Privacy Policy
Last updated: March 26, 2026 · Effective: March 26, 2026
1. Who We Are
TaskZilla is operated by TaskZilla B.V., registered in the Netherlands (KvK pending). We act as the data controller for the personal data described in this policy. For questions, contact us at support.taskzilla.ai.
2. Scope
This policy applies to all users of the TaskZilla platform, website (taskzilla.ai), onboarding portal, and related services. It covers data processed through our AI-powered project management assistant, including integrations with third-party tools you connect.
3. Data We Collect
3.1 Data you provide
- Account data — name, email address, workspace name, and team configuration provided during onboarding.
- Workspace content — task descriptions, comments, project structures, standup reports, and other content you create or import through integrations.
- Integration credentials — API tokens and webhook URLs for connected services (ClickUp, Telegram, GitHub, etc.), stored encrypted in our secrets vault.
- Communications — messages you send to TaskZilla and through TaskZilla-managed channels.
- Support requests — correspondence when you contact our support portal.
3.2 Data collected automatically
- Device and log data — browser type, operating system, IP address, access timestamps, and referring URLs.
- Usage data — features used, session duration, interaction patterns, and error logs (anonymized where possible).
- Cookie data — see Section 11 below.
3.3 Data generated by AI processing
- AI memory — TaskZilla maintains persistent AI memory systems to provide contextual, personalized assistance. This includes vector embeddings (ChromaDB) and entity relationships (Graphiti knowledge graph) derived from your workspace activity.
- AI-generated outputs — standup reports, task summaries, priority assignments, and recommendations generated by our AI models based on your workspace data.
4. How We Use Your Data
We process your data for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the TaskZilla service (AI standup generation, task routing, memory recall) | Art. 6(1)(b) — performance of contract |
| AI memory systems for contextual assistance | Art. 6(1)(b) — performance of contract |
| Account administration and billing | Art. 6(1)(b) — performance of contract |
| Security monitoring and abuse prevention | Art. 6(1)(f) — legitimate interest |
| Service improvement and error diagnostics | Art. 6(1)(f) — legitimate interest |
| Transactional communications (onboarding, billing, security alerts) | Art. 6(1)(b) — performance of contract |
| Analytics and conversion optimization (optional cookies) | Art. 6(1)(a) — consent |
| Compliance with legal obligations | Art. 6(1)(c) — legal obligation |
5. AI Processing and Automated Decision-Making
5.1 Artificial Intelligence disclosure
TaskZilla is an AI-powered project management assistant. It uses large language models and machine learning systems to generate content (including standups, task summaries, and recommendations), route tasks, assign priorities, and process team communications. All outputs generated by TaskZilla are produced by artificial intelligence and should be reviewed by a human before being relied upon for consequential decisions.
5.2 Automated processing
TaskZilla employs automated processing for the following functions:
- Task routing and assignment — based on project structure, workload parameters, and configurable rules.
- Priority classification — based on configurable criteria and rule-based logic.
- Standup report generation — based on task status data from integrated tools.
- Message routing — across integrated platforms based on channel configuration.
- Memory recall — retrieving relevant context from persistent memory systems.
These automated processes are based on rule-based logic and AI model inference. No decisions made by TaskZilla constitute solely automated decisions with legal or similarly significant effects on individuals within the meaning of Article 22 of the GDPR. Users and workspace administrators retain full human oversight and may override, modify, or disregard any AI-generated output or automated action.
5.3 AI memory systems
TaskZilla employs persistent memory systems that retain context across sessions:
- Vector database (ChromaDB) — stores semantic embeddings of workspace context for retrieval-augmented generation.
- Knowledge graph (Graphiti) — stores entity relationships and session context for improved continuity.
Memory data is subject to automated decay (time-based and relevance-based) and is stored exclusively on EU infrastructure (Hetzner, Germany). You may request complete deletion of your data from these memory systems at any time.
5.4 Right to explanation
You have the right to obtain meaningful information about the logic involved in automated processing that affects you. TaskZilla's automated functions operate as follows:
- Task routing uses configurable rules based on project structure, skill tags, and workload distribution.
- Priority assignment uses rule-based classification against configurable criteria.
- Standup generation uses LLM summarization of task status data from integrated tools.
You may request a more detailed explanation of any specific automated decision by contacting support.
6. Data Sharing and Sub-Processors
We do not sell your personal data. We share data only with the following categories of recipients:
6.1 AI model providers (sub-processors)
| Provider | Purpose | Data location | Training use |
|---|---|---|---|
| Anthropic (Claude) | AI inference for task management, standup generation, and contextual responses | US (SCCs in place) | No — prompts are not used for model training |
| Google (Imagen) | Image generation for diagrams and visual content | US (SCCs in place) | No |
| Local models (Ollama) | On-premises inference for embeddings and lightweight tasks | EU (Hetzner, Germany) | N/A — fully local |
For each sub-processor, we maintain data processing agreements ensuring GDPR-compliant processing. A current list of all sub-processors is available upon request.
6.2 Infrastructure providers
- Hetzner Cloud (Germany) — hosting and compute.
- Stripe (US, SCCs in place) — payment processing.
- Langfuse (EU) — AI observability and tracing (with 500-character input caps).
6.3 Legal obligations
We may disclose data when required by applicable law, regulation, or valid legal process, or to protect our rights, safety, or property.
7. International Data Transfers
Your data is primarily stored and processed within the European Union (Hetzner Cloud, Germany). Where data is transferred to providers outside the EU/EEA (specifically, Anthropic and Stripe in the United States), we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where appropriate.
- Data minimization — we minimize the personal data included in prompts sent to non-EU AI model providers.
8. Data Retention
| Data category | Retention period |
|---|---|
| Account data | Duration of subscription + 90 days |
| Workspace content | Duration of subscription + 90 days |
| AI memory (ChromaDB, Graphiti) | Subject to automated decay; deleted upon account closure or on request |
| Integration credentials | Deleted immediately upon disconnection or account closure |
| Usage analytics | Retained in anonymized form for up to 24 months |
| Log data | 90 days (rolling) |
| Billing records | As required by Dutch tax law (7 years) |
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
- Access (Art. 15) — obtain a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your data, including from AI memory systems. Embeddings computed from your personal data are themselves personal data and are included in erasure requests.
- Restriction (Art. 18) — restrict processing in certain circumstances.
- Data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7) — withdraw consent for optional cookies and analytics at any time.
- Human review of automated decisions (Art. 22) — obtain human intervention, express your point of view, and contest any automated decision. We will respond within 30 days.
- Lodge a complaint — you have the right to lodge a complaint with a supervisory authority. For the Netherlands, this is the Autoriteit Persoonsgegevens (AP).
To exercise any of these rights, contact us at support.taskzilla.ai. We will respond within 30 days.
10. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest for secrets and credentials.
- Role-based access controls and scoped API keys.
- Secrets vault with audit logging (no secrets in environment variables or code).
- Sandboxed agent execution environments with filesystem restrictions.
- 500-character caps on AI observability inputs to prevent data leakage.
- Automated weekly self-heal checks with detections for 26 known issues.
See our Security page for full details.
11. Cookies
11.1 Essential cookies (always active)
Required for core functionality: session management, security tokens, and preference storage.
11.2 Optional cookies (consent required)
- Analytics — measure page flow, experiments, and CTA performance. Only activated with your consent.
- Marketing — enable remarketing pixels and campaign attribution. Only activated with your consent.
You can manage your preferences at any time via the "Cookie settings" button in the site footer. Declining optional cookies does not affect core functionality.
12. Children
TaskZilla is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child under 16, we will delete it promptly.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated at least 30 days in advance via email or an in-app notification. The "last updated" date at the top reflects the most recent revision.
Questions? Reach us at support.taskzilla.ai.