Privacy Policy

Effective date: April 21, 2026

This Privacy Policy (the "Policy") explains what information Taskid ("we", "us", "Service") collects from users of the website https://taskid.app and the Taskid mobile applications, how we use, store, and protect that information, and what rights you have.

By creating an account or using the Service, you confirm that you have read and agree to this Policy. If you do not agree with its terms, please do not use the Service.

1. Data Controller

The data controller is the Taskid team. For any questions regarding the processing of personal data, account deletion, or exercising your rights, please contact us at support@taskid.app.

2. Data We Collect

2.1. Account data

Email - required for registration, account verification, and password reset.
Password - stored only as an argon2id hash. The password itself is never stored on the server or shared with third parties.
Name (optional) - displayed in the app interface.
Avatar (optional) - a profile picture you upload.
Time zone and language - used to display dates and the UI correctly.

2.2. Device and session data

Platform (iOS, Android, macOS, Windows, Linux, Web), device manufacturer and model, OS version, app version.
Install identifier (UUID generated by the client, unrelated to the advertising identifier of the device).
IP address and User-Agent - retained in service logs for security, abuse prevention, and password reset.
APNs (Apple Push Notification service) or FCM (Firebase Cloud Messaging) push token - only if you explicitly enable notifications in your device settings. Used solely to deliver notifications about your tasks and reminders.
A SHA-256 hash of the session token. The raw token is never stored on the server.

2.3. User content

Groups, lists, tasks, subtasks, their titles, notes, priorities, dates, flags, and recurrence rules (RRULE).
Reminders and their trigger times.
Information entries attached to lists.
Completion history of recurring tasks.

This content belongs to you. We store it only to provide synchronization between your devices and to make the Service work.

2.4. What we do NOT collect

We do not use third-party analytics, advertising SDKs, or trackers.
We do not collect device advertising identifiers (IDFA / AAID).
We do not access your location, contacts, calendar, photo library, microphone, or camera unless you explicitly provide such data through app features (no such features exist in the current version).
We do not sell personal data to third parties.

3. Purposes of Processing

Creating and authenticating your account.
Synchronizing tasks, lists, and notes across your devices.
Sending transactional emails: email verification and password reset.
Delivering push notifications for tasks and reminders (only with your consent).
Ensuring security: protection against brute-force, suspicious sign-ins, and abuse.
Providing technical support in response to your requests.

4. Legal Basis (GDPR)

We process personal data on the following legal grounds:

Performance of a contract - providing the Service you requested by creating an account.
Consent - push notifications and any future marketing communications.
Legitimate interest - ensuring the security of the Service and preventing fraud.
Legal obligation - where required by applicable law.

5. Third-Party Service Providers

We share the minimum necessary data with the following service providers:

Apple Inc. - Apple Push Notification service (APNs) used to deliver push notifications to iOS and macOS devices. The device push token and the notification payload are transmitted.
apple.com/legal/privacy
Google LLC (Firebase) - Firebase Cloud Messaging (FCM) used to deliver push notifications to Android devices. The device push token and the notification payload are transmitted.
firebase.google.com/support/privacy
Cloudflare, Inc. - Cloudflare Turnstile used to protect the registration form from bots. Cloudflare may receive the user's IP address and technical request metadata.
cloudflare.com/privacypolicy
MXroute (SMTP provider) - delivers transactional emails. The recipient's email address and message content are transmitted.
mxroute.com/privacy

We do not share data with any other third parties, except where required by law (for example, in response to a valid request by a competent public authority).

6. Storage and Security

Data is stored in PostgreSQL and Redis on servers rented from a professional hosting provider.
All traffic between the client and the server is protected by TLS (HTTPS).
Passwords are stored only as argon2id hashes. Authentication tokens are stored only as SHA-256 hashes.
Database access is restricted and protected.
Backups are created daily and retained for 7 days.

7. Retention Periods

Account data and user content are retained for as long as the account is active.
After account deletion, data is erased within 30 days. Backup copies are overwritten within the following 30 days.
Password reset and email verification tokens are automatically deleted upon expiration.
Service logs (IP address, sign-in time) are retained for no longer than 90 days.

8. Your Rights

Under applicable law (including GDPR and CCPA) you have the right to:

Obtain confirmation of whether your data is being processed and access a copy of it.
Request correction of inaccurate data.
Request deletion of your account and all associated data (the "right to be forgotten").
Restrict or object to processing.
Receive a copy of your data in a machine-readable format (data portability).
Withdraw consent for push notifications at any time through your device settings.
Lodge a complaint with a supervisory authority.

You can delete your account from the Settings section of the app or by sending a request to support@taskid.app. Requests are processed within 30 days.

9. International Data Transfers

For push notifications and bot protection to work, data may be transmitted to servers operated by Apple, Google, and Cloudflare, which are located in various countries, including the United States. These providers maintain an adequate level of data protection through their public policies and applicable data transfer mechanisms.

10. Children

The Service is not intended for children under 13 (or 16 in the EU, unless otherwise set by national law). We do not knowingly collect data from children below this age. If you become aware that a child has provided us with personal data without parental or guardian consent, please contact us and we will delete that data.

11. Cookies and Local Storage

The web version of the Service uses a single strictly-necessary cookie taskid_session for authentication. It is not used to track user behavior and is not shared with third parties. Browser local storage (localStorage / sessionStorage) may be used to keep temporary form state. We do not set advertising or analytics cookies.

12. Changes to This Policy

We may update this Policy from time to time. The current version is always available at taskid.app/en/privacy. For material changes, we will notify users by email or through an in-app notice.

13. Contact

For any questions regarding the processing of your personal data, please contact us at support@taskid.app.