Privacy Policy
Last Updated: January 31, 2026
When you use our services, you're trusting us with your information. We understand this is a significant responsibility and work hard to protect your information and put you in control.
By accessing or using 1Todo (the "Service"), you agree to this Privacy Policy and our Terms of Service. If you have any questions about this Privacy Policy, you can contact us.
1. Data Controller
1Todo is operated by [Your Company Name] ("we," "us," or "our"), acting as the Data Controller for your personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Contact Information:
- Email: privacy@1todo.app
- Address: [Your Business Address]
For EU residents, you may also contact our Data Protection Officer at dpo@1todo.app.
2. Information We Collect
2.1 Information You Provide to Us
Account Information
When you register for 1Todo, you voluntarily provide us with:
- Full name
- Nickname (optional)
- Email address
- Password (stored in hashed form only; we never store plain-text passwords)
Content Data
When you use our Service, you create and store:
- Projects (titles and descriptions)
- Tasks (titles, descriptions, deadlines, and priorities)
- Subtasks
2.2 Information We Collect Automatically
Technical Data
When you access our Service, we automatically collect:
- IP address (for rate limiting and security purposes)
- Browser type and version
- Device type and operating system
- Referring website (if applicable)
- Pages visited and features used
- Timestamps of your interactions
Authentication Data
- Session tokens (stored in cookies set with the Secure and HttpOnly attributes, so they are sent only over HTTPS and are not readable by page scripts)
- Google ID (if you choose to sign in with Google)
2.3 Information We Do NOT Collect
We do not collect:
- Location data
- Biometric data
- Financial or payment information (currently no paid features)
- Data from third-party sources without your explicit action
- Sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, health data, etc.)
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Rate limiting and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Service improvement and analytics | Legitimate interests (Art. 6(1)(f)) |
| Responding to your inquiries | Performance of a contract / Legitimate interests |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
We will always ask for your explicit consent before using your information for any purpose not covered in this Privacy Policy.
4. How We Use Your Information
4.1 To Provide Our Services
- Create and manage your account
- Enable you to create, organize, and manage projects and tasks
- Synchronize your data across devices
- Process and complete any requests you make
4.2 To Maintain and Improve Our Services
- Monitor service performance and uptime
- Troubleshoot issues you report to us
- Analyze usage patterns with anonymized data to improve user experience
- Develop new features and functionality
4.3 To Protect Our Services and Users
- Implement rate limiting to prevent abuse
- Detect and prevent fraud, security threats, and unauthorized access
- Enforce our Terms of Service
- Comply with legal obligations
4.4 To Communicate With You
We may use your email address to:
- Send essential service-related notifications
- Respond to your inquiries and support requests
- Notify you of significant changes to our Service or policies
We will never send you marketing communications without your explicit opt-in consent.
5. Data Sharing and Disclosure
5.1 We Do NOT Sell Your Data
1Todo will never sell, rent, or trade your personal data to any third party.
5.2 Third-Party Service Providers
We use the following GDPR-compliant third-party services to operate 1Todo:
| Service | Purpose | Data Processed |
|---|---|---|
| Supabase | Database hosting and authentication | Account data, content data |
All third-party processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance. We only share the minimum data necessary for these services to function.
5.3 Legal Requirements
We may disclose your information if required by law or if we believe in good faith that such action is necessary to:
- Comply with a legal obligation or valid legal process
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users or the public
5.4 Business Transfers
If 1Todo is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or uses of your personal data.
6. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States, where our service providers operate data centers.
For transfers of personal data from the European Economic Area (EEA) or United Kingdom to countries not deemed to provide adequate data protection:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
- We ensure our processors maintain appropriate technical and organizational safeguards
- We conduct Transfer Impact Assessments where required
7. Data Retention
7.1 Active Accounts
We retain your personal data for as long as your account remains active and as needed to provide you with our Services.
7.2 Deleted Accounts
Upon account deletion:
- Your personal data is removed from our production systems within 30 days
- Encrypted backups containing your data are retained for up to 90 days for disaster recovery purposes, after which they are permanently deleted
- Anonymized, aggregated data that cannot identify you may be retained indefinitely for analytical purposes
7.3 Specific Retention Periods
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Tasks and projects | Until account deletion + 30 days |
| Rate limit logs | 24 hours |
| Server access logs | 30 days |
| Backup archives | 90 days after account deletion |
7.4 Legal Retention
We may retain certain data for longer periods if required by law or to establish, exercise, or defend legal claims.
8. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data:
8.1 Right of Access (Article 15)
You have the right to request a copy of all personal data we hold about you. You can access most of this data directly through your Account Settings.
8.2 Right to Rectification (Article 16)
You have the right to correct inaccurate personal data. You can update your account information at any time through your Account Settings.
8.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data. You can delete your account through your Account Settings, or by contacting us directly.
8.4 Right to Restriction of Processing (Article 18)
You have the right to request that we limit how we use your personal data while we verify its accuracy or address your concerns.
8.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON). We provide data export functionality, or you can request an export by contacting us.
8.6 Right to Object (Article 21)
You have the right to object to processing of your personal data based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
8.7 Right to Withdraw Consent (Article 7)
Where we process your data based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights. For EU residents, the list of national authorities is published by the European Data Protection Board (EDPB Members page).
How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@1todo.app. We will respond to your request without undue delay and in any event within one month, as required by GDPR Article 12(3); for complex or numerous requests this period may be extended by up to two further months, in which case we will tell you within the first month. We may need to verify your identity before processing certain requests.
9. Data Security
We implement robust technical and organizational measures to protect your personal data:
9.1 Encryption
- Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- Data at Rest: Your data stored in our databases is encrypted using AES-256 encryption
- Passwords: Stored only as bcrypt hashes (bcrypt salts every hash and is deliberately slow to compute, which limits offline guessing if the database were ever exposed); we never store plain-text passwords
9.2 Access Controls
- Strict access controls limit employee access to personal data on a need-to-know basis
- Multi-factor authentication for administrative access
- Regular access reviews and audits
9.3 Infrastructure Security
- Row Level Security (RLS) policies in our database restrict every query to the rows owned by the authenticated user, so one user cannot read or modify another user's projects or tasks
- Rate limiting on authentication and API endpoints mitigates brute-force login attempts and request flooding (it limits, rather than eliminates, the effect of denial-of-service attacks)
- Regular security assessments and updates
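As an added illustration of the mechanism described above, not 1Todo's actual schema or policies and not code from this page, the following shows how per-user isolation is expressed in Supabase's Postgres with Row Level Security. The table name `tasks`, the `owner_id` column and the test user IDs are assumptions for the example; `auth.uid()` is Supabase's helper that reads the signed-in user's id from the request JWT.

```sql
-- Illustrative only: a hypothetical "tasks" table, not 1Todo's real schema.
-- In a real Supabase project owner_id would also reference auth.users (id);
-- the constraint is omitted here so the smoke test below runs without real users.
create table if not exists tasks (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null default auth.uid(),   -- defaults to the caller's own id
  title       text not null,
  created_at  timestamptz not null default now()
);

-- Without this line, policies are not enforced and any role with table
-- privileges (including "anon") can read every row.
alter table tasks enable row level security;
-- Apply the policies to the table owner as well. Note that superusers and
-- roles with BYPASSRLS (Supabase's service_role key) still bypass RLS, which
-- is why that key must never be shipped to the browser.
alter table tasks force row level security;

-- RLS is deny-by-default: with it enabled and no matching policy, no rows
-- are visible. Each policy grants exactly one operation scoped to the
-- caller's own rows.
create policy "tasks_select_own" on tasks
  for select to authenticated
  using (owner_id = auth.uid());

create policy "tasks_insert_own" on tasks
  for insert to authenticated
  with check (owner_id = auth.uid());    -- cannot create rows owned by someone else

create policy "tasks_update_own" on tasks
  for update to authenticated
  using (owner_id = auth.uid())          -- which existing rows may be targeted
  with check (owner_id = auth.uid());    -- and the row cannot be re-assigned to another user

create policy "tasks_delete_own" on tasks
  for delete to authenticated
  using (owner_id = auth.uid());

-- Smoke test, run as the project's postgres role in the SQL editor or psql.
-- auth.uid() reads the "sub" claim from request.jwt.claims, so impersonate
-- two constructed users by setting that claim locally to the transaction.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
  insert into tasks (title) values ('only user 1 should see this');
  select id, owner_id, title from tasks;   -- returns user 1's row only

  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000002","role":"authenticated"}', true);
  select id, owner_id, title from tasks;   -- returns no rows: user 2 cannot see user 1's task
  update tasks set title = 'tampered';     -- affects zero rows for the same reason
rollback;
```

The point of the separate `using` and `with check` clauses on the update policy is the edge case that matters for privacy: `using` alone would let a user target only their own rows but still rewrite `owner_id` to hand a task to (or hide it from) another account.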
9.4 Incident Response
In the event of a personal data breach:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to your rights and freedoms (GDPR Article 33)
- We will notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
- We maintain incident response procedures to detect, contain, and remediate breaches
10. Cookies and Similar Technologies
10.1 Essential Cookies
We use strictly necessary cookies for:
- Authentication: Cookies containing session tokens, set with the Secure and HttpOnly attributes, to keep you logged in
- Security: CSRF protection tokens
These cookies are essential for the Service to function and cannot be disabled.
10.2 What We Do NOT Use
We do not use:
- Advertising or tracking cookies
- Third-party analytics cookies (e.g., Google Analytics)
- Social media tracking pixels
10.3 Managing Cookies
You can manage cookies through your browser settings. However, disabling essential cookies will prevent you from using 1Todo's authenticated features.
11. Children's Privacy
1Todo is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16 years of age.
If we learn that we have collected personal data from a child under 16, we will take steps to delete that information as quickly as possible. If you believe we have collected information from a child under 16, please contact us immediately at privacy@1todo.app.
12. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal data.
13. Do Not Track Signals
Our Service does not currently respond to Do Not Track (DNT) signals. However, we do not engage in cross-site tracking, so your DNT setting makes no difference to how we process your data.
14. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: What personal information we collect and how we use it
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out of Sale or Sharing: We do not sell personal information or share it for cross-context behavioral advertising, so there is nothing to opt out of
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at privacy@1todo.app.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the "Last Updated" date at the top of this page
- We will not reduce your rights under this Privacy Policy without your explicit consent
- For significant changes, we will provide prominent notice (e.g., email notification or in-app banner)
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
General Inquiries: contact@1todo.app
Privacy-Specific Inquiries: privacy@1todo.app
Data Protection Officer: dpo@1todo.app
Mailing Address:
[Your Business Address]
We aim to respond to all inquiries within 30 days.
17. Summary of Key Points
| Topic | Summary |
|---|---|
| Data Collection | We collect only what's necessary: account info, content you create, and technical data |
| Data Selling | We never sell your personal data |
| Third Parties | Limited to essential service providers (Supabase) with strict DPAs |
| Security | AES-256 encryption, TLS, hashed passwords, rate limiting |
| Retention | Deleted within 30 days of account deletion; backups for 90 days |
| Your Rights | Access, rectification, erasure, portability, objection, and more |
| Cookies | Essential cookies only; no tracking or advertising |
| Children | Not for users under 16; we do not knowingly collect their data |
By using 1Todo, you acknowledge that you have read and understood this Privacy Policy.