TASKLIGHT PRIVACY POLICY

Effective date: 2026-05-01
Last updated: 2026-05-01

This Privacy Policy explains how Tasklight AI S.R.L. ("Tasklight," "we," "us," "our") collects, uses, shares, and protects information when you use the Tasklight mobile application (the "App") and related web services (together, the "Service").

By using the Service you agree to this Policy. If you do not agree, do not use the Service.


1. WHO WE ARE

- Legal entity: Tasklight AI S.R.L.
- Registered address: Prunului 6, Chitila, Ilfov, Romania
- Company registration number: RO48208295
- Email for privacy questions: privacy@tasklight.ai

We act as the data controller for the personal data described in this Policy.


2. DATA WE COLLECT

2.1 Account and identity data

When you sign up or sign in, we collect the data needed to authenticate you and identify your account, including:

- Name and email address
- Workplace / organization affiliation (if applicable)
- Profile photo (if you upload one)
- Authentication identifiers issued by our identity provider (Keycloak), including session and refresh tokens

2.2 Content you create or upload

The Service is a workplace task and document management tool. We process content you create or upload, including:

- Tasks, comments, mentions, and other text you enter
- Photos taken via the App's camera feature and attached to tasks or documents
- Files and images selected from your device storage and attached to tasks or documents
- Metadata associated with the above (timestamps, file names, file sizes)

2.3 Device and technical data

- Device model, operating system version, and language
- IP address (collected at the network layer when you connect to our servers)
- App version and approximate usage patterns (which screens are opened, what actions are taken) for diagnostic and product-improvement purposes
- Firebase Cloud Messaging (FCM) registration token — a per-device token we use to deliver push notifications
- Crash and error diagnostics (stack traces, device state at the time of an error)

2.4 Permissions requested by the App

The App requests the following Android / iOS permissions. Each permission is used only for the purpose stated below; we do not access these resources in the background.

- Camera: Take photos to attach to tasks, documents, or your profile
- Photos / Media / Files: Pick existing photos and files from your device to attach to tasks or documents
- Internet & Network state: Communicate with our backend servers
- Notifications: Deliver push notifications about task updates, mentions, and reminders

We do NOT access your contacts, location, microphone, calendar, SMS, or call logs.

2.5 We do NOT collect

- Precise or background location
- Health, biometric, financial-account, or payment-card data
- Browsing history outside the App
- Data from children under 16 (see Section 9)


3. HOW WE USE YOUR DATA

We use the data described above to:

1. Provide the core Service: authenticate you, sync your tasks and documents, deliver real-time updates, and let you collaborate with your organization.
2. Deliver push notifications about events you've subscribed to (mentions, task assignments, reminders).
3. Operate, secure, and improve the Service: detect abuse, debug crashes, measure performance.
4. Communicate with you about service changes, security alerts, and account-related notices.
5. Comply with our legal obligations.

We do NOT use your content to train artificial-intelligence models, sell your data to third parties, or serve advertising.


4. LEGAL BASIS FOR PROCESSING (GDPR)

Where the GDPR applies, we rely on the following lawful bases:

- Contract (Art. 6(1)(b)) — to provide the Service you requested.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent abuse, and improve the product. You may object to processing based on legitimate interests at any time (Section 8).
- Consent (Art. 6(1)(a)) — for optional features that require explicit permission (e.g., enabling push notifications, granting camera access). You can withdraw consent at any time via your device settings or your account settings.
- Legal obligation (Art. 6(1)(c)) — where we must process data to comply with the law.


5. HOW WE SHARE DATA

We share personal data only in the situations described below.

5.1 Within your organization

Tasklight is a multi-user collaboration tool. Other members of your organization can see content you share with them (tasks you assign, comments you write, files you attach, your name and profile photo).

5.2 Service providers (sub-processors)

We use trusted third parties who process data on our behalf under written contracts and applicable data-protection terms. As of the effective date, these include (listed as provider, purpose, and region):

- Google Firebase Cloud Messaging — Delivery of push notifications — Global
- Google Cloud Platform — Application hosting and storage — EU
- Keycloak (self-managed) — Identity and authentication — EU
- Sentry — Diagnostics — EU

An up-to-date list of sub-processors is available on request to privacy@tasklight.ai.

5.3 Legal requests

We may disclose information if required by law, court order, or to protect the rights, safety, or property of Tasklight, our users, or others. We narrow such disclosures to what is legally required.

5.4 Business transfers

If Tasklight is involved in a merger, acquisition, or asset sale, personal data may be transferred. We will give notice before personal data becomes subject to a different privacy policy.

We do NOT sell personal data, and we do NOT share personal data with third parties for their own marketing.


6. INTERNATIONAL DATA TRANSFERS

Data may be processed in the European Union and in other countries where our service providers operate, including the United States. Where data is transferred outside the European Economic Area, we rely on appropriate safeguards under Articles 44-49 GDPR, such as the European Commission's Standard Contractual Clauses.


7. DATA RETENTION

- Account data is retained while your account is active and for up to 90 days after deletion to allow recovery, after which it is permanently erased or anonymized.
- Content (tasks, documents, attachments) is retained while your organization keeps the data in the Service. When your organization deletes content, it is removed from active systems and from backups within 30 days.
- Diagnostic data (crash logs, performance metrics) is retained for up to 90 days.
- Authentication tokens are short-lived; refresh tokens are invalidated on sign-out.

We retain data longer only when required by law (e.g., tax or accounting obligations).


8. YOUR RIGHTS

If the GDPR or a similar law applies to you, you have the right to:

- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to certain processing
- Receive your data in a portable format (data portability)
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with a supervisory authority. In Romania this is ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal) — https://www.dataprotection.ro

To exercise any of these rights, email privacy@tasklight.ai. We will respond within 30 days.

Account and data deletion

You can request deletion of your account and associated personal data by:

1. Emailing privacy@tasklight.ai from the address tied to your account, or
2. Using the in-app account deletion option.

We will delete your account within 30 days of a verified request, subject to limited exceptions for legal compliance and security.


9. CHILDREN

Tasklight is a workplace product and is NOT intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact privacy@tasklight.ai and we will delete it.


10. SECURITY

We protect personal data using industry-standard measures, including encryption in transit (TLS), encryption at rest where supported by the underlying platform, principle-of-least-privilege access controls, secure local storage of authentication tokens on your device, and regular security review of dependencies and infrastructure.

No method of transmission or storage is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.


11. PUSH NOTIFICATIONS

If you enable notifications, we send messages via Firebase Cloud Messaging (Google) addressed to a token registered to your device. You can disable notifications at any time in your device's system settings or in the App.


12. THIRD-PARTY SERVICES

The Service may link to third-party websites or services that we do not control. This Policy does not apply to those services. Review their privacy policies before sharing data with them.


13. CHANGES TO THIS POLICY

We may update this Policy from time to time. When we make material changes we will notify you in the App or by email at least 30 days before the change takes effect. The "Last updated" date at the top of this page indicates the most recent revision.


14. CONTACT

For privacy-related questions or requests:

Tasklight AI S.R.L.
Prunului 6
Chitila
Ilfov, Romania
Email: privacy@tasklight.ai