TaskFlow

Privacy Policy

Last updated: April 9, 2026 · Effective: April 9, 2026

📋 Summary (Plain English)

✅ Your tasks are stored locally on your device by default — we cannot read them.
✅ If you enable optional cloud sync, data is encrypted in transit and at rest.
✅ We collect minimal data — only what is needed for the app to work.
✅ We never sell your personal data to third parties.
✅ You can delete your account and all associated data at any time.
⚠️ Guest mode stores data only on your device. Clearing your browser removes it permanently.

1. Who We Are

TaskFlow is a productivity application operated by WebIntimate Technologies ("we," "us," or "our"). Our registered address and principal place of business is in India. You can reach us at privacy@webintimate.com.

This Privacy Policy applies to the TaskFlow web application at https://www.webintimate.com, our iOS and Android applications (when published), and any related services ("Services").

2. Data Architecture — Local-First Design

TaskFlow is designed with a local-first architecture. This means:

Guest Mode: All your tasks, spaces, and preferences are stored exclusively in your device's local storage (browser localStorage or on-device storage for mobile apps). We have no access to this data.⚠️ Warning: Clearing your browser data or uninstalling the app permanently removes guest data. We cannot recover it. Please sign up to protect your data.
Signed-In Accounts (Optional Cloud Sync): When you create an account, your task content can optionally be synced to our secure cloud servers (Supabase, hosted in the European Union). This data is encrypted in transit (TLS 1.3) and at rest. Even with cloud sync, your tasks are processed only to provide the service — we do not analyze, scan, or monetize task content.

3. Information We Collect

3.1 Information You Provide

Field	Purpose	Notes
Full Name	Account creation	Stored in user profile
Email Address	Authentication, notifications	Required for email OTP login
Mobile Number	Optional — SMS OTP login	India (+91) only; used for authentication
Date of Birth	Optional — profile	Not shared with third parties
Task Data	Core app functionality	Stored locally by default; encrypted if synced

3.2 Information Collected Automatically

Field	Purpose	Notes
Device Type	Desktop/Mobile detection	Used for UI optimization; not sold
Last Login Date/Time	Security & activity analytics	Stored in your profile
Browser Type	Technical diagnostics only	Not linked to your identity
IP Address	Fraud prevention, rate limiting	Not stored beyond 24 hours

3.3 Information We Do NOT Collect

The content of your tasks in guest mode (it never reaches our servers)
Payment card numbers (handled by Razorpay/Stripe — PCI DSS compliant)
Location data
Contacts or address book
Microphone, camera, or biometric data

4. How We Use Your Information

Purpose	Legal Basis	Notes
Provide and maintain the Services	Contract performance	—
Send verification OTPs (email/SMS)	Contract performance	Required for authentication
Send task reminders (if enabled)	Legitimate interest / Consent	Can be disabled anytime
Send weekly productivity insights	Consent	Opt-in only
Detect fraud and abuse	Legitimate interest	IP address, request patterns
Improve the app (aggregate analytics)	Legitimate interest	Anonymized, never personal data
Process subscription payments	Contract performance	Via Razorpay/Stripe — we see only transaction ID

5. Data Sharing & Third Parties

We never sell your personal data. We share it only with:

Service	Purpose	Safeguards
Supabase	Database & authentication	EU-hosted; SOC 2 compliant; DPA in place
Vercel	Web hosting & CDN	US-hosted; SOC 2 compliant
Razorpay	India payments (Pro plan)	PCI DSS Level 1; RBI compliant
Twilio / MSG91	SMS OTP delivery	Phone number only; not stored by us after OTP
Resend	Transactional email	Email address only; no task content

All third-party processors have signed Data Processing Agreements (DPAs) and are obligated to process your data only on our instructions.

6. Data Retention

Data Type	Retention Period	Notes
Account data (name, email)	Until account deletion + 30 days	Then permanently deleted
Task data (cloud sync)	Until account deletion	Deleted within 72 hours of request
Authentication logs	90 days	For security audit purposes
Payment records	7 years	Required by Indian financial law (GST)
Guest data	Device local storage only	We have no access; cleared when you clear browser data

7. Your Rights

Depending on your location, you have the following rights under applicable laws including India's Digital Personal Data Protection Act (DPDP Act, 2023), GDPR (EU/UK), and CCPA (California):

👁️

Right to Access

Request a copy of all data we hold about you.

✏️

Right to Rectification

Correct inaccurate or incomplete data.

🗑️

Right to Erasure

Delete your account and all associated data ("right to be forgotten").

📦

Right to Portability

Export your data in JSON or CSV format.

🚫

Right to Object

Opt out of marketing emails and analytics.

⏸️

Right to Restriction

Request we stop processing while a dispute is resolved.

To exercise any right, email privacy@webintimate.com. We will respond within 30 days. Identity verification may be required.

8. Security

Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3.
Encryption at rest: Database is encrypted using AES-256 (Supabase managed keys).
Row-Level Security (RLS): Database policies ensure users can only access their own data. Administrators cannot access user task content by design.
Authentication: We use time-limited OTPs (no passwords stored on our servers). Sessions expire after 1 hour of inactivity.
No service key exposure: Our admin (service role) key is never exposed to client-side code.

9. Children's Privacy

TaskFlow is not directed at children under the age of 13 (or under 18 where required by applicable law, including India's DPDP Act). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact privacy@webintimate.com and we will delete it immediately.

10. Push Notifications

We may send the following notification types, all of which require your explicit consent:

Task reminders: Alerts before high-priority task due dates (browser/device only).
Streak reminders: Daily nudge if you haven't completed a task (opt-in).
Weekly insights: Productivity summary every Monday (opt-in, email).

You can withdraw consent for notifications at any time via your device settings or the in-app notification preferences.

11. Cookies & Local Storage

Cookie/Storage	Type	Purpose
Authentication session cookie	Required	Supabase session token; expires with session
Theme preference	Functional	Remembers dark/light mode
App state (localStorage)	Functional	Tasks, spaces, preferences — stored on your device only
Analytics (if enabled)	Optional	Self-hosted PostHog — no third-party tracking

We do not use Google Analytics, Facebook Pixel, or any cross-site advertising trackers.

12. International Data Transfers

TaskFlow is operated from India. Our database infrastructure is hosted in the European Union (Supabase Frankfurt region) and our application server is hosted on Vercel's global edge network. By using our Services, you consent to the transfer of your data to these jurisdictions. We ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) with all service providers.

13. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will:

Update the "Last Updated" date at the top of this page.
Send a notification to your registered email address (for signed-in users).
Show an in-app banner for 7 days after the change.

Continued use of TaskFlow after a policy change constitutes acceptance of the updated policy.

14. Contact & Grievance Officer

Data Controller: WebIntimate Technologies

Grievance Officer (India — DPDP Act): Rahul (CEO)

Email: privacy@webintimate.com

Response Time: Within 30 days of receipt

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g., India's Data Protection Board under the DPDP Act).