Privacy Policy
Last Updated: November 20, 2025
TL;DR: This MCP server is designed with privacy as a core principle. We encrypt all tokens, redact sensitive information from logs, and store only what's necessary to provide the service. You maintain full control over your data through your Google account.
Introduction
This Privacy Policy explains how the Google Tasks MCP Server ("the Service", "we", "our") collects, uses, and protects your information when you use our Model Context Protocol server to access your Google Tasks data.
Information We Collect
Authentication Tokens
- Google OAuth Tokens: Access and refresh tokens from Google OAuth 2.0 authentication
- MCP Session Tokens: Temporary session identifiers for MCP client connections
- Storage Duration: 30 days (automatically purged after expiration)
What We Do NOT Collect
- Personal information (name, email, phone number)
- Google Tasks content or metadata beyond what's requested through MCP tools
- IP addresses or tracking cookies
- Usage analytics or telemetry data
How We Use Your Information
Authentication & Authorization
OAuth tokens are used exclusively to authenticate your requests to the Google Tasks API on your behalf. We act as a secure proxy between your MCP client and Google's services.
Session Management
MCP session tokens maintain the connection between your client (e.g., Claude Desktop) and our server, enabling real-time communication for task management operations.
Data Security
Encryption at Rest
- Algorithm: AES-256-GCM (authenticated encryption)
- Key Derivation: PBKDF2 with 100,000 iterations
- What's Encrypted: All Google OAuth access and refresh tokens
Encryption in Transit
- All communications use HTTPS/TLS 1.2+
- Strict Transport Security (HSTS) enabled
- Modern cipher suites only
Privacy-Safe Logging
Our logging system automatically redacts:
- Access and refresh tokens
- Authorization codes
- User identifiers
- Client secrets
- Any personal information
You can verify this implementation in our open-source code at src/utils/logger.ts.
Data Sharing & Third Parties
We do not share, sell, rent, or trade your data with any third parties. Your OAuth tokens are used solely to communicate with Google's APIs on your behalf.
Google API Services
This service interacts with the Google Tasks API. Your use of Google services is subject to Google's Privacy Policy.
Data Retention
- OAuth Tokens: 30 days (automatic expiration via Deno KV TTL)
- MCP Sessions: 30 minutes of inactivity (automatic cleanup)
- Logs: Operational logs are retained for debugging purposes but contain no personal information
Your Rights & Control
Revoke Access
You can revoke this service's access to your Google account at any time:
- Visit Google Account Permissions
- Find "Google Tasks MCP Server" in the list
- Click "Remove Access"
Delete Your Data
To delete all data associated with your account:
- Revoke access as described above (tokens are then automatically purged within 30 days)
- For immediate deletion, contact us through the repository issues page
Open Source Transparency
This service is fully open source. You can review the complete source code, including:
- Token encryption implementation
- Logging and redaction logic
- Data storage mechanisms
- API request handling
Repository: github.com/akutishevsky/google-tasks-mcp
Cookies & Tracking
This service does not use cookies, tracking pixels, or any form of user tracking. Session management is handled through HTTP headers and OAuth tokens.
Children's Privacy
This service is not directed at children under 13. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.
Data Breach Notification
In the unlikely event of a data breach affecting encrypted tokens, we will:
- Notify affected users via GitHub repository announcement
- Provide details about the nature and scope of the breach
- Recommend immediate token revocation through Google Account settings
Self-Hosting
For maximum privacy and control, you can self-host this service. When self-hosting:
- You control all data storage and encryption keys
- No data is sent to any third-party servers (except Google APIs)
- You can audit all code and operations
See the README for self-hosting instructions.
Contact Information
For privacy concerns, questions, or data deletion requests:
Disclaimer
This service is provided "as-is" without warranties of any kind. While we implement industry-standard security practices, no system is 100% secure. Users are encouraged to review the source code and self-host if maximum security is required.