Untoil Privacy Policy

Last updated: 2026-06-20
Effective date: 2026-06-20

This policy describes how Untoil (“the app”, “we”, “us”) handles your information. Untoil is published by Enemies of Toil LLC and is available for Mac and iOS. Except where noted, this policy applies equally to both versions.

The short version

• Untoil has no user account. There is nothing to sign up for and we do not have a server that stores your tasks.
• The only analytics Untoil takes part in is Apple’s App Store Connect, which shares aggregated, anonymized installation and crash data with us if you have “Share with App Developers” enabled in system settings. We have no other analytics, telemetry, or crash-reporting service. There is no advertising, and we do not sell or share your data. See §4.
• Your data lives on your device. If you have iCloud enabled on your Mac or iPhone/iPad, it syncs through your iCloud account using Apple’s CloudKit. We never see it.
• Untoil can optionally connect to third-party services you already use (Apple Calendar, Apple Reminders, Bugzilla, Day One, Jira, Monday.com, Notion, Todoist). When you connect one, Untoil talks to that service on your behalf using credentials you provide. We are not in the middle.
• Untoil contains no AI features today. Nothing you type or import is sent to OpenAI, Anthropic, or any other third-party model provider. If we add an AI feature in a future release (for example, on-device summarization via Apple Intelligence), we will update this policy and describe exactly what data it processes before that feature ships.

If you stop using Untoil and delete the app, deleting your iCloud data from System Settings → Apple ID → iCloud → Manage Account Storage removes the synced copy too.

1. Who is responsible for your data

Enemies of Toil LLC publishes Untoil. For the data Untoil stores on your device and writes to your iCloud, Enemies of Toil LLC is the data controller in a nominal sense — but in practice, we have no access to your task content, your notes, or any third-party data Untoil reads on your behalf. The only server we operate is the OAuth broker described in §5; it handles the OAuth handshake for integrations that use it and never sees provider API responses.

For third-party services you choose to connect, the operator of that service (Apple for Calendar / iCloud / Reminders, Atlassian for Jira, Bloom Built for Day One, the relevant Bugzilla host, Doist for Todoist, monday.com Ltd. for Monday, Notion Labs for Notion) is the controller of the data you store with them. Their privacy policy applies to that data.

2. What Untoil stores on your device

Untoil saves the following to your device’s local storage and to your iCloud account (when iCloud is enabled on your Mac, iPhone, or iPad):

• Tasks you’re working on — the title, the source service it came from (or “Untoil” if you used the Quick Task feature to type the title in directly), how you’ve sorted it, and which “Mode” it belongs to.
• Modes — the named contexts you’ve created (e.g. “Work”, “Personal”), their order, and when each was created.
• Activity metrics (optional) — if you turn on analytics in Settings, Untoil records each focus session you complete or skip: the outcome, how long it took, the timestamp, and which task and mode it was associated with. This powers your in-app stats and is only visible to you. If you leave analytics off, no activity metrics are stored.
• Log entries (optional) — if you use Untoil’s Log feature to record notes against tasks, those entries (title, note body, timestamp, optional link, elapsed time) are saved here. If you don’t use the feature, no log entries are stored.
• App settings — preferences such as timer duration, your selected mode, color choices, which integrations are enabled, and the per-integration configuration described in §5.

This data is held in two SwiftData stores on disk. When you are signed into iCloud, these stores synchronize through Apple’s CloudKit under a container tied to your Apple ID. The data is end-to-end-managed by Apple between your devices (Mac, iPhone, iPad); Enemies of Toil LLC has no read access to it.

3. What Untoil does not collect

• No name, email, phone number, address, or other identifier is collected by Untoil itself.
• No advertising identifier, IDFA, or cross-app tracking identifier.
• No location data.
• No microphone, camera, photos, contacts, or health data.
• No task titles, notes, log entries, calendar events, reminders, or third-party API content are sent to any analytics, crash-reporting, or AI service. The only diagnostic data we receive is via Apple’s App Store Connect, and only if you opt in — see §4.
• No AI features today. Your data is not sent to OpenAI, Anthropic, or any other third-party model provider. If we add an AI feature in the future (such as on-device summarization through Apple Intelligence), we will update this policy and describe exactly what data the feature processes before it ships.

4. Analytics shared via App Store Connect

Untoil does not include any analytics, telemetry, or crash-reporting SDK of its own. The only diagnostic channel it participates in is Apple’s App Store Connect, and only if you opt in.

If you have Share with App Developers enabled in System Settings → Privacy & Security → Analytics & Improvements (or, on iOS, Settings → Privacy & Security → Analytics & Improvements), Apple shares aggregated, anonymized installation and crash data with us through App Store Connect. We never see individual users through this channel. You can disable it in system settings at any time.

If we add a dedicated crash-reporting or product-analytics service in a future release (for example, Sentry for crashes or TelemetryDeck for anonymous usage signals), we will update this policy with the specifics — what each service receives, what it never receives, and who operates it — before that service ships.

5. Optional third-party integrations

Untoil ships with integrations that are off by default. Turning one on is what causes the corresponding data flow. You can turn each one off again at any time.

For every integration listed here, Untoil acts as your client: it sends API requests directly from your device (Mac, iPhone, or iPad) to the service using credentials you provide, and the response comes back to your device. Enemies of Toil LLC operates no intermediary server for integration data — for OAuth specifically, we run a small token-exchange broker described at the end of this section.

Apple Calendar

• What it does: Reads upcoming calendar events so you can pull them in as tasks. Optionally adds a calendar event for completed sessions when you enable that setting.
• Permission: Calendar access, requested by the system the first time you enable it on Mac or iOS. The usage string explains this: “Untoil reads your calendar events to add them as tasks, and logs completed sessions back to your calendar.”
• Network: None. Events are read and written locally through EventKit.

Apple Reminders

• What it does: Reads reminders from lists you select so you can pick them as active tasks. Read-only.
• Permission: Reminders access, requested by the system the first time you enable it on Mac or iOS.
• Network: None. Reminders are read locally through Apple’s EventKit.

Bugzilla

• What it does: Reads bugs matching your saved searches, transitions bugs, and optionally posts your session note as a comment.
• What you provide: A Bugzilla base URL and an API key. The API key is stored in the macOS Keychain.
• What is sent to your Bugzilla host: Bug-read requests, status transitions, comment bodies.
• Read-only mode: Per-query setting; when enabled, Untoil will not write back to Bugzilla.

Day One

• What it does: Sends a completed-session entry to Day One.
• Method: Uses Day One’s dayone2:// URL scheme — no API key is stored.
• What is sent to Day One: Title, note text, and elapsed time.

Jira (Atlassian)

• What it does: Reads issues that match your JQL queries, optionally transitions issues to “Done”, and optionally posts the note you wrote during a session as a comment on the issue.
• What you provide: Your Jira site domain, your account email, and an Atlassian API token. The API token is stored in the macOS Keychain.
• What is sent to Jira: JQL queries you configure, transition requests, comment bodies (which contain the note text you typed).
• Read-only mode: Per-query setting; when enabled, Untoil will not write back to Jira.

Monday.com

• What it does: Reads items from boards you select, and optionally updates an item’s status column to a completion label when you finish a session.
• What you provide: A Monday.com API token. The token is stored in the macOS Keychain.
• What is sent to Monday: GraphQL queries to read items, and status mutation requests when you complete tasks.
• Read-only mode: Per-query setting; when enabled, Untoil will not write back to Monday.com.

Notion

• What it does: Appends a row to a Notion database you select when you complete, pass, or log a session.
• What you provide: A Notion integration token and the target database ID. The integration token is stored in the macOS Keychain.
• What is sent to Notion: A page-create request containing the task title, your note text, the outcome (completed/passed/noted), elapsed time, project name, link, and timestamp.

Todoist

• What it does: Reads tasks and projects, marks tasks complete, and optionally posts your session note as a comment.
• What you provide: A Todoist API token, stored in the macOS Keychain.
• What is sent to Todoist: Task read requests, completion calls, comment bodies.

OAuth (for integrations that support it)

For integrations that support OAuth as an alternative to entering an API token, you authenticate with the service in your browser; the service then redirects back to Untoil via the untoil:// URL scheme registered by the app. Your password is never sent to or stored by Untoil — only the resulting access token, which Untoil stores in the macOS Keychain the same way it stores manually-entered API tokens.

The OAuth broker

OAuth requires exchanging an authorization code for an access token using a client secret that the app can’t safely hold on-device. Untoil therefore runs a small backend service — the broker — whose only job is that exchange (and the equivalent refresh-token rotation). Specifically:

• What it does. Receives an authorization code from your device, exchanges it for an access token by calling the provider’s token endpoint with our client secret, and returns the resulting tokens to your device. Refresh rotations work the same way: your device sends the current refresh token, the broker calls the provider, the rotated tokens are returned to your device. The broker does not refresh anything autonomously on a schedule.
• What it does NOT see. Your task content, notes, project names, or any provider API responses. Once the token is on your device, every subsequent API call goes directly between your device and the third-party service.
• What it does NOT store. Your access tokens, refresh tokens, authorization codes, or provider account details are never written to disk — they transit the request and are returned to your device in the response. The only data persisted is Apple App Attest material (a public key + signature counter) used to prove your request comes from a genuine Untoil app on a genuine Apple device. This is opaque cryptographic data; the broker has no concept of “user” — no email, no provider account, no name.
• Where it runs. AWS in the United States (us-east-1). Logs contain only per-request metadata (method, path, HTTP status, latency) with an explicit redaction list applied — request and response bodies are never logged. Logs are retained for 30 days and then deleted; they are not sent to any third-party log aggregator.

The Terms of Service §3 covers the same broker in its legal framing.

6. Where credentials are stored

Secret credentials you provide for the integrations above — API tokens and API keys — are stored locally on your device in the Keychain (and synced to your other Apple devices via iCloud Keychain if you have it enabled). Non-secret configuration such as your account email, instance URL, or target database ID is stored in app preferences alongside your other settings. Apple Reminders, Apple Calendar, and Day One do not require credentials; access to them is granted through standard system permission prompts or a URL scheme. Your tokens never leave your device except in requests that go directly to the service that issued them.

7. Files Untoil writes outside its own database

• Daily log markdown files (Mac only). If you enable the Daily Log feature in the Mac app, Untoil appends each completed or noted session to a file named task.YYYY-MM-DD.md in the folder you choose (we recommend a folder inside iCloud Drive). The file contains the task title, your note, the project name, any link, and the elapsed time. Files are capped at 10 MB each. These files are yours; we do not read them, and they sync only if the folder you chose is itself synced (e.g. iCloud Drive, Dropbox). The iOS app does not currently write daily log files.

Untoil does not write any other files to your filesystem outside of its own sandboxed storage.

8. Permissions Untoil requests

Untoil only asks for permissions when you enable the feature that needs them:

• Calendar (full access) — Mac and iOS, only if you turn on the Calendar integration.
• Folder access — Mac only, only if you choose a Daily Log folder. Granted via a standard macOS file picker.
• Notifications — Mac and iOS, only if you turn on timer notifications.
• Reminders — Mac and iOS, only if you turn on the Reminders integration.

Untoil does not request: microphone, camera, photos, location, contacts, health, motion, screen recording, accessibility, or input monitoring on either platform. Both apps are sandboxed.

9. Children’s privacy

Untoil is not directed at children under 13, and we do not knowingly collect personal information from anyone, of any age.

10. Security

Your data lives on your device (Mac, iPhone, or iPad) and (if you have iCloud enabled) in your iCloud account. Untoil relies on the security properties of:

• macOS / iOS file system protections for on-disk data.
• The Keychain (and, optionally, iCloud Keychain) for integration API tokens.
• Apple’s CloudKit for sync transport and at-rest encryption.
• HTTPS (TLS) for every request Untoil makes to a third-party API.

Because Untoil stores no user data on our servers — the OAuth broker (§5) holds only opaque device-attestation cryptographic material, no tasks, notes, or provider tokens — there is no central database of your content for us to lose. The trade-off is that account-style recovery options (e.g. “I lost my Mac” or “I lost my iPhone”) fall back to Apple’s iCloud recovery flow, not ours.

11. Your rights and how to delete your data

You are in control of every copy of your Untoil data:

• On a Mac: Quit Untoil and drag the app to the Trash. macOS’s standard app-removal will leave behind Untoil’s sandbox container in ~/Library/Containers; deleting that container removes the local databases.
• On an iPhone or iPad: Long-press the Untoil icon and choose Remove App → Delete App. iOS removes the app and its local databases automatically.
• In iCloud: Go to System Settings → Apple ID → iCloud → Manage Account Storage (on iOS: Settings → [your name] → iCloud → Manage Account Storage), find Untoil, and choose Delete Data. This removes the synced copy from iCloud and from every device signed into the same Apple ID.
• In third-party services: Data you sent to Bugzilla, Day One, Jira, Monday.com, Notion, or Todoist lives with that service. Use their interface or privacy controls to delete it.

You may exercise any rights you have under the GDPR, UK GDPR, CCPA/CPRA, or similar laws by emailing us (see §13). Because we hold no personal data about you on our own systems, most requests reduce to confirming that fact.

12. Changes to this policy

If we change this policy, we will update the “Last updated” date at the top and, for material changes, note the change in the app’s release notes. Continued use of the app after the effective date constitutes acceptance of the updated policy.

13. Contact

Questions, requests, or concerns:

Enemies of Toil LLC
Email: support@enemiesoftoil.com