Tododay

Legal

Last updated: 6 July 2026

Privacy policy

Tododay is a small, independent app. Our interest in your data begins and ends with making your todo list appear on your phone - there is no profiling, no personal targeting, and nothing sold. This page says plainly what we store, why, and the few limited exceptions below.

01Who we are

Tododay ("we") operates the Tododay app and this website. For anything related to your data, the data controller can be reached at [email protected]. Contacting us by email is the fastest way to exercise any of the rights below.

02What we collect

That is the complete list. No location data, no contact list, no device fingerprinting, and none of the above is ever used for profiling or personalised advertising.

03Why we process it

Your account and todo data is processed for exactly one purpose: providing the service you signed up for - keeping your account secure and your list in sync. In legal terms, that processing is necessary to perform our contract with you (providing the app) and to protect the service from abuse (our legitimate interest in rate-limiting and security). The website's anonymised analytics, where used, rest on our legitimate interest in understanding and promoting the app in general terms - never on singling you out.

04Where it lives

Your account and todos are stored on our own self-hosted server - not on a cloud platform's analytics-laden backend. The website and app sit behind Cloudflare for security and performance, and the website may use an analytics or ads provider like Google or Meta as described above. Beyond that, nothing personal is shared with, sold to, or processed by any third party.

05What we will never do

The only advertising we do is generic promotion of the app itself, using anonymised, aggregate analytics on this website - never anything drawn from your account.

06Security

Passwords are stored as bcrypt hashes. Session tokens are stored only as SHA-256 hashes, so a copy of the database cannot be used to hijack a session. Changing your password signs out every other device automatically. No security is perfect, but nothing we store is usable in plain form.

07Sessions

When you log in, you stay logged in on that device until you log out, change your password, or clear the app's data. We chose this deliberately: a personal todo app should not ask for your password every week.

08How long we keep it

Your account and todos are kept until you delete them. Deleting a todo in the app deletes it on the server too. Technical logs are short-lived and rotate automatically. If you ask us to delete your account, everything goes with it - the anonymised website analytics described above are never tied to an account in the first place, so there is nothing of yours left behind to keep.

09Your rights

Depending on where you live (for example under the GDPR), you have the right to access, correct, export, and erase your personal data, to restrict or object to its processing, and to complain to your local data-protection authority. With us it's simpler than that: email [email protected] from the address you signed up with and we will send you a copy of your data or delete your account - fully and promptly, no questions, no retention tricks.

10Children

Tododay is not directed at children under 13 (or the higher age your country requires), and we do not knowingly collect data from them. If you believe a child has created an account, write to us and we will remove it.

11Changes

If this policy ever changes in a way that matters, the date at the top changes with it and the app's store listing will say so. The spirit of it - your list is yours - will not change.

12Contact

Questions, worries, requests: [email protected]