Privacy Policy
1. Introduction
Welcome to TaskWithAI (“we”, “us”, “our”, or “Company”). TaskWithAI is a product of Cloudifyapps (OPC) Private Limited (CIN to be cited on invoices), an Indian company with its registered office in India (full address: Mani Casadona West Tower, Unit No. 2WS5B, 2nd floor, Plot No. 11F/04, Action Area: IIF, New Town, Rajarhat, Kolkata, West Bengal 700160). We are committed to protecting your privacy and personal data and complying with the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) for individuals in the European Economic Area and the United Kingdom, and with India’s Digital Personal Data Protection Act, 2023(“DPDP Act”) for individuals in India.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit taskwith.ai or any of our subdomains (the “Website”) or use our multi-tenant project-management platform (the “Services”).
By accessing or using our Website and Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services. This Privacy Policy should be read in conjunction with our Terms & Conditions and Cookie Policy.
1.1 Our role: Controller, Processor, Fiduciary
Cloudifyapps (OPC) Private Limited acts as the data controller (under GDPR Article 4(7)) and the Data Fiduciary (under DPDP Act §2(i)) for the account, billing, marketing and product-usage information that we collect directly from you to operate TaskWithAI.
With respect to the data you and your workspace members create, upload or otherwise submit into a workspace (“Customer Content”), Cloudifyapps acts as a data processor (GDPR) / Data Processor (DPDP Act §8(7)) on behalf of the workspace owner, who is the controller / Data Fiduciary of that data and determines its purposes and means. Our processing of Customer Content is governed by our Terms & Conditions and any data-processing addendum (DPA) we sign with the workspace owner.
1.2 Grievance Officer / Data Protection contact
In accordance with §10(8) of the DPDP Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we publish the following contact for grievances, data-subject requests, and any DPDP-, GDPR- or UK GDPR-related matters:
- Grievance Officer / Privacy contact: Privacy Team, Cloudifyapps (OPC) Private Limited
- Email: [email protected]
- Postal: Mani Casadona West Tower, Unit No. 2WS5B, 2nd floor, Plot No. 11F/04, Action Area: IIF, New Town, Rajarhat, Kolkata, West Bengal 700160, India
We acknowledge grievances within 72 hours and respond substantively within the timeframes prescribed by applicable law (within one month under GDPR Article 12; within the period specified by the DPDP Rules, generally not exceeding 30 days).
2. Information we collect
2.1 Information you provide
Account information:
- Name, email address, phone number, profile photo (avatar)
- Workspace name, slug, industry, and timezone
- Authentication identifiers issued by our identity layer (and, in future, the ID token claims returned by Google, Apple, Microsoft or GitHub if you sign in via social login)
- Profile preferences (theme, date format, week start, notification settings)
Billing information:
- Billing address, business contact, GSTIN (for India), VAT/Tax ID (where applicable)
- Subscription plan, seat count, billing state, invoice IDs and history
- Payment instrument details (card number, UPI VPA, etc.) are entered directly with our payment gateways (Razorpay for INR, Stripe for USD) and are never stored on our servers; we only receive a tokenised reference and the payment status.
Workspace (Customer) content:
- Projects, tasks, subtasks, comments, attachments, tags, milestones
- Time logs, attendance clock-in/out, leave requests, holiday calendars
- Custom statuses, priorities, task types, agent squads
- Saved views, filters, notification preferences
Communications:
- Support emails, in-app messages, feedback, bug reports, survey responses
2.2 Information collected automatically
Usage: pages viewed, features used, actions taken in a workspace, search queries, navigation patterns, time / frequency / duration of activity.
Device & technical: IP address (used for rough geolocation, fraud prevention and security audit logs), browser type and language, operating system, device type, screen resolution, referral URL, request timestamps.
Cookies and similar technologies: see our Cookie Policy. You can manage non-essential cookies through the cookie banner displayed on your first visit and via the “Cookie preferences” link in the footer.
2.3 Information from third parties
- Payment processors (Razorpay, Stripe) — subscription status, invoice IDs, payment confirmations, dispute / chargeback notifications
- Transactional-email provider (Brevo) — delivery status of invitations and notifications
- AI-feature provider (OpenAI, and other LLM providers you may choose to configure in your workspace) — outputs generated for tasks assigned to AI members
- Social-login providers (Google, Apple, Microsoft, GitHub) — only the identity claims required for sign-in (typically email, name, and a stable provider-side identifier), once those flows are enabled
3. How we use your information (purposes & lawful bases)
3.1 To deliver the Services — lawful basis: performance of a contract (GDPR Art. 6(1)(b)) / specified consent and legitimate uses (DPDP Act §7)
- Create and manage your account, workspace and team membership
- Provision and maintain isolated workspace data and private uploads
- Enable task management, time tracking, attendance, leave, AI agents and reports
- Send invitations, in-app and email notifications to your teammates
- Provide customer support and respond to your requests
3.2 For business operations — lawful basis: legitimate interests (GDPR Art. 6(1)(f)) and legal obligation (Art. 6(1)(c))
- Process payments and manage subscriptions through Razorpay / Stripe
- Send transactional emails (account, invoices, billing updates)
- Monitor and analyse usage patterns and trends (in aggregate)
- Detect, prevent and address technical issues, abuse and security threats
- Maintain audit logs of administrative actions for accountability
- Enforce our Terms & Conditions and comply with legal obligations
3.3 For marketing communications — lawful basis: consent (GDPR Art. 6(1)(a)) / DPDP §6 consent
- Product announcements about new features, updates and offers
- Market research and feedback collection
You can opt out of non-essential communications at any time by clicking the unsubscribe link in our emails or by updating your notification preferences in the app.
3.4 With your explicit consent
We may use your information for other purposes with your explicit consent, which you can withdraw at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
4. Sub-processors and third parties we share data with
We share information with the following categories of recipients, and only to the extent necessary for the purpose described. Each sub-processor is bound by written agreements that require equivalent protection of your data.
- Razorpay Software Private Limited (India) — payment processing for INR subscriptions. Data shared: name, email, billing address, transaction details.
- Stripe, Inc. (United States) — payment processing for USD subscriptions. Data shared: name, email, billing address, transaction details. Stripe is a self-certified participant of the EU-US Data Privacy Framework and uses Standard Contractual Clauses for transfers.
- Amazon Web Services (AWS) — Mumbai region, ap-south-1 — hosting and storage of workspace data and uploads. Customer data is stored in India.
- Cloudflare, Inc. (United States / global) — content delivery, DDoS protection, and our private tunnel from edge to origin. Cloudflare may briefly process metadata for the request (IP, URL, headers) to deliver responses and protect against attacks.
- Brevo (Sendinblue SAS, France) — transactional email delivery for invitations, notifications, password reset and billing emails.
- OpenAI, L.L.C. (United States) and any other large-language-model provider that a workspace owner configures — to execute AI-agent runs. The workspace owner controls which provider is used and what content is sent. We do not train or allow our LLM sub-processors to train on Customer Content.
- Social-login providers (Google LLC, Apple Inc., Microsoft Corp., GitHub Inc.) — once enabled by you for sign-in. Only identity claims are exchanged; we do not pull additional profile data.
An up-to-date list of sub-processors is available on request from [email protected]. We will give workspace owners advance notice (at least 30 days, unless legally required earlier) of any addition or replacement of a sub-processor that handles Customer Content, and the owner may object on reasonable grounds.
4.1 Within your workspace
Other members of your workspace can see content you create (tasks, comments, time logs, attendance, leave requests) according to the role you have been granted. Owners and admins have broader visibility than members and viewers.
4.2 Business transfers
If we are involved in a merger, acquisition, sale of assets, or insolvency proceeding, your information may be transferred as part of that transaction. We will notify you of any such change and you will be given the rights described in this Policy with respect to the successor entity.
4.3 Legal requirements
We may disclose your information to comply with the law or in response to:
- Valid legal processes (subpoenas, court orders, warrants)
- Governmental or regulatory requests
- Protection of our or a third party’s rights, property or safety
- Investigation of fraud, security incidents or illegal activity
- Enforcement of our Terms & Conditions
5. Data security
We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as required under GDPR Article 32 and §8(5) of the DPDP Act.
- Encryption in transit: TLS 1.2+ for all traffic between you and our edge, and between our edge and our origin.
- Workspace isolation: Each workspace is fully partitioned — Customer Content from one workspace is never accessible to another.
- Access controls: Role-based access inside the product (owner / admin / manager / member / viewer); least-privilege access for our staff, with audit logging on administrative actions.
- Authentication: All sign-ins go through our identity layer; we support enforced multi-factor authentication for operator and super-admin accounts.
- Backups: Pre-deploy and rolling backups of customer data are retained for operational recovery. Backups are encrypted at rest.
- Monitoring: Continuous monitoring for security and reliability incidents; documented incident-response procedure with notification to affected users and regulators as required by Articles 33-34 of GDPR and the DPDP Act.
No warranty of security: While we take reasonable steps, no method of Internet transmission or electronic storage is 100% secure. To the maximum extent permitted by law, our liability arising out of a security incident is subject to the disclaimers and the cap on aggregate liability set out in our Terms & Conditions.
6. Your rights
Depending on where you live, you have the rights described below. To exercise any of them, email [email protected]. We may need to verify your identity before responding, and may decline manifestly unfounded or excessive requests as permitted by law.
6.1 GDPR (EEA / UK) rights
- Access (Art. 15): obtain confirmation of and a copy of your data
- Rectification (Art. 16): correct inaccurate or incomplete data
- Erasure / “right to be forgotten” (Art. 17)
- Restriction of processing (Art. 18)
- Portability (Art. 20): receive your data in a structured, commonly-used, machine-readable format
- Object to processing based on legitimate interests or for direct marketing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with your national supervisory authority
6.2 India DPDP Act rights
- §11 — right to access information about personal data, processing activities and the identities of Data Fiduciaries / Processors with whom it has been shared
- §12 — right to correction, completion, updating and erasure
- §13 — right of grievance redressal; contact the Grievance Officer identified in §1.3 above
- §14 — right to nominate another individual to exercise these rights in the event of death or incapacity
- §6(4)–(6) — right to withdraw consent at any time, as easily as it was given
- Right to approach the Data Protection Board of India if a grievance is not satisfactorily resolved
6.3 California (CCPA / CPRA) rights
If you are a California resident, you may additionally have:
- The right to know what personal information is collected, used and shared
- The right to delete personal information
- The right to correct inaccurate personal information
- The right to opt out of the “sale” or “sharing” of personal information (we do not sell personal information)
- The right to non-discrimination for exercising your rights
7. Data retention
- Active workspaces: we retain your data while your subscription is active.
- Cancelled subscriptions: after cancellation, workspace data is retained for up to 30 days for recovery, then permanently deleted from production systems; encrypted backups may persist for up to 90 additional days before rolling out of rotation.
- Tax / accounting records: invoices and billing records are retained for the period required by Indian tax law (currently up to 8 years).
- Security & audit logs: typically retained for 12 months.
- Aggregated / anonymised data: may be retained indefinitely, since it is no longer personal data.
8. International data transfers
TaskWithAI is operated from India and primary storage is in the AWS Mumbai region (ap-south-1). If you access the Services from outside India, your information will be transferred to, stored and processed in India.
Some of our sub-processors (e.g. Stripe, Cloudflare, Brevo, OpenAI) are based outside India / the EEA. When personal data is transferred to such third countries we rely on the legal mechanisms required by GDPR Chapter V, including:
- European Commission adequacy decisions, where available
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement / Addendum, where applicable
- Supplementary technical and organisational measures (e.g. encryption in transit)
9. AI features & automated processing
TaskWithAI offers optional AI features (“Agent Squads”) that, when configured by a workspace owner, send selected task content to a large-language-model provider chosen by that owner. We do not allow the LLM provider to train on Customer Content. Outputs are returned to the workspace and treated as Customer Content from then on.
We do not make decisions about you that produce legal or similarly significant effects solely by automated means (GDPR Art. 22 / DPDP §11(2)(c)). If we ever introduce such decisions, we will obtain the additional consent or other legal basis required.
10. Third-party links and services
Our Services may contain links to third-party websites, services, or applications. We are not responsible for the privacy practices or content of these third parties. We encourage you to review their privacy policies before providing any personal information.
11. Children’s privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. Under the DPDP Act §9, processing of a child’s personal data requires verifiable parental consent — TaskWithAI does not process children’s data and an account opened by a minor will be disabled when we become aware of it. If you believe a child has provided us with personal information, please contact us immediately and we will delete such information.
12. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last updated” date at the top of this policy
- Email account owners
- Display a prominent notice on the Website or inside the app
Continued use of the Services after the effective date constitutes acceptance.
13. Contact
Cloudifyapps (OPC) Private Limited
Mani Casadona West Tower, Unit No. 2WS5B, 2nd floor, Plot No. 11F/04, Action Area: IIF, New Town, Rajarhat, Kolkata, West Bengal 700160, India
Email: [email protected]
Website: www.taskwith.ai
By using our Services, you acknowledge that you have read and understood this Privacy Policy and the legal bases on which we process your personal data.

