Legal Documentation

Privacy Policy

We respect your data sovereignty. Learn how we collect, use, and safeguard your information.

Last Updated: November 2025

Overview

Your privacy is fundamental to the ZenToDo philosophy. We believe your workspace should be a sanctuary, free from surveillance and data exploitation. This policy outlines exactly what we collect, why, and how we protect it.

Commitment to Privacy

We are committed to transparency and your control over personal data. This policy complies with GDPR, CCPA, and other global privacy regulations. We do not sell your data.

Data Collection

We collect only what is necessary to provide our services:

Identity Data

  • Email address
  • Display name
  • Profile picture
  • Authentication provider ID

Workspace Data

  • Task titles & descriptions
  • Completion timestamps
  • Focus session duration
  • Quiz & Poll results

Telemetry & Performance

  • Device type & OS
  • Browser version
  • Crash reports
  • Page load metrics

Security Protocols

Encryption Standards

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption. Our database infrastructure is hosted in secure, SOC2 compliant data centers.

Database SecurityRow Level Security (RLS)
AuthenticationGoogle Email-Pass / JWT
BackupsDaily Encrypted Snapshots

Data Usage

We operate on a principle of data minimization. Your data is used strictly for:

Service Delivery

Syncing tasks across your devices.

AI Analysis

Optional processing for productivity insights (Groq/Llama).

Account Safety

Fraud detection and authentication.

Communications

Transactional emails (password reset, etc).

* Note: When using AI features, data is fleetingly processed by our AI partners (Groq, Moonshot AI, Google) to generate insights. Your data is NOT used to train their public models.

Integrations & Privacy

ZenToDo connects with a small set of trusted third-party services to power calendar sync, notifications, whiteboarding, payments, and AI features. We design these integrations with a strict "least access" philosophy and never sell or share your data for advertising.

Google Calendar

The Google Calendar integration is available on the Pro and Zen plans and uses OAuth 2.0. ZenToDo requests the minimum scope needed to read, create, update, and delete events that you choose to sync with your primary Google Calendar.

  • Accessed: event titles, descriptions, times, locations, and calendar metadata needed to load your upcoming Google events and manage task-linked events in your primary calendar.
  • Why: to display Google Calendar context inside ZenToDo views you open, and to create, update, or remove Google Calendar events when you enable manual sync or auto-sync for scheduled tasks.
  • Stored: OAuth credentials and basic calendar metadata are stored server-side in restricted Supabase tables and are not kept in browser-accessible storage. ZenToDo also stores task tags that link a synced task to its corresponding Google Calendar event.
  • Disconnect & revoke:disconnecting in ZenToDo stops future access from the app. You can also revoke ZenToDo in Google Account > Security. Task copies and stored event-link tags already saved in ZenToDo remain until you delete those tasks or delete your account.

Slack

Slack is used to deliver optional workspace notifications (for example when tasks are completed). Notifications are sent via a secure incoming webhook URL. We do not read your Slack messages or channels beyond the target destination you configure, and you can revoke access from your Slack workspace at any time.

Notion

The Notion integration uses OAuth 2.0. Access and refresh tokens plus workspace metadata are stored in restricted Supabase tables and are not exposed to other users or client-side code.

  • Accessed: shared database entries, linked page content, titles, metadata, and any whiteboard export content you explicitly send to Notion.
  • Why: to import Notion items into projects, provide Notion context to AI features you trigger, render linked-page embeds in notes, and create new Notion pages for whiteboard exports.
  • Stored: the OAuth credentials and workspace metadata needed to keep the connection alive, plus any imported tasks, linked Notion URLs, and exported content that become part of your ZenToDo workspace data.
  • Disconnect & delete: disconnecting from ZenToDo stops future Notion access. Removing ZenToDo from Notion cuts off Notion-side access immediately. Imported copies inside ZenToDo remain until you delete those items or delete your account.

Excalidraw & Whiteboard

Our visual whiteboard is powered by the open-source Excalidraw canvas and runs entirely in your browser. Whiteboard content is stored in ZenToDo only when you choose to save it; we do not send your drawings to any Excalidraw-hosted servers. Excalidraw is used under the MIT license, and we keep a copy of that notice in the repository documentation.

Payments & Subscriptions

Paid plans are processed through Dodo Payments. We do not store full card numbers or banking credentials on our servers; those are handled by Dodo as the payment processor. We store only subscription metadata (plan, billing period, status) and minimal transaction references needed for invoicing and fraud prevention.

Optional AI features may send snippets of your content to our AI providers (such as Groq, Moonshot, or Google) strictly for the purpose of generating responses. This data is not used to train public models, and we retain only what is necessary for usage accounting and abuse prevention.

Your Rights

01

Right to Access: Request a copy of all your data.

02

Right to Rectification: Correct inaccurate information.

03

Right to Erasure: Permanently delete your account and data.

04

Right to Portability: Export your tasks in JSON/CSV formats.

Contact

Have Questions?

Our Data Protection Officer is available to address any concerns regarding your privacy rights.