todos.md

Privacy Policy

Effective May 11, 2026.

1. Data we process

When you use todos.md we collect the information needed to run the service:

  • Account information — email address, display name, and authentication credentials.
  • Usage data — task activity, API calls, run timestamps, and response metadata.
  • Run data — inputs, logs, and outputs from hosted runs, stored to deliver results back to the workspace.
  • Billing data — plan selection, payment method tokens (processed by our payment provider), and invoicing records.
  • Device and access logs — IP address, browser or CLI user-agent, and request logs for security and debugging.

2. Local-first boundary

The open source todos tools remain local-first. The hosted service only receives data that users submit to todos.md, send through authenticated APIs, import, upload as run artifacts, or authorize through connected billing and email workflows.

3. How we use it

  • Deliver, maintain, and improve the todos.md platform.
  • Process billing and enforce plan limits.
  • Generate aggregated, anonymized analytics to improve product quality.
  • Detect and prevent abuse, fraud, and security incidents.
  • Communicate service updates, billing notices, and support responses.

4. Billing and subprocessors

We do not sell your data. We share information only with:

  • Service providers — infrastructure hosts, payment processors, and monitoring tools that help us run the platform, bound by data processing agreements.
  • Legal obligations — when required by law, court order, or to protect the rights and safety of our users.

5. Retention and deletion

Run inputs and outputs are retained only as long as needed for debugging, result retrieval, legal obligations, and the retention settings of the workspace. Account and billing data are retained for the duration of your account plus any period required by tax and financial regulations.

6. Cookies and tracking

The todos.md website uses a single localStorage key for theme preference. We do not use third-party tracking cookies or advertising pixels. Server-side logs record standard HTTP request metadata.

7. Security

We use TLS encryption in transit, encrypt sensitive data at rest, enforce access controls on internal systems, and conduct regular security reviews. No system is perfectly secure — if you discover a vulnerability, contact us at [email protected].

8. Your rights

You may request access to, correction of, or deletion of your personal data at any time by emailing [email protected]. We will respond within 30 days. If you delete your account, we remove your personal data except where retention is required by law.

9. Changes

We may update this policy. Material changes will be communicated via email or an in-product notice at least 14 days before they take effect.

10. Contact

Questions about this policy? Email [email protected].

bun install -g @hasna/todos