(This content is also available in-app, via Settings (gear) → Privacy and Agreements.)
When you click the "Sign in with Google" button, it uses the OAuth protocol to let Google identify who your are, which pops out a window where you pick a google account. Next you can grant various permissions for 3rd party to access your data. In this app, the only permission being requested is your "tasks". Since you didn't give permissions to any other things like your gmail address, name, profile picture, other data, etc, this app cannot access them.
This app is front-end only, and doesn't have a server to collect or store your data. After connecting with google's Tasks API, it retrieves and displays your tasks. When you make edits, it's submitted back to the google tasks API. Data is transferred via https.
Except the google server, it doesn't send your tasks data anywhere else on the internet. All network traffic can be monitored in the Chrome DevTools (press F12 then choose the "Network" tab).
Although this app doesn't use an open source license, frontend JavaScript is always open by nature. Anybody is free to inspect the source code.