Privacy Policy

Todopus Software ("Todopus", "we", "us") builds a native macOS menu bar app for capturing tasks and viewing your calendar. This policy explains what we collect, why, and what choices you have. We designed Todopus to need as little of your data as possible.

The short version

• Your tasks are stored locally on your device by default. If you sign in, an encrypted copy is synced through our backend so you can use Todopus on multiple devices.
• Calendar and GitHub data is read directly from the providers you connect. We do not re-share or sell it.
• OAuth tokens are encrypted at rest with AES-256-GCM.
• We do not sell personal data, ever.

Information we collect

Account information

If you sign in, we receive your name, email, and a provider account ID from Google or GitHub. We use this to create your account and identify you across devices.

Task and project content

Tasks, subtasks, projects, notes, attachments, and screenshots you create in Todopus. If sync is enabled this content is transmitted over TLS and stored in our database to deliver it back to your other devices.

Connected services

With your permission, Todopus reads from Google Calendar, Apple Calendar (via EventKit, on-device only), Outlook Calendar, and GitHub Projects v2. We store the minimum metadata required to display these items in the app and to call the providers on your behalf.

Diagnostic data

Anonymous crash reports and performance metrics, only when you opt in. These never include task content.

How we use information

• To operate, sync, and improve the Todopus apps.
• To authenticate you and connect to third-party services you authorize.
• To respond to your support requests.
• To detect, prevent, and address abuse or technical problems.

How we share information

We do not sell your personal information. We share data only with:

• Infrastructure providers that host our backend and run our application (Encore, our cloud hosting partners, and transactional email).
• Providers you explicitly connect (Google, Apple, Microsoft, GitHub) — and only the requests you initiate.
• When required by law, after reviewing the request and challenging it where appropriate.

Security

Data in transit is protected with TLS. OAuth tokens are encrypted at rest using AES-256-GCM. Access to production systems is restricted and logged. No system is perfectly secure, but we work to keep yours safe.

Data retention

Synced data is kept while your account is active. When you delete your account, we delete your synced data within 30 days. Local data on your device is yours to manage; uninstalling Todopus removes it.

Your rights

You can access, export, correct, or delete your data at any time. Email hello@todopus.com and we'll respond within 30 days. Depending on where you live, you may have additional rights under the GDPR, UK GDPR, or CCPA — those rights apply.

Children

Todopus is not directed to children under 13. We do not knowingly collect data from them.

International transfers

Our infrastructure is hosted in the United States and the European Union. By using Todopus you consent to your data being processed in those regions.

Changes to this policy

We'll post any changes here and, for material changes, notify you in the app or by email. Your continued use of Todopus after the update constitutes acceptance.

Contact

Questions? Email hello@todopus.com.