Your privacy matters to us. This policy explains what data TaskFlow collects, how it is used, and what controls you have over your information.
01
Information We Collect
TaskFlow collects only the minimum data necessary to provide the service:
| Data Type | What We Collect | Why |
|---|
| Account | Name (optional), email address, hashed password | Authentication and user identification |
| Tasks | Task titles, descriptions, priorities, due dates | Core app functionality |
| Workspaces | Workspace names, member associations | Collaboration features |
| Push tokens | Browser push subscription endpoint | Sending workspace notifications |
| Contact messages | Name, email, message content | Responding to support requests |
We do not collect IP addresses, browsing history, device fingerprints, or any advertising identifiers.
02
Information We Do NOT Collect
- Payment information (donations go directly to PayPal)
- Location data
- Device identifiers or hardware information
- Browsing history or activity outside of TaskFlow
- Third-party account data (we do not store Google OAuth tokens)
- Advertising identifiers of any kind
03
How We Use Your Information
Your data is used exclusively to:
- Authenticate your account and maintain your session
- Store and sync your tasks across devices
- Enable workspace collaboration with invited members
- Send push notifications for workspace activity (only if you enable them)
- Respond to support messages you send us
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.
04
Data Storage and Security
Your data is stored on a self-hosted MySQL database. We implement the following security measures:
- Passwords are hashed using PHP's
password_hash() with bcrypt
- Authentication tokens are random 64-character hex strings
- Sessions expire automatically after 30 days of inactivity
- All API communication requires a valid Bearer token
- VAPID private keys for push notifications are protected from web access
While we implement reasonable security measures, no system is completely secure. We recommend using a strong, unique password for your TaskFlow account.
05
Google Calendar Integration
If you choose to connect Google Calendar:
- We request an OAuth 2.0 access token scoped only to
calendar.events
- The token is stored locally in your browser (localStorage) only โ never on our servers
- We never have access to your full Google account
- You can disconnect Google Calendar at any time from Settings
06
Push Notifications
Push notifications are entirely optional. If you enable them:
- Your browser generates a unique push subscription endpoint
- This endpoint is stored on our server associated with your account
- Notifications are only sent for workspace activity (new tasks added)
- You can disable push notifications at any time in Settings or browser settings
- Unsubscribing from push removes your endpoint from our server
07
Data Sharing
Your data is shared only in these specific circumstances:
- Workspace members: Tasks in shared workspaces are visible to all members you invite
- Share links: If you create a share link, anyone with that link can view a snapshot of your tasks
- Legal requirements: We may disclose data if required by law
We do not share your data with advertisers, data brokers, or any other third parties.
08
Data Retention
Your data is retained as follows:
- Active accounts: Data is retained for as long as your account exists
- Deleted tasks: Permanently removed from the database upon deletion
- Deleted accounts: All associated data is permanently deleted upon account deletion
- Task deletion logs: Deletion records are purged after 30 days (used for multi-device sync)
- Expired sessions: Auth tokens are automatically cleaned up after expiry
09
Your Rights
You have the following rights regarding your data:
- Access: You can view all your tasks and account information in the app
- Correction: You can edit your name and other profile details at any time
- Deletion: You can delete your account and all associated data from the Profile section
- Portability: You can export your tasks using the Share feature
- Opt-out: You can disable push notifications and Google Calendar integration at any time
10
Cookies and Local Storage
TaskFlow does not use cookies. We use browser localStorage to store:
- Your authentication token (to keep you logged in)
- Your task list (for offline access)
- App settings (theme, notification preferences)
- Workspace data (for faster loading)
This data stays entirely on your device and is never transmitted to third parties. You can clear it at any time by logging out or clearing your browser data.
11
Children's Privacy
TaskFlow is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
12
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes by updating the "Last updated" date. Continued use of the App after changes constitutes acceptance of the updated policy.
13
Contact Us
If you have questions, concerns, or requests regarding your privacy or this policy, please contact us through the in-app Contact form. We will respond as promptly as possible.