Effective date: March 22, 2026
DaggerList is operated by Morningwood Ventures LLC ("we", "us", "our"). This policy explains what information we collect, how we use it, and your rights regarding your data. We believe in transparency and keeping things simple.
Account information: When you sign up, we collect your email address and display name. If you sign in with Google or Microsoft, we also receive your profile picture from the provider. Apple Sign-In provides your name and email only. Email/password users do not provide a profile picture — all users may optionally set an emoji avatar. We do not receive or store your OAuth provider password.
Task data: Lists, tasks, subtasks, notes, due dates, reminders, locations, comments, and any other content you create within the app. This is your data and you retain full ownership of it.
File uploads: Files you attach to tasks are stored in our cloud infrastructure. File metadata (name, size, type) is stored alongside your task data.
Google Calendar data (optional): If you enable Google Calendar sync for a task, we create and manage events in a dedicated "DaggerList" calendar on your Google account. We store the calendar ID and per-task event IDs in your preferences and task data so we can keep them in sync. We do not access or modify any of your existing calendars or events.
Cloud backups (premium): If you are a premium user, we periodically save cloud snapshots of your task data for backup purposes. Up to 20 snapshots are retained with automatic tiered pruning (recent, daily, weekly).
Feedback submissions: If you use the in-app feedback form, your message, email address, and basic browser context are stored in our database and emailed to our team via Resend. Feedback data is used solely to improve the service.
Usage data: We store your application preferences (theme, text size, sidebar layout, etc.) to provide a consistent experience across sessions. We do not use analytics tracking or third-party analytics services.
Error logging: The app captures console errors in a small in-memory buffer (up to 20 entries) for debugging purposes. This data is sanitized (authentication tokens and email addresses are removed), never leaves your browser automatically, and is lost when you close or refresh the page.
Local storage: We cache your task data and preferences in your browser's local storage for offline access and performance. This data stays on your device.
| Data | Purpose |
|---|---|
| Email address | Account authentication, password reset, shared list invitations |
| Display name & avatar | Shown to collaborators on shared lists |
| Task data & preferences | Stored and synced so you can access your data across devices |
| File uploads | Stored and served back to you (and shared list members, if applicable) |
| Location data (optional) | Resolved via Nominatim when you add a location to a task; not tracked or stored beyond what you enter |
| Google Drive file metadata | When you attach a Drive file, we store only a link reference (file ID, name, URL). The file itself stays in your Drive. |
| Google Photos images | When you pick a photo as a background image or task attachment, the image is downloaded and stored in our infrastructure as a plain image file. No Google Photos metadata is retained. |
DaggerList offers optional integrations with Google services. Each integration requests only the permissions it needs, and only when you first use that feature.
| Feature | Google Scope | What We Access | What We Store |
|---|---|---|---|
| Sign-in with Google | email, profile (via Supabase) | Name, email, profile picture | Account info only (same as any sign-up method) |
| Attach files from Drive | drive.file | File names, IDs, MIME types, and image contents (user-selected files only). drive.file grants access to files you explicitly select through the Picker — no bulk or background access to your Drive. | Link references (file ID, name, URL) for non-image files — files remain in your Drive. Images selected for backgrounds or attachments are downloaded and stored in our infrastructure. |
| Background from Drive | drive.file | Image file contents (user-selected images only) | Image uploaded to our storage as a background — no Drive metadata retained |
| Photos (backgrounds & attachments) | photospicker.mediaitems.readonly | Photo image data (user-selected photos only) | Image uploaded to our storage as a background or task attachment — no Google Photos metadata retained |
| Google Calendar sync | calendar.app.created | Only the app-created "DaggerList" calendar and its events — zero access to your existing calendars | Calendar ID and per-task event IDs (stored in your preferences and task data) |
| Contact autocomplete | contacts.readonly, contacts.other.readonly | Contact names, emails, photos (search results only) | Nothing — results are displayed in a dropdown and immediately discarded |
Thumbnail proxy: When you attach a Google Drive file, we may proxy its thumbnail image through our server to bypass browser security restrictions (CORS). The thumbnail is fetched on demand and cached briefly — no file contents are accessed or stored.
Token handling: When you authorize a Google feature, we store an OAuth refresh token securely in our database (encrypted at rest) to avoid re-prompting you each session. The refresh token is stored server-side only and is never sent to your browser. Access tokens are held in browser memory only and are not persisted. You can revoke access at any time via your Google Account permissions.
Token deletion: Your stored Google tokens are deleted when you delete your account or use the "Clear All Data" option. "Clear All Data" deletes all task data, cloud backups, uploaded files, Google OAuth tokens (both the server-side refresh token and the in-memory access token), and Google Calendar sync state — the user must re-consent to use any Google feature afterward. Signing out clears the in-memory token only; the refresh token is retained in our database for silent re-authentication on your next sign-in.
Google API Services User Data Policy: DaggerList's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We use the following additional third-party services to operate DaggerList:
We do not share your data with any other third parties.
Your data is encrypted in transit (TLS/HTTPS) and at rest (AES-256, managed by Supabase). Google OAuth tokens are stored encrypted at rest in a dedicated database table with Row-Level Security ensuring only you can access your own tokens.
File attachments are stored in a private cloud storage bucket accessible only to you and authorized collaborators, with short-lived signed URLs generated on demand when you view or download a file. Background images are stored in a public-read bucket because they are rendered continuously via CSS — a private bucket would require signed URLs that expire mid-session, silently breaking the background. Background URLs are not enumerable or indexed by search engines.
We implement Row-Level Security (RLS) policies on all database tables to ensure users can only access their own data and shared lists they are members of. All server-side functions authenticate callers via JWT before processing any request.
While we take reasonable measures to protect your information, no method of electronic storage is 100% secure.
When you participate in a shared list, the following information is visible to other members of that list:
Leaving a shared list removes your access immediately. Content you contributed remains on the list unless the owner removes it.
We retain your data for as long as your account is active. When you delete your account:
The same data removal applies when you use the "Clear All Data" option in Settings. Both actions delete all task data, cloud backups, uploaded files, Google OAuth tokens, and shared lists from our servers.
Feedback submissions are retained separately for service improvement and are not automatically deleted with your account or by using Clear All Data. You can request deletion of feedback data by contacting us.
Browser local storage on the current device is cleared by both Delete Account and Clear All Data. However, neither action clears local data cached on other devices. If you later sign in on another device with cached data, that device's local cache may be used to restore your data to the cloud.
You have the right to:
For any data requests we can't fulfill through the app, contact us at [email protected].
DaggerList is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will promptly delete it.
DaggerList is operated from the United States. If you access the service from outside the US, your information will be transferred to and processed in the United States. By using the service, you consent to this transfer.
For users in the European Economic Area (EEA), we process your data based on legitimate interest (providing the service you signed up for) and your consent (for optional features like location and file uploads).
We may update this privacy policy from time to time. Material changes will be communicated through the service or via email. The effective date at the top of this page indicates when it was last updated.
For questions or concerns about this privacy policy or your data, contact us at:
Morningwood Ventures LLC
Email: [email protected]