Legal

Privacy Policy

Last updated

Template, not lawyer-reviewed. This document contains bracketed placeholders that must be filled in (entity name, jurisdiction, contact details, etc.) and should be reviewed by qualified legal counsel for your operating jurisdiction before public launch.

This Privacy Policy explains what personal information [ENTITY NAME, e.g. Taskz Inc.] (“Taskz,” “we,” “us”) collects, why we collect it, and what we do with it when you use Taskz.

Summary

  • We collect the minimum we need to run the Service for you.
  • We do not sell your personal information.
  • We do not run advertising trackers or behavioural ad pixels.
  • Your workspace content (boards, docs, messages, files) is encrypted in transit and at rest by our hosting providers.
  • You can export or delete your data at any time from inside the app.

1. Data we collect

Account data. Name, email address, hashed password (handled by Supabase Auth), display name, optional avatar, optional organization name, plan, and billing identifiers if you upgrade.

Workspace content. Boards, lists, tasks, documents, messages, channels, attachments, comments, and other content you create. We treat this as customer data and access it only as needed to provide the Service, respond to support requests, or as required by law.

Usage & technical data. IP address, browser user-agent, timestamps, action logs, and audit-log entries needed for security, abuse prevention, and product reliability.

Payment data. Handled directly by Stripe. We store only non-sensitive identifiers (Stripe customer ID, plan, status). We do not store card numbers.

Cookies. See the Cookie Policy for the full list. We do not use advertising or cross-site tracking cookies.

2. How we use data

  • To provide, secure, and improve the Service.
  • To authenticate you and protect your account.
  • To enforce permissions inside your organization (row-level security).
  • To send transactional emails (invites, password resets, etc.).
  • To process payments through Stripe.
  • To respond to support requests and to enforce our Terms of Service.
  • To comply with legal obligations.

If you are in the European Economic Area or the United Kingdom, we process your personal data under the following GDPR / UK-GDPR bases:

  • Contract — to provide the Service you signed up for.
  • Legitimate interests — for security, abuse prevention, product analytics on aggregated data, and essential service communications.
  • Consent — for any optional cookies or processing we ask you to opt in to.
  • Legal obligation — to comply with applicable law.

4. Sharing & sub-processors

We share personal information only with the providers below, each under a written contract that restricts use to providing services to us:

  • Supabase, Inc. — database, authentication, file storage, realtime.
  • Vercel, Inc. — application hosting and edge delivery.
  • Resend — transactional email delivery.
  • Stripe, Inc. — payment processing.
  • AI model providers — if you enable hosted AI (e.g. Groq, Cerebras, OpenRouter), the prompts and tool calls you send through the AI assistant are forwarded to that provider. The default Ollama provider runs on infrastructure we operate and does not transmit your prompts to a third party.

We may also disclose information if required to do so by law, valid legal process, or to protect our rights or those of our users.

5. Data retention

We retain your account and workspace data for as long as your account is active. When you delete your account, we delete or anonymize your personal data within [RETENTION PERIOD, e.g. 30 days], except where we are required to retain it longer for legal, tax, or backup reasons. Workspace owners can also configure per-organization message-history retention; see the in-app Settings → General page.

6. Security

We protect your data with industry-standard measures, including encryption in transit (TLS), encryption at rest (provider-managed), row-level security inside the database, scoped access for our staff, and audit logging. No system is 100% secure; if we become aware of a breach affecting your personal data we will notify you and the appropriate authorities as required by law.

7. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Delete your personal data (use Settings → Account → Delete account in the app).
  • Export your personal data in a portable format (use Settings → Data export).
  • Object to or restrict certain processing.
  • Withdraw consent at any time, where consent is the legal basis.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email [PRIVACY CONTACT EMAIL, e.g. privacy@yourdomain].

8. International transfers

Our sub-processors are primarily located in the United States and the European Union. Where personal data is transferred out of the EEA or UK, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

9. Children

The Service is not directed to children under [AGE LIMIT, e.g. 16] and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, please contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the latest revision. Material changes will be communicated by email or an in-app notice.

11. Contact

Privacy questions or rights requests: [PRIVACY CONTACT EMAIL, e.g. privacy@yourdomain]
Postal address: [POSTAL ADDRESS OF ENTITY]

If you are in the EEA / UK and we are required to designate a representative, contact: [EU/UK REPRESENTATIVE, if applicable].