Clarity — anonymized session replays and heatmaps to help us spot UX issues.
- PostHog — product event tracking (e.g., “project created”, “task completed”).
You can opt out of these by enabling “Do Not Track” in your browser, by using standard ad-blockers, or by signing out before browsing.
Authentication providers
When you sign in with Google, we receive your email address, name, and profile picture URL from Google’s OAuth response. We don’t access your other Google data.
When you sign in with email magic link, we send a one-time code to the address you provide. The address is stored as your account identifier.
Your rights
You can at any time:
- Export your data as a JSON file from the user menu (Export data).
- Delete a project from its settings page (cascades to all tasks).
- Delete your account by emailing us (see contact below). Account deletion is permanent and removes everything you’ve created.
EU/UK users have additional rights under GDPR (access, rectification, erasure, portability, restriction, objection). California residents have rights under CCPA. Contact us to exercise any of these.
Data retention
Active account data is retained for as long as your account exists. After account deletion, content is permanently removed within 30 days. Server logs are retained for up to 90 days for operational and security purposes.
Children
ToDidIt is not directed at children under 13 (or 16 in the EU/UK), and we do not knowingly collect data from them. If you believe a child has signed up, contact us and we’ll remove the account.
Changes to this policy
When we update this policy, we’ll change the “Last updated” date at the top. Material changes will be communicated via email to active users.
Contact
Questions about this policy or your data? Email [email protected].