Legal
Last updated: 6 July 2026
Privacy policy
Tododay is a small, independent app. Our interest in your data begins and ends with making your todo list appear on your phone - there is no profiling, no personal targeting, and nothing sold. This page says plainly what we store, why, and the few limited exceptions below.
01Who we are
Tododay ("we") operates the Tododay app and this website. For anything related to your data, the data controller can be reached at [email protected]. Contacting us by email is the fastest way to exercise any of the rights below.
02What we collect
- Your email address - used only to sign you in and, if you write to us, to reply.
- Your password - stored only as a bcrypt hash. We cannot read it, and neither could anyone who copied our database.
- Your display name - optional, only if you choose to set one, used only to greet you inside the app.
- Your todos - the text, status (done, missed, staged) and timestamps of your tasks, so they can sync between the app and the server.
- Basic technical data - like any server, ours briefly processes your IP address to deliver responses and to rate-limit sign-in attempts. Traffic to the app and this website passes through Cloudflare, which sees the same kind of anonymised network-level data as part of keeping things fast and secure. None of it is used to build a profile of you.
- Anonymised website analytics - this marketing website may use a tool such as Google Analytics or Meta's pixel, aggregated and anonymised, to see roughly how many people visit and to run general "come try Tododay" ads. It is never linked to your account or your todos, never used to target you personally, and never present inside the app itself.
That is the complete list. No location data, no contact list, no device fingerprinting, and none of the above is ever used for profiling or personalised advertising.
03Why we process it
Your account and todo data is processed for exactly one purpose: providing the service you signed up for - keeping your account secure and your list in sync. In legal terms, that processing is necessary to perform our contract with you (providing the app) and to protect the service from abuse (our legitimate interest in rate-limiting and security). The website's anonymised analytics, where used, rest on our legitimate interest in understanding and promoting the app in general terms - never on singling you out.
04Where it lives
Your account and todos are stored on our own self-hosted server - not on a cloud platform's analytics-laden backend. The website and app sit behind Cloudflare for security and performance, and the website may use an analytics or ads provider like Google or Meta as described above. Beyond that, nothing personal is shared with, sold to, or processed by any third party.
05What we will never do
- Sell your personal data or your todos to anyone.
- Use your account, your todos, or how you use the app to target ads at you.
- Build a personal profile of you or track you individually across the web.
- Email you anything except replies to messages you send us.
The only advertising we do is generic promotion of the app itself, using anonymised, aggregate analytics on this website - never anything drawn from your account.
06Security
Passwords are stored as bcrypt hashes. Session tokens are stored only as SHA-256 hashes, so a copy of the database cannot be used to hijack a session. Changing your password signs out every other device automatically. No security is perfect, but nothing we store is usable in plain form.
07Sessions
When you log in, you stay logged in on that device until you log out, change your password, or clear the app's data. We chose this deliberately: a personal todo app should not ask for your password every week.
08How long we keep it
Your account and todos are kept until you delete them. Deleting a todo in the app deletes it on the server too. Technical logs are short-lived and rotate automatically. If you ask us to delete your account, everything goes with it - the anonymised website analytics described above are never tied to an account in the first place, so there is nothing of yours left behind to keep.
09Your rights
Depending on where you live (for example under the GDPR), you have the right to access, correct, export, and erase your personal data, to restrict or object to its processing, and to complain to your local data-protection authority. With us it's simpler than that: email [email protected] from the address you signed up with and we will send you a copy of your data or delete your account - fully and promptly, no questions, no retention tricks.
10Children
Tododay is not directed at children under 13 (or the higher age your country requires), and we do not knowingly collect data from them. If you believe a child has created an account, write to us and we will remove it.
11Changes
If this policy ever changes in a way that matters, the date at the top changes with it and the app's store listing will say so. The spirit of it - your list is yours - will not change.
12Contact
Questions, worries, requests: [email protected]