← Back to HES gTasks

Privacy Policy

Last updated: July 10, 2026

This Privacy Policy explains how HES gTasks ("we", "us", "the Service"), operated by Henry Enterprises and Services, LLC, handles your information when you use gtasks.henry.enterprises.

1. Information we access

When you sign in with Google, we request the following OAuth scopes:

2. How we use it

We use the information solely to provide the features of HES gTasks to you: rendering your task lists, executing CRUD operations you initiate, scheduling recurring tasks you've configured, and exposing the same data to API or MCP clients you've authorized. We do not use your task content for advertising, analytics, AI training, or any purpose unrelated to the Service.

3. How we store it

Your Google OAuth refresh token is stored in our Postgres database, encrypted at rest using Fernet (AES-128-CBC with HMAC). Access tokens (short-lived) are stored unencrypted in the same database. We do not store the content of your Google Tasks; every task list and task view is fetched live from Google's API on demand.

The only task-related data we persist locally is recurrence rules you create (frequency, interval, weekday selection) — needed because Google's Tasks API does not expose recurrence natively.

4. With whom we share

We do not sell, rent, or share your information with third parties. Your data leaves our server only when:

You control which lists each API key can access via the per-key ACL.

5. Google API Services User Data Policy

HES gTasks' use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Your rights and how to exercise them

You may at any time:

7. Data retention

We retain your encrypted refresh token and account record until you delete your account in-app, or revoke access via Google. Inactive accounts with no API activity for 12 consecutive months may have their stored credentials deleted; you can sign in again to restore access.

8. Security

Refresh tokens are encrypted at rest. The Service runs over HTTPS only. API keys are stored as SHA-256 hashes — the raw value is shown once and not recoverable thereafter. We have not had a security incident affecting user data.

9. Changes to this policy

We may update this policy. If we make material changes affecting your data, we'll post a notice on the dashboard for 30 days before the change takes effect.

10. Operator

The Service is operated by:

Henry Enterprises and Services, LLC
408 Red Haw Rd
Dayton, OH 45405