
Privacy Policy

Last updated: March 5, 2026

Hi there! We're iziDo — a small team building a task manager Chrome extension for couple-preneurs and small teams. We believe your data is your data, period. This policy explains what we collect, why, and how we keep it safe. We've tried to keep it human-readable, but it's still a legal document, so it covers all the important bits.

Table of Contents

  1. Who We Are
  2. What Data We Collect
  3. How We Collect Your Data
  4. Why We Collect It (Legal Bases)
  5. How We Use Your Data
  6. Where Your Data Lives
  7. Who We Share Data With
  8. How Long We Keep Your Data
  9. Your Rights
  10. Chrome Extension Permissions
  11. Children's Privacy
  12. Security Measures
  13. International Data Transfers
  14. Third-Party Links
  15. Changes to This Policy
  16. How to Contact Us

1. Who We Are

iziDo ("we", "us", "our") is the developer and operator of the iziDo Chrome extension and the website at izido.app. We're a small indie team — not a big corporation — and we treat your trust seriously.

For any privacy-related questions, you can reach us at: hello@izido.app

2. What Data We Collect

We believe in collecting the minimum amount of data needed to make iziDo work. Here's exactly what we collect:

2.1 Account Information (Sync Mode Only)

If you choose to enable sync, we collect:

  • Email address — used for authentication and account identification.
  • Display name — auto-filled from your email or manually set by you. Used to identify you to your teammates.
  • Avatar URL — optional. A link to your profile picture if you choose to set one.
  • Password — stored as a cryptographic hash (never in plain text). We cannot read your password.

2.2 Task & Project Data

The core of what iziDo does — your tasks and projects:

  • Task content — titles, descriptions, completion status, priority levels, tags, colors, and scheduled dates.
  • Project information — names, colors, website URLs, member roles, and daily standup preferences.
  • Collaboration data — project membership, roles (owner, editor, viewer), and team member assignments.

In Local Mode: All task and project data stays on your device. Nothing is sent to any server. We literally can't see it.

In Sync Mode: Data is stored on Supabase servers to enable real-time sync between team members.

2.3 Usage & Behavioral Data

  • Timestamps — when tasks are created, updated, or completed. This powers features like timeline views.
  • TapTap Nudge interactions — when you nudge a teammate about a task, a record of which task and when.
  • Notification preferences — your quiet hours settings, badge alert preferences, and weekend mode choices.

2.4 Technical Data

  • Authentication tokens — JWT tokens stored locally in your browser's extension storage to keep you signed in.
  • Rate-limiting records — local counters that prevent brute-force login attempts (stored only on your device).

2.5 What We Do NOT Collect

Just as important as what we collect is what we don't:

  • We do not track your browsing history, visited URLs, or browsing habits.
  • We do not read or access the content of any web page you visit.
  • We do not use any analytics, tracking pixels, or fingerprinting.
  • We do not serve ads or sell your data. Ever.
  • We do not collect device identifiers, IP addresses, or geolocation data.
  • We have no Google Analytics, Mixpanel, Sentry user tracking, or any third-party analytics service.

3. How We Collect Your Data

Data comes to us through a small number of clearly defined channels:

  • Directly from you — when you create an account, set up a profile, create tasks, or configure settings.
  • Automatically via the extension — timestamps are generated when you interact with tasks. Auth tokens are created when you sign in.
  • Through collaboration — when someone adds you to a project, a membership record is created.

We do not collect data from third parties, data brokers, or public sources.

4. Why We Collect It (Legal Bases)

Under GDPR and similar regulations, we need a legal basis for processing your data. Here's ours:

Data | Legal Basis | Purpose
Email & password | Contract performance | Creating & securing your account
Tasks & projects | Contract performance | Providing the core service you signed up for
Display name & avatar | Legitimate interest | Identifying you to your teammates in collaborative projects
Nudge interactions | Legitimate interest | Enabling the TapTap notification feature
Notification settings | Consent | Respecting your preferences for how and when we notify you
Auth tokens | Contract performance | Keeping you securely signed in

5. How We Use Your Data

We use your data exclusively for making iziDo work and making it better:

  • Provide the service — syncing tasks, managing projects, and enabling collaboration between team members.
  • Authentication — signing you in, managing sessions, and securing your account.
  • Real-time features — delivering TapTap nudge notifications and syncing task updates via WebSocket.
  • Notifications — showing Chrome notifications for nudges and badge counts for tasks due today (respecting your quiet hours).
  • Access control — enforcing project roles (owner, editor, viewer) so only authorized people can modify data.
  • API access — if you create API tokens, processing authorized requests to your data.

We do not use your data for profiling, targeted advertising, automated decision-making, or anything beyond delivering the iziDo service.

6. Where Your Data Lives

6.1 Local Mode (Default)

When you use iziDo in local mode, all your data stays on your device. It's stored in your browser's extension storage (chrome.storage.local). No server is involved, no data leaves your computer, and we have zero access to it.

6.2 Sync Mode

When you enable sync, your data is stored on Supabase — an open-source backend platform. Specifically:

  • Data is stored in a PostgreSQL database hosted by Supabase.
  • All data in transit is encrypted with TLS 1.2+ (HTTPS and WSS connections).
  • Data at rest is encrypted via Supabase's infrastructure.
  • Access is protected by Row Level Security (RLS) — database-enforced policies that ensure you can only access your own data and projects you're a member of.

6.3 Client-Side Storage

Regardless of mode, certain data is stored locally in your browser for performance and functionality:

  • Authentication session tokens (encrypted)
  • Your notification preferences
  • Cached nudge interaction state
  • Rate-limiting counters for security

No task content or project data is cached locally in sync mode — it's always fetched fresh from the server.

7. Who We Share Data With

We keep the circle very small. Here's exactly who can see your data:

7.1 Your Teammates

If you join or create a project with other people, those team members can see the tasks, project details, and your display name / avatar within that project — based on their role (owner, editor, or viewer). This is the whole point of collaboration.

7.2 Infrastructure Provider: Supabase

In sync mode, your data is processed by Supabase as our data processor. Supabase provides database hosting, authentication, and real-time sync. They are contractually bound to process your data only as we instruct and in compliance with applicable data protection laws.

7.3 Nobody Else

We do not sell, rent, license, or otherwise share your personal data with:

  • Advertisers or ad networks
  • Data brokers
  • Analytics companies
  • Social media platforms
  • Any other third parties for their own purposes

7.4 Legal Requirements

We may disclose your data if required by law, legal process, or governmental request. If this ever happens, we'll notify you unless we're legally prohibited from doing so. We will challenge any request we believe is overbroad or unlawful.

7.5 Business Transfers

If iziDo is ever acquired, merged, or otherwise involved in a business transition, your data may be transferred as part of that transaction. We'll notify you before your data becomes subject to a different privacy policy.

8. How Long We Keep Your Data

  • Active accounts: We retain your data for as long as your account is active.
  • Deleted accounts: When you delete your account, we delete all associated personal data, tasks, and project data within 30 days. Some anonymized, aggregated data may be retained for operational purposes.
  • Local mode data: Stored on your device. Deleted when you uninstall the extension or clear extension data.
  • API tokens: Deleted when you revoke them or delete your account.
  • Backups: Database backups may retain deleted data for up to 90 days before being purged.

9. Your Rights

You have strong rights over your data, regardless of where you live. Here's what you can do:

9.1 Under GDPR (EU/EEA Residents)

  • Right to access — request a copy of all data we hold about you.
  • Right to rectification — correct any inaccurate personal data.
  • Right to erasure ("right to be forgotten") — request deletion of your data.
  • Right to restrict processing — limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time.
  • Right to lodge a complaint — file a complaint with your local data protection authority.

9.2 Under CCPA/CPRA (California Residents)

  • Right to know — what personal information we collect and why.
  • Right to delete — request deletion of your personal information.
  • Right to opt out of sale — we don't sell your data, but you have this right regardless.
  • Right to non-discrimination — we won't treat you differently for exercising your rights.
  • Right to correct — correct inaccurate personal information.
  • Right to limit use of sensitive personal information — we collect minimal sensitive data and only for service functionality.

9.3 Under UK GDPR

UK residents have the same rights as under the EU GDPR, enforced by the Information Commissioner's Office (ICO).

9.4 Under Brazil's LGPD

Brazilian residents have rights to access, correction, anonymization, deletion, information about sharing, and the right to revoke consent.

9.5 Under Australia's Privacy Act

Australian residents have the right to access their personal information and request corrections. You can also complain to the Office of the Australian Information Commissioner (OAIC).

9.6 How to Exercise Your Rights

Email us at hello@izido.app with your request. We'll respond within 30 days (or sooner). We may need to verify your identity before processing certain requests.

10. Chrome Extension Permissions Explained

Our extension requests the following browser permissions. Here's exactly why:

Permission | Why We Need It
sidePanel | Displays the iziDo task manager in your browser sidebar. This is how the whole app works.
storage | Saves your authentication session, notification settings, and nudge state locally on your device.
tabs | Opens the timeline view in a new browser tab and manages tab-related features.
notifications | Shows Chrome system notifications when a teammate nudges you about a task (TapTap feature).
audioCapture | Powers the optional voice input feature for creating tasks hands-free.
Host: *.supabase.co | Connects to Supabase servers for data sync, authentication, and real-time collaboration (sync mode only).

We do not request permissions to read webpage content, access your browsing history, or intercept network traffic. The extension runs entirely within its own sandboxed side panel and background script.

11. Children's Privacy

iziDo is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we've collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at hello@izido.app.

12. Security Measures

We take security seriously. Here's how we protect your data:

  • Encryption in transit — all communications use TLS 1.2+ (HTTPS and WSS protocols).
  • Encryption at rest — database storage is encrypted via Supabase infrastructure.
  • Password hashing — passwords are cryptographically hashed; we never store or see plain-text passwords.
  • Row Level Security (RLS) — database-enforced access control ensures users can only access their own data and authorized projects.
  • JWT authentication — signed tokens with automatic expiry and refresh.
  • API token security — API tokens are SHA-256 hashed server-side. The original token is shown only once at creation.
  • Rate limiting — brute-force protection on authentication endpoints (5 attempts per 5 minutes).
  • Content Security Policy — strict CSP headers prevent code injection in the extension.
  • Scoped API access — API tokens have granular scopes (read, write, delete) and project-level restrictions.

No system is 100% secure. If you discover a security vulnerability, please report it to hello@izido.app and we'll address it urgently.

13. International Data Transfers

Supabase may host data in various regions. If your data is transferred outside your country of residence, we ensure it's protected by appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.

If you'd like to know which region your data is stored in, contact us and we'll let you know.

14. Third-Party Links

Our extension and website may contain links to third-party services (e.g., GitHub, Chrome Web Store). We are not responsible for the privacy practices of these services. We encourage you to read their privacy policies before providing them with your personal data.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we'll:

  • Update the "Last updated" date at the top of this page.
  • Post a notice in the extension for significant changes.
  • For major changes affecting how we use your data, we'll email affected users (sync mode) at least 14 days before the changes take effect.

Continued use of iziDo after changes constitutes acceptance of the updated policy.

16. How to Contact Us

Got questions, concerns, or just want to say hi? We'd love to hear from you:

  • hello@izido.app
  • github.com/idmtr/iziDo

We aim to respond to all privacy inquiries within 30 days.

TL;DR: Your data is yours. We collect the minimum needed to make iziDo work. We don't sell it, we don't track you, and in local mode we literally can't see it. If you ever want it deleted, just ask.
