Privacy Policy
Last Updated: January 27, 2025
Effective Date: January 27, 2025
1. Introduction
Welcome to FlashTasks AI ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our task management application, available as a web application and mobile app (collectively, the "Service").
By using FlashTasks AI, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Personal Information You Provide
When you register for and use our Service, we collect:
- Account Information: Email address, name, password (encrypted)
- Profile Information: Optional profile details you choose to provide
- Task Data: Tasks, notes, categories, reminders, and related metadata you create
- Location Data: Geographic locations associated with tasks (when you choose to add them)
- Voice Data: Temporary voice recordings when using speech-to-text features (processed and immediately deleted)
2.2 Information Collected via Google OAuth
When you sign in using Google Sign-In, we collect:
- Basic Profile Information: Your Google email address, name, and profile picture
- Google Calendar Data (Optional): If you enable Google Calendar sync, we access your calendar events to synchronize tasks. You can revoke this permission at any time through your Google Account settings.
Google OAuth Scopes Used:
- email - To identify your account
- profile - To display your name and profile picture
- https://www.googleapis.com/auth/calendar (optional) - To sync tasks with Google Calendar (only if you enable this feature)
How We Use Google Data:
- Google Sign-In is used solely for authentication
- We do not share your Google data with third parties
- Calendar data is used only to create/update calendar events for your tasks
- You can disconnect Google Calendar sync at any time in Settings
2.3 Automatically Collected Information
We automatically collect:
- Device Information: Device type, operating system, unique device identifiers
- Usage Data: Features used, actions taken, time spent in the app
- Log Data: IP address, browser type, access times, pages viewed
- Location Data: Approximate location based on IP address (for location-based task suggestions)
- Mobile Permissions:
  - Location: For location-based task features (optional, can be disabled)
  - Microphone: For speech-to-text task creation (temporary, processed locally when possible)
  - Notifications: For task reminders and updates
2.4 AI-Generated Data
When using AI features:
- AI Analysis: Your task content is processed by AI services (Google Generative AI, Anthropic Claude) to provide suggestions, categorization, and insights
- Processing: AI processing happens in real-time; we do not permanently store AI analysis data separately from your tasks
- Third-Party AI Providers: Task content sent to AI providers is subject to their privacy policies (Google AI, Anthropic)
3. How We Use Your Information
We use collected information for:
3.1 Service Delivery
- Providing, operating, and maintaining the Service
- Managing your account and authentication
- Processing and storing your tasks, notes, and categories
- Enabling AI-powered features (task suggestions, categorization, insights)
- Synchronizing data across your devices
- Sending task reminders and notifications
3.2 Service Improvement
- Understanding how users interact with our Service
- Developing new features and functionality
- Analyzing usage patterns to improve performance
- Debugging and fixing technical issues
3.3 Communication
- Sending service-related emails (account verification, password reset)
- Notifying you of policy changes or important updates
- Responding to your inquiries and support requests
3.4 Security
- Monitoring for suspicious activity and fraud prevention
- Enforcing our Terms of Service
- Protecting against security threats
4. Data Storage and Security
4.1 Data Location
- Primary Database: MongoDB Atlas hosted on AWS (Stockholm, eu-north-1 region)
- Data Processing: Your data is processed in the European Economic Area (EEA)
4.2 Security Measures
We implement industry-standard security measures:
- Encryption: Data in transit is encrypted using TLS/SSL; passwords are hashed using bcrypt
- Authentication: JWT-based authentication with secure token refresh mechanisms
- Access Control: Role-based access controls and principle of least privilege
- Infrastructure: Secure cloud hosting with regular security updates
- Monitoring: Continuous monitoring for security threats and anomalies
Important: No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
4.3 Data Retention
- Active Accounts: We retain your data as long as your account is active
- Account Deletion: Upon account deletion, your personal data is immediately and permanently deleted from our systems
- Backups: Backup copies are deleted within 30 days of account deletion
- Legal Requirements: We may retain certain data if required by law (e.g., for tax or legal purposes)
5. Third-Party Services
We use the following third-party services that may collect and process your data:
5.1 AI Services
- Google Generative AI (Gemini): Processes task content for AI features
- Anthropic Claude: Provides AI-powered task insights and suggestions
- Privacy: Your data is sent to these services only when using AI features
5.2 Authentication
5.3 Cloud Services
- MongoDB Atlas (AWS): Database hosting in Stockholm (eu-north-1)
- Vercel: Web application hosting
- Render.com: Backend API hosting
5.4 Mobile Services
- Firebase Cloud Messaging: Push notifications for task reminders
- Firebase App Distribution: Beta testing distribution
- Privacy: Subject to Firebase Privacy Policy
5.5 Email Services
- SMTP Provider: For sending transactional emails (account verification, password reset)
5.6 Future Analytics (Optional)
We may implement Google Analytics in the future. If implemented, you will be notified and can opt out.
6. Data Sharing and Disclosure
We do not sell your personal information. We may share data in the following circumstances:
6.1 With Your Consent
Sharing data with third-party integrations you explicitly enable (e.g., Google Calendar sync)
6.2 Service Providers
Third-party vendors who perform services on our behalf (hosting, AI processing, email delivery). These providers are contractually obligated to protect your data and use it only for specified purposes.
6.3 Legal Requirements
- When required by law, legal process, or government request
- To protect our rights, property, or safety, or that of our users or the public
- To enforce our Terms of Service
6.4 Business Transfers
In connection with a merger, acquisition, or sale of assets, user data may be transferred (you will be notified of any such change)
7. Your Rights (GDPR Compliance)
As FlashTasks AI operates from Norway (EEA), we comply with the General Data Protection Regulation (GDPR). You have the following rights:
7.1 Access and Portability
- Right to Access: Request a copy of your personal data
- Data Portability: Export your data in a machine-readable format (available in Settings → Export Data)
7.2 Correction and Deletion
- Right to Rectification: Update or correct your personal information (available in Settings → Profile)
- Right to Erasure ("Right to be Forgotten"): Delete your account and all associated data (Settings → Delete Account)
7.3 Control and Objection
- Right to Object: Object to processing of your data for specific purposes
- Right to Restrict Processing: Request limitation of how we process your data
- Withdraw Consent: Revoke consent for optional data processing (e.g., location access, AI features)
7.4 Exercising Your Rights
To exercise any of these rights, contact us at FlashTasksAI@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority (Norway: Datatilsynet).
8. Children's Privacy
FlashTasks AI is not intended for children under 16 years of age (GDPR requirement). We do not knowingly collect personal information from children under 16.
If you believe we have collected information from a child under 16, please contact us immediately at FlashTasksAI@gmail.com, and we will delete such information.
9. International Data Transfers
While our primary data storage is in the EEA (Stockholm), some third-party services (Google AI, Anthropic) may process data outside the EEA. We ensure such transfers comply with GDPR through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Other lawful transfer mechanisms
10. Cookies and Tracking
10.1 Web Application
- Essential Cookies: Authentication tokens, session management (required for service functionality)
- CSRF Tokens: Security tokens to prevent cross-site request forgery
10.2 Mobile Application
- Local Storage: Secure storage of authentication tokens and app preferences
- No Third-Party Tracking: We do not currently use analytics or advertising trackers
10.3 Future Analytics
If we implement Google Analytics or similar services, we will:
- Update this Privacy Policy
- Notify active users via email and in-app notification
- Provide opt-out mechanisms
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do:
- The "Last Updated" date at the top will be revised
- Material changes will be communicated via:
  - Email notification to your registered email address
  - In-app notification when you next use the Service
- Continued use of the Service after changes constitutes acceptance
We encourage you to review this Privacy Policy periodically.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of data collected and how it's used
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of personal information (Note: We do not sell personal information)
- Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at FlashTasksAI@gmail.com.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
For GDPR-related inquiries, you may also contact the Norwegian Data Protection Authority (Datatilsynet):