Privacy Policy
Last updated: 18 May 2026 · Effective: 18 May 2026
This Privacy Policy explains how Taskist ("Taskist", "we", "us", "our") collects, uses, stores, shares, and protects information when you use the Taskist mobile applications, websites, and related services (collectively, the "Service"). It also describes the choices available to you regarding our processing of your information and how you can exercise your rights.
By downloading, installing, accessing, or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of it, please do not use the Service.
TL;DR. Your tasks, lists, notes, and habits stay on your device unless you explicitly opt in to cloud sync. Taskist contains no advertising networks, no third-party analytics, and no behavioural tracking. AI features and voice transcription are opt-in and use vetted third-party services. We share the minimum data needed to make a requested feature work, and never sell your personal information.
1. Scope and definitions
This Policy applies to all personal information processed by Taskist in the course of providing the Service, regardless of the format of that information or the device or platform on which the Service is used.
"Personal information" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on personal information, whether or not automated. "You" or "user" means any individual who downloads, installs, or uses the Service.
For the purposes of the European Union General Data Protection Regulation ("GDPR") and the UK GDPR, the Taskist operator is the "data controller" of personal information processed through the Service. For the purposes of the California Consumer Privacy Act and the California Privacy Rights Act ("CCPA/CPRA"), Taskist is the "business" that determines the purposes and means of processing.
2. Categories of information we process
2.1 Information stored on your device
The following categories are stored locally on your device in an application-private SQLite database protected by the operating system's app-sandboxing mechanisms. We do not have remote access to this database unless you opt in to cloud sync (see Section 2.2).
- Tasks, subtasks, lists, notes, tags, attachments, and recurring-task rules you create
- Habits, streak history, and completion records
- Focus / Pomodoro session preferences and saved notes
- Application settings, including theme, language, notification, and accessibility preferences
- Onboarding completion flags and feature-introduction state
- Aggregated counters of AI requests made in the current billing month
2.2 Information you choose to send to our cloud sync
If you opt in to cloud sync by signing in to a Taskist account through the in-app Sign In screen, the following will be transmitted to and stored on our authentication and database infrastructure (currently provided by Supabase — see Section 5):
- Email address used to create your account
- Hashed authentication credential (we never receive your plaintext password)
- Encrypted refresh and access tokens
- The same task, list, habit, and settings content described in 2.1, so it can be synchronised across your devices
- A device-generated user identifier used solely to associate your data with your account
2.3 Information sent to AI features (opt-in)
When you enable AI features and use them, we transmit the minimum text necessary for the requested operation to our AI provider (currently Google Gemini — see Section 5). Examples include the natural-language phrase you typed for AI Quick Add, the transcript captured during AI Mode voice input, or a structured list of your overdue tasks for the auto-reschedule feature. We do not include credentials, contacts, calendar entries, or unrelated data.
2.4 Voice-input information
When you tap the microphone control to add a task by voice, the operating system's built-in speech recogniser captures audio on your device. Depending on your device settings, this audio is either processed on-device or transmitted to your operating-system provider (e.g. Google or Apple) for speech-to-text conversion. Taskist receives only the resulting text transcription; we do not record, store, or transmit raw audio ourselves.
2.5 Subscription and purchase information
If you subscribe to Taskist Pro or buy the Lifetime plan, your payment is processed entirely by Google Play, Apple App Store, or another store platform on which you obtained the Service. Subscription receipts are validated through RevenueCat (see Section 5), which provides us with your entitlement status (Pro / Free), product identifier, and an anonymous subscriber identifier. We do not receive your full name, billing address, or any payment-card information.
2.6 Technical information
To deliver basic functionality, the Service may collect or generate limited technical information, including: device model, operating-system version, application version, anonymous installation identifier, and diagnostic information when a feature fails (for example, an internal error code returned when an AI request cannot be parsed). We do not use this information for advertising or cross-app tracking.
2.7 Information we do not collect
- We do not collect your real-time location, GPS coordinates, or location history.
- We do not access your contacts, photos, microphone (outside the voice add-task feature), camera, or files.
- We do not deploy advertising identifiers, IDFA, AAID, or similar tracking identifiers.
- We do not use behavioural analytics, heatmaps, session replay, or marketing pixels.
- We do not sell, rent, or share personal information for cross-context behavioural advertising.
3. How we use information (purposes of processing)
We process the categories above for the following purposes:
- Service delivery — to provide the core task-management, focus, habit, and AI features you request.
- Synchronisation — to keep your data consistent across your devices when you opt in to cloud sync.
- Authentication and account security — to verify your identity, prevent unauthorised access, and protect against fraud and abuse.
- Subscription management — to determine whether you are entitled to Pro features and to honour purchases.
- Customer support — to respond when you contact us with questions or issues.
- Service improvement — to diagnose crashes and bugs, in aggregated and de-identified form where possible.
- Legal compliance — to comply with applicable law, respond to lawful legal requests, and enforce our Terms.
4. Legal bases for processing (GDPR / UK GDPR)
If the GDPR or UK GDPR applies to you, we rely on the following legal bases under Article 6(1):
- Performance of a contract (Art. 6(1)(b)) — to provide the Service you signed up for and process subscriptions you bought.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent abuse, and improve reliability, balanced against your fundamental rights.
- Consent (Art. 6(1)(a)) — for opt-in features such as AI processing, cloud sync, and local calendar integration. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other legal requirements.
We do not engage in automated decision-making that produces legal or similarly significant effects on you, within the meaning of Article 22 GDPR. AI features in Taskist are advisory only — you remain in control of which suggestions to accept or reject.
5. Sub-processors and third-party services
To deliver the Service we rely on the third-party processors listed below. Each is engaged under a contractual data-protection agreement and processes data only on our documented instructions, except where required by law. Their privacy policies, linked here for transparency, govern their own practices.
| Provider | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Google LLC (Gemini API) | AI quick-add parsing, multi-task voice extraction, auto-reschedule, daily briefing | Short user-supplied text (no account information) | policies.google.com/privacy |
| Google LLC / Apple Inc. (System speech recogniser) | Voice-to-text transcription for the voice add-task feature | Audio captured by the device microphone during a recording session | Google · Apple |
| Google Play Billing / Apple App Store | Processing subscription and one-time purchases | Purchase tokens, receipt data; no payment-card data reaches us | Google · Apple |
| RevenueCat, Inc. | Subscription receipt validation and entitlement management | Purchase tokens, product identifiers, anonymous subscriber ID | revenuecat.com/privacy |
| Supabase, Inc. (optional) | Authentication and encrypted cloud sync for opted-in users | Email, hashed credential, task content, settings | supabase.com/privacy |
| GitHub, Inc. (Pages) | Hosting of this website and legal pages | Standard server logs (IP address, user agent) for the website only | GitHub |
We may add or change sub-processors over time. When a change materially affects the categories of data processed or the geographic location of processing, we will update this list and, where required, give reasonable notice in advance.
6. International data transfers
Some of our sub-processors may store or process personal information in countries outside your country of residence, including the United States. Where such transfers from the European Economic Area, the United Kingdom, or Switzerland are required, we rely on appropriate safeguards under applicable data-protection law — including the European Commission's Standard Contractual Clauses, supplementary measures where required, and certifications such as the EU–U.S. Data Privacy Framework where the recipient participates in it.
7. Data retention
We retain personal information only for as long as necessary to provide the Service or to fulfil the purposes set out in this Policy, including to comply with legal, accounting, or reporting obligations.
- Local data on your device — retained until you uninstall the Service, clear app data in the OS settings, or use the in-app delete features.
- Cloud-synced data — retained as long as your account is active. On account deletion, your synced data is permanently removed from our active systems within 30 days, and from backups within 90 days.
- Subscription records — retained for the period required by tax and accounting law in our jurisdiction (typically up to 7 years), excluding personal identifiers where possible.
- Support correspondence — retained for up to 24 months to resolve recurring issues, then anonymised or deleted.
- AI request content — not retained by us after the response is returned to your device. Our AI provider may retain transient logs in accordance with its own terms.
8. Your rights
8.1 General rights
Regardless of jurisdiction, you have the following options at any time:
- Access your local data — open the Service on your device.
- Export your data — Settings → Integrations & Import → Export (CSV / JSON).
- Delete your local data — uninstall the Service or clear its storage in your operating system's settings.
- Delete your cloud-synced data — sign in, then use the in-app "Delete account" function (Settings → Sign In).
- Disable AI features — Settings → AI Assistant → toggle off.
- Revoke microphone access — through your operating system's permission settings.
8.2 Rights of European Economic Area, United Kingdom, and Swiss residents
If the GDPR or UK GDPR applies to you, you have the right to:
- Request access to and a copy of your personal information (Art. 15)
- Request correction of inaccurate or incomplete data (Art. 16)
- Request erasure of your personal information ("right to be forgotten", Art. 17)
- Restrict our processing of your data (Art. 18)
- Object to processing based on legitimate interests (Art. 21)
- Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20)
- Withdraw consent at any time, without affecting the lawfulness of prior processing
- Lodge a complaint with a supervisory authority in the EU/UK/Swiss member state where you live or work, or where the alleged infringement occurred
8.3 Rights of California residents (CCPA / CPRA)
If you reside in California, you have the right to:
- Know what personal information we collect, the categories of sources, the purposes for collection, and the categories of third parties with which it is shared
- Request a copy of the specific pieces of personal information we have collected about you in the prior 12 months
- Request deletion of your personal information
- Request correction of inaccurate personal information
- Limit the use and disclosure of "sensitive personal information"
- Not receive discriminatory treatment for exercising any of these rights
Taskist does not sell or share personal information for cross-context behavioural advertising within the meaning of the CCPA/CPRA. There is no "Do Not Sell or Share My Personal Information" link because there is no such practice to opt out of.
8.4 How to exercise your rights
To exercise any of the rights above, contact us at the email in Section 13. We will respond within the time required by applicable law (typically 30 days for GDPR, 45 days for CCPA, extendable in complex cases). We may need to verify your identity before fulfilling certain requests; this is to protect your data from unauthorised disclosure. You may also authorise an agent to act on your behalf in accordance with applicable law.
9. Children's privacy
The Service is intended for general audiences and is not directed at children under 13 (or under the equivalent age of digital consent in your country: 16 in the EEA, except where lower national thresholds apply). We do not knowingly collect personal information from children. If you are a parent or guardian and believe that a child has provided personal information to us, please contact us and we will take reasonable steps to delete it.
10. Security
We implement technical and organisational measures designed to protect personal information from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:
- Transport encryption (TLS) for all data in transit between the Service and our sub-processors
- App-sandboxed storage for local data, protected by the operating system's encryption-at-rest where available
- Hashed credentials for authentication, with token-based session management
- Access controls limiting administrative access to back-end systems
- Periodic dependency updates and security patches
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we will notify affected users and the competent supervisory authority of a personal-data breach without undue delay where required by applicable law.
11. Cookies and similar technologies
The Taskist mobile applications do not use cookies. Our website (the page you are reading) uses only the strictly necessary technical mechanisms provided by our static-hosting platform; no advertising or analytics cookies are set by us.
12. Changes to this Privacy Policy
We may revise this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when revisions were last made. If we make material changes, we will provide additional notice — for example, by in-app notice or an email to the address associated with your account (where applicable) — before the change takes effect. Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the revised Policy.
13. Contact
Privacy inquiries, data-subject requests, and questions about this Policy:
- Email: support@taskist.pro
- In-app: Settings → Help & Support
If you are located in the European Economic Area, the United Kingdom, or Switzerland and we cannot resolve your concern, you have the right to lodge a complaint with the data-protection supervisory authority in your country of residence.