Privacy Policy

1. Introduction

This Privacy Policy describes how MetaWear s.r.o. ("we", "us", "our") collects, uses, and protects your personal data when you use TaskStaq (the "Service"), available at app.taskstaq.com.

Service Provider

MetaWear s.r.o.
Sládkova 372/8, Moravská Ostrava
702 00 Ostrava
Czech Republic
IČ: 14338017
Registered at the Regional Court in Ostrava, file no. C 88655

By using TaskStaq, you agree to the collection and use of information in accordance with this policy and our Terms of Service.

2. What Data We Collect

We practice data minimization — we only collect what is necessary to provide the Service.

2.1 Account Information (via OAuth)

When you sign in with Google or GitHub, we receive and store:

  • Name — Your display name from the OAuth provider
  • Email address — Your primary email
  • Profile image — Avatar URL from your OAuth account
  • Provider account ID — Unique identifier from Google/GitHub
  • OAuth tokens — Access and refresh tokens (encrypted, used only for authentication)

We do not store passwords. Authentication is handled entirely by Google and GitHub.

2.2 Usage Data

  • Projects, columns, cards, tags, groups — Your task management data
  • AI conversation history — Chat messages with the AI assistant (stored per-project)
  • AI settings — Provider selection, model preferences, temperature
  • Encrypted API keys — If you configure custom AI providers (OpenAI, Anthropic, Google, ElevenLabs), your API keys are encrypted using AES-256-GCM before storage
  • Subscription status — Whether you have a Pro account

2.3 AI Audit Logs

For security and compliance, we maintain a permanent audit log of AI tool calls, including:

  • User ID
  • Tool name (e.g., create_card, delete_project)
  • Tool input parameters
  • Success/error status
  • Timestamp

This log is append-only and cannot be deleted by users. It exists to prevent abuse and provide accountability.

2.4 What We DON'T Collect

  • No IP addresses stored in the database
  • No payment information (not yet implemented)
  • No phone numbers or physical addresses
  • No tracking cookies or analytics scripts
  • No device fingerprinting
  • No third-party analytics (Google Analytics, Mixpanel, Hotjar, etc.)

3. Cookies

We use only one cookie for authentication:

Cookie NamePurposeDurationType
authjs.session-token (dev)
__Secure-authjs.session-token (prod)		Maintains your login sessionSession-based (expires on logout or 30 days)First-party, HttpOnly, Secure

We do not use cookies for tracking, advertising, or analytics.

4. How We Use Your Data

We use your personal data only for the following purposes:

4.1 Service Provision (Legal Basis: Contract)

  • Authenticate you via OAuth
  • Store and display your projects, cards, and AI conversations
  • Enable AI assistant features (if you configure an AI provider)
  • Sync your data across devices

4.2 Security & Fraud Prevention (Legal Basis: Legitimate Interest)

  • Rate limiting on public share endpoints (in-memory, 5-minute TTL, not persisted)
  • AI audit logs to detect abuse
  • Failed authentication logging (console warnings with IP, path, timestamp — not stored in DB)

4.3 Service Improvement (Legal Basis: Legitimate Interest)

  • Monitor system errors via Railway logs (stdout/stderr)
  • No analytics or user behavior tracking

5. Data Sharing & Third Parties

5.1 OAuth Providers

When you sign in, Google or GitHub receives your authentication request. We do not control their data practices. See:

5.2 AI Providers (When You Enable AI Features)

Mode 1: PRO AI (Default for Pro Users)

  • We use our own API key to call OpenAI or Anthropic on your behalf
  • Your AI conversation text and board data are sent to the AI provider via our backend
  • Rate limit: 50 messages per day
  • Your API key: Not required

Mode 2: Custom AI (Bring Your Own Key)

  • You provide your own API key (OpenAI, Anthropic, Google, or any OpenAI-compatible endpoint)
  • Your conversation text is sent to the AI provider using your API key
  • Rate limit: None (you pay directly to the provider)
  • Your API key is encrypted (AES-256-GCM) before storage

AI providers we support:

  • OpenAI — GPT-4, GPT-4o, o1
  • Anthropic — Claude Sonnet, Opus, Haiku
  • Google — Gemini models
  • Any OpenAI-compatible endpoint (e.g., Ollama, Together AI, Groq)

In both modes, AI requests go through our backend — you never communicate directly with AI providers.

5.3 ElevenLabs (Optional Voice Synthesis)

If you enable ElevenLabs voice output:

  • You provide your own ElevenLabs API key
  • We send your text to ElevenLabs using your API key
  • Fallback is browser-native SpeechSynthesis (no external API)

5.4 Hosting Provider

Your data is hosted on Railway infrastructure in the European Union (Amsterdam, Netherlands). Railway may access server logs and database backups for infrastructure maintenance.

Your data remains within the EU. No international data transfer occurs for the primary service infrastructure.

5.5 No Other Third Parties

We do not share your data with:

  • Advertisers or marketing platforms
  • Analytics services
  • Affiliate programs
  • Data brokers

6. Data Retention

Data TypeRetention Period
Account informationUntil you delete your account
Projects, cards, AI conversationsUntil you delete them manually or delete your account
Soft-deleted cardsIndefinitely (can be restored from Archive)
AI audit logsPermanent (security/compliance requirement)
OAuth tokensUntil you revoke access via Google/GitHub or delete your account
Session cookies30 days or until logout

Cascade Deletion

When you delete your account, we automatically delete all projects, columns, cards, tags, groups, AI conversations and settings, share links, OAuth tokens, and session cookies.

AI audit logs are retained permanently for security purposes.

7. Your Rights (GDPR)

Under the EU General Data Protection Regulation (GDPR), you have the right to:

7.1 Access

Request a copy of your personal data. Contact us at info@metawear.cz.

7.2 Rectification

Correct inaccurate data directly in the app (Settings → Profile) or contact us.

7.3 Erasure ("Right to be Forgotten")

Delete your account by contacting us. We will:

  • Delete all account data within 30 days
  • Retain AI audit logs (legal obligation for security)
  • Notify you when deletion is complete

Self-service account deletion UI is coming soon.

7.4 Data Portability

Request a JSON export of your data. Contact us — we will provide all projects, cards, tags, groups, AI conversation history, and account information.

Self-service data export UI is coming soon.

7.5 Object to Processing

You can object to data processing for legitimate interests (e.g., AI audit logging). Contact us to discuss.

7.6 Restrict Processing

Request temporary suspension of data processing. Contact us.

7.7 Withdraw Consent

For OAuth access: Revoke via Google or GitHub.

8. Data Security

We implement industry-standard security measures:

  • Encryption at rest — API keys encrypted with AES-256-GCM
  • Encryption in transit — HTTPS/TLS for all connections
  • Session security — HttpOnly, Secure, SameSite cookies
  • Database isolation — Each user's data is strictly separated (userId foreign keys)
  • OAuth-only authentication — No passwords stored
  • Rate limiting — In-memory rate limits on public endpoints
  • Audit logging — Permanent record of all AI tool calls

Railway infrastructure provides database backups, automated patching, and DDoS protection.

9. Children's Privacy

TaskStaq is not intended for users under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email if we make significant changes affecting your rights
  • Display a notice in the app

Continued use of TaskStaq after changes constitutes acceptance of the updated policy.

11. International Users

TaskStaq is operated by a company registered in the Czech Republic and hosted on servers in the European Union (Amsterdam, Netherlands).

For EU users: Your data stays within the EU. No cross-border transfer is required for the core service. Note that when you use AI features, your conversation data is sent to third-party AI providers (OpenAI, Anthropic, Google) whose servers may be located outside the EU (see Section 5.2).

For non-EU users: Data protection laws in your country may differ. By using TaskStaq, you consent to the processing of your data as described in this policy.

12. Contact Us

For privacy-related questions, data requests, or to exercise your GDPR rights, contact:

Email: info@metawear.cz

Postal Address:
MetaWear s.r.o.
Sládkova 372/8, Moravská Ostrava
702 00 Ostrava
Czech Republic

Response time: We will respond to GDPR requests within 30 days.

13. Supervisory Authority

If you are located in the EU and believe we have violated GDPR, you have the right to lodge a complaint with your local data protection authority:

14. Summary (TL;DR)

  • Minimal data collection — Only OAuth profile + your tasks
  • Zero tracking — No analytics, no cookies beyond session auth
  • Encrypted API keys — AES-256-GCM for your AI provider credentials
  • AI transparency — Conversations stored per-project, you can delete anytime
  • EU hosting — Railway servers (Amsterdam, Netherlands)
  • GDPR rights — Access, delete, export (contact us)
  • No self-service account deletion yet — Email us to delete your account
  • No data export UI yet — Email us for JSON export

We believe in privacy by design — we don't collect what we don't need.

Effective Date: February 15, 2026

Last Updated: February 15, 2026

← Back to TaskStaqTerms of Service