Privacy Policy

1. Information We Collect

1.1 Account Information

• Email Address: Collected during account registration and used for authentication, account management, and service communications.
• User ID: A universally unique identifier (UUID) assigned to your account, used to associate your data with your profile across our systems.

1.2 User-Created Content

The core function of the App involves creating, managing, and organizing your personal content:

• Tasks and To-Dos: Task titles, descriptions, due dates, priorities, subtasks, notes, and completion status. Tasks are stored locally on your device in a local-first architecture. We do not currently provide cloud sync for tasks.
• Voice Input: Audio may be processed in one of several ways: (a) on-device speech recognition using the iOS Speech framework, which may use Apple's cloud-based recognition when on-device recognition is unavailable; or (b) sent to OpenAI's Whisper API via our backend server for cloud-based transcription. We do not intentionally store raw audio recordings on our servers; however, transcriptions and resulting task data are stored locally and may be sent to our AI provider when you invoke AI features.
• Photos and Images: When you use image-to-task extraction, a resized copy of the image is transmitted to our backend and sent to our AI provider (OpenAI) for analysis. We do not store the original image on our servers after processing; we keep only the extracted task data and any visual summary generated during extraction.
• Knowledge and Memories: Preferences and facts you approve (and related settings) are stored locally on your device. When you use AI features, some of this context may be included in prompts sent to our AI provider to personalize responses. This data is not cloud-synced across devices at this time.
• Calendar Events: Event data imported from your connected Google Calendar account, stored locally on your device and used to display and manage your schedule within the App.
• Shared Content (Share Sheet / Share Extension): If you use your device's share features to send text or an audio file into TaskAI, we process that content to extract tasks. Audio files may be sent to our transcription provider (OpenAI Whisper via our backend) as described above. The resulting extracted task data is stored locally on your device.
• Widget Snapshot (iOS): If you enable the TaskAI widget, the App stores a small snapshot of certain task and reminder data in an iOS app group so the widget can display it. This snapshot stays on your device and is not transmitted to our servers.
• Feedback: If you choose to submit feedback through the app, we collect your sentiment response (positive, negative, or neutral) and any optional free-text comments you provide. This data is associated with your User ID and stored on our servers to help us improve the app. Feedback submission is entirely voluntary.

1.3 Integration Data

When you connect third-party services, we access limited data from those services:

• Canvas LMS: Course names, assignment titles, descriptions, due dates, and submission status. We access this data read-only through either OAuth authorization or a Personal Access Token you provide. We do not access your grades, messages, or other Canvas content.
• Google Calendar: Calendar event titles, times, and descriptions from calendars you explicitly authorize, as well as basic account information such as the email address of the Google account you connect (used to display which account is connected). We currently request read and write scopes for Google Calendar. We will not create, modify, or delete calendar events without your explicit action. We use this data to display events alongside your tasks and to prevent scheduling conflicts.

1.4 Financial Information

• Purchase History: Subscription status, plan type, and transaction history are managed by RevenueCat and your platform provider's in-app purchase system (Apple App Store, and where available, Google Play Store). We do not collect or store your payment card details or billing address.

1.5 Usage and Analytics Data

• AI Usage Economy Data: Coin wallet balance and coin transaction history (server-side, used to meter AI features).
• Operational Logs: Minimal server-side logs for security and diagnostics (for example: request timestamps, request type, error messages/codes, approximate payload sizes, token usage counters, and identifiers such as user ID and request ID). We do not intentionally log full task lists, full prompts, raw audio, or original images in these logs.
• Advertising Data: Ad impressions, interactions, and consent status, collected by Google AdMob for users who view advertisements.

1.6 Device and Technical Information

• Device Identifiers: IDFA (iOS) or Advertising ID (Android), collected with your consent for personalized advertising through Google AdMob. We do not send your email address to Google AdMob; for rewarded ads, we may send a non-email user identifier to Google AdMob for server-side reward validation.
• Sensor Data: Ambient light sensor data used locally on your device for adaptive theming. This data is never transmitted off your device.
• Local Notifications: We use locally scheduled notifications on your device for task reminders and deadline alerts. We do not currently use server-initiated push notifications or store push notification tokens.

2. Device Permissions

TaskAI requests the following device permissions:

You can adjust or revoke these permissions in your device settings at any time.

3. How We Use Your Information

Core App Functionality

• Creating, organizing, and managing your tasks and to-dos
• Converting voice input and images into structured tasks
• Synchronizing assignments from Canvas LMS and events from Google Calendar
• Providing AI-powered task decomposition, scheduling suggestions, and proactive briefings
• Scheduling local notification reminders for upcoming tasks and deadlines
• Powering the coin-based AI usage economy (with daily check-in streaks) and subscription management

Personalization

• Learning your preferences and habits to improve AI recommendations over time
• Adapting the user interface (e.g., adaptive theming based on ambient light)

Advertising

• Displaying advertisements through Google AdMob, including rewarded ads for earning additional coins
• Measuring ad performance and interactions

Service Improvement

• Monitoring AI usage patterns to optimize performance and cost
• Diagnosing technical issues and improving app reliability

3A. AI Data Processing Disclosure

TaskAI uses artificial intelligence to power core features including voice-to-task conversion, smart task suggestions, the assistant chat, image-to-task extraction, daily briefings, and assignment decomposition. To provide these features, we send certain user data to our AI provider, OpenAI, via their API.

3A.1 What Data Is Sent to OpenAI

When you use AI-powered features, the following data may be transmitted to OpenAI for processing:

3A.2 Who Receives Your Data

Your data is sent to OpenAI (San Francisco, CA, USA) via their API. OpenAI processes the data to generate responses and returns the results to TaskAI. Under OpenAI's current API data usage policy, data sent through their API is not used to train or improve their models unless the customer explicitly opts in. We have not opted in to share your data with OpenAI for model training. OpenAI may retain API inputs and outputs for up to 30 days for abuse and misuse monitoring, unless they are legally required to retain them for longer.

For details, see OpenAI's API Data Controls.

3A.3 Your Consent

Before any of your data is sent to OpenAI, the App presents an in-app disclosure that explains what data will be shared and identifies OpenAI as the recipient. You must explicitly agree to this disclosure before AI-powered features are activated. If you do not agree, you may continue to use TaskAI's manual task management features without any AI processing.

You may revoke your AI data processing consent at any time through Settings → AI Data & Privacy within the App, or by contacting us at [email protected]. Revoking consent will disable AI-powered features but will not affect your existing tasks or manual functionality.

3A.4 Data Minimization

We send only the data relevant to each specific AI operation. For example, a voice-to-task conversion sends only the audio or transcription, while a daily briefing may include task and calendar data for scheduling context. We do not send your email address, payment information, or device identifiers to OpenAI.

4. How We Share Your Information

We share data with the following service providers solely to operate the App:

OpenAI Data Retention: API inputs and outputs sent to OpenAI may be retained by OpenAI for a limited period for abuse and misuse monitoring, in accordance with OpenAI's data usage policies. See Section 3A for a detailed breakdown of what data is sent to OpenAI, when it is sent, and your consent rights.

We may also disclose your information if required by law, in response to valid legal process, or to protect the rights, property, or safety of our users or the public.

5. Data Storage and Security

5.1 Storage

• Local-First Task Storage: Tasks, inboxes, reminders, AI-generated suggestions, and other planning data are stored locally on your device. We use Supabase for account authentication and to maintain server-side coin balance and transaction records used to meter AI features. We do not provide cloud sync for tasks at this time.
• Integration Credentials: Canvas LMS tokens and Google OAuth tokens are stored locally using platform-native secure storage (iOS Keychain / Android Keystore via expo-secure-store) and are also synced to our server to enable cross-device access. Local credentials are encrypted at rest and are not accessible to other applications. Server-side credentials are encrypted at rest by our hosting provider and are accessible only to your account. Disconnecting an integration removes credentials from both your device and our servers. You may also delete all server-side integration data by deleting your account.
• Shared-Device Consideration: Task data and user knowledge are stored under device-level storage keys and are not automatically scoped per user account. If multiple users share a device, signing out does not erase locally stored tasks or memories. Users on shared devices should use the "Reset App Data" option before signing out.

5.2 Security

• Encryption in Transit: All data transmitted between the App and our servers uses HTTPS/TLS encryption.
• Encryption at Rest: Server-side data is encrypted at rest by our hosting provider.
• Access Controls: Server-side database row-level security ensures authenticated users can only access their own coin and account data. Service-role operations use SECURITY DEFINER functions with no direct write access for client connections.

While we take reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security of stored data.

5.3 Analytics and Logging

TaskAI uses Sentry (Functional Software, Inc.) for crash and error reporting in production builds. When an error occurs, Sentry receives technical diagnostic data such as error stack traces, device type, OS version, and app state. All user-generated content (task titles, descriptions, AI prompts/responses, voice transcripts, and conversation history) is stripped from error reports before they leave your device. Only your anonymous User ID is associated with error reports to help us group issues. Sentry's privacy policy is available at sentry.io/privacy. No performance monitoring or session replay data is collected.

We may also maintain minimal server-side request logs for security, abuse prevention, and diagnostics. Our advertising and subscription providers (Google AdMob, RevenueCat) may also collect usage or diagnostic data as part of their SDKs, subject to their policies. Minimal anonymous data may be collected by iOS or Android for device or OS-level reporting, which is controlled by your device settings.

6. AI-Powered Features

The App uses artificial intelligence to enhance task management:

• Voice-to-Task Conversion: Audio may be transcribed using the iOS Speech framework (which may use Apple's cloud-based recognition when on-device processing is unavailable) or sent to OpenAI's Whisper API via our backend for cloud-based transcription. The resulting transcription is then processed by our AI service to extract structured task data. We do not intentionally persist raw audio, but transcripts and task data may be stored locally and sent to the AI provider when you invoke AI features.
• Image-to-Task Extraction: A resized copy of the image is transmitted to our backend and sent to OpenAI for vision-based analysis. The original image is not stored on our servers after processing; only extracted task data and a visual summary are retained locally.
• Task Decomposition: Assignment details from Canvas LMS may be sent to our AI provider to generate suggested subtasks. You review and approve all AI-generated content before it is saved.
• Proactive Briefings: Your upcoming tasks, deadlines, and calendar events may be summarized by AI to produce personalized briefings displayed within the App. Briefings are generated in-app and are not delivered via push notifications.
• User Knowledge: The App stores contextual preferences locally (e.g., preferred study times, course priorities) to improve AI suggestions. When you use AI features, this context may be included in prompts sent to our AI provider. This data is not cloud-synced across devices.

AI processing is metered through a coin-based economy. Free-tier users earn Coins through daily check-in streaks and rewarded activities, while Pro subscribers receive unlimited coin-metered AI access, subject to fair-use and technical rate limits. AI-generated content is always presented for your review and is never acted upon automatically without your confirmation.

7. Your Rights and Choices

7.1 Access and Data Export

You can export your data through Settings → Export data. This shares a JSON representation of your locally stored tasks, preferences, and integration data via the system share sheet. Please note that the export may not include all server-side data (such as coin transaction history) or all local stores; it provides a best-effort snapshot of your primary app data.

7.2 Deletion

You can reset your local app data through Settings → Reset App Data, which clears all locally stored tasks, memories, preferences, and integration connections while preserving your account and coin balance. To fully delete your account and all associated server-side data, use Settings → Delete Account. Account deletion removes all data from our servers, including authentication records and coin ledger, and cannot be undone.

7.3 Integration Disconnection

You can disconnect Canvas LMS or Google Calendar at any time through the App's settings. Disconnecting removes stored credentials and stops all future data synchronization from that service.

7.4 Notification Preferences

You can enable or disable locally scheduled notifications and configure reminder timing through the App's notification settings or your device's system settings.

7.5 Ad Personalization and Tracking

On iOS, we respect your App Tracking Transparency (ATT) choice. If you decline tracking, no IDFA is shared with advertising partners. Where available, you can review or change your ad privacy preferences through Settings → Ad privacy choices within the App. Rewarded ad functionality (watch an ad to earn coins) may be available to all users, including Pro subscribers, as an optional way to earn additional coins. Access to rewarded ads is not conditioned on granting tracking permission.

7.6 AI Data Processing

You can review and revoke your AI data processing consent at any time through Settings → AI Data & Privacy within the App. Revoking consent will disable all AI-powered features (including voice-to-task, smart suggestions, the assistant chat, image extraction, and briefings) but will not affect your existing tasks, reminders, or manual task management functionality. If you later wish to re-enable AI features, you will be asked to review and accept the AI data disclosure again.

8. Legal Basis for Processing (EU Users)

For users in the European Economic Area (EEA), Foundry One Technology LLC is the data controller responsible for your personal data. We process personal data only when we have a legal basis to do so, including:

• Performance of contract: When necessary to provide the services you request (account management, task storage, AI features).
• Consent: For optional features such as personalized advertising, integrations, and AI processing. AI data processing requires your explicit in-app consent before any data is shared with our AI provider (see Section 3A). Personalized advertising is processed based on user consent where required by law.
• Legitimate interests: For maintaining App performance, security, service improvement, and fraud prevention.

You have the right of access, rectification, erasure, restriction of processing, data portability, the right to object to processing, and the right to lodge a complaint with your local data protection authority. To exercise your rights, contact us at the address below.

We do not knowingly serve personalized ads to users under 16, or under the applicable age of digital consent in your jurisdiction.

9. California Privacy Notice (CCPA/CPRA)

If you are a California resident, you have the right to request access to or deletion of your personal information and to know whether your data is shared with third parties. We do not sell personal information.

The sharing of device identifiers with Google AdMob for cross-context behavioral advertising may constitute "sharing" under the CPRA. You may opt out of this sharing by declining the App Tracking Transparency prompt on iOS, or by adjusting your ad privacy preferences within the App's settings (where available). We do not sell or share sensitive personal information.

To exercise your rights or submit a request through an authorized agent, contact us at the address below. We will verify your identity before fulfilling any request.

10. Children's Privacy

The App is not directed to children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13. We do not knowingly serve personalized ads to users under 16. If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at the address below.

11. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the App's services. Specifically:

• Account data: Retained on our servers until you delete your account.
• Tasks, knowledge, and local content: Stored on your device only; removed when you reset app data, delete your account, or uninstall the App.
• Voice recordings: We do not intentionally store raw audio recordings on our servers. Audio may be temporarily stored on your device while recording or processing, and transcriptions are stored locally.
• Images: Uploaded to our AI provider for task extraction and not stored after processing; only extracted data and visual summaries are retained locally.
• AI usage logs (coin transactions): Retained server-side for billing accuracy and service integrity.
• Ad interaction data: Managed by Google AdMob per their retention policies.

After account deletion, we may retain certain anonymized or aggregated data that cannot be used to identify you, for service improvement purposes.

12. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located. When we transfer personal data internationally, we use appropriate safeguards where required (such as Standard Contractual Clauses) and other lawful mechanisms. These countries may have data protection laws that differ from those in your jurisdiction.

13. Third-Party Services and Affiliations

The App integrates with third-party services, each governed by their own privacy policies. We encourage you to review those policies:

• Supabase: supabase.com/privacy
• RevenueCat: revenuecat.com/privacy
• Google (AdMob, Calendar): policies.google.com/privacy
• OpenAI: openai.com/privacy
• Sentry: sentry.io/privacy
• Canvas LMS: Governed by your educational institution's privacy policy

We are not responsible for the privacy practices of third-party services.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically. The latest version will be available through the App and on our website. We will notify you of material changes by updating the "Effective Date" at the top. Your continued use of the App after such changes constitutes your acceptance of the revised Privacy Policy.

15. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Foundry One Technology LLC is the data controller responsible for your personal data under applicable data protection laws.