Privacy Policy

Account data: When you register, we collect your name, email address, and role (client or freelancer). If you sign in via Google OAuth, we receive the profile information you authorize Google to share (name, email, profile picture).

Usage data: We collect information about how you use TaskFlow — pages visited, features used, and actions taken — to improve the product and diagnose issues.

Profile data: Display name, avatar image, and account plan level are stored in our database and displayed within the platform.

TaskFlow uses Supabase Auth to manage user accounts. Authentication state is maintained via a secure JWT (JSON Web Token) that is automatically refreshed before expiry. We do not store your password in plaintext — passwords are hashed using industry-standard algorithms managed by Supabase.

If you choose to sign in with Google OAuth, you will be redirected to Google's authentication page. Google will share your name, email, and profile picture with TaskFlow. We do not receive your Google password. You can revoke Google access at any time through your Google Account settings.

Your session persists across browser restarts using an encrypted session token stored in your browser's local storage. You can sign out at any time to invalidate your session.

TaskFlow uses two categories of browser storage:

Your cookie consent choice is stored in localStorage under the key taskflow-cookie-consent. If you clear browser storage the banner will reappear and you can make a new choice.

Plan upgrades are processed via PayPal. When you complete a payment, your browser communicates directly with PayPal's secure checkout. TaskFlow does not see or store your credit card number, bank account details, or PayPal password.

Our server uses a server-side PayPal API key only to create and capture payment orders. This key is never exposed to your browser. After a successful payment, we update your account plan in our database. PayPal processes your payment data under their own Privacy Policy.

Messages and file attachments you send are stored in our database and file storage (Supabase Storage). Files are accessible only to the participants of the conversation — this is enforced at the database level using Row Level Security (RLS) policies.

Uploaded files are served via authenticated URLs. We block executable file types (.exe, .bat, .cmd, .sh, etc.) at the upload level. Maximum file size limits apply per upload.

If you delete your account, your messages and uploaded files are removed per our data retention policy described in Section 6.

All data is transmitted over HTTPS. Our database and file storage are hosted on Supabase infrastructure with encryption at rest. Database access is restricted via Row Level Security policies — no user can read another user's private data.

We do not sell your personal data to third parties. We do not use your data to train AI models. Third-party services we use (Supabase, PayPal) operate under their own data protection agreements.

We retain your data as long as your account is active. If you request account deletion, we will remove your profile, tasks, messages, and uploaded files within 30 days.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the data we hold about you.
• Correction: Update your display name and avatar via Settings.
• Deletion: Request deletion of your account and associated data.
• Portability: Request your data in a machine-readable format.
• Opt-out: Decline optional cookies at any time via Settings → Cookie Preferences.

To exercise these rights, contact us using the details in Section 8.

If you have questions about this Privacy Policy or your data, contact us: