Privacy Policy
Last updated: July 10, 2026
This Privacy Policy explains how HES gTasks ("we", "us", "the Service"), operated by Henry Enterprises and Services, LLC, handles your information when you use gtasks.henry.enterprises.
1. Information we access
When you sign in with Google, we request the following OAuth scopes:
openid— to identify you.../auth/userinfo.email— your email, used as your account identifier.../auth/userinfo.profile— your display name and avatar.../auth/tasks— to read, create, edit, and delete your Google Tasks on your behalf, as you request
2. How we use it
We use the information solely to provide the features of HES gTasks to you: rendering your task lists, executing CRUD operations you initiate, scheduling recurring tasks you've configured, and exposing the same data to API or MCP clients you've authorized. We do not use your task content for advertising, analytics, AI training, or any purpose unrelated to the Service.
3. How we store it
Your Google OAuth refresh token is stored in our Postgres database, encrypted at rest using Fernet (AES-128-CBC with HMAC). Access tokens (short-lived) are stored unencrypted in the same database. We do not store the content of your Google Tasks; every task list and task view is fetched live from Google's API on demand.
The only task-related data we persist locally is recurrence rules you create (frequency, interval, weekday selection) — needed because Google's Tasks API does not expose recurrence natively.
4. With whom we share
We do not sell, rent, or share your information with third parties. Your data leaves our server only when:
- You initiate an action that proxies to Google's Tasks API (e.g. creating a task)
- You generate an API key and share it with a third-party tool you control (e.g. a Claude Code MCP connector)
You control which lists each API key can access via the per-key ACL.
5. Google API Services User Data Policy
HES gTasks' use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
6. Your rights and how to exercise them
You may at any time:
- Sign out — clears your session but retains your stored credentials so you can sign in again later.
- Revoke an API key or change its per-list permissions on the API Keys page.
- Review your account and Google connection on the Profile page — see when your access token was last refreshed, what scopes you've granted, and the count of active API keys.
- Delete your account — on the Profile page, in the "Danger zone" section. This permanently deletes your account record, encrypted Google credentials, all API keys, all per-list grants, and all recurrence rules. Your underlying Google Tasks data is not touched and remains in your Google account.
- Revoke at the Google level from your Google account permissions page — this invalidates our refresh token immediately, regardless of what we have stored.
7. Data retention
We retain your encrypted refresh token and account record until you delete your account in-app, or revoke access via Google. Inactive accounts with no API activity for 12 consecutive months may have their stored credentials deleted; you can sign in again to restore access.
8. Security
Refresh tokens are encrypted at rest. The Service runs over HTTPS only. API keys are stored as SHA-256 hashes — the raw value is shown once and not recoverable thereafter. We have not had a security incident affecting user data.
9. Changes to this policy
We may update this policy. If we make material changes affecting your data, we'll post a notice on the dashboard for 30 days before the change takes effect.
10. Operator
The Service is operated by:
Henry Enterprises and Services, LLC408 Red Haw Rd
Dayton, OH 45405