PRIVACY POLICY

Last updated: February 2026

1. Information We Collect

Google Account Information: When you sign in with Google, we receive your email address, name, and profile picture. This is used to create and identify your account.

Tasks and Content: Tasks, domains, descriptions, and preferences you create within the Service are stored to provide functionality.

Google Calendar Data: With your permission, we access your Google Calendar events to display them alongside your tasks. If you enable calendar sync, we also create a secondary "Whendoist" calendar to sync your tasks to Google Calendar. We never modify or delete your personal calendar events.

Todoist Data: If you choose to import from Todoist, we access your Todoist tasks for a one-time import. We do not retain Todoist API credentials after the import is complete.

2. How We Use Your Data

  • To provide, maintain, and improve the Service
  • To display your calendar events alongside your tasks
  • To sync your tasks to Google Calendar (if you enable this)
  • To sync your task data across your own devices

We do not use your data for advertising, profiling, or analytics beyond basic service operation.

3. Google API Services User Data

Whendoist's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request the scopes necessary to provide the Service (calendar read, or calendar read-write if you enable sync)
  • We do not sell, lease, or share Google user data with third parties
  • We do not use Google user data for advertising or to build user profiles
  • Google OAuth tokens are encrypted at rest and only used to access the Google APIs on your behalf

4. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Railway. Google OAuth tokens are encrypted at rest using Fernet symmetric encryption.

Optional End-to-End Encryption: If you enable encryption, your task titles and descriptions are encrypted client-side before storage. We cannot read encrypted content, and we cannot recover your data if you lose your passphrase and passkey.

5. Data Sharing

We do not sell, trade, or share your personal data with third parties. Your data is only accessed by the following services as necessary to operate the Service:

  • Google APIs — authentication and calendar integration
  • Railway — application and database hosting
  • Sentry — error monitoring (no user content is sent, only error metadata)

6. Data Retention and Deletion

Your data is retained for as long as your account exists. You can delete your account and all associated data at any time from the Settings page. Account deletion is immediate and irreversible — all tasks, preferences, and stored tokens are permanently removed.

You can also revoke Whendoist's access to your Google account at any time via your Google Account permissions.

7. Cookies and Sessions

We use a session cookie to keep you signed in. We use a short-lived cookie during the Google OAuth flow (state parameter) to prevent cross-site request forgery. We do not use tracking cookies, third-party cookies, or analytics cookies.

8. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13.

9. Open Source

Whendoist is open source. You can audit exactly how your data is handled by reviewing the source code at github.com/aleksandr-bogdanov/whendoist.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated date. Continued use of the Service after changes constitutes acceptance of the revised policy.

11. Contact

For questions about this Privacy Policy, please contact alex@bogdanov.wtf.
