todolist.live

Privacy Policy

Last Updated: June 29, 2026

Our Privacy Promise

We believe privacy is a fundamental right. We collect only what's necessary to provide our service, we never sell your data, and you maintain full control over your information at all times.

Introduction

todolist.live ("we," "our," or "us") provides a simple todo list platform designed for AI assistants. This Privacy Policy explains how we collect, use, protect, and share your personal information when you use our service.

By using todolist.live, you agree to the collection and use of information in accordance with this policy.

What Information We Collect

Information You Provide

  • Email Address: Required for account creation and verification
  • Todo Lists & Items: The content you create through your AI assistant (lists, tasks, descriptions, due dates, priorities)

Information Automatically Collected

  • IP Address: Collected during registration for abuse prevention and security
  • User Agent: Information about the AI client creating your account (e.g., "Claude MCP")
  • Timestamps: When you create, update, or access your account and lists
  • API Usage: Basic request logs for rate limiting and abuse prevention

What We DON'T Collect

  • ❌ No cookies or tracking pixels
  • ❌ No analytics or behavioral tracking
  • ❌ No third-party advertising data
  • ❌ No social media connections
  • ❌ No payment information (the service is free)

How We Use Your Information

We use the collected information for the following purposes:

  1. Provide the Service: Store and manage your todo lists across AI conversations
  2. Account Security: Verify your email address and authenticate API requests
  3. Prevent Abuse: Detect and prevent spam, fraudulent accounts, and API abuse
  4. Service Communications: Send verification emails and important account notifications
  5. Legal Compliance: Comply with applicable laws and regulations

We will NEVER:

  • Sell or rent your personal information to third parties
  • Use your todo list content for advertising
  • Share your data with AI training datasets
  • Send marketing emails (we only send transactional emails)

How We Protect Your Information

Security Measures

  • Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest
  • Secure Infrastructure: Hosted on Cloudflare's globally distributed, secure infrastructure
  • API Key Authentication: Secure, cryptographically generated API keys for access control
  • Rate Limiting: Protects against brute force attacks and abuse
  • Minimal Access: Only you (via your API key) can access your data

Data Storage

Your data is stored in Cloudflare D1 databases, distributed across Cloudflare's global network. This ensures low latency and high availability while maintaining security.

How Long We Keep Your Information

Data Retention Schedule

  • Active Verified Accounts: Indefinitely (or until you delete your account)
  • Unverified Accounts: 10 days to verify, then account is locked
  • Locked Accounts: 30 days, then permanently deleted
  • Deleted Accounts: Immediately removed from active database
  • Backup Data: Removed within 30 days of deletion

Your Privacy Rights

You have the following rights regarding your personal information:

Right to Access

You can export all your data at any time through the export_account_data API call via your AI assistant. You'll receive a complete JSON file containing all your lists, items, and account information.

Right to Deletion

You can delete your account anytime through the request_account_deletion API call. We provide a 30-day grace period to cancel accidental deletions. After 30 days, all data is permanently removed.

Right to Rectification

You can update any of your todo lists or items through your AI assistant at any time.

Right to Data Portability

Your data export is provided in standard JSON format, making it easy to transfer to other services.

Right to Object

You can stop using the service at any time and request deletion of your data.

Third-Party Services

We use the following third-party services to operate todolist.live:

Cloudflare (Infrastructure & Email Delivery)

  • Purpose: Hosting, database, content delivery, and sending verification and notification emails
  • Data Shared: All service data (necessary for hosting), including your email address and verification tokens used to deliver emails
  • Privacy Policy: cloudflare.com/privacypolicy

All verification and notification emails are sent through Cloudflare's email infrastructure. We do not share your email address with any separate third-party email provider.

We do NOT use:

  • Google Analytics or any analytics services
  • Facebook Pixel or social media tracking
  • Advertising networks
  • AI training or data mining services

International Data Transfers

Your data may be processed in data centers around the world as part of Cloudflare's global network. We ensure appropriate safeguards are in place for international data transfers in compliance with GDPR and other privacy regulations.

Children's Privacy

todolist.live is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at [email protected].

GDPR Compliance (EU Users)

If you are located in the European Economic Area (EEA), you have additional rights under GDPR:

  • Lawful Basis: We process your data based on your explicit consent (providing your email)
  • Data Controller: todolist.live is the data controller for your personal information
  • EU Representative: Contact information available upon request
  • Right to Lodge Complaint: You can file a complaint with your local data protection authority

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We don't sell personal information, so no opt-out is necessary
  • Non-Discrimination: We won't discriminate against you for exercising your rights

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Updating the "Last Updated" date at the top of this policy
  • Sending an email notification for material changes
  • Posting a notice on our website

Your continued use of the service after changes become effective constitutes your acceptance of the revised Privacy Policy.

Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  1. Notify affected users within 72 hours of discovering the breach
  2. Provide details about what information was affected
  3. Explain what steps we're taking to address the breach
  4. Offer guidance on how to protect yourself

Questions About Privacy?

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Email: [email protected]
Data Protection Officer: [email protected]

© 2026 todolist.live