Back to Home

Privacy Policy

Last updated: 3/4/2025

Introduction

MegaTask ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we handle your information when you use our email management service, emphasizing that most of your data remains on your own device.

Information We Handle

Server-Side Information

To connect your Google or Microsoft account and enable our service features, we securely store only the following information on our servers:

  • Authentication tokens (access and refresh tokens) provided by Google or Microsoft. These tokens allow us to securely access specific data you authorize, such as:
    • Google: Access to read email metadata and content (`gmail.readonly`), read calendar events (`calendar.readonly`), and basic profile information like your email address and name (`openid`, `profile`, `email`) for account identification.
    • Microsoft: Similar access for Outlook/Microsoft 365, typically involving scopes like `Mail.Read`, `Calendars.Read`, `User.Read` for account identification.
    These tokens are always encrypted both in transit (TLS 1.3) and at rest (AES-256).
  • Your basic account identifier used for MegaTask login (e.g., your email address).
  • Your subscription status and payment information (handled securely via Stripe, we do not store full card details).

You can revoke MegaTask's access at any time through your Google or Microsoft account settings. Disconnecting an account within MegaTask also removes the corresponding tokens from our servers.

Local Device Storage

The vast majority of your data is stored locally on your device using your browser's local storage capabilities (IndexedDB via Dexie.js). This includes:

  • Email metadata (sender, recipient, date, subject, etc.)
  • Tasks derived from emails or created by you
  • AI-generated email summaries
  • Calendar event information synced from your accounts
  • Application settings and preferences
  • Device information used for syncing between your own devices (if applicable)

This locally stored data is under your control and resides within your browser's secure storage. Clearing your browser's site data for MegaTask will remove this local information.

Transient Email Processing

To provide features like AI summaries, we process data obtained via the authorized Google/Microsoft APIs:

  • We temporarily process email content and attachments in memory on our secure servers only when you request a specific feature (e.g., generating a summary).
  • For AI features, this processing may involve sending the relevant email data (content or metadata) to a third-party service provider (e.g. OpenAI). We do not train our own models with this data. This data is not stored by us or the third party for training their models.
  • The original email content and attachments are **never** stored permanently on our servers after processing. The results (e.g., the summary) are sent back to be stored locally on your device.

All data transmitted between your device and our servers (like authentication tokens and transient emails) is encrypted using industry-standard TLS 1.3. Server-side tokens are encrypted at rest using AES-256.

How We Use Your Information

We use the Google and Microsoft user data we access solely to:

  • Provide, maintain, and secure our service (e.g., using tokens to connect to your email provider and fetch data for local display and processing).
  • Perform transient processing of email data via our servers or third-party APIs (like OpenAI) to generate summaries and insights requested by you.
  • Facilitate the storage and management of your emails, tasks, and calendar data locally on your device.
  • Communicate with you about account status, security, or service updates.

Data Security

We implement robust security measures:

  • Server-side storage is limited to essential, encrypted authentication tokens.
  • Transient email processing occurs on secure, memory-only infrastructure.
  • Data transmission is secured with TLS encryption.
  • Security of your locally stored data depends on the security of your device and browser environment.
  • Regular security audits and updates for our server infrastructure.
  • Strict access controls for server-side data (tokens).

Data Retention

We do not retain your email content on our servers beyond the transient processing required for AI features. Authentication tokens are retained server-side only as long as your account is active or until you disconnect an email account. Data stored locally on your device (emails, tasks, summaries) is retained until you clear your browser's site data or delete your account. Deleting your MegaTask account will remove your server-side tokens.

Data Sharing and Disclosure

We **do not** share, transfer, or disclose your Google or Microsoft user data (including emails, calendar events, or personal information obtained via APIs) with any third parties, except in the following limited circumstances:

  • With Service Providers for Specific Features: As described in the "Transient Email Processing" section, we may send necessary data (like email content) to third-party service providers (e.g., OpenAI) solely to perform a specific function you requested, such as generating an email summary. These providers are contractually obligated to handle data securely and are prohibited from using it for other purposes, including training their own models. The processed data is not retained by them or us after the task is complete.
  • For Legal Reasons: We may disclose information if required by law, regulation, legal process, or governmental request, but we will strive to provide notice to you unless prohibited by law.

Your data remains under your control, primarily stored locally on your device. We act as a processor for the data accessed via Google/Microsoft APIs, handling it according to your instructions within the app.

Use of Data for AI/ML Models

MegaTask **does not** use any user data obtained through Google Workspace APIs or Microsoft APIs (such as email content, calendar data, or personal information) to develop, improve, or train any generalized AI and/or machine learning models.

Our use of AI is limited to specific features like email summarization. For these features, we utilize third-party AI services (e.g., OpenAI). The data sent to these services is processed transiently solely for the purpose of providing the requested feature (e.g., generating the summary) and is not stored by us or used by the third party for training their models, as per their data usage policies. The resulting output (e.g., the summary) is returned to your device for local storage.

Your Rights

You have the right to:

  • Access, modify, or delete data stored locally on your device through the application interface or browser settings.
  • Request deletion of your account and associated server-side authentication tokens.
  • Correct inaccurate data stored locally.
  • Export your locally stored data.
  • Revoke MegaTask's access to your email accounts via your email provider's settings, and disconnect accounts within MegaTask (which deletes server-side tokens).

Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@megatask.app