Privacy Policy

Effective Date: [INSERT DATE]
Last Updated: [INSERT DATE]

1. Introduction and Contact Information

This Privacy Policy describes how taskpipe.ai ("we," "us," "our," or "Company") collects, uses, processes, and protects your personal information when you use our workflow automation platform and services (the "Service").

Data Controller:
taskpipe.ai
Email: [INSERT EMAIL]
Address: [INSERT ADDRESS]
Phone: [INSERT PHONE]

Data Protection Officer (DPO):
[INSERT DPO CONTACT INFORMATION]

EU Representative (if applicable):
[INSERT EU REPRESENTATIVE DETAILS]

2. Information We Collect

2.1 Personal Information You Provide

Account Information:

• Email address (encrypted in our database)
• User profile information (encrypted)
• Name and contact details
• Payment information (processed securely through Stripe)

Content and Communications:

• Form submissions and data inputs
• Documents you upload (stored encrypted)
• Communication preferences
• Support communications

Team and Organizational Data:

• Team membership information
• Role and permission assignments
• Organizational workflows and configurations

2.2 Information Automatically Collected

Usage Analytics:

• Page views and user interactions (via Segment Analytics)
• Click tracking and navigation patterns
• Session duration and frequency
• Feature usage statistics

Technical Information:

• IP address and device information
• Browser type and version
• Operating system
• Client hints for optimal service delivery
• Error logs and performance metrics

Cookies and Similar Technologies:

• Session cookies for authentication (tp_session)
• Toast notification cookies (tp_toast)
• Magic link authentication cookies (tp_magiclink)
• Analytics cookies (when consent is provided)

2.3 Information from Third Parties

Payment Processing:

• Payment transaction data from Stripe
• Subscription and billing information
• Customer portal interactions

Calendar Integrations:

• Calendar event scheduling data from Calendly and Cal.com
• Appointment confirmations and modifications

Analytics Services:

• Behavioral analytics from Segment (when consent is provided)
• Google Analytics data (when consent is provided and GA_MEASUREMENT_ID is configured)

Error Monitoring:

• Error tracking data from Sentry (when configured)

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

Contract Performance (Art. 6(1)(b) GDPR):

• Providing our workflow automation services
• Processing payments and managing subscriptions
• Account creation and management
• Delivering requested features and functionality

Legitimate Interests (Art. 6(1)(f) GDPR):

• Improving our services and user experience
• Security monitoring and fraud prevention
• Analytics and performance optimization
• Customer support and communication

Legal Obligation (Art. 6(1)(c) GDPR):

• Compliance with tax and accounting requirements
• Data retention for legal purposes
• Anti-money laundering checks

Consent (Art. 6(1)(a) GDPR):

• Analytics tracking (localStorage consent: 'accept-cookies')
• Marketing communications
• Optional feature enablement

4. How We Use Your Information

4.1 Service Provision

• Creating and managing user accounts
• Processing workflow submissions and data
• Managing team memberships and permissions
• Providing document storage and processing capabilities
• Facilitating calendar scheduling integrations

4.2 Payment Processing

• Processing subscription payments via Stripe
• Managing billing cycles and payment methods
• Handling refunds and cancellations
• Maintaining transaction records

4.3 Communication

• Sending transactional emails via Resend
• Providing customer support
• Sending service updates and notifications
• Processing magic link authentication

4.4 Analytics and Improvement

• Understanding user behavior and preferences
• Identifying and fixing technical issues
• Improving service performance and features
• Conducting security monitoring

4.5 Legal and Compliance

• Maintaining records for legal purposes
• Complying with applicable laws and regulations
• Protecting against fraud and abuse
• Enforcing our Terms of Service

5. Data Sharing and Third-Party Services

5.1 Service Providers

Stripe (Payment Processing):

• Purpose: Payment processing and subscription management
• Data shared: Payment information, billing details, transaction data
• Location: Global (with adequate safeguards)
• Legal basis: Contract performance

Resend (Email Services):

• Purpose: Transactional email delivery
• Data shared: Email addresses, message content
• Location: [INSERT RESEND LOCATION]
• Legal basis: Contract performance

Segment (Analytics):

• Purpose: User behavior analytics (with consent)
• Data shared: Usage data, user identifiers
• Location: United States (with adequate safeguards)
• Legal basis: Consent

Google Services:

• Google Analytics (when configured and consented)
• Google Sheets API (for data export when configured)
• Purpose: Analytics and data management
• Legal basis: Consent/Legitimate interest

Calendar Services:

• Calendly and Cal.com integrations
• Purpose: Appointment scheduling
• Data shared: Scheduling preferences, contact information
• Legal basis: Contract performance

Sentry (Error Monitoring):

• Purpose: Error tracking and performance monitoring
• Data shared: Error logs, technical data (pseudonymized)
• Location: United States (with adequate safeguards)
• Legal basis: Legitimate interest

5.2 Data Transfers Outside the EU

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• Binding Corporate Rules (where applicable)
• Recipient's certification under approved frameworks

5.3 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Data Security

6.1 Technical Safeguards

• Data encryption at rest and in transit
• Field-level encryption for sensitive data using Prisma Field Encryption
• Secure session management with HTTP-only cookies
• Content Security Policy (CSP) implementation
• Regular security audits and vulnerability assessments

6.2 Access Controls

• Role-based access control (RBAC)
• Multi-factor authentication capabilities
• Regular access reviews and permission audits
• Secure development practices

6.3 Infrastructure Security

• Secure hosting with appropriate certifications
• Regular backups and disaster recovery procedures
• Network security monitoring
• Incident response procedures

7. Data Retention

7.1 Account Data

• Active accounts: Retained while your account is active
• After account deletion: Deleted within 30 days, except where legal obligations require longer retention

7.2 Transaction Records

• Payment data: Retained for 7 years for accounting and tax purposes
• Stripe data: Subject to Stripe's retention policies

7.3 Analytics Data

• Aggregated analytics: Retained indefinitely in anonymized form
• Individual tracking data: Deleted after 26 months

7.4 Legal Requirements

• Data may be retained longer when required by law or for legal proceedings
• We will notify you if extended retention is necessary

8. Your Rights Under GDPR

8.1 Right of Access (Article 15)

You can request information about the personal data we hold about you, including:

• What data we process
• Why we process it
• Who we share it with
• How long we retain it

8.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure/"Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

• The data is no longer necessary for the original purpose
• You withdraw consent (where processing is based on consent)
• You object to processing based on legitimate interests
• The data has been unlawfully processed

8.4 Right to Restrict Processing (Article 18)

You can request restriction of processing when:

• You contest the accuracy of the data
• Processing is unlawful but you don't want erasure
• We no longer need the data but you need it for legal claims

8.5 Right to Data Portability (Article 20)

You can request a copy of your data in a structured, machine-readable format and have it transmitted to another controller.

8.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

8.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to automated decision-making, including profiling, that produces legal effects or significantly affects you.

8.8 How to Exercise Your Rights

To exercise any of these rights, contact us at [INSERT EMAIL] or through your account settings. We will respond within one month of receiving your request.

9. Cookies and Tracking Technologies

9.1 Essential Cookies

• Session authentication (tp_session): Required for login functionality
• Toast notifications (tp_toast): Required for system messages
• Magic link authentication (tp_magiclink): Required for secure login

9.2 Analytics Cookies (Consent Required)

• Segment Analytics: Tracks user behavior for service improvement
• Google Analytics: Website analytics (when configured)

9.3 Managing Cookies

You can control cookie settings through:

• Browser settings
• Our cookie consent interface
• Account preferences (for analytics cookies)

10. Children's Privacy

Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will delete such information immediately.

11. International Data Transfers

11.1 Adequacy Decisions

We may transfer data to countries that have received an adequacy decision from the European Commission.

11.2 Appropriate Safeguards

For transfers to countries without adequacy decisions, we implement appropriate safeguards such as:

• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules
• Certification mechanisms

11.3 Derogations

In limited circumstances, we may transfer data based on specific derogations under Article 49 GDPR, such as:

• Your explicit consent
• Performance of a contract
• Important reasons of public interest

12. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that pose high risks to your rights and freedoms, particularly when using new technologies or processing on a large scale.

13. Data Breach Notification

In case of a personal data breach that poses risks to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Inform affected individuals without undue delay when the breach poses high risks
• Document all breaches and our response measures

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email or through our Service
• For EU users, provide reasonable advance notice of changes affecting your rights
• Obtain your consent for changes requiring it under applicable law

15. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. You can contact:

• The supervisory authority in your EU country of residence
• The supervisory authority in your place of work
• The supervisory authority where the alleged violation occurred

16. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

Primary Contact:
Email: [INSERT EMAIL]
Address: [INSERT ADDRESS]
Phone: [INSERT PHONE]

Data Protection Officer:
Email: [INSERT DPO EMAIL]
Phone: [INSERT DPO PHONE]

EU Representative (if applicable):
[INSERT EU REPRESENTATIVE CONTACT DETAILS]

17. Additional Rights for California Residents

17.1 CCPA Rights (for California residents)

Under the California Consumer Privacy Act (CCPA), California residents have additional rights:

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of the sale of personal information
• Right to non-discrimination for exercising privacy rights

17.2 Exercising CCPA Rights

California residents can exercise these rights by contacting us at [INSERT EMAIL] or through designated request mechanisms in our Service.

18. Legal Compliance

18.1 EU Regulations Compliance

This Privacy Policy and our data practices comply with:

• General Data Protection Regulation (GDPR)
• EU Cookie Directive (ePrivacy Directive)
• Digital Services Act (DSA)
• Consumer Rights Directive

18.2 Other Applicable Laws

We also comply with applicable privacy laws in other jurisdictions where we operate, including but not limited to:

• California Consumer Privacy Act (CCPA)
• UK GDPR
• Swiss Federal Data Protection Act

Last Updated: [INSERT DATE]

IMPORTANT NOTICE: This Privacy Policy is designed for EU compliance and should be reviewed by a qualified data protection attorney before implementation. Regular updates may be necessary to maintain compliance with evolving privacy laws and regulations. The effectiveness of this policy depends on proper implementation across all data processing activities.

By using our Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of information in accordance with this policy.