TaskMail

Privacy Policy

Last updated: March 22, 2026

1. Introduction

TaskMail (the "Service") is a Chrome extension that provides task management linked to emails in Gmail, among other features. This Privacy Policy describes information the Service obtains, generates, stores, or keeps on your device, and how it is handled.

2. Information We Obtain and Use

2.1 Account and authentication (Supabase)

  • Sign-in methods: One-time codes sent to your email address (magic links, etc.) or OAuth sign-in with a Google account (the method used depends on implementation).
  • Account-related information: User ID, email address, display name, profile image (if uploaded), and similar data. These are primarily managed on Supabase (authentication, database, and storage).
  • Team features: Workspace name, member roles, invitee email addresses, participation status, and related data.

2.2 In the browser (Chrome extension)

  • Chrome Identity: Used to obtain OAuth tokens for the Gmail API and for web authentication flows when signing in with Google.
  • Profile and Gmail matching: We compare the email address associated with the Chrome profile with the account shown in the Gmail tab so that Gmail integration does not run under the wrong account.
  • Local storage (e.g. chrome.storage): Session and auth tokens, the selected workspace ID, shared Gmail API consent state, caches mapping threads to message IDs, Gmail label ID caches, and similar data may be stored locally as needed for the Service to function.

2.3 Gmail and Google APIs (OAuth scope: https://www.googleapis.com/auth/gmail.modify)

Through the Gmail API, the Service may use data as described below (details may change as features are added).

  • Linking tasks and mail: Metadata such as thread ID, message ID, headers equivalent to the RFC Message-ID, and subject lines (for task titles and list display).
  • Inbox and related UI: Information needed to identify threads and messages.
  • Gmail labels: Creating and listing user labels under the TaskMail family, and applying or removing labels on threads (synced with states such as incomplete or complete).

The Service does not provide a feature to store full email bodies or to fetch them for the purpose of displaying body text to users. Gmail API responses may include thread or message summaries per Google's API behavior; the Service uses only what is needed for task management—identifiers, subjects, and label operations.

2.4 Tasks, logs, workspaces, etc. (server-side data)

On Supabase, data you enter or generate may include, for example:

  • Tasks (title, status, due date, category, including tasks not linked to email) and activity log text
  • Records for mail linking (message ID, thread ID, cached subject lines, etc.)
  • Workspaces, members, invites, snippets, and snippet groups
  • Billing-related workspace identifiers and Stripe customer IDs, etc., as implemented

2.5 Payments (Stripe and our billing server)

  • Payments: Paid plan signup, renewal, billing portal, and similar flows go through Stripe. Card numbers and other payment instrument details are processed by Stripe; our application servers are not designed to retain card numbers.
  • Billing API: In development this may use localhost; in production we connect over HTTPS to our own server hosted on Railway or similar to create checkout sessions, customer portal sessions, seat changes, and similar, sending auth tokens, workspace IDs, and related data as needed.

3. Purposes of use

  • Providing the Service (display, edit, and sync tasks, logs, categories, snippets, and workspaces)
  • Authentication, account security, and consistency between the Chrome profile and the Gmail account shown in the tab
  • Label sync in Gmail and linking mail to tasks
  • Paid plan signup, billing, and contract management (via Stripe and our billing server)
  • Bug fixes, support, and service improvement (as reasonably necessary)

4. Disclosure to third parties and processors

The Service uses the providers below; each provider's privacy policy and similar terms apply.

Provider                                    Main uses
Google                                      Sign-in (OAuth), Gmail API, Chrome Identity
Supabase                                    Authentication, database, file storage (e.g. avatar images)
Stripe                                      Payments, invoicing, subscription management
Our billing API server (e.g. on Railway)    Mediating billing flows such as creating Stripe sessions

Except where disclosure is required by law, we do not sell personal information to third parties beyond the scope of the arrangements above.

5. Where data is stored and security

  • Cloud data is stored primarily on Supabase and protected by access controls (including row-level security) and encrypted communication (HTTPS).
  • On-device data is stored using Chrome's storage mechanisms.
  • We apply reasonable technical and organizational measures to prevent unauthorized access, leakage, and loss.

6. Your rights

To request access, correction, deletion, or other handling of your data, please contact us through the Service's contact channel. We will respond within the scope permitted by applicable law.

7. Changes

This Privacy Policy may be updated when laws change or when we add or change features. Material changes will be announced on the Service or by other appropriate means.

8. Contact

For questions about this Privacy Policy or how we handle personal information, please contact us via the Contact page.
