Privacy Policy

Effective date: July 11, 2026

Todoke ("the app") is a third-party client for GitHub Issues, developed by David Collado Sela ("we", "us"). This policy explains what data the app touches, where it lives, and — most importantly — what we never see.

The short version: we collect nothing. Todoke has no server that stores your data, no analytics, no ads, and no trackers. Your GitHub token lives only in your device's Keychain, and your issues travel directly between your device and GitHub.

Signing in with GitHub

Todoke signs you into your existing GitHub account using GitHub's standard OAuth authorization code flow, with PKCE (a code verifier/challenge pair, generated fresh on your device) added on top, in a system browser session. The app never sees your GitHub password.

PKCE alone isn't enough to complete GitHub's flow: GitHub's authorization-code exchange still requires a confidential application secret, which cannot safely ship inside a public app binary. For that one step — and that step only — the app calls a small service we operate (a Cloudflare Worker at todoke-auth.bitomule.workers.dev) that holds the secret on our behalf. This service:

  • performs only the momentary code-for-token exchange (and token refresh) with GitHub;
  • holds the application secret so the app doesn't have to;
  • stores nothing — no database, no user records, no token logs. The exchange is transient: the token passes through to your device and is immediately forgotten;
  • never receives your issues, comments, repositories, or any other GitHub content.

Your access token

The token GitHub issues to you is stored only on your device, in the iOS Keychain (device-only, protected after first unlock). It is never synced to iCloud, never sent to us, and only ever transmitted to api.github.com and github.com to make the requests you ask for.

Your GitHub data

Issues, comments, repositories, labels, and profile information flow directly between your device and GitHub, authenticated with your own token. Todoke displays that data; it does not copy it to any server of ours. Your use of GitHub itself is governed by GitHub's Privacy Statement.

Todoke can only access the repositories you explicitly grant when you install the Todoke GitHub App, requesting only the Issues permission plus GitHub's mandatory read-only Metadata permission (repository names and labels — never source code). You can review the exact permissions the app requests on that page before installing it, and again any time at github.com/settings/installations.

Analytics, advertising, and tracking

None. Todoke contains no analytics, no advertising, no trackers, and no third-party SDKs that receive your data. We do not build profiles, fingerprints, or usage statistics.

Preferences

App preferences (issue filters, repository defaults, and similar settings) are stored on your device in local app storage (UserDefaults). They never leave your device.

Signing out and revoking access

When you sign out, Todoke deletes the token from your device's Keychain and asks GitHub to revoke it, so it can no longer be used anywhere.

You can also revoke Todoke's access yourself at any time, independently of the app, at github.com/settings/apps/authorizations, and manage or uninstall the Todoke GitHub App from your repositories at github.com/settings/installations.

Data retention

We retain nothing, so there is nothing to delete on our side. Removing the app from your device (or signing out) removes everything Todoke stored locally. Revoking the authorization on GitHub severs the app's access entirely.

Children

Todoke is not directed at children and is not intended for use by anyone under 13 (or the equivalent minimum age in your jurisdiction). GitHub itself requires users to be at least 13. We do not knowingly collect any information from children — indeed, we do not collect any information from anyone.

Changes to this policy

If this policy changes, the updated version will be posted at this address with a new effective date. Because the app collects nothing, changes are expected to be rare and editorial.

Contact

Questions about privacy in Todoke: [email protected]