Privacy Policy
1.About Todo
Todo is a personal task-management web app available at https://todo.motaz-abuelnasr.workers.dev/. This Privacy Policy describes the data Todo accesses when you connect your Google Calendar, and what happens to that data.
2.Information we receive from Google
When you connect your Google Calendar, Todo requests the read-only scope https://www.googleapis.com/auth/calendar.readonly. Through that scope Todo reads:
- Your calendar list (calendar names, IDs, and time zones).
- Event details for the calendars you choose to display: title, start and end times, location, and your own attendee response status (accepted, declined, tentative, needs-action).
Todo does not request, read, or have access to: event descriptions or attachments outside of what is needed to render the title, your contacts, your Gmail, your Drive, your Photos, your Workspace data, or any other Google service. Todo never writes to your calendar or any other Google product.
3.How we use your information
The events you've authorized are displayed alongside your todos in Todo's calendar view, so you can see your day at a glance and time-block tasks. Your calendar data is used only to render this view in your own browser. Todo does not analyze your calendar, build profiles, train models, generate advertising signals, or share insights with anyone.
4.How we store your information
Calendar events are fetched directly from Google's servers by the code running in your browser. They are cached only in your browser's localStorage on your own device.
Todo's server (a Cloudflare Worker hosted at the same domain) is used only as a proxy for the OAuth token exchange — exchanging your authorization code for an access token — so that Google's client_secret is never exposed to the browser. The server never receives, processes, logs, or stores your calendar events, event titles, attendees, or any other calendar content.
Todo has no database. If you clear your browser's site data for todo.motaz-abuelnasr.workers.dev, every cached event and every stored token is gone.
5.Sharing and disclosure
Todo does not sell, share, transmit, or transfer Google user data to any third party. There are no analytics services, no advertising SDKs, no telemetry endpoints, and no human reviewers — including the author — who can see your calendar data. Because the data never leaves your browser, there is nothing on a server for anyone to access.
6.Limited Use disclosure
Todo's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7.Data retention and deletion
You can delete your calendar data from Todo at any time, and you control retention entirely. You have three independent ways to do this:
- In Todo: open Settings → Calendar → Disconnect Google Calendar. This clears the access token, the refresh token, and every cached event from your browser.
- In your browser: clear site data for
todo.motaz-abuelnasr.workers.dev. This removes every trace of Todo, including all calendar caches and tokens. - In your Google Account: revoke Todo's access at https://myaccount.google.com/permissions. This invalidates every refresh token Todo holds and prevents any further calendar reads.
Because Todo never stores your data on any server, there is no separate deletion request to make to the author.
8.Security
OAuth tokens are stored only in your browser's localStorage. The OAuth token-exchange proxy uses HTTPS exclusively; the browser communicates with both Todo's proxy and Google's APIs over TLS. Because Todo has no server-side database, there is no remote credential store that can be breached.
The browser-only architecture also means that any compromise is bounded to your own device: an attacker would need access to your browser profile to obtain Todo's stored tokens, at which point your Google session is already at risk through any logged-in tab.
9.Children's privacy
Todo is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has connected a calendar to Todo, please contact us at the email below and we will remove any associated information.
10.Changes to this policy
We may update this Privacy Policy from time to time. Any material change will be reflected in the Effective date at the top of this page. Because Todo has no user accounts, we cannot notify you individually — checking this page is the canonical way to see the current version. Continued use of Todo after changes constitutes acceptance of the updated policy.
11.Contact
For privacy questions, deletion requests, or to report a concern, contact: motaz.abuelnasr@gmail.com.
Effective: 2026-05-06 · Contact: motaz.abuelnasr@gmail.com · See also: Terms of Service