Privacy Policy

Effective Date: June 2, 2026

Last Updated: June 2, 2026

1. Introduction

XdoList ("we", "the app") is a task management application. We highly value your privacy, and this privacy policy explains how we collect, use, store, and protect your personal information.

            Please note:
            
                This app primarily processes local data and does not require user registration or uploading data to our servers. Sync features are only enabled when you actively configure third-party services.

2. Data We Collect

2.1 Data You Provide

Task Data:

Task title, description, priority, due date
Task category names and colors
Subtask relationships
Custom sort order
Reminder settings (time, recurrence rules)

Account Data (Optional):

If you use third-party sync (Supabase), your API URL and key are only stored locally on your device
We do not collect or store your third-party service login credentials

2.2 Automatically Collected Data

Device Identifier:

Device ID (used to identify device source during multi-device sync)
This ID is anonymized and not linked to your personal identity

Usage Data:

App crash logs (for improving app stability)
Operation timestamps (for sync conflict resolution)

We do NOT collect:

Geolocation
Contact information
Other app data on your device
Browsing history or network activity
Advertising identifiers (IDFA/AAID)
Personal identity information (name, email, phone, etc.)

3. Data Storage

3.1 Local Storage

All task data is stored locally in your device's database (SQLite) by default. We do not upload this data to our servers.

3.2 Sync Data

If you enable sync:

Supabase Sync: Data is stored in your own Supabase project, which we cannot access
Custom API Sync: Data is stored on your own deployed server

3.3 Backup Data

The app supports creating local backup files stored on your device. You can export backup files to your chosen location (cloud storage, email, etc.) via system share functionality.

4. Data Usage

We use your data only for the following purposes:

Core functionality: Task management, reminders, categories, sorting
Multi-device sync: Sync task status across your devices
Conflict resolution: Auto-merge based on timestamps when multiple devices edit the same task
App improvement: Anonymous crash reports help us fix bugs

We will NOT:

Sell your data to third parties
Use your data for advertising
Use your data for AI training
Use your data beyond the stated purposes

5. Data Security

5.1 Transmission Security

All network communication uses HTTPS/TLS encryption by default
If you enable "Allow insecure connections" (for internal network dev/testing only), HTTP communication will not be encrypted

5.2 Local Security

Database password (if configured) is only used for database initialization and can be cleared anytime
The app uses standard OS file system permissions to protect data

5.3 Diagnostic Export

Sync and error diagnostic exports are automatically anonymized
Exported files do not contain task titles, descriptions, or other original content
Only IDs, status, hashes, timestamps, and other metadata are included

6. Data Retention & Deletion

6.1 Retention Period

Active data: Retained indefinitely until you actively delete it
Deleted tasks: Removed from database after 30 days (soft delete mechanism)
Operation logs: Retained for 90 days for sync conflict troubleshooting
Backup files: Maximum 5 historical versions, old versions auto-cleaned

6.2 Your Right to Delete

You can at any time:

Delete individual tasks or all tasks
Clear app data (via system settings)
Uninstall the app (deletes all local data)
Revoke sync service authorization

7. Third-Party Services

This app may use the following third-party services (only when you actively configure them):

Service	Purpose	Data Type
Supabase	Data Sync	Task data, Device ID
Custom API	Data Sync	Task data, Device ID

These third-party services have their own privacy policies. We recommend reviewing the privacy policies of the relevant service providers.

8. Children's Privacy

This app is not directed at children under 13. We do not knowingly collect personal information from children. If you discover that a child has provided personal information to us, please contact us and we will promptly delete such information.

9. Policy Changes

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. Significant changes will be communicated via in-app notifications.

10. Contact Us

If you have any questions or suggestions about this privacy policy, please contact us:

Email: privacy@xdolist.com
GitHub Issues: https://github.com/xdolist/todolist/issues

11. Permissions

This app requires the following system permissions:

Notifications: Send task reminder notifications (optional)
Network: Sync data to your configured third-party services (only when sync is enabled)
Local Network (iOS): Connect to custom sync servers on local network (optional)

All permissions are optional. Denying permission will not affect the app's core local functionality.

Statement: XdoList is a privacy-respecting app. Your data belongs to you. We only provide tools to help you manage your data and do not own, analyze, or sell your personal information.