
Privacy Policy

Last updated: June 16, 2026

1. Data controller

The controller of your personal data is the TaskAura team, reachable at hello@taskaura.app. We have not appointed a Data Protection Officer — for any data-related matters please use the same email address.

2. Definitions

For the purposes of this Policy: "GDPR" means Regulation (EU) 2016/679; "User" means a person using the app; "Account" means an individual profile in the app; "Service" means the TaskAura app available in web and mobile versions; "Content" means data entered by the User (tasks, projects, habits, notes, settings); "AI Features" means features powered by language models; "Cookies" means cookies and similar technologies described in the Cookie Policy.

3. Sources of data

We receive data directly from you (during sign-up, login and use of the Service) and — when you use external sign-in — from the authentication provider (Google OAuth: account ID, email, name, avatar). We neither buy data nor obtain it from data brokers.

4. What data we collect

  • Email address and (optionally) name — to create your account and sign you in.
  • Content of tasks, projects, habits and focus sessions that you enter yourself.
  • Anonymous usage metrics (e.g. "task_created", "focus_started") — no task content, no personal data.
  • Technical logs (IP, user agent, request time) needed for security and debugging.
  • Sign-in provider data (Google) — only account ID and email.
  • Mobile app data (Capacitor): install identifier, push notification settings — only after you grant OS-level consent.
  • Submissions from the feedback / contact form — message content and email address if you provide one.

5. Purposes and legal bases of processing

We process your data for the following purposes, on the following GDPR legal bases, and within the following data scopes. We do not process special categories of data within the meaning of Art. 9 GDPR.

  • Providing the Service and operating your Account (email, name, Content, sign-in data) — Art. 6(1)(b) GDPR (performance of a contract).
  • Complying with legal obligations, e.g. responding to complaints and data-subject requests (Account data, message content) — Art. 6(1)(c) GDPR.
  • Security of the Service and abuse prevention (technical logs, IP, user agent) — Art. 6(1)(f) GDPR (legitimate interest).
  • Product analytics and improving the app (anonymous usage metrics) — Art. 6(1)(f) GDPR.
  • AI Features (Content you submit to a given feature) — Art. 6(1)(a) GDPR (your consent expressed by activating the feature).
  • Optional analytics or marketing cookies — Art. 6(1)(a) GDPR (your consent).

6. Voluntary nature of providing data

Providing data is voluntary but necessary to create an Account and use features that require sign-in. Without an email address we cannot create an Account or provide the Service. Use of consent-based features (e.g. AI Features, analytics cookies) is entirely optional.

7. Cookies and similar technologies

We use cookies and browser local storage to the extent necessary to operate the app (login session, language and theme preferences). Analytics or marketing cookies are used only after you give consent. Full information about cookie types, legal bases and management is available in the separate Cookie Policy: https://taskaura.app/cookies.

8. Retention periods

  • Account data and Content — for the lifetime of the Account; up to 30 days in backups after deletion (backups rotate on a 30-day cycle).
  • Security logs — up to 90 days.
  • Complaint records — up to 3 years (limitation periods).
  • Anonymous usage metrics — indefinitely (they do not identify a person).

9. Recipients and processors

We share data with the following categories of processors, only as needed to provide the Service:

  • Supabase — database hosting and authentication (EU region).
  • Cloudflare / Lovable — CDN, front-end hosting and DDoS protection (global).
  • AI model providers (Google, OpenAI, Anthropic) — processing AI Feature requests (USA), only when you activate the feature.
  • Outgoing email provider — sending transactional messages (confirmations, password resets).
  • HIBP (haveibeenpwned.com) — password verification using k-anonymity: we send only the 5-character SHA-1 hash prefix, never the full password or any User identifier.

10. Transfers outside the EEA

Some providers (e.g. AI models) may process data in countries outside the European Economic Area, including the United States. Transfers rely on Standard Contractual Clauses (SCC) approved by the European Commission, Commission adequacy decisions (e.g. EU-US Data Privacy Framework — where the provider is listed) and additional safeguards.

11. AI features and external processing

AI-powered features (Coach, "Break into steps", prioritization) send selected Content to language-model providers only when you activate the feature. Content is not used to train provider models (per their business terms). Remember: AI inputs may include your Content — do not enter data you do not want to share with the model providers.

12. Security

We apply technical and organizational safeguards appropriate to the risk, in particular:

  • Encryption in transit (TLS) and at-rest encryption on the database provider side.
  • Row-Level Security in the database — data is isolated at the User level.
  • Password verification against known breach lists (HIBP) using a hash only (k-anonymity).
  • Restricted access to production infrastructure (least-privilege principle).
  • Monitoring of suspicious events and security alerts.
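The k-anonymity password check mentioned in sections 9 and 12 works as follows: the client hashes the password with SHA-1, sends only the first 5 hex characters of the digest to the breach service, receives every known suffix in that range, and compares the remaining 35 characters locally. The following Python is an added illustration of that flow and is not TaskAura's own code; the `fake_range_fetch` function and its response body are constructed stand-ins for the network call, and the breach counts in it are made up. The response shape (`SUFFIX:COUNT` lines) mirrors the published HIBP range-API format.

```python
import hashlib
from typing import Callable


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix
    that is sent to the breach service and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the breach set.

    Only the 5-character prefix is handed to fetch_range; the full hash,
    the password and any user identifier never leave this function.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


# Constructed stand-in for the HTTP call to the range endpoint. It records
# exactly what would be transmitted so the privacy property can be checked.
SENT_PREFIXES: list[str] = []

# Constructed response for prefix "5BAA6": SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is listed with a
# made-up count; the other suffixes are filler.
_CONSTRUCTED_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",
        "F4E1C1F1B2D6C3A0E9D8B7A6F5E4D3C2B1A:17",
    ]),
}


def fake_range_fetch(prefix: str) -> str:
    SENT_PREFIXES.append(prefix)
    # Unknown prefixes get an empty range, as if nothing matched.
    return _CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fake_range_fetch)
        print(f"{candidate!r}: seen {n} times; transmitted only {SENT_PREFIXES[-1]!r}")
```

The design point is that `fetch_range` receives a value with 16^5 possible forms, so the service learns which of roughly a million buckets the password falls in but nothing that identifies the password or the user; pairing the call with an account ID would undo that property, which is why the policy states that no User identifier is sent.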

13. Profiling and automated decisions

We do not subject Users to automated decisions producing legal effects or similarly significantly affecting them within the meaning of Art. 22 GDPR.

14. Children's data

The Service is not directed to persons under 16 and we do not knowingly collect their data. If we learn that data of a person under 16 has been provided to the Service without the required guardian consent, we will delete it without undue delay. If you are a guardian and believe a child has shared data with us without your consent, please contact us.

15. Mobile app

The mobile version of TaskAura (Capacitor) uses local on-device storage (session, preferences, draft Content). Optionally and only after OS-level consent, we may send push notifications (the device identifier is used solely for delivery). We do not track you across apps or websites. System permissions (e.g. notifications) are optional and can be revoked at any time in OS settings.

16. Your rights

You have the right to: access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interest (Art. 21 GDPR — including profiling), the right not to be subject to automated decisions (Art. 22 GDPR — see section 13), and the right to withdraw consent at any time (without affecting the lawfulness of processing before the withdrawal). You also have the right to lodge a complaint with the President of the Personal Data Protection Office (uodo.gov.pl). A full data export is available in Settings; to delete the Account, write to the contact address.

17. Changes to the policy and versioning

We publish changes to the Policy on this page; the date of the last update is shown at the top. We notify Users of material changes in the app or by email at least 14 days in advance. Previous versions are available on request at the contact address.

18. Contact

hello@taskaura.app