Privacy Policy
Your tasks, lists, notes, tags, and projects are not stored on our servers. 2Do stores your data locally on your devices and syncs it only with the services you explicitly configure, such as CalDAV, iCloud CalDAV, or Dropbox.
Regulatory Compliance
2Do is designed around local-first data ownership. We do not run a hosted 2Do sync service, and we do not process, store, or transmit the task data you create inside the app through our own servers.
This approach supports common privacy and security requirements:
- GDPR (General Data Protection Regulation) – Your 2Do data remains on your device or with the sync provider you choose.
- HIPAA (Health Insurance Portability and Accountability Act) – We do not process Protected Health Information (PHI) on our servers. If you use 2Do in a healthcare setting, you must ensure your chosen sync provider is appropriate for that use.
- CCPA (California Consumer Privacy Act) – We do not sell or share the personal data you create inside 2Do.
2Do has not undergone formal certification for these regulatory frameworks. This page is provided for transparency and general guidance. If you are required to meet a specific legal or industry standard, it is your responsibility to ensure that the sync service you choose, such as CalDAV, iCloud CalDAV, or Dropbox, meets those requirements.
GDPR Compliance
2Do helps you and your organization meet GDPR requirements by keeping the data you add to the app under your control. The task data you create is not uploaded to Beehive Innovations servers. If you enable sync, 2Do communicates directly with the service you selected, and that provider becomes responsible for storing and handling the synced data.
Because we do not operate a hosted 2Do sync service or perform large-scale monitoring of customer task data, our role is limited to the website, licensing, support, crash reporting, and optional analytics described below.
HIPAA Compliance
2Do follows HIPAA-friendly local-data principles by ensuring that user-created task data is not stored, transferred, or processed on our servers. If you choose to store sensitive information in 2Do and sync it with a third-party service, you and your organization are responsible for ensuring that service is suitable for the sensitivity of the data.
SOC 2 Applicability
SOC 2 is aimed at service providers that store, process, or transmit customer data through hosted infrastructure. Since 2Do does not provide a hosted sync service and does not store your task database on our servers, SOC 2 certification is not applicable to the app itself.
2Do operates as a native app on macOS, iOS, iPadOS, and Android. Your task database, attachments, notes, tags, lists, and related app data remain on your device unless you choose to sync them with a supported service. We do not act as a proxy or intermediary for that sync traffic, and we cannot inspect the contents of your tasks.
EULA
Our End User License Agreement is accessible here.
Sync Accounts and Login Credentials
2Do uses the credentials or authorization tokens you provide only to connect to the sync services you configure. Supported sync options include:
- CalDAV servers
- iCloud CalDAV
- Dropbox
Your credentials are stored by the app using the secure storage provided by the operating system where available, such as Keychain on Apple platforms. They are not sent to Beehive Innovations servers.
Optional Email to 2Do Add-On
Some versions of 2Do include an optional Email to 2Do feature. When you enable this feature, 2Do acts as an email client for the account you configure so it can apply the capture rules you create.
When a message matches your rules, 2Do may copy the subject into a task title, copy message content into task notes, and store a message identifier so you can return to the original message from the task. This processing happens on your device. We do not use your email address, credentials, or message contents for marketing, and we do not store them on our servers.
Google Accounts for Email to 2Do
If you connect a Google email account to the optional Email to 2Do add-on, 2Do uses OAuth 2.0 through Google's sign-in flow. 2Do does not ask for or store your Google password. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
1. Data Accessed
2Do requests only the permissions needed to provide the Email to 2Do feature you choose to enable. Depending on the account type, permission grant, and capture rules you configure, 2Do may access:
- Your Google email address so the app can identify the connected account in settings.
- Message metadata such as message ID, thread ID, sender, recipients, date, subject, and labels when needed to evaluate rules or link a created task back to the source message.
- Message content such as the subject, body text, and attachments only when needed to create the task content you asked 2Do to capture.
- A message identifier so a task can refer back to the original email where supported.
2. Data Usage
Google email data is used only to provide the user-facing Email to 2Do workflow:
- Match incoming messages against the rules you create.
- Create tasks, notes, links, or attachments in 2Do from matching messages.
- Show the connected account and allow you to manage or disconnect it.
Google email data is not used for advertising, market research, profiling, unrelated analytics, or any purpose unrelated to the Email to 2Do feature. It is not sold, rented, or transferred to data brokers. It is not used to train AI or machine-learning models.
3. Data Sharing and Human Access
2Do processes Google email data locally on your device. We do not store your Google email address, OAuth tokens, message metadata, message bodies, attachments, or captured email content on Beehive Innovations servers. We do not share Google email data with third parties.
Humans at Beehive Innovations do not read your Google email data. The only exception is if you explicitly choose to send specific diagnostic logs or screenshots to support, and even then we review only the information needed to troubleshoot the issue.
4. Data Storage and Protection
OAuth tokens are stored using secure operating-system credential storage where available, such as Keychain on Apple platforms. Local email metadata and captured task content are stored inside 2Do's local app data on your device. Network communication with Google occurs over TLS-encrypted HTTPS connections.
If a matched email becomes a 2Do task, that task is treated like any other task you create. It remains in your local 2Do database and, if you enabled sync, may sync through the sync provider you selected, such as CalDAV, iCloud CalDAV, or Dropbox.
5. Data Retention, Removal, and Uninstallation
Google email data is retained locally only for as long as the Google email account remains connected, the related local cache is needed for the add-on, or the task created from an email remains in your 2Do database.
To remove Google email access from 2Do:
- Remove the Google email account from Email to 2Do settings. This removes the local account connection, locally stored OAuth token, and local email cache used by the add-on.
- Visit your Google Account security settings and remove 2Do under Third-party apps or connected apps to revoke Google-side access.
- Delete any tasks, notes, or attachments that were created from emails if you no longer want that captured content in your 2Do database.
- Uninstalling 2Do removes local app data according to the behavior of the operating system. If you synced tasks to CalDAV, iCloud CalDAV, or Dropbox, remove those tasks from the app or sync provider if you also want the synced copies deleted.
Location Data
2Do offers location-based task reminders. If you choose to use this feature, the app may ask for permission to access your location so it can remind you about tasks near a place you saved.
Location data is used only for the task reminders you configure. It is stored on your device and is not sent to our servers. If you enable sync, the task information you chose to sync may be stored by your selected sync provider.
Licensing
When you purchase a direct 2Do Mac license, we store the information needed to issue invoices, generate a registration code, validate the license, and provide renewal support. This typically includes your email address, order information, registration code, and basic activation information.
This information is used only for licensing, fraud prevention, invoicing, refunds, support, and renewal workflows. It is not used to inspect or access your tasks.
Automatic Updates
2Do Mac periodically checks for updates by contacting our update servers. These checks may include anonymous information about the installed app version and macOS version so the app can determine whether an update is available.
Mailing List
If you subscribe to our mailing list, you may receive occasional messages about important product updates, announcements, or offers. We do not sell or share your email address. You may unsubscribe at any time through the mailing-list link or by contacting us.
Customer Support and Application Logs
When you contact support, we keep a record of the conversation and any attachments you voluntarily provide so we can help diagnose and resolve the issue.
If you choose to send diagnostic logs, those logs may contain app activity needed for troubleshooting. Logs are shared only when you send them to us. We cannot access your computer, your phone, or your 2Do database without your action.
We retain support logs only as long as needed to resolve the issue, protect service integrity, or meet legal and accounting requirements. You may request deletion of support logs at any time.
Support logs are handled with care. We review only the parts needed to diagnose the problem and avoid unrelated personal details whenever possible.
Non-Personal Information
Non-personal information is data that cannot be used on its own to identify a specific person. This can include crash reports, stack traces, performance metrics, app version, device model, operating-system version, and broad usage patterns.
We may use Google Firebase Crashlytics to receive crash reports and optional performance diagnostics. This helps us find bugs and improve stability. These reports are used only for product quality and troubleshooting.
Optional analytics, where present, are used to understand broad product usage trends and improve the app. They are not used to inspect your task contents.
Internet Access Policy
Apart from CalDAV, iCloud CalDAV, and Dropbox accounts that you configure, these are the main domains 2Do may contact. No task contents are collected, tracked, sold, or shared by us through these connections.
Outgoing Connections
versioncheck.2doapp.com
2Do Mac connects to this server to check for updates and validate direct licenses.
downloads.2doapp.com
This domain may be used to download app updates or related update metadata.
support.2doapp.com
This is the domain used by our support portal. Some help, registration-code lookup, renewal, or contact links may open pages under this domain.
api.dropboxapi.com, content.dropboxapi.com
2Do connects to Dropbox only when you configure Dropbox sync. The app communicates directly with Dropbox using the account authorization you provide.
accounts.google.com, oauth2.googleapis.com
These domains are used only when you connect a Google email account to the optional Email to 2Do add-on. They handle Google's OAuth sign-in and token flow.
gmail.googleapis.com
This domain is used only when the optional Email to 2Do add-on connects to a Google email account. It is used to read the email data needed to apply the rules you configure and create matching tasks on your device.
*.crashlytics.com, crashlyticsreports-pa.googleapis.com
2Do may send anonymous crash reports to Google Firebase Crashlytics to help identify and fix bugs.
firebaselogging-pa.googleapis.com, *.app-measurement.com
Optional analytics and performance diagnostics may use these domains when enabled. They are used for broad product quality signals and not for task-content tracking.
Apple Push Notification service
When enabled, push notifications may be used by the operating system to help devices notice changes and perform background work. You can control notification permissions from your device settings.
Cookies and Other Technologies
Our website may use cookies and similar technologies to provide core site behavior, understand website usage, and improve the user experience. You can disable cookies in your browser settings, although some website features may not work as expected.
When you visit the website, standard server logs may include your browser type, operating system, referring page, IP address, request time, and requested resource. We use this information in aggregate to administer the website, protect the service, and improve our product information.
Your Rights
You may contact us to request access, correction, or deletion of personal information we hold about you, such as support emails, licensing records, or mailing-list subscriptions.
Because your 2Do task data is stored locally on your device or with the sync service you chose, you can delete that data directly from the app, your device, or your sync provider. Uninstalling the app removes locally stored app data according to the behavior of the operating system.
Children's Privacy
2Do and this website are not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact us so we can delete it.
Changes to This Policy
We may update this policy as 2Do, our website, or our support systems evolve. When we make material changes, we will update this page and, where appropriate, notify customers through the website, app, or email.