Privacy Policy

We collect the following types of information:

Account Information

• Name and email address when you register.
• Password (stored as a one-way cryptographic hash — we never store your plain-text password).
• Organisation name when you create a workspace.
• Avatar or profile picture if you choose to upload one.

Usage Data

• Projects, tasks, comments, attachments, and other content you create within the Service.
• Log data including IP address, browser type, pages visited, and timestamps.
• Device information such as operating system and screen resolution.

Communications

• Emails you send to our support team.
• Notification preferences you configure in Settings.

We use the information we collect to:

• Provide, operate, and improve the Service.
• Send transactional emails (password resets, task assignments, digest summaries) based on your preferences.
• Respond to your support requests and enquiries.
• Monitor and analyse usage patterns to improve performance and user experience.
• Detect, prevent, and address technical issues or security threats.
• Comply with legal obligations.

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

We use the following:

• Session cookie — a secure HTTP-only cookie that identifies your authenticated session. This is essential for the Service to function.
• localStorage — used to persist your theme preference (light/dark) and UI state on your device.

We do not use third-party advertising cookies or cross-site tracking technologies.

We share your data only with:

• Infrastructure providers — our database is hosted on Neon (PostgreSQL) and our application is deployed on Vercel. Both operate under strict data processing agreements.
• Email delivery — we use Resend to deliver transactional emails. Your email address is shared with Resend solely for this purpose.
• File storage — attachments you upload are stored in Vercel Blob storage with access-controlled URLs.
• Legal requirements — we may disclose your data if required by law, court order, or governmental authority.

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are legally required to retain it for longer.

Organisation data (projects, tasks, comments) may be retained for up to 90 days after account deletion to allow for recovery in case of accidental deletion.

We implement industry-standard security measures to protect your data:

• All data is transmitted over HTTPS (TLS 1.2+).
• Passwords are hashed using bcrypt with a cost factor of 10 or higher.
• Authentication tokens are signed with a secure secret and stored in HTTP-only cookies.
• Rate limiting is applied to sensitive endpoints (login, password reset) to prevent brute-force attacks.
• Database access is restricted to application servers via connection pooling with TLS.

No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us at support@taskflow.app.

Depending on your location, you may have the following rights:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate or incomplete data.
• Deletion — request deletion of your personal data ("right to be forgotten").
• Portability — request your data in a machine-readable format.
• Objection — object to processing of your data for certain purposes.

To exercise any of these rights, contact us at support@taskflow.app. We will respond within 30 days.

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it promptly.

Your data may be stored and processed in countries other than your own, including the United States. By using the Service, you consent to the transfer of your data to these countries. We take steps to ensure that such transfers comply with applicable data protection laws.

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Service or by email. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us at: