Privacy & Cookie Policy

Last updated: 16 April 2026

Contents

Who we are
What data we collect
How we use your data
Legal basis for processing
Cookies & local storage
End-to-end encryption
Subscriptions & payments
Third-party services
Admin access
Data retention
Your rights
Data security
Children's privacy
Changes to this policy
Contact

1. Who we are

ToDoodle is a personal productivity application for managing tasks, notes, and boards. When this policy refers to "ToDoodle", "we", "us", or "our", it means the operator of the ToDoodle service. When it says "you" or "your", it means you, the user.

2. What data we collect

2.1 Account data

When you create an account, we collect:

Email address — used as your unique login identifier.
Password — we never store your plaintext password. It is hashed using bcrypt before storage.

2.2 Content you create

The core data you produce while using ToDoodle:

Tasks — title, description, date, time, recurrence settings, tags, colour, completion status, and sort order.
Notes — title, content, date, colour, tags, pin status, and sort order.
Boards — title and visual board content (shapes, text, images, connectors).

If you enable end-to-end encryption (see Section 6), the text fields of your tasks, notes, and boards are encrypted in your browser before being sent to our server. The server only stores ciphertext and cannot read your content.

2.3 Session & device data

When you log in, we create a session record that includes:

Device name — a general label derived from your browser's User-Agent string (e.g. "Mac", "iPhone", "Windows"). We do not store the full User-Agent string.
IP address — stored alongside the session for security purposes (e.g. reviewing active sessions).
Timestamps — when the session was created and when it was last active.

2.4 Push notification data

If you opt in to push notifications, we store:

Your browser's push subscription endpoint URL.
Encryption keys provided by your browser for delivering notifications (p256dh and auth keys).
Your selected timezone (so notifications can be sent at relevant times).

Push notifications are entirely optional and require your explicit consent.

2.5 Two-factor authentication data

If you enable two-factor authentication (2FA), we store:

A TOTP secret key (used to verify your authenticator app codes).
Backup codes (stored as bcrypt hashes — we cannot see the plaintext codes after generation).

2.6 Subscription & billing data

ToDoodle is offered with a 7-day free trial, after which continued use of sync and premium features requires a paid subscription (£36/year). If you start a subscription, we store the following references to enable and manage your subscription:

A Stripe customer identifier (e.g. cus_xxx) linking your ToDoodle account to your billing record at Stripe.
A Stripe subscription identifier (e.g. sub_xxx) and the current subscription status (such as active, past_due, or canceled).
A flag indicating whether premium access has been granted to your account manually by an administrator (used for complimentary access).

We do not store or have access to your payment card details. All payment information (card number, expiry, billing address, etc.) is collected and stored directly by Stripe, our payment processor, on their PCI-DSS-compliant systems. See Section 7 for details about Stripe.

2.7 Account status

For administrative and security purposes, we store two flags on your account:

An admin flag (only set on accounts explicitly designated by us) — allows an account to access the admin panel.
A suspension flag — if set, prevents login and disables sync. Suspension is only used in rare cases, such as violation of our terms of use, and is reversible.

2.8 What we do NOT collect

We do not use analytics or tracking services.
We do not store your payment card details — these are handled entirely by Stripe (see Section 7).
We do not track your behaviour across other websites.
We do not use advertising cookies or pixels.
We do not build user profiles for marketing purposes.

3. How we use your data

Purpose	Data used
Providing the service (sync tasks, notes, and boards across your devices)	Account data, content you create
Authenticating you and keeping your account secure	Email, password hash, session token, IP address, device name
Managing your free trial and determining whether you have premium access	Account creation date, subscription identifiers, subscription status, override flag
Processing payments and managing subscriptions	Email (shared with Stripe), Stripe customer and subscription identifiers
Delivering push notifications you have opted into	Push subscription data, timezone
Verifying your identity with two-factor authentication	TOTP secret, backup code hashes
Enforcing account suspension where required	Suspension flag, email
Diagnosing server errors	User ID and error message (logged temporarily in server error logs)

We do not use your data for advertising, profiling, or any purpose other than those listed above.

4. Legal basis for processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases:

Legal basis	Applies to
Performance of a contract (Art. 6(1)(b))	Account registration, data synchronisation, subscription management, processing payments, and all core functionality — these are necessary to provide the service you signed up for.
Consent (Art. 6(1)(a))	Push notifications — you explicitly opt in, and can revoke consent at any time by disabling notifications.
Legitimate interest (Art. 6(1)(f))	Session management (IP address, device name), account suspension enforcement, and server error logging — necessary to maintain security and diagnose issues, balanced against minimal privacy impact.
Legal obligation (Art. 6(1)(c))	Retention of billing and transaction records by our payment processor (Stripe) to meet tax, accounting, and anti-fraud requirements.

5. Cookies & local storage

5.1 Cookies

We use a single, strictly necessary cookie:

Name	Purpose	Type	Duration
`noodle_token`	Keeps you logged in by identifying your authenticated session.	Strictly necessary (first-party)	90 days

This cookie is set with the HttpOnly, Secure, and SameSite=Lax flags. It is not accessible to JavaScript and is only sent over HTTPS.

We do not use advertising, analytics, or any other third-party cookies on the ToDoodle website itself.

Stripe cookies: When you click "Subscribe" or "Manage subscription", you will be redirected to pages hosted by Stripe (our payment processor). Those pages set their own cookies to process your payment securely, detect fraud, and remember your billing session. These cookies are set by Stripe and governed by Stripe's cookie policy. They are only set on Stripe-hosted pages, not on ToDoodle.

5.2 Local storage

ToDoodle uses your browser's local storage to provide offline functionality and improve performance:

Key	Purpose
`weekflow_data`	Local cache of your tasks, notes, and settings so the app works offline.
`noodle_last_sync_at`	Timestamp of the last successful sync with the server.
`noodle_current_view`	Remembers whether you last viewed the Tasks or Notes screen.
`noodle_board_*`	Cached board content for each board you've opened.
`noodle_dek`	Your data encryption key (only present if you enable end-to-end encryption). This key never leaves your browser.
`noodle_sync_user`	Basic session state (whether you are logged in).

All local storage data is cleared when you log out. Local storage is not shared with any third party.

5.3 Service worker cache

A service worker caches static application files (HTML, CSS, JavaScript, fonts) so the app loads quickly and works offline. API responses containing your data are never cached by the service worker.

6. End-to-end encryption

ToDoodle offers optional end-to-end encryption. When enabled:

A Data Encryption Key (DEK) is generated randomly in your browser.
The DEK is wrapped (encrypted) using a key derived from your password via PBKDF2 with 600,000 iterations of SHA-256.
Only the wrapped (encrypted) DEK is stored on our server. We never have access to your password-derived key or the DEK itself.
All task text, note content, note titles, tags, and board content are encrypted with AES-256-GCM in your browser before being sent to the server.
A recovery key is generated so you can regain access if you forget your password. You are responsible for storing this key safely.

Important: If you enable encryption and lose both your password and recovery key, your data cannot be recovered — by you or by us.

Metadata that is not encrypted includes: dates, timestamps, completion status, sort order, colour, note type, and sync identifiers. This metadata is necessary for the application to function (sorting, filtering, syncing) without decrypting your content.

7. Subscriptions & payments (Stripe)

Paid subscriptions to ToDoodle are handled by Stripe, Inc., our third-party payment processor. Stripe is a PCI-DSS-compliant payment service provider.

7.1 What Stripe receives from us

When you subscribe, we send the following to Stripe:

Your email address (used as your customer identifier in Stripe).
A reference identifier for your ToDoodle account (numeric user ID, stored as metadata).
The price or product identifier you are subscribing to.

7.2 What Stripe collects directly from you

When you check out or manage your subscription, you interact with pages hosted by Stripe. On those pages Stripe collects and stores:

Your payment card details (card number, expiry, CVC).
Your billing name and address.
Fraud-prevention data Stripe uses to verify the legitimacy of the transaction (this may include device and IP information).

ToDoodle never sees, receives, or stores your payment card details. This data lives exclusively within Stripe's systems.

7.3 What we receive back from Stripe

After a successful payment, Stripe notifies our server (via a secure webhook) of:

Your Stripe customer and subscription identifiers.
The status of your subscription (active, past due, canceled, etc.).
Payment success or failure events (to keep your access up to date).

We do not receive or store your card details or full billing address via these webhooks.

7.4 Stripe's privacy policy

Stripe acts as a joint controller / independent data controller for the information it collects from you directly during checkout. Their handling of that data is governed by their own privacy policy: stripe.com/privacy.

7.5 Trials, overrides, and cancellation

New accounts include a 7-day free trial during which no payment information is required. If you do not subscribe before the trial ends, sync and premium features are paused, but your local data remains accessible. You can cancel your subscription at any time from the Stripe-hosted customer portal, accessible via Settings. Cancellation takes effect at the end of your paid period.

Administrators may also manually grant premium access to specific accounts without a Stripe subscription (e.g. for complimentary or promotional access). In this case no payment data is involved.

8. Other third-party services

8.1 Google Fonts

We load typefaces from Google Fonts (fonts.googleapis.com and fonts.gstatic.com). When your browser requests these fonts, Google may receive your IP address and standard HTTP request headers. Google's privacy policy applies to this data: policies.google.com/privacy. Font files are cached by the service worker after the first load, reducing subsequent requests to Google.

8.2 Web push services

If you enable push notifications, your browser's built-in push service (operated by Google, Apple, or Mozilla, depending on your browser) acts as an intermediary to deliver notifications to your device. We send an encrypted notification payload to the push service endpoint; the push service cannot read the content. The push service operator's own privacy policy governs their handling of delivery metadata.

8.3 No other third parties

Apart from Stripe (see Section 7), Google Fonts, and browser push services, we do not share, sell, or transfer your data to any other third party. There are no analytics providers, advertising networks, or external APIs integrated into ToDoodle.

9. Admin access

A small number of designated administrator accounts can access an admin panel used to operate the service. Through this panel an administrator can see, for every registered user:

Email address.
Account creation date and most recent login date.
The number of tasks and notes stored on the account.
Current premium status (whether premium is active via Stripe subscription, via manual override, or via the free trial).
Whether the account is currently suspended.

Administrators cannot read the contents of your tasks, notes, or boards through the admin panel. If end-to-end encryption is enabled on your account, administrators (like all server operators) also cannot read your content through any other means.

Administrators can perform the following actions on accounts:

Grant or remove manual premium access (an override that does not involve Stripe).
Suspend or reinstate an account (a suspension prevents login until reversed).
Delete an account and all its synced data (this action is irreversible).

These actions are logged in the database. Admin access is granted only to personnel required to operate the service.

10. Data retention

Data	Retention period
Account data (email, password hash)	Retained until you delete your account.
Tasks, notes, and boards	Retained until you delete them. Optionally, the auto-archive feature can automatically delete completed tasks and old notes after a period you choose (6 months to 3 years).
Sessions	Automatically deleted 90 days after creation, or when you manually revoke them.
Push subscriptions	Retained until you disable notifications or the subscription endpoint becomes invalid.
Subscription identifiers (Stripe customer / subscription IDs, status)	Retained while your account exists. Deleting your ToDoodle account removes these references from our database; the underlying billing records held by Stripe are retained by Stripe under their own retention policy (typically several years for tax and anti-fraud purposes).
Server error logs	Retained according to the hosting provider's log rotation policy (typically 14–30 days).

11. Your rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access — You can view all your data within the app. You can also export a complete copy of your data (tasks, notes, boards, and settings) as a JSON file from Settings.
Right to rectification — You can edit any of your tasks, notes, or account details at any time.
Right to erasure — You can delete individual items, bulk-delete old data, or delete your entire account (and all synced data) from within the app in Settings. For billing records held by Stripe, contact us (see Section 15) or Stripe directly.
Right to data portability — The export feature provides your data in a structured, machine-readable JSON format. Notes can also be exported individually or in bulk as Markdown files.
Right to restrict processing — You can disable cloud sync and use ToDoodle entirely offline with local storage only (by not creating an account or by logging out). You can cancel your subscription at any time via the Stripe customer portal.
Right to withdraw consent — Where processing is based on consent (push notifications), you can withdraw it at any time by disabling notifications in the app or your browser settings.
Right to object — You may object to processing based on legitimate interest by contacting us.
Right to lodge a complaint — You have the right to lodge a complaint with your local data protection supervisory authority.

12. Data security

We take the following measures to protect your data:

Passwords are hashed with bcrypt and never stored in plaintext.
Session tokens are 256-bit cryptographically random values.
The session cookie is HttpOnly, Secure, and SameSite=Lax.
A strict Content Security Policy (CSP) prevents cross-site scripting and unauthorised resource loading.
Rate limiting is applied to login, registration, and password change endpoints to prevent brute-force attacks.
CSRF protection is enforced on all state-changing API requests.
Optional end-to-end encryption (AES-256-GCM) ensures the server cannot read your content.
Two-factor authentication (TOTP) is available for additional account security.
HTML output is sanitised with DOMPurify to prevent injection attacks.
Payment card details are never handled by ToDoodle — they are collected and stored exclusively by Stripe on their PCI-DSS-compliant systems.
Stripe webhook requests are verified using a shared signing secret to ensure authenticity.

13. Children's privacy

ToDoodle is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us so we can delete it.

14. Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we make material changes to how we process your data, we will notify you through the app. Your continued use of ToDoodle after a policy update constitutes acceptance of the revised terms.

15. Contact

If you have questions about this policy, wish to exercise your data protection rights, or need to request account deletion, please contact us at:

Email: contact@todoodle.co