Privacy Policy
Last Updated: December 28, 2025
Our Privacy Commitment
TL;2DO is built with a privacy-first architecture. We believe your data belongs to you, and we've designed our app to minimize data collection while maximizing your control.
- Local-First Processing: Your data stays on your device
- No Cloud Sync: We don't store your messages on our servers
- No Tracking: Zero analytics or telemetry unless you opt in
- Your Keys, Your Data: You control your own API credentials
- Encrypted Storage: Credentials secured with platform-native encryption
1. Data Controller
2. Data We Collect
2.1 Data Stored Locally on Your Device
The following data is stored only on your device and is never transmitted to our servers:
- Email/Chat Credentials: Your IMAP passwords and API tokens for Slack, Discord, Chatwork, Jira, Trello, and Redmine are stored in encrypted secure storage (iOS Keychain / Android KeyStore)
- AI API Keys: Your Google Gemini API key is stored in encrypted secure storage
- Profile Configurations: Connection settings, schedules, filters, and preferences
- Analysis Results: AI-generated summaries, extracted tasks, and thread data
- Message Content: Fetched emails and chat messages for local processing
2.2 Data Transmitted to Third-Party Services
When you use TL;2DO, the app connects directly to third-party services using your own credentials:
- Email Providers: Your email content is fetched via IMAP directly from your email server
- Chat Platforms: Messages are fetched directly from Slack, Discord, Chatwork, etc. using their APIs
- Google Gemini API: Message content is sent to Google's AI service for analysis using your personal API key
Important: These transmissions occur directly between your device and the third-party service. Original Device LLC does not receive, store, or have access to this data.
2.3 Data We Do NOT Collect
- We do not collect your email content or chat messages
- We do not collect your credentials or API keys
- We do not collect analytics or usage telemetry (unless you opt in)
- We do not collect device identifiers for tracking purposes
- We do not collect location data
3. Purpose and Legal Basis for Processing
4. Data Retention
- Local App Data: Retained on your device until you delete it or uninstall the app
- Analysis History: Free tier: 3 days; Premium: 30 days (configurable, stored locally)
- Support Correspondence: Retained for up to 2 years for quality assurance
- Subscription Records: Managed by Apple App Store / Google Play per their policies
You can delete all local data at any time by clearing app data or uninstalling the app.
5. Your Rights Under GDPR
As a data subject, you have the following rights:
Right of Access
Request a copy of personal data we hold about you.
Right to Rectification
Request correction of inaccurate personal data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Restrict Processing
Request limitation of processing in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent.
Right to Lodge a Complaint
File a complaint with a supervisory authority.
To exercise any of these rights, please contact us at tl2do@tl2do.com. We will respond within 30 days.
6. Third-Party Services
TL;2DO integrates with the following third-party services. When you connect these services, their respective privacy policies apply:
- Google Gemini API: Google Privacy Policy
- Apple App Store: Apple Privacy Policy (for iOS subscriptions)
- Google Play: Google Privacy Policy (for Android subscriptions)
For chat and email platforms (Slack, Discord, Gmail, etc.), you connect using your own credentials. We do not have access to your accounts or data on these platforms.
7. International Data Transfers
When you use the Google Gemini API, your message content may be transferred to Google's servers, which may be located outside your country of residence, including in the United States.
Google provides appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs) where required. For more information, see Google's data transfer frameworks.
Note: Original Device LLC does not transfer your personal data internationally, as we do not collect or store your personal data on our servers.
8. Data Security
We implement industry-standard security measures to protect your data:
- Encrypted Storage: Credentials and API keys are stored using iOS Keychain (AES-256) and Android KeyStore (hardware-backed encryption)
- Secure Connections: All network communications use TLS/HTTPS encryption
- Local Processing: Sensitive data processing occurs on your device, not on external servers
- No Plain Text Storage: Passwords and tokens are never stored in plain text
- Autofill Protection: Sensitive input fields are protected from autofill services on Android
9. Children's Privacy
TL;2DO is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately at tl2do@tl2do.com, and we will take steps to delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last Updated" date
- Displaying an in-app notification when significant changes occur
We encourage you to review this policy periodically. Continued use of the app after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions about this Privacy Policy or your personal data, or wish to exercise your rights, please contact us:
Original Device LLC
Address: 4-3-25 Nishi-tenma, Kita-ku, Osaka city, OSAKA, Japan
Email: tl2do@tl2do.com
Phone: +81 6-7506-9455
Website: tl2do.com
If you are an EU resident, you also have the right to lodge a complaint with your local Data Protection Authority.