TinjaSoft takes your security and privacy very seriously. GTO has been designed with the understanding that your data belongs to you, not to TinjaSoft or anyone else.
GTO never has access to your account password, since these are handled by the Android operating system. You can read more about how Android manages your passwords here. After you have granted permission for GTO to manage your tasks, the Android OS creates secure network sessions for GTO to communicate with the Google servers. This is done through use of an authentication token, and the token used by GTO is only valid for accessing Tasks, not GMail or any other Google products (more technical information here).
Your task and list data is only sent to the official Google servers, and is sent securely using the HTTPS protocol. GTO does not send your data anywhere else.
Your data is stored in a private database on your Android device, and is designed to only be accessed through GTO. Your GTO preference options are automatically stored on the SD Card, in the /GTO_Backup folder, but this does not contain your accounts, lists or tasks. If you choose to backup your data using one of the Backup / Restore options, then those files potentially could be easily accessed by other apps, but I haven't found any evidence of this actually occurring.
GTO should only be downloaded from the TinjaSoft website (or, before June 2014, from the Play Store or Amazon Appstore). If you obtain GTO or GTO Lite from any other source, or if the app was distributed by a developer other than TinjaSoft, be aware that that software has almost certainly been altered somehow, possibly in a malevolent way. Unofficial copies are vulnerable to many potential problems such as the app not behaving as intended, losing your task data, your Google account and/or device being hacked, malware being placed on your device, and other issues. TinjaSoft takes no responsibility for damage or loss caused by unofficial copies of its software.