How Lightwork handles your data
Lightwork is a private AI-assisted task intake system. This policy explains what data the app accesses, how it is used, and how Google user data is handled.
Data Lightwork collects
Lightwork stores account details such as your name, email address, profile photo, authentication provider, sessions, workspace memberships, task content, labels, subtasks, due dates, reminders, notification preferences, GitHub connection metadata, and Google Calendar connection metadata.
When you use Google Sign-In, Lightwork receives your Google account identifier, email address, name, and profile image so it can authenticate you and show your account identity inside the app.
Google Calendar data
If you choose to connect Google Calendar, Lightwork may access your calendar list, selected calendar metadata, free/busy blocks, future event titles, descriptions, links, start and end times, recurrence identifiers, and event update timestamps.
Lightwork uses this Google Calendar data to show agenda context, search future calendar events, detect scheduling conflicts, and create calendar blocks from tasks only when you explicitly use calendar features.
How data is used
Task and workspace data is used to run the private Lightwork experience: task capture, AI enrichment, categories, tags, priorities, deadlines, reminders, follow-ups, workspace access, GitHub context, Google Calendar context, email notifications, and web push notifications.
AI enrichment may send task text and relevant context to configured AI providers so the app can produce structured task details. Lightwork does not use your Google user data for advertising, credit decisions, surveillance, or unrelated profiling.
Storage and security
Lightwork stores production data in its private PostgreSQL database and Redis-backed queues. Session cookies are HttpOnly, CSRF is enforced for mutations, and provider secrets are kept in environment variables.
Google OAuth access and refresh tokens are encrypted before storage. When you disconnect a Google account from Lightwork, the connected account record and related local calendar data are deleted through the app database relations.
Data protection mechanisms for sensitive data
Lightwork uses HTTPS/TLS for browser traffic, HttpOnly and same-site session cookies, CSRF protection for state-changing requests, server-side authorization checks, and role-based workspace permissions to limit access to account, workspace, task, Google Calendar, GitHub, notification, and AI-enrichment data.
Sensitive provider credentials and production secrets are stored outside the source code in environment variables. Google OAuth access tokens and refresh tokens are encrypted at rest before they are stored in the database, and decrypted only server-side when needed to perform user-requested Calendar actions.
Administrative access to production infrastructure is limited to authorized maintainers. Lightwork keeps local Google Calendar records only for connected accounts, removes locally stored calendar data when a Google account is disconnected, and avoids using Google user data for advertising, sale, or unrelated profiling.
Sharing and Limited Use
Lightwork does not sell Google user data, task data, calendar data, or account data. Lightwork does not transfer Google user data to advertising platforms, data brokers, or information resellers.
Lightwork uses Google user data only to provide or improve visible user-facing features in the app, to maintain security, to comply with applicable law, or with your explicit consent. This use is intended to comply with the Google API Services User Data Policy, including its Limited Use requirements.
Your choices
You can choose whether to use password login, Google Sign-In, Google Calendar, GitHub, email notifications, or web push where those features are available to your account.
To request access, correction, export, deletion, or privacy support, contact caio.faheina@acomanaus.com.br.