1. Introduction
Task Chat ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how our web application handles your data when you use our service to interact with Todoist tasks, Google Calendar events, and OpenAI's services.
Important: Task Chat is designed with privacy as a core principle. We do not collect, store, or transmit any of your personal data to our servers. All data is stored locally in your browser.
2. Information We Do NOT Collect
Task Chat does NOT collect, store, or have access to:
- Your API keys (OpenAI, Todoist, or any other service)
- Your Google account credentials or OAuth tokens
- Your Apple Calendar credentials or app-specific passwords
- Your chat history or conversations
- Your Todoist tasks or project data
- Your Google Calendar events or settings
- Your Apple Calendar events or calendar settings
- Any personal information you enter into the application
- Usage analytics or tracking data
3. How Your Data is Stored
All application data is stored exclusively in your browser using secure, encrypted storage:
🔒 Enhanced Security
All sensitive credentials are encrypted using AES-256-GCM encryption before being stored in your browser. Encryption keys are tied to your browser session, ensuring maximum security.
- API Keys (Encrypted): Your OpenAI and Todoist API keys are encrypted with AES-256-GCM and stored in your browser's IndexedDB. They are never transmitted to our servers in any form.
- Google OAuth (Encrypted): When you connect your Google account, the OAuth refresh token is encrypted with AES-256-GCM and stored securely in IndexedDB. Our server only facilitates the OAuth handshake and does not retain any credentials.
- Apple Calendar (Encrypted): Your Apple ID and app-specific passwords are encrypted with AES-256-GCM and stored in IndexedDB. Calendar connections are made via our server-side API routes to bypass browser CORS restrictions. Your credentials are passed securely in each request but never stored server-side.
- Chat History: All chat conversations are stored in your browser's localStorage and can be exported or deleted by you at any time.
- Settings: Application preferences (sidebar state, export folder paths) are stored in localStorage.
4. Third-Party Services
Task Chat integrates with the following third-party services. When you use these integrations, your data is sent directly from your browser to these services:
OpenAI API
Your chat messages are sent to OpenAI's API to generate responses. This communication happens through our server as a proxy, but we do not log or store these messages. Please review OpenAI's Privacy Policy for how they handle your data.
Todoist API
When you provide your Todoist API token, requests to view and manage your tasks are made directly from your browser to Todoist's servers. Please review Todoist's Privacy Policy.
Google Calendar API
When you connect your Google account, Task Chat requests the following permissions:
- View and manage your Google Calendar events
- Access is granted through OAuth 2.0 authorization
Your Google OAuth refresh token is stored locally in your browser. Calendar data is fetched on demand and not stored permanently. Please review Google's Privacy Policy.
⚠️ Google OAuth Verification Status: Task Chat is currently in test mode. When connecting your Google Calendar, you may see an "unverified app" warning. This is expected and safe. You can safely proceed by clicking "Advanced" and then "Go to task-chat-web.vercel.app (unsafe)" - despite the wording, your data remains secure and private as described in this policy.
Apple Calendar (CalDAV)
When you connect Apple Calendar, Task Chat uses server-side API routes to communicate with iCloud via the CalDAV protocol:
- Your browser calls our Next.js API routes, which then communicate with iCloud
- Your app-specific password is encrypted and stored only in your browser
- Credentials are passed in each request but never stored server-side
- Calendar data passes through your Next.js backend temporarily but is never logged or persisted
- All communications are encrypted using HTTPS/TLS
This architecture bypasses browser CORS restrictions while maintaining security. Please review Apple's Privacy Policy.
Vercel Analytics
We use Vercel Analytics for basic web analytics (page views, visitor count). This service is privacy-friendly and does not use cookies or collect personal information. Learn more at Vercel's Privacy Policy.
4A. Your Calendar Data Privacy
🔒 We Never See Your Calendar Events
Task Chat uses a privacy-first architecture. This means:
- Server-Side API Routes: Your browser calls our Next.js API routes, which communicate with Apple iCloud and Google Calendar. Calendar data passes through your self-hosted backend temporarily but is never stored or logged.
- No Third-Party Servers: We do not use external calendar aggregation services. Your calendar data only travels between your browser, your Next.js backend, and Apple/Google servers.
- Secure Credentials: Your passwords and OAuth tokens are encrypted and stored only in your browser using AES-256-GCM. Credentials are passed in each API request but never persisted server-side.
- Industry Standard: This is the same approach used by privacy-focused calendar applications like Fantastical, BusyCal, and other professional calendar tools.
How Calendar Sync Works
Calendar synchronization is handled by your calendar service providers (Apple iCloud, Google), not by Task Chat:
- Apple Calendar: Your Next.js backend uses the CalDAV protocol to communicate with iCloud on your behalf. Changes are synced by Apple across your devices.
- Google Calendar: Your browser uses Google's Calendar API with OAuth 2.0. Google handles synchronization across your devices.
- Task Chat's Role: We only facilitate the connection between your browser and these services. We never intercept or store the calendar data.
What We Store Locally (In Your Browser Only)
- Your calendar connection preferences (which calendars you've connected)
- Encrypted credentials (app-specific passwords, OAuth tokens) in browser storage
- Calendar sync settings and preferences
- Nothing else - no event data, no calendar content
5. Data Security
Since all your data is stored locally in your browser:
- Your data security depends on your browser's security and your device's security
- We recommend using a secure, up-to-date browser
- Be cautious about using Task Chat on shared or public computers
- You can clear all local data by clearing your browser's localStorage or using the app's delete functions
All communications between your browser and third-party APIs are encrypted using HTTPS/TLS.
6. Your Rights and Control
You have complete control over your data:
- Access: All your data is accessible through your browser's developer tools (localStorage)
- Export: You can export chat history as Markdown or JSON files at any time
- Delete: You can delete individual chat sessions, clear all data, or simply clear your browser's localStorage
- Revoke Access: You can disconnect Google Calendar access at any time through the app settings or your Google Account permissions page
7. Children's Privacy
Task Chat is not intended for children under 13 years of age. We do not knowingly collect information from children under 13. If you are under 13, please do not use this service.
8. International Users
Task Chat is hosted on Vercel's global infrastructure. Since all data is stored locally in your browser, no personal data is transferred to or stored on our servers. API requests to third-party services (OpenAI, Todoist, Google) may involve international data transfers as per those services' policies.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last Updated" date at the top of this policy. We encourage you to review this Privacy Policy periodically for any changes.
Summary: Your Privacy is Our Priority
Task Chat is built with a privacy-first architecture. We do not collect, store, or have access to your data. Everything stays in your browser. Your API keys, chat history, and all personal information remain under your complete control.
🔒 Calendar Privacy: Your calendar events and reminders connect directly from your browser to Apple and Google servers. We never see your calendar data - this is the same approach used by Fantastical and other privacy-focused calendar applications.