
Privacy Notice

Last updated: April 11, 2026

Introduction

Todo4 is an AI-native task management platform operated by Panit Wechasil. This privacy notice explains what personal data we collect, how we use it, who we share it with, and what rights you have over your information.

This notice applies to everyone who uses Todo4, whether you access it through the web app, connect an AI agent, or simply visit our website.

Information We Collect

We collect the following types of information when you use Todo4:

  • Account information — your name and email address, provided during registration.
  • OAuth profile data — if you sign in with Google or Facebook, we store your profile picture URL so we can display your avatar in the app.
  • Task data — everything you create in Todo4, including task titles, descriptions, due dates, priorities, tags, subtasks, comments, and recurrence settings.
  • Agent connection metadata — when you connect an AI agent, we store the agent’s name, permission scope (read-only or full access), and registration date. We never store raw agent tokens — only secure hashes.
  • Usage and error data — we collect error reports and performance data through Sentry to keep the platform reliable. No personally identifiable information (such as your name, email, or task content) is included in these reports.

How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Todo4 service, including task management, agent connections, and calendar sync.
  • Authenticate your identity when you sign in, whether by email and password or through Google or Facebook.
  • Send transactional emails — including welcome emails, email verification, password resets, agent action notifications, weekly task summaries, overdue task reminders, and agent token expiry alerts.
  • Enforce free-tier usage quotas to keep the platform fair for all users.
  • Monitor and improve platform reliability, performance, and security.

We do not sell your personal data. We do not use your task content for advertising or marketing purposes.

Legal Basis for Processing (GDPR)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR to process your personal data:

  • Performance of a contract — to create and maintain your account, deliver the task management service, sync your data across devices, and send essential transactional emails such as email verification, password resets, and account notifications.
  • Legitimate interests — to keep the platform secure, prevent fraud and abuse, monitor errors and performance through Sentry, and improve the reliability of the service. We balance these interests against your privacy rights and only process the minimum data needed.
  • Consent — for optional features that you explicitly enable, such as Google Calendar sync. You can withdraw consent at any time by disabling the feature in Settings.
  • Legal obligation — where we are required by law to process or retain certain information, such as responding to lawful requests from authorities.

Third-Party Services

Todo4 relies on the following third-party services to operate:

  • Google and Facebook — for OAuth login and retrieving your profile picture. These providers only share the data you authorize during sign-in.
  • Email delivery service — to send transactional emails such as verification links, password resets, and notifications. Only your email address and the message content are shared.
  • Sentry — for error tracking and performance monitoring. No personally identifiable information is sent to Sentry.
  • Railway — our cloud hosting provider, which runs the application servers and database infrastructure.
  • Google Calendar — if you enable calendar sync, your task due dates are synced as events to your Google Calendar. This is optional and one-way (Todo4 to Google Calendar).

International Data Transfers

Todo4 is hosted on Railway’s cloud infrastructure, which may process and store data in the United States and other regions where Railway operates. If you access Todo4 from outside these regions — including from the European Economic Area, the United Kingdom, or other jurisdictions — your data will be transferred to and processed in those locations.

Where required by applicable law, we rely on appropriate safeguards for these transfers, including the European Commission’s Standard Contractual Clauses or equivalent legal mechanisms put in place by our subprocessors.

Data Retention

Your account data is retained for as long as your account is active.

When you delete a task, it enters a soft-delete state and is retained for up to one year before being permanently purged. This gives you a safety net for accidental deletions.

When you delete your account, all agent connections are revoked immediately. A 30-day grace period begins, after which all your data — including tasks, comments, agent connections, and account information — is permanently and irreversibly deleted.

Security Measures

We take the security of your data seriously and apply industry-standard protections:

  • Encryption in transit — all communication between your device and Todo4 is protected by HTTPS using TLS 1.2 or higher.
  • Password hashing — passwords are hashed with bcrypt at a strong cost factor; we never store plaintext passwords.
  • OAuth token protection — agent OAuth tokens are encrypted at rest using AES-256-GCM, and we only ever store hashed token references.
  • Session security — authentication sessions use httpOnly cookies that cannot be read by JavaScript, reducing the risk of token theft.
  • Monitoring — we monitor errors and anomalous activity through Sentry to detect and respond to potential incidents quickly.

No system can guarantee perfect security. If we ever become aware of a personal data breach that affects you, we will notify you and the relevant authorities as required by applicable law.

Children’s Privacy

Todo4 is not intended for children under the age of 13, and we do not knowingly collect personal data from anyone under 13. If you are a parent or guardian and believe your child has provided personal data to Todo4, please contact us and we will promptly delete the information.

Cookies

Todo4 uses two httpOnly session cookies for authentication: an access token and a refresh token. These cookies are essential for the service to work — they keep you signed in and secure your session.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. The only cookies Todo4 sets are strictly necessary for authentication.

Your Rights

You have the right to:

  • Access your data — all your tasks, agent connections, and profile information are viewable in the app at any time.
  • Export your tasks — download your tasks as a CSV file from the Settings page.
  • Export your full account data — download a complete JSON export of all your data from the Settings page.
  • Update your profile — change your name, email address, and timezone in Settings.
  • Delete your account — permanently remove your account and all associated data from Settings at any time.

Changes to This Notice

We may update this privacy notice from time to time to reflect changes in our practices, the services we offer, or applicable law. The “Last updated” date at the top of this page always reflects the most recent revision.

For material changes — such as new categories of data processing or new third-party services — we will notify you in advance through the app or by email, and where required by law we will ask you to review and re-accept the updated notice. We encourage you to review this page periodically.

Contact

If you have questions about this privacy notice or how your data is handled, please reach out to us at privacy@todo4.io.