Privacy Policy

Last updated: August 14, 2025

This Privacy Policy explains how Overtask ("we", "us", or "our") collects, uses, and protects your personal data when you use our Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

Interpretation and Definitions

Interpretation

Words with capitalized initial letters have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or plural.

Definitions

  • Account: A unique account created for you to access our Service.
  • Company: Overtask, referred to as "we", "us" or "our".
  • Country: Switzerland.
  • Personal Data: Any information relating to an identified or identifiable individual.
  • Service: The Overtask website (https://Overtask.com).
  • Service Providers: Third parties that process data on our behalf, including Convex (data storage), Clerk (authentication), Lemonsqueezy (payments), Vercel (hosting and analytics), and calendar providers (Google, Microsoft).
  • Usage Data: Data collected automatically from use of the Service (e.g., IP address, browser type).
  • You: The individual or entity using the Service.

What We Collect

Account and Profile

  • Email address and name (managed via Clerk; also stored in our database for account management).

Product Data

  • Tasks and Projects: Titles, descriptions, priorities, deadlines, estimates, completion status.
  • Preferences: Work schedules, time zones, duration preferences, blocked hours, notification settings.
  • Notification Data: In‑app notifications and their read/dismiss status.
  • Files: ICS calendar files you upload for import.

Calendar Integration Data

If you connect Google Calendar or Microsoft Outlook, we store:

  • Access and refresh tokens (OAuth credentials, stored server‑side only; never in browser cookies).
  • Webhook subscription data (channel/subscription IDs, resource IDs) for real‑time updates.
  • Sync tokens to incrementally synchronize changes.
  • Calendar metadata about which calendars you selected.

Tokens are stored in our database and are encrypted at rest. You can revoke access at any time by disconnecting the integration in Settings, which deletes stored credentials and webhook subscriptions.

Authentication is provided by Clerk (see Clerk's Privacy Policy), and storage is provided by Convex (see Convex's Privacy Policy).

Payment

We use Lemonsqueezy to process payments. Payment details are collected and processed by Lemonsqueezy; we do not store full card data. See Lemonsqueezy's Privacy Policy.

Usage and Analytics

  • Technical: IP address, device, OS, browser.
  • Analytics: Page views and feature usage via Vercel Analytics.
  • Security: Rate‑limit signals and access patterns to prevent abuse.

How We Use Data

  • Provide and improve the Service.
  • Authenticate users and manage accounts.
  • Schedule tasks and generate reminders automatically based on your preferences and calendar availability.
  • Process payments and manage subscriptions.
  • Secure the Service, including fraud prevention and rate limiting.
  • Communicate service updates. Marketing emails are sent only if you opt in.

We do not sell your Personal Data.

We do not use Google Workspace APIs or Microsoft Graph APIs to develop, improve, or train generalized AI/ML models.

Use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Cookies and Local Storage

  • Essential cookies only for authentication/session continuity.
  • No OAuth tokens in cookies: OAuth credentials are stored server‑side only.
  • No marketing cookies. If we add non‑essential cookies in the future, we will request consent and update this policy.

Security

  • Encryption at rest for sensitive credentials (e.g., OAuth tokens).
  • Access controls to restrict who can access production data.
  • PII‑safe logging: Error and debug logs automatically redact emails, tokens, and secrets.
  • Rate limiting to mitigate abuse and protect service stability.

Sharing of Personal Data

We share data with Service Providers only to operate the Service.

These providers are obligated by contract to protect your data and use it only for specified purposes.

International Data Transfers

Your data may be processed in countries outside your residence (including the EU and US) where our providers operate. We rely on appropriate safeguards offered by these providers and applicable legal mechanisms.

Automated Decision Making

We use automated algorithms to schedule tasks based on your inputs and calendar availability. You can adjust preferences to influence these outcomes.

Retention

  • Account data: For the duration of your account and a short period thereafter as necessary.
  • Tasks/projects: While your account is active or until you delete them.
  • Calendar credentials: Until you disconnect the integration or tokens expire.
  • Notifications and logs: Retained for limited periods for security and reliability.

Your Rights

Depending on your location (EEA under GDPR, Switzerland under FADP, California under CCPA/CPRA), you may have rights to:

  • Access and obtain a copy of your data (Data Export in Settings downloads a JSON export).
  • Request correction of inaccurate data.
  • Request deletion of your data (Delete Account in Settings performs a full data purge and revokes connected calendar tokens).
  • Object to or restrict processing for non‑essential purposes.
  • Data portability (receive your data in a usable format).
  • Withdraw consent where processing is based on consent.

CCPA/CPRA: You have the right to know, delete, and correct personal information and the right to non‑discrimination for exercising these rights. We do not sell your personal information.

To exercise your rights, use the in‑app controls in Settings or email us at contact@overtask-app.com.

Legal Bases (EEA/UK/CH)

  • Performance of a contract (to provide the Service).
  • Legitimate interests (security, fraud prevention, product improvement).
  • Consent (where required, e.g., marketing communications).

Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect data from children.

Changes to This Privacy Policy

We may update this policy from time to time. We will notify you by email or in‑app when material changes occur.

Contact Us

Questions or requests: contact@overtask-app.com.

© 2025 Overtask. All rights reserved.