Privacy Policy
Effective: March 22, 2026
Yes! Did It ("we", "us", "our") operates the yesdidit.com website, the ydi CLI tool, and the Yes! Did It MCP server (collectively, the "Service"). This policy explains what data we collect, what data third parties collect, how it is used, and how we protect it.
1. Information We Collect
We practice data minimization — we only collect information that is necessary to provide the Service.
Account information
When you sign in via GitHub or Google OAuth, we receive and store your email address, display name, and avatar URL as provided by your OAuth provider. We do not collect passwords.
Todo data
We store the to-do items you create, including their text content, due dates, tags, status, and timestamps. This is the core data you create and manage through the Service.
Git context metadata
When you create todos from within a git repository (via the CLI or MCP server), we may automatically capture and store git context metadata alongside your todo. This includes: branch names, short commit SHAs, repository names, and repository owner names. This metadata is used to help you filter and organize todos by the code context in which they were created. You can disable automatic context capture with the --no-context flag.
API keys
If you generate API keys, we store a SHA-256 hash of the key and a display prefix. The full key is shown once at creation and never stored in plaintext.
Technical data
We collect standard server logs (IP address, user agent, request timestamps) for security monitoring and abuse prevention. We do not use tracking cookies or third-party analytics.
2. Information Collected by Third Parties
The following third-party services process data on our behalf in order to provide the Service. Each operates under its own privacy policy:
- Supabase (authentication and database hosting) — receives your OAuth profile information (email, name, avatar) during sign-in and stores your application data. See Supabase Privacy Policy.
- Vercel (application hosting) — processes HTTP requests including IP addresses, user agents, and request metadata as part of serving the application. See Vercel Privacy Policy.
- GitHub / Google (OAuth providers) — when you sign in, your OAuth provider shares your profile information (email, name, avatar) with the Service. We do not receive or store your OAuth provider password.
We do not sell, rent, or share your personal data with any parties beyond those listed above. We may disclose data if required by law or to protect the rights, safety, or property of our users.
3. MCP Server Data Handling
The Yes! Did It MCP server allows AI assistants (such as Claude) to manage your todos on your behalf. The MCP server:
- Only accesses your todo data — it reads and writes todos, tags, and task status using your stored credentials.
- Does not access AI conversation data — the MCP server does not read, log, or store any content from your conversations with the AI assistant, including chat history, memory, conversation summaries, or uploaded files.
- Does not perform extraneous logging — the MCP server does not log conversation content or any data beyond what is required to fulfill your todo management requests.
- Uses your existing credentials — it authenticates using the same config file as the CLI (~/.config/yesdidit/config.json). No additional data collection occurs.
4. How We Use Your Data
- Provide the Service — authenticate you, store and retrieve your todos, sync across CLI/web/MCP.
- Security & abuse prevention — rate limiting, detecting unauthorized access, enforcing our Terms of Service.
- Service communication — we may email you about critical account or security issues. We do not send marketing emails.
We do not use your data for advertising, profiling, or AI model training.
5. Data Retention
Your account data and todos are retained as long as your account is active. If you delete your account, all associated data (todos, API keys, refresh tokens) is permanently removed. Server logs are retained for up to 90 days.
6. Data Security
We use industry-standard measures to protect your data, including:
- HTTPS/TLS encryption for all data in transit.
- API keys stored as SHA-256 hashes only.
- OAuth-based authentication (no passwords stored).
- Application-level access controls ensuring users can only access their own data.
- Rate limiting and security headers on all endpoints.
7. Your Rights
You can at any time:
- Access your data via the API, CLI, or web dashboard.
- Delete individual todos or your entire account.
- Export your data via the API (GET /todos?status=all).
- Revoke API keys and OAuth sessions.
For data-related requests, contact us at the support channels listed on our GitHub repository.
8. Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect data from children under 13. If we learn we have, we will delete it promptly.
9. Security Vulnerability Reporting
If you discover a security vulnerability in the Service, please report it responsibly by opening a security advisory on our GitHub repository. We will investigate all reported vulnerabilities with reasonable care and respond promptly.
10. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the Service after changes constitutes acceptance.
11. Contact
Questions about this policy? Open an issue on our GitHub repository.