1. Data controller
The data controller under GDPR is:
- Oleg Kuzubov, individual, Latvia;
- data contact: support@gettaskzen.eu.
When we incorporate (LV SIA), we will notify users in advance about the change of controller.
2. What we collect
- E-mail and name — for authentication and identification in your pair;
- task content, chat messages, attachments — data you add yourself;
- technical data: signup time, last sign-in IP, user-agent — for security purposes;
- optional: city for the weather widget.
We do not use advertising cookies and do not share data with advertising networks.
3. Purposes of processing
- provide the service to you and your pair partner;
- ensure security (rate-limiting, bot protection);
- send transactional e-mails (invitations, password reset, material changes).
4. Legal basis
Processing is based on Art. 6(1)(b) GDPR — performance of the contract concluded by accepting the Terms of Service.
5. Recipients
- Supabase Inc.(database & authentication) — servers in the EU (eu-central-1, Frankfurt). DPA available on request.
- Vercel Inc. (application hosting) — request processing on both EU and US edge nodes.
- Resend (Resend Labs Inc.) — e-mail delivery (confirmations, magic-link).
For transfers to the US we rely on the European Commission's Standard Contractual Clauses.
6. Retention
- active account — for as long as you use the service;
- after account deletion — up to 30 days (backups), then full deletion;
- archive of a cancelled pair — the customer retains the archive until explicit deletion (see Terms §4); the executor loses access immediately upon cancellation.
7. Your rights (GDPR)
- right of access (Art. 15);
- right to rectification (Art. 16);
- right to erasure — “right to be forgotten” (Art. 17);
- right to restriction (Art. 18);
- right to data portability (Art. 20) — export as CSV/ZIP;
- right to object (Art. 21).
How to delete your account (GDPR Art. 17): in your profile, open «Settings → Danger zone» and press «Delete account». Deletion is immediate. If you are the customer: all your pairs and their content (tasks, chat, files) are deleted entirely; executors in those pairs lose access. If you are the executor: your active pairs are moved to the customer's archive, your name in existing messages and files is replaced with «Deleted user». A deletion audit log containing a hash of your e-mail (not the e-mail itself) is kept for 30 days for compliance purposes. Backups are purged within 30 days.
Other requests (access, rectification, portability, objection) go to the same address. Response time: up to 14 days.
8. Cookies and similar technologies
We classify cookies and browser storage into three categories. You choose which categories to allow via the cookie banner on first visit. You can change your choice at any time via the «Cookie preferences» link in the footer.
- Strictly necessary — Supabase authentication session (cookie + local storage entries managed by
@supabase/ssr). Required for sign-in. Cannot be disabled while using the service. Legal basis: Art. 6(1)(b) GDPR (contract performance); exempt from prior consent under ePrivacy Directive Art. 5(3). - Analytics (opt-in) — product analytics via PostHog Cloud EU (Frankfurt). Tracks page views and feature usage to help us improve the product. Person profiles are
identified_only, autocapture and session recording are disabled. Legal basis: Art. 6(1)(a) GDPR (your consent). - Error tracking (opt-in) — client-side error reports via Sentry. Sends stack traces, URLs and breadcrumbs of user actions in the few seconds before a crash so we can fix bugs. May incidentally include URL parameters and form labels. Cookies/IP are stripped server-side (
sendDefaultPii: false, custombeforeSendfilter). Legal basis: Art. 6(1)(a) GDPR (your consent).
Your consent is stored in your browser's localStorage under the key taskzen_cookie_consent_v1. Refusing analytics or error tracking does not restrict your access to any feature of the service. Server-side operational error logs (internal application errors that occur without a user request, never containing user content) are kept under legitimate interest (Art. 6(1)(f) GDPR) and are not subject to the cookie consent above.
9. Security
TLS encryption in transit, at-rest encryption on Supabase, database row-level security, sign-in rate limits. Absolute security cannot be guaranteed — use a strong password and do not share access.
10. Complaint to a supervisory authority
If you believe the processing infringes GDPR, you may lodge a complaint with the Latvian Data State Inspectorate (Datu valsts inspekcija) or with the supervisory authority of your EU country of residence.
11. Changes
Material changes will be announced by e-mail at least 14 days before taking effect.
12. Contact
Any questions: support@gettaskzen.eu.