Privacy Policy

Last Updated: October 31, 2025

In Short: Sidekick helps you manage tasks through Telegram and Google Tasks. We store minimal data (your Telegram ID and Google OAuth tokens) securely to provide the service. Your task data lives in your own Google account—we just help you manage it. You can delete your data anytime.

1. Introduction

Welcome to Sidekick ("we," "our," or "us"). We are committed to protecting your privacy and being transparent about how we handle your data. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your personal data.

Sidekick is an accountability and task management bot that integrates with Telegram and Google Tasks to help you stay motivated and productive.

2. Information We Collect

2.1 Information You Provide

Telegram Account Information: When you start using Sidekick, we collect your Telegram user ID and username to identify your account and communicate with you.
Task Information: Commands and messages you send to the bot (e.g., "add: finish report by Friday").

2.2 Information from Third-Party Services

Google Account: When you connect Google Tasks, we receive OAuth access tokens that allow us to read and manage your Google Tasks on your behalf. We also receive your Google account email address for account linking purposes.
Notion (Optional): If you choose to use Notion integration instead of Google Tasks, we receive OAuth access tokens for your Notion workspace.

2.3 Automatically Collected Information

Usage Data: We may collect logs of your interactions with the bot (commands used, error messages) for debugging and improving the service.
Technical Data: Request metadata such as timestamps and response codes stored in Cloudflare logs.

3. How We Use Your Information

We use the collected information for the following purposes:

Provide Core Services: Process your task management requests, sync with Google Tasks, and send you motivational messages through Telegram.
Authentication & Authorization: Maintain your session, verify your identity, and securely access your Google Tasks on your behalf.
Service Improvement: Analyze usage patterns to improve features, fix bugs, and enhance user experience.
Communication: Send you task reminders, motivational check-ins, and service-related notifications.
Compliance: Comply with legal obligations and protect against fraud or abuse.

4. How We Store Your Information

4.1 Storage Infrastructure

Cloudflare KV (Key-Value Store): We store your Telegram user ID, Google OAuth tokens (encrypted), and session data in Cloudflare's globally distributed KV storage.
Your Google Account: All your task data is stored in YOUR Google Tasks database. We do not store copies of your tasks on our servers.
Cloudflare Workers: Our application runs on Cloudflare's edge network, processing requests without maintaining persistent servers.

4.2 Data Retention

Active Accounts: We retain your OAuth tokens and session data as long as you actively use Sidekick.
Inactive Accounts: If you stop using the service, your session data may be retained for up to 90 days before automatic deletion.
Logs: Usage logs are retained for up to 30 days for debugging purposes.

5. How We Share Your Information

We do NOT sell, rent, or trade your personal information. We only share data in the following limited circumstances:

5.1 Third-Party Service Providers

Google LLC: We access Google Tasks API on your behalf using OAuth tokens to read and manage your tasks.
Telegram Messenger: We send messages to you through Telegram's Bot API.
Cloudflare Inc.: Our infrastructure provider that hosts the application and stores session data.
Notion (Optional): If you choose Notion integration, we access your Notion workspace via their API.

5.2 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if necessary to protect our rights or the safety of others.

6. Data Security

We implement industry-standard security measures to protect your data:

Encryption in Transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption.
OAuth Token Security: Your Google OAuth tokens are stored securely in Cloudflare KV and used only for authorized API requests.
Access Controls: Only authorized systems can access user data, following the principle of least privilege.
No Password Storage: We use OAuth for authentication and never store your Google or Notion passwords.

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights and Choices

You have the following rights regarding your personal data:

7.1 Access and Portability

Request a copy of your data stored in our systems (Telegram ID, linked accounts).
Export your task data directly from Google Tasks (it's already in your Google account).

7.2 Data Deletion

Disconnect Service: Send /disconnect or /delete command to the bot to remove your OAuth tokens and session data.
Google Tasks Data: Your task data remains in your Google account. You can delete it directly in Google Tasks.
Complete Deletion: Contact us at the email below to request complete account deletion.

7.3 Revoke Access

Google Access: Revoke Sidekick's access at https://myaccount.google.com/permissions
Telegram: Block or delete the bot in Telegram to stop receiving messages.

7.4 Correction

You can update your tasks directly through the bot or in Google Tasks.
For other data corrections, contact us directly.

8. Children's Privacy

Sidekick is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us immediately, and we will delete such data.

9. International Data Transfers

Sidekick is hosted on Cloudflare's global network. Your data may be processed in data centers located in various countries. By using Sidekick, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.

We ensure appropriate safeguards are in place for international transfers, including relying on Cloudflare's compliance with GDPR and other data protection frameworks.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes:

We will update the "Last Updated" date at the top of this policy.
For significant changes, we may notify you through the bot or via email (if provided).
Your continued use of Sidekick after changes constitutes acceptance of the updated policy.

11. Third-Party Links

Sidekick may contain links to third-party websites or services (e.g., Google Tasks, Notion). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

12. Data Controller

For the purposes of data protection law, the data controller is Sidekick. If you have questions about how your data is processed, please contact us using the information below.

13. Your California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to know what personal information is collected, used, shared, or sold
Right to request deletion of your personal information
Right to opt-out of the sale of personal information (Note: We do NOT sell your data)
Right to non-discrimination for exercising your CCPA rights

To exercise these rights, contact us at the email address below.

14. European Users (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

Legal Basis: We process your data based on your consent (OAuth authorization) and to perform our contract with you (providing task management services).
Data Subject Rights: Access, rectification, erasure, restriction of processing, data portability, and objection.
Withdrawal of Consent: You may withdraw consent at any time by revoking OAuth access or deleting your account.
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

15. Contact Us

Questions about this Privacy Policy?

If you have questions, concerns, or requests regarding your privacy or this policy, please contact us:

Email: privacy@sidekick.dev
GitHub Issues: https://github.com/rahal/sidekick/issues

We will respond to your inquiry within 30 days.

This privacy policy is effective as of the date stated at the top and applies to all users of Sidekick.