Taskachu

Privacy Policy

Last updated May 18, 2026

This Privacy Notice for Taskachu ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

  • Visit our website at https://taskachu.com, or any website of ours that links to this Privacy Notice
  • Use Taskachu — a web-based productivity application that helps solo founders and small teams manage projects through Kanban-style boards. The Service includes AI-powered features that send user-provided content to third-party large-language-model providers (currently OpenAI), and offers optional integrations with Slack, Google Drive, and GitHub. Taskachu offers Free and Pro paid plans, with billing handled via Stripe.
  • Engage with us in other related ways, including any marketing or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions, please contact us at andrii.nadosha@shally.app.

Summary of key points

This summary provides the headline points. Use the table of contents below to jump to the details of any topic.

What personal information do we process? Information you give us directly when you register and use Taskachu (name, email, the content you put into your boards), plus minimal technical data (IP address, browser type) collected automatically to keep the Service running.

Do we process sensitive personal information? No. We do not collect special-category data such as racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or biometric identifiers.

How do we process your information? To provide and improve the Service, communicate with you, prevent fraud, and comply with law. AI features process your content only when you actively use them.

With whom do we share information? Only with the third-party processors that make the Service work (OpenAI, Stripe, Resend, Google, AWS, MongoDB Atlas, and — only when you connect them — Slack, Google Drive, GitHub).

How do we keep your information safe? Industry-standard organisational and technical controls — encryption in transit and at rest, JWT-based authentication, the principle of least privilege, and regular security review. No system is 100% secure.

What are your rights? Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal information. See Section 12.

Table of contents

  1. What information do we collect?
  2. How do we process your information?
  3. Legal bases for processing
  4. When and with whom do we share?
  5. Do we use cookies?
  6. Do we offer AI-based products?
  7. How do we handle social logins?
  8. International transfers
  9. How long do we keep your information?
  10. How do we keep your information safe?
  11. Do we collect information from minors?
  12. Your privacy rights
  13. Do-Not-Track and Global Privacy Control
  14. United States residents
  15. Updates to this notice
  16. How to contact us
  17. Review, update, or delete your data

1. What information do we collect?

Personal information you disclose to us

We collect personal information that you voluntarily provide when you register for the Service, create or collaborate on workspaces, contact us, or otherwise engage with Taskachu. The categories we collect:

  • Names (first and last) you provide at sign-up
  • Email addresses
  • Usernames and authentication credentials (e.g. hashed passwords, OAuth tokens)
  • The content you put into your boards: card titles, descriptions, comments, subtasks, uploaded files, and brainstorm sessions

Sensitive information. We do not process sensitive personal information as defined under GDPR Article 9 or analogous categories in other jurisdictions.

Payment data. If you purchase a Pro plan, payment information is collected and processed by Stripe. Taskachu does not store your full payment card details on its own servers; we receive only a customer identifier and minimal billing metadata. See Stripe's Privacy Policy.

All personal information you provide must be true, complete, and accurate, and you must notify us of any changes.

Information automatically collected

Some information — such as your IP address and basic browser/device characteristics — is collected automatically when you visit the Service. This is needed to operate, secure, and debug the Service. We log:

  • Log and usage data: request timestamps, pages and features accessed, error reports, and other service-related diagnostic information.
  • Device data: IP address, browser type and version, operating system, and basic device identifiers your browser sends in headers.

We do not use GPS or other precise-location technologies. Country/region may be derived from your IP address for security and operational purposes only.

On our marketing landing pages, if you accept analytics cookies in the consent banner, Google Analytics 4 additionally collects aggregated visit data — referral source, pages viewed, scroll depth, outbound clicks, and approximate country from a truncated IP address. This data is tied to a randomly-generated client ID, not to your Taskachu account. See Section 5 for the full cookie inventory.

Information from third parties (OAuth-authorised only)

We do not buy lists or receive information from data brokers. We receive information from third parties only when you explicitly authorise us via OAuth to access your account on those services. Specifically:

  • Google (via Firebase Authentication when you sign in with Google, or Google Drive when you connect that integration) — basic profile information (name, email, avatar URL) and, if you connect Drive, file metadata you choose to import.
  • Slack (when you connect a workspace) — workspace metadata and a bot OAuth token.
  • GitHub (when you provide a Personal Access Token) — repository and pull-request metadata for the cards you link.

2. How do we process your information?

We process your information to:

  • Provide, operate, and improve the Service
  • Create and manage your account
  • Enable AI-assisted features when you invoke them (see Section 6)
  • Process payments and manage subscriptions
  • Communicate with you about Service updates, security, and support
  • Prevent fraud, abuse, and unauthorised access
  • Comply with applicable law and respond to legal requests

We only process your information when we have a valid legal reason to do so. We do not sell your personal information, and we do not use it for cross-context behavioural advertising.

3. Legal bases for processing

Under GDPR and equivalent regimes, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you have signed up for.
  • Legitimate interests — to keep the Service secure, prevent abuse, and improve features in non-intrusive ways.
  • Consent — for analytics cookies on our marketing pages (loaded only after you accept them in the consent banner — see Section 5) and for processing your content through AI features (your active invocation of an AI feature constitutes consent for that processing).
  • Legal obligation — to comply with tax, accounting, and other regulatory requirements.

4. When and with whom do we share your personal information?

We share information only with the third-party processors needed to operate the Service. We do not sell or rent personal information to anyone.

| Processor | Purpose | Privacy policy |
|---|---|---|
| OpenAI | AI features — your content is sent to OpenAI's API only when you actively invoke an AI feature | Link |
| Stripe | Payment processing for Pro subscriptions | Link |
| Resend | Sending transactional emails (account, billing, notifications) | Link |
| Google (Firebase Authentication) | Authentication when you sign in with Google | Link |
| Google Tag Manager (landing only; consent-gated) | Orchestration layer that loads our analytics and advertising tags (currently GA4; in future may include Google Ads conversion tracking and the Meta Pixel listed below). GTM itself does not set tracking cookies — the destination tags do. | Link |
| Google Analytics 4 (landing only; consent-gated) | Aggregated traffic and conversion measurement on the marketing landing pages — only after you accept analytics cookies via the consent banner | Link |
| Google Ads (landing only; consent-gated; future) | Conversion tracking for paid acquisition campaigns. Loaded via GTM and active only after you accept advertising cookies via the consent banner. Not active until our first paid campaign launches. | Link |
| Meta (Facebook / Instagram) (landing only; consent-gated; future) | Meta Pixel for retargeting and conversion measurement of paid social campaigns. Loaded via GTM and active only after you accept advertising cookies via the consent banner. Not active until our first paid Meta campaign launches. | Link |
| Amazon Web Services | Application hosting (ECS Fargate) and file storage (S3) | Link |
| MongoDB Atlas | Primary application database | Link |
| Slack (only if you connect it) | Workspace notifications and slash commands | Link |
| Google Drive (only if you connect it) | Importing documents into your knowledge base | Link |
| GitHub (only if you connect it) | Linking pull requests to cards | Link |

We may also disclose your information if required by law, in response to valid legal process, or to protect our rights, property, or safety, or that of our users or the public.

In the event of a merger, acquisition, or asset sale, your personal information may be transferred as part of that transaction; we will notify you before such a transfer is completed and your information becomes subject to a different privacy notice.

5. Do we use cookies and other tracking technologies?

In short: One strictly-necessary cookie for authentication, plus Google Analytics cookies only after you accept them via the consent banner shown on our marketing pages. No advertising, retargeting, or social-media cookies.

Strictly necessary cookie

When you sign in to Taskachu, we set one first-party cookie named token. It stores your session as a JSON Web Token, is marked HttpOnly, Secure (in production), and SameSite=Lax, and expires after 7 days. This cookie is strictly necessary for the Service to function — without it you cannot stay logged in. Under the ePrivacy Directive and GDPR, strictly necessary cookies do not require consent.

Analytics cookies (consent-gated)

On our marketing landing pages we use Google Analytics 4 to measure aggregated traffic and conversion funnels (visits, page views, sign-ups). Google Analytics cookies are non-essential and are loaded only after you accept analytics cookies in the consent banner shown on first visit. If you decline, no analytics script is loaded and no analytics cookie is set.

| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| token | Authentication session (JWT) | 7 days | First-party, strictly necessary |
| _ga | Distinguishes unique visitors (Google Analytics 4) | 2 years | First-party, analytics (consent-gated) |
| _ga_* | Persists session state for the GA4 property | 2 years | First-party, analytics (consent-gated) |

We have configured GA4 with IP anonymisation enabled, the Data Processing Terms (Google's Standard Contractual Clauses for GDPR-protected data) signed, and a 14-month data retention limit. We do not enable Google signals (which would expand the data to cross-device behavioural profiles).

Advertising cookies (consent-gated; not active yet)

We have not started running paid acquisition campaigns yet, but the infrastructure for Google Ads conversion tracking and the Meta Pixel is wired into our Google Tag Manager container so we can activate them when we do. Until then, no advertising tag is loaded — even if you accept advertising cookies in the banner, nothing is set yet.

When activated, advertising cookies will load only after you accept them via the consent banner. Declining the advertising category will prevent the tags from firing entirely. We will update the cookie table above with the specific cookie names (_fbp, _gcl_*, etc.) when activation goes live.

We do not currently embed third-party tracking pixels, web beacons, or fingerprinting scripts. We do not currently serve targeted advertising. We will update this notice before any of that changes.

Cookies set on other domains during checkout / sign-in

If you use Stripe to manage a paid subscription, Stripe may set its own cookies when you are on its Checkout or Customer Portal pages — those are governed by Stripe's Privacy Policy. If you sign in with Google, Google may set cookies during the sign-in flow on its own domain — those are governed by Google's Privacy Policy.

How to manage cookies

You can re-open the consent banner at any time from the Cookie preferences link in the site footer, change your selection, or withdraw consent. You can also block or delete cookies via your browser settings. Blocking the token cookie will sign you out and prevent you from using the Service.

6. Do we offer AI-based products?

Yes. The Service uses third-party large-language-model providers (currently OpenAI) to power the following AI-assisted features. None of these features make automated decisions with legal or similarly significant effects on users; outputs are always suggestions that a human reviews and accepts.

  • Card decomposition — generates a list of subtasks from a card's title and description.
  • Card description drafting — drafts a card description from a short conversation with the user.
  • Agent export — produces a structured handoff document (per card or per whole board) intended to be fed to an external code-generation tool.
  • Weekly review — generates a retrospective summary from a board's activity over the past week.
  • Card chat — answers questions about a specific card using that card's context.
  • Knowledge assistant ("Ask Taskachu") — answers questions about a workspace using retrieval-augmented generation over the user's own cards and uploaded documents.
  • Brainstorm sessions — multi-turn conversation that helps shape an idea, followed by an automatic synthesis step that proposes a board structure.
  • Card prioritisation — ranks a board's cards by importance and provides supporting reasoning.
  • Standup plan generation and discussion — synthesises a team's daily check-ins into a recommended day plan, with conversational follow-up.
  • Embeddings indexing — when you create or update a card or upload a document, its text is converted to a vector embedding via OpenAI's embeddings API and stored to enable semantic search scoped to that workspace only. Vectors from one workspace are never mixed with another.

All AI features are quota-gated per workspace (Free and Pro tiers). User content sent to OpenAI is processed under OpenAI's API data-handling terms; OpenAI does not train its models on API inputs by default.

7. How do we handle social logins?

We offer the option to register and log in using your existing Google account via Firebase Authentication. If you choose this option, Google provides us with a basic profile (name, email, avatar URL) and an ID token verifying your identity. We do not access any other Google data unless you separately connect a Google integration (e.g. Google Drive).

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We do not offer login via Facebook, X (Twitter), Apple, or other social-media providers at this time.

8. Is your information transferred internationally?

Our servers run on AWS in the United States; our database is hosted on MongoDB Atlas (multi-region options). Several of our processors (OpenAI, Stripe, Resend, Google) are also based in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States and in other jurisdictions where our processors operate.

We rely on standard contractual clauses (SCCs) and equivalent safeguards required by applicable data-protection law to ensure your information receives adequate protection when transferred internationally.

9. How long do we keep your information?

We retain your personal information for as long as your account is active or as needed to provide the Service. After you delete your account, we delete or anonymise your personal information within 30 days, except where retention is required by law (e.g. invoicing records under tax law) or where we need to keep data to resolve disputes or enforce our agreements.

Logs and aggregated technical telemetry are retained for up to 90 days for security and operational diagnostics, then deleted automatically.

10. How do we keep your information safe?

We use industry-standard organisational and technical controls, including:

  • TLS 1.2+ for all data in transit
  • Encryption at rest for database storage and file storage (AWS S3 SSE)
  • Hashed passwords (we never see plaintext) and hashed API tokens (SHA-256)
  • JWT-based authentication with HttpOnly cookies
  • Principle of least privilege for internal access
  • Regular dependency updates and security review

No electronic transmission or storage system is 100% secure. While we work to protect your information, we cannot guarantee that unauthorised third parties will never defeat our security. You use the Service at your own risk.

11. Do we collect information from minors?

Taskachu is not directed at children under 16, and we do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at andrii.nadosha@shally.app and we will delete it.

12. What are your privacy rights?

Depending on where you live, applicable data-protection law may grant you the following rights with respect to your personal information:

  • The right to access a copy of the personal information we hold about you
  • The right to correct inaccurate or incomplete information
  • The right to delete your personal information (subject to legal retention requirements)
  • The right to restrict or object to processing in certain circumstances
  • The right to data portability — receive your data in a structured, machine-readable format
  • The right to withdraw consent at any time where processing is based on consent
  • The right to lodge a complaint with your local data-protection authority

To exercise any of these rights, contact us at andrii.nadosha@shally.app. Most rights can also be exercised directly from Settings → Account in the application: export your workspace data, update your profile, or delete your account.

13. Do-Not-Track and Global Privacy Control

Most web browsers and some mobile operating systems support a Do-Not-Track ("DNT") signal or a Global Privacy Control ("GPC") signal. Taskachu does not engage in cross-context behavioural advertising and does not sell or share personal information for advertising purposes, so the CCPA/CPRA "Do Not Sell or Share" right does not apply to any data we process. We do load Google Analytics 4 on our marketing pages, but only after you have explicitly accepted analytics cookies in the consent banner — without acceptance, no analytics script is loaded. If we ever introduce advertising pixels or third-party retargeting, we will update this notice and implement signal handling for DNT/GPC before doing so.

14. Do United States residents have specific privacy rights?

If you reside in California, Colorado, Connecticut, Utah, Virginia, or another US state that provides comprehensive privacy rights, you may have additional rights including those listed in Section 12. We do not sell personal information, and we do not share personal information for cross-context behavioural advertising, so the CCPA/CPRA "Do Not Sell or Share My Personal Information" right does not apply to any data we process.

To exercise your rights, contact us at andrii.nadosha@shally.app. We will respond within the timeframes required by applicable law.

15. Do we make updates to this notice?

We may update this Privacy Notice from time to time to reflect changes in our practices, legal requirements, or the Service. The updated version will be indicated by the "Last updated" date at the top of this page. Material changes will be communicated by email or via an in-app notice before they take effect.

16. How can you contact us about this notice?

For any questions or comments about this Privacy Notice, please email andrii.nadosha@shally.app.

17. How can you review, update, or delete the data we collect from you?

You may review or update your account information at any time from Settings → Profile in the application. To request a full data export or to delete your account and all associated data, use the Settings → Account section, or contact us at andrii.nadosha@shally.app and we will respond within the timeframes required by applicable law.