Privacy Policy

Last updated: March 24, 2026

1. Introduction

TODOčko is designed with privacy as a priority. Thanks to local-first architecture and end-to-end encryption, we have minimal access to your data.

The data controller is Ing. Michal Bernát, Company ID: 88341178, registered at Habrová 1542/11, 693 01 Hustopeče (hereinafter "Controller").

2. Data We Process

2.1 App data (encrypted)

Your tasks, projects, and all app content are encrypted with your backup phrase. This means:

  • Data is readable only by you and persons you share your backup phrase with
  • The Operator cannot read your data even under a court order
  • Only encrypted data is transmitted during synchronization

2.2 Technical data during sync

If you use device synchronization, we process:

  • IP address (to facilitate communication)
  • Synchronization timestamps
  • Technical device identifiers (anonymized)

This data is processed on the basis of legitimate interest for service delivery and is retained only for as long as necessary.

2.3 Payment data

When purchasing a paid plan, we process:

  • Email address (for communication and invoicing)
  • Billing details (name, address, Company ID for businesses)
  • Payment history

We do not store payment card details – payments are processed through secure payment gateways (Stripe).

3. Purposes of Processing

  • Service delivery: Synchronizing data across devices
  • Contract performance: Processing payments and managing subscriptions
  • Legitimate interest: Ensuring security and preventing abuse
  • Legal obligations: Accounting and tax records

4. Cookies and Local Storage

TODOčko uses:

  • Local storage (Local Storage, IndexedDB): For storing your encrypted data and app settings. This is essential for the local-first architecture to function.
  • Technical cookies: For website functionality (e.g., theme preference)

We do not use tracking cookies, third-party analytics, or advertising systems.

5. Gmail Integration (Pro/Enterprise)

Pro and Enterprise users can optionally connect their Gmail account to automatically create tasks from emails.

Data we process

  • OAuth2 refresh token: Encrypted (AES-256-GCM) and stored on the sync server. Used to access Gmail to read emails with the specified label.
  • Email metadata: Subject, sender, date – only from emails with the user-selected label. This data is converted into a task and stored encrypted in the user's Evolu database.
  • Email body: HTML content is used as the task description. It goes through sanitization (removal of scripts and dangerous content).

Permissions we use

  • gmail.readonly: Reading emails with the specified label
  • gmail.modify: Relabeling processed emails (removing the label, adding a "Processed" label)

We do not use permissions to send emails, delete emails, or access contacts.

Disconnecting

Users can disconnect Gmail integration at any time in their profile. Upon disconnection, the refresh token is immediately deleted from the server. Users can also revoke access directly in Google account settings.

6. Sharing Data with Third Parties

Data sharing exceptions

  • Payment gateways (Stripe): For processing payments
  • Infrastructure providers: Sync servers (encrypted data only)
  • Google (Gmail API): When Gmail integration is active – read and relabeling access only, for emails with the user-selected label
  • Government authorities: Only when required by law

We never sell your data or share it for marketing purposes.

7. Data Retention

  • Encrypted data: For as long as you actively use it, or until you delete it
  • Technical logs: Maximum 30 days
  • Billing data: 10 years (legal requirement)
  • Email communication: 3 years from last contact

8. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights.

Your GDPR rights

  • Right of access: You can request information about data being processed
  • Right to rectification: You can correct inaccurate data
  • Right to erasure: You can request deletion of your data
  • Right to data portability: You can export your data (feature available in app)
  • Right to restriction of processing: In certain cases
  • Right to object: Against processing based on legitimate interest

Important: Due to E2E encryption, you have full control over your data directly in the app. You can export or delete it at any time without contacting us.

9. Data Security

Security measures in place

  • End-to-end encryption: Your data is encrypted on your device
  • HTTPS: All communication is encrypted
  • Backup phrase: 24 words as a cryptographic key (BIP-39)
  • Data minimization: We only process necessary data

10. Children

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we discover we have collected data from a child, we will delete it immediately.

11. Changes to This Policy

We may occasionally update this policy. We will notify you of significant changes by email (if we have your address) or via an in-app notification.

12. Contact

To exercise your rights or for questions regarding data protection, contact us:

You also have the right to lodge a complaint with the supervisory authority – Office for Personal Data Protection (www.uoou.cz).