Privacy Policy
We believe privacy is a right, not a feature. This policy explains exactly what data we collect, where it lives, who can see it, and how you can control it.
Overview
TaskQuad is an AI-powered project delivery platform. To provide its core features — conversational discovery, PRD generation, architecture design, and task planning — we necessarily process some personal and project-related data. We are committed to:
- Collecting only the data we actually need to operate the Service.
- Being transparent about who processes your data and why.
- Never selling your personal data to third parties.
- Giving you meaningful control over your data at any time.
Data We Collect
Account & Identity Data
- Full name and email address (provided at sign-up via Clerk).
- Profile picture / avatar URL (optional, synced from your social login provider).
- Clerk user ID used internally to link your identity to your projects.
Project & Content Data
- Project titles and descriptions you enter.
- All discovery conversation messages (your inputs and AI responses).
- PRD documents: goals, user stories, acceptance criteria, scope.
- Architecture documents: components, data models, tech stack, Mermaid diagrams.
- Tasks: titles, descriptions, priority, status, estimated hours, tags.
- AI agent output artifacts (generated code files, logs) stored in object storage.
Usage & Technical Data
- IP address and approximate geographic region (derived from IP).
- Browser type, operating system, and device type.
- Error reports and performance traces (via Sentry) — personal data is minimized.
- API request logs retained briefly for debugging and abuse prevention.
Integration Data (Optional)
If you connect Jira, Linear, or Trello, we store an encrypted OAuth access token and configuration metadata for that integration. We do not store the content of issues or boards beyond what is needed to map tasks.
How We Collect Data
- Directly from you — when you sign up, create projects, type messages, fill in forms, or connect integrations.
- Automatically — browser cookies, server logs, and analytics scripts collect usage and technical data as you interact with the Service.
- From third parties — when you sign in with a social provider (Google, GitHub etc.) via Clerk, we receive your name, email, and avatar from that provider.
- Via webhooks — Clerk sends us webhook events when you create, update, or delete your account, which we use to keep our database in sync.
How We Use Your Data
- Providing, operating, and improving the Service.
- Authenticating your identity and securing your account.
- Processing AI requests — your inputs are sent to AI providers to generate PRDs, architectures, and tasks.
- Storing and displaying your projects and artifacts.
- Sending transactional emails (account verification, password reset, billing receipts).
- Detecting, preventing, and investigating fraud or security incidents.
- Measuring feature usage and improving product decisions via anonymized analytics.
- Responding to your support requests.
- Complying with legal obligations.
We do not use your data for advertising, sell it to data brokers, or share it with any party not listed in this policy.
Legal Basis for Processing
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with similar requirements, our legal bases for processing personal data are:
Contract Performance (Art. 6(1)(b) GDPR)
Processing your account data, project data, and AI inputs is necessary to deliver the Service you signed up for. Without this processing, we cannot provide the core features of TaskQuad.
Legitimate Interests (Art. 6(1)(f) GDPR)
We process usage data and error logs to maintain security, prevent abuse, and improve the platform. These interests do not override your fundamental rights.
Consent (Art. 6(1)(a) GDPR)
Where we use non-essential cookies or analytics beyond what is strictly necessary, we rely on your consent, which you may withdraw at any time.
Legal Obligation (Art. 6(1)(c) GDPR)
We may process your data to comply with applicable laws, respond to lawful government requests, or enforce our Terms of Service.
Third-Party Providers
To operate TaskQuad, we share your data with the following trusted third-party service providers. Each provider is bound by a data processing agreement and is obligated to protect your data.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Clerk | Authentication & user identity | Name, email, profile picture, session tokens | United States |
| Vercel | Hosting, deployment, PostgreSQL database | All application data, IP addresses, request logs | United States / Global CDN |
| OpenAI | Primary AI model (GPT) for content generation | Project descriptions, conversation messages, PRD & architecture inputs | United States |
| Anthropic | Fallback AI model (Claude) for content generation | Project descriptions, conversation messages, PRD & architecture inputs | United States |
| Upstash (Redis) | Session caching, rate limiting, task queue | Temporary session data, API usage counters | United States / EU (region-configurable) |
| AWS S3 / Cloudflare R2 | File & artifact storage for AI agent outputs | Generated code files, log files, build artifacts | United States / Global |
| Fly.io | AI Agent sandbox execution environment | Isolated code execution context, no persistent personal data | United States / Global |
| Sentry | Error tracking & performance monitoring | Error stack traces, browser/OS info, anonymized user IDs | United States |
| Svix | Webhook delivery (Clerk user sync events) | Webhook payloads: user creation/update/deletion events | United States |
We do not transfer your data to any provider not listed above without updating this policy and, where required, obtaining your consent.
Data Storage & Location
Primary Database
All structured application data (users, projects, PRDs, architectures, tasks, conversations) is stored in a PostgreSQL database hosted on Vercel Postgres, located primarily in the United States.
File & Artifact Storage
Files generated by the AI Agent (code, logs, build outputs) are stored in AWS S3 or Cloudflare R2 object storage. Only the URL reference is stored in our database; the files themselves live in the object store and are accessible only via signed (time-limited) URLs.
Cache & Queue
Temporary data such as session tokens, rate-limit counters, and background job queues are stored in Upstash Redis. This data is short-lived and not used for persistent storage of personal information.
International Transfers
Our primary infrastructure is located in the United States. If you access the Service from outside the US, your data will be transferred internationally. Such transfers are governed by Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by applicable law.
Data Retention
- Account & profile data — Retained for as long as your account is active. When you delete your account, your profile data is removed within 30 days.
- Project data — All projects, conversations, PRDs, architectures, and tasks are cascade-deleted when you delete a project or your account.
- AI agent artifacts — Files stored in object storage are deleted within 90 days of the associated agent run, or immediately upon project deletion.
- Server & access logs — Automatically deleted after 90 days.
AI Processing & Your Data
Because TaskQuad is an AI-powered platform, your inputs are processed by large language models. Here is exactly what that means for your privacy:
What is sent to AI providers
- Your project description and discovery conversation messages are sent to OpenAI (primary) or Anthropic (fallback) to generate AI responses.
- PRD content is sent when requesting architecture generation.
- Architecture content is sent when generating task plans.
- We do not send payment data, passwords, or credentials to AI providers.
How AI providers handle your data
OpenAI and Anthropic process your inputs to return completions. Under our API agreements, they do not use API inputs to train their models by default. Please review OpenAI's Privacy Policy and Anthropic's Privacy Policy for full details.
Sensitive information recommendation
We strongly recommend not entering sensitive personal data (passwords, private keys, health data, financial account numbers) in discovery conversations or project descriptions, as this data will be transmitted to third-party AI providers.
Security
We implement industry-standard technical and organizational measures to protect your data:
- TLS encryption on all data in transit between your browser and our servers.
- Encryption at rest for all database storage via Vercel Postgres.
- AES-256 encryption for third-party integration OAuth tokens stored in our database.
- Rate limiting via Redis to prevent brute-force attacks and API abuse.
- Isolated sandbox environments (Docker containers on Fly.io) for AI agent code execution — network-restricted and time-limited.
- Access controls — all API routes enforce authentication; project data is verified against ownership before any operation.
- Webhook verification via Svix signature checking for all incoming Clerk webhook events.
Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it responsibly to security@taskquad.dev before public disclosure.
Optional Third-Party Integrations
When you connect Jira, Linear, or Trello through the project settings:
- We store an encrypted OAuth access token for that provider.
- Task data you choose to export is sent to the connected service.
- We receive webhook events from those services to sync status changes back to TaskQuad.
- Disconnecting an integration deletes the stored token and stops all synchronization.
- Your use of those services remains subject to their own privacy policies.
Children's Privacy
TaskQuad is not directed at children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us at privacy@taskquad.dev and we will delete it promptly.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@taskquad.dev. We will respond within 30 days.
| Right | What it means |
|---|---|
| Right of Access | Request a copy of all personal data we hold about you. |
| Right to Rectification | Ask us to correct inaccurate or incomplete personal data. |
| Right to Erasure | Request deletion of your personal data ("right to be forgotten"). Deleting your account triggers deletion of all associated project data. |
| Right to Data Portability | Receive your data in a structured, machine-readable format (JSON/CSV). |
| Right to Object | Object to processing of your data for direct marketing or legitimate-interest purposes. |
| Right to Restrict Processing | Ask us to pause processing your data while a complaint is investigated. |
| Right to Withdraw Consent | Where processing is based on consent, you may withdraw it at any time without affecting prior processing. |
If you are located in the EU/EEA and believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local data protection authority (DPA).
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last updated" date.
- Sending a notification email to your registered address for significant changes.
Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes.
Contact Us
For privacy-related questions, data requests, or to report a concern, please reach out: