← Back to onmylist

Privacy Policy

Effective April 23, 2026

We try to collect as little as possible and be honest about what happens to what we do collect. This page tells you exactly that.

What we collect

• Account info: your email address (via Supabase Auth) and, if you use Google sign-in, your Google profile name and avatar.
• Your tasks: everything you type into onmylist — task titles, notes, dates, projects, subtasks, estimates, recurrence rules. Stored per-user; no other user can see it.
• Usage basics: anonymous analytics if enabled — page views, feature usage counts, no personal identifiers. We use a privacy-respecting analytics provider (Plausible) that doesn't set cookies or track individuals across sites.

What we don't collect

• Third-party advertising or remarketing cookies.
• Location data.
• Your contacts, calendar, or anything outside onmylist itself.
• We don't sell or rent your data to anyone, for any reason.

Third parties we share with

• Supabase — our database and authentication provider. Your tasks and account live on their infrastructure. Their privacy policy governs that data at rest.
• Anthropic — when you use "Break down" (the AI decomposition feature), the task's title and any notes are sent to Anthropic's API to generate subtask suggestions. Anthropic's commercial terms prohibit training on that data.
• Google — only if you choose Google sign-in. Google shares your profile with us (email, name, avatar). We never post or read anything else from your Google account.
• Plausible Analytics (if enabled) — anonymous page view and feature usage counts. No personal data.

Cookies and local storage

onmylist uses essential browser storage to keep you signed in and remember your preferences (theme, which view you had open). We don't use marketing or advertising cookies.

Your rights

• Export: download your tasks as Markdown from the command palette ("Export tasks").
• Delete: wipe every task, project, and subtask from Settings → Account → Delete all my data. This is immediate and permanent.
• Access: your tasks are always visible to you inside the app. If you want a raw data dump in another format, email us.

Data retention

We keep your data for as long as your account is active. When you delete your data from Settings, it's removed from the production database immediately; backups cycle out within 30 days.

Security

Data in transit is encrypted (TLS). Data at rest is stored encrypted by Supabase. Row-level security in the database means no other user of onmylist can read your tasks, even in theory. We can't read your data's contents at scale either — there's no internal tool for that.

Children

onmylist is not directed at children under 13. If you're a parent and believe your child has created an account, email us and we'll delete it.

International users

onmylist is operated from the United States. If you're using it from outside the US, your data is transferred to and stored in the US. GDPR and UK-GDPR rights (access, deletion, portability, objection) are available to all users regardless of location.

Changes to this policy

We'll update this document when practices change. Material changes are announced in-app. The "Effective" date at the top reflects the last update.

Contact

Privacy questions, data requests, or GDPR/CCPA requests: hello@onmylist.app.