Privacy Policy
Effective date: 17 March 2026
1. Introduction
TaskBerry is a day planning application for freelancers and professionals. It is operated by Groeien met Gydo, a company registered in the Netherlands (KvK: 81071698, VAT: NL003525719B18), with its registered address at Van Houweningenstraat 70, 1052 TR Amsterdam, The Netherlands.
This Privacy Policy explains what personal data we collect when you use TaskBerry, why we collect it, how we use it, and what rights you have under the General Data Protection Regulation (GDPR) and the Dutch UAVG (Uitvoeringswet AVG).
Groeien met Gydo is the data controller for all personal data processed through the TaskBerry application and website (taskberry.app). As the controller, we determine the purposes and means of processing your personal data.
By creating an account and using TaskBerry, you acknowledge that you have read and understood this policy. If you have questions or concerns, please contact us at privacy@taskberry.app.
2. Data We Collect
We collect only the data that is necessary to provide and improve TaskBerry. Below is an overview of what we collect and why.
Account data
Your email address is required to create and maintain a TaskBerry account. We use it to send you a magic-link login email and, where applicable, important service notifications. We do not collect your name unless you voluntarily provide it.
Task data
The core purpose of TaskBerry is task management. When you use the app, we store the tasks you create, including their titles, descriptions, labels, dates, time entries, size estimates, deadlines, completion status, and any value statements you attach. This data belongs to you and is stored in our database under your user account.
AI conversation data
When you use the AI assistant, your messages and the AI's responses are stored in our database (the coach_sessions table). This history is used to provide continuity across sessions — so the assistant can reference what was discussed previously. You can delete your conversation history at any time from your account settings.
Context notes
You can provide personal context to help the AI assistant understand your working style and situation — for example, "I work four days a week" or "Mondays are for client calls." These notes are stored in our database and included in AI prompts when you use the assistant. You control what context notes exist and can delete individual notes at any time.
Usage settings
We store your personal preferences such as your daily capacity in minutes and your workday end time. These settings are used to power the capacity bar and overflow indicators on your day board.
Billing data
When you subscribe to a paid plan, we store your Stripe customer ID, plan tier (Free, Starter, or Pro), and subscription status. We do not store your credit card number, card expiry, or any other raw payment instrument data. Payment card data is handled exclusively by Stripe and never touches our servers.
Technical data
Our hosting infrastructure (Vercel and Supabase) automatically logs server-side technical data, including IP addresses, HTTP request paths, timestamps, and browser user-agent strings. These logs are used for security monitoring, abuse prevention, and diagnosing technical issues. We do not use this data for profiling or marketing purposes.
3. How We Use Your Data
We process your personal data only for specific, documented purposes. The GDPR requires us to identify a legal basis for each purpose. Here is an overview:
| Purpose | Legal basis |
|---|---|
| Providing and operating the TaskBerry service (authentication, task storage, settings, labels, capacity tracking) | Contract performance — Art. 6(1)(b) GDPR |
| Sending your messages and relevant task context to Google Gemini to power the AI assistant feature | Contract performance — Art. 6(1)(b) GDPR |
| Processing subscription payments via Stripe and managing your plan tier | Contract performance — Art. 6(1)(b) GDPR |
| Storing AI conversation history to provide continuity across assistant sessions | Legitimate interest — Art. 6(1)(f) GDPR. Our legitimate interest is providing a coherent assistant experience. You can delete your history at any time. |
| Server-side access logs for security monitoring and abuse prevention | Legitimate interest — Art. 6(1)(f) GDPR. Our legitimate interest is protecting the security and integrity of the service. |
| Retaining billing and transaction records for tax and accounting purposes | Legal obligation — Art. 6(1)(c) GDPR (Dutch tax law, 7-year retention requirement) |
| Measuring aggregate usage through Google Analytics to understand how the product is used | Consent — Art. 6(1)(a) GDPR. Analytics cookies are only placed after you give explicit consent via our cookie banner. |
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects. We do not sell your personal data to any third party.
4. AI Assistant
The AI assistant feature is powered by Google Gemini, a large language model provided by Google LLC. When you send a message to the assistant, that message — along with relevant context such as your tasks for the day and any context notes you have set — is transmitted to the Gemini API for processing. The AI's response is then returned and displayed to you.
Google's use of your data: We use a paid Gemini API plan. Under Google's paid API terms, Google does not use your data to train, improve, or develop its AI models. Your messages are processed in real time to generate a response. Google may retain conversation data for up to 55 days for abuse monitoring purposes under its API usage policies, after which it is deleted from Google's systems.
Storage on our side: Conversation history is stored in our database so that the assistant can reference previous sessions and provide a more coherent experience. This history is tied to your account and is accessible only by you.
Transparency: The AI assistant is always clearly identified as an automated AI system. You are never talking to a human when using this feature.
Your control: You can delete your entire AI conversation history at any time from your account settings. If you prefer not to use the AI assistant, you can simply not use that feature — all other parts of TaskBerry work without it.
Advice to avoid sensitive data: We recommend you do not include highly sensitive personal data (such as health information, financial account numbers, or information about third parties without their consent) in your AI assistant messages or context notes, as this data will be sent to Google's API for processing.
5. Data Processors (Sub-processors)
We work with a limited number of trusted third-party processors to operate TaskBerry. Each processor is bound by a Data Processing Agreement (DPA) and may only process your data according to our documented instructions.
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase Inc. | Database hosting and user authentication | EU (Frankfurt, Germany) | supabase.com/legal/dpa |
| Vercel Inc. | Web application hosting and CDN | EU/US (SCCs in place) | vercel.com/legal/dpa |
| Google LLC | AI assistant processing (Gemini API) | US (SCCs in place) | cloud.google.com/security/compliance/eu-scc |
| Stripe Inc. | Payment processing and subscription management | EU/US (SCCs in place) | stripe.com/legal/dpa |
| Upstash Inc. | Rate limiting for AI features (Redis) | US (SCCs in place) | upstash.com/legal |
| Google LLC | Website analytics (Google Analytics) — consent-gated | US (consent + SCCs in place) | analytics.google.com/analytics/terms |
6. International Data Transfers
Some of our processors are located in the United States. Transferring personal data from the European Economic Area (EEA) to the US is only permitted when adequate safeguards are in place.
For all US-based processors (Vercel, Google, Stripe, Upstash), we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914) as the legal mechanism for transferring your data. SCCs impose contractual obligations on the recipient to protect your data to EEA standards.
Google and Stripe also participate in the EU-US Data Privacy Framework (DPF), which provides an additional adequacy mechanism recognised by the European Commission. Participation in the DPF means these companies are certified to handle EU personal data in compliance with EU data protection requirements.
Our primary database (Supabase) is hosted in Frankfurt, Germany, within the EU, so no international transfer occurs for your core application data.
You can request a copy of the applicable SCCs or DPA for any processor by contacting us at privacy@taskberry.app. You can also access each processor's own DPA via the links in Section 5 above.
7. Data Retention
We retain your data for as long as necessary to deliver the service and meet our legal obligations. The table below sets out the specific retention periods for each category.
| Data category | Retention period |
|---|---|
| Account data and task data | For the duration of your account, plus 30 days after account deletion (to allow accidental-deletion recovery) |
| AI conversation history | 12 months from the session date, or until account deletion, whichever comes first. You can also delete your history manually at any time. |
| Context notes | For the duration of your account. You can delete individual notes at any time. |
| Billing records and transaction data | 7 years from the date of the last transaction, as required by Dutch tax law (Artikel 52 AWR) |
| Server access logs (Vercel and Supabase) | Maximum 90 days, after which logs are automatically purged |
| Google Analytics data | 14 months, as configured in our Google Analytics account. Only collected after explicit consent. |
| Google Gemini (Google-side processing) | Up to 55 days for abuse monitoring under Google's paid API terms, after which Google deletes the data from its systems |
When you request account deletion, we will delete your personal data from our active systems within the 30-day grace period. Data that we are required to retain for legal reasons (such as billing records) will be isolated and not used for any other purpose.
8. Cookies
TaskBerry uses a small number of cookies. We distinguish between strictly necessary cookies (which do not require your consent) and optional analytics cookies (which require your explicit consent before being placed).
Strictly necessary cookies
These cookies are essential for the service to function and are placed regardless of your cookie preferences.
| Cookie name | Purpose |
|---|---|
| supabase-auth-token | Stores your authentication session so you remain logged in between page loads and browser sessions. Contains a JWT that expires and is automatically refreshed. |
| taskberry-consent | Stores your cookie consent preference (accepted or declined) so we do not show the cookie banner on every visit. |
Analytics cookies
These cookies are placed only after you give your explicit consent via our cookie banner. You can withdraw your consent at any time via the Cookie Settings link in the footer.
| Cookie name | Purpose |
|---|---|
| _ga | Google Analytics. Distinguishes unique users by assigning a randomly generated number as a client identifier. Expires after 2 years. |
| _gid | Google Analytics. Used to distinguish users. Expires after 24 hours. |
We do not use advertising cookies, tracking pixels, or any cookies for marketing or retargeting purposes.
You can manage or withdraw your analytics cookie consent at any time by clicking the Cookie Settings link in the footer of any page.
9. Your Rights
Under the GDPR, you have the following rights regarding your personal data. These rights apply to the extent permitted by applicable law and may be subject to certain conditions or limitations.
Right of access (Art. 15)
You have the right to request a copy of all personal data we hold about you, along with information about how it is processed — including the purposes, categories of data, and recipients.
Right to rectification (Art. 16)
If any of the personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct it. Much of your data (tasks, labels, context notes) can be corrected directly within the application.
Right to erasure (Art. 17)
Also known as the "right to be forgotten." You can request that we delete your personal data. We will honour this request within 30 days, except where we have a legal obligation to retain certain data (such as billing records under Dutch tax law).
Right to restriction of processing (Art. 18)
In certain circumstances — for example, if you contest the accuracy of your data, or if processing is unlawful but you do not want erasure — you can request that we restrict how we use your data while the issue is being resolved.
Right to data portability (Art. 20)
Where processing is based on your consent or on a contract, and carried out by automated means, you have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV). You can also ask us to transmit this data to another controller where technically feasible.
Right to object (Art. 21)
Where we process your personal data on the basis of legitimate interest, you have the right to object to that processing. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. For example, you can object to the use of server logs for security purposes.
Right to withdraw consent (Art. 7(3))
Where processing is based on your consent (such as Google Analytics), you can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal. You can withdraw analytics consent via the Cookie Settings link in the footer.
How to exercise your rights
To exercise any of the rights above, send an email to privacy@taskberry.app. Please include enough information for us to identify your account (your email address is sufficient). We will respond within 30 days of receiving your request. If your request is complex or we receive a high volume of requests, we may extend this period by a further two months, and we will inform you of this extension within 30 days.
If you are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Dutch data protection authority:
- Autoriteit Persoonsgegevens
- Website: autoriteitpersoonsgegevens.nl
- Telephone: +31 88 1805 250
You also have the right to lodge a complaint with the supervisory authority in the EU member state where you habitually reside, work, or where the alleged infringement took place.
10. Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, disclosure, or destruction.
- Encryption in transit: All communication between your browser and TaskBerry servers is encrypted using TLS (Transport Layer Security). Connections over plain HTTP are automatically redirected to HTTPS.
- Encryption at rest: Your data is stored on Supabase (hosted on AWS Frankfurt) and Vercel, both of which encrypt data at rest using AES-256 at the infrastructure level.
- Access controls: Our database uses Row Level Security (RLS), which means each user can only access their own data. API routes verify your identity on every request using a signed JWT. Service-role database access (which bypasses RLS) is restricted to server-side webhook processing only and is not accessible to client-side code.
- Authentication: TaskBerry uses magic-link authentication via Supabase. We do not store passwords. Sessions expire and tokens are automatically refreshed.
- No data sales: We do not sell, rent, or trade your personal data to any third party for any purpose. We share data with processors only to the extent necessary to operate the service.
Despite these measures, no system is completely secure. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and, where required, inform affected users without undue delay.
11. Children
TaskBerry is not directed at children under the age of 16 and we do not knowingly collect personal data from minors. The service is a professional productivity tool intended for use by adults.
If you are under 16, please do not use TaskBerry or provide any personal data through the service. If we become aware that we have inadvertently collected personal data from a child under 16, we will delete that data as promptly as possible. If you believe we may have collected data from a minor, please contact us at privacy@taskberry.app.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the service, our processing activities, or applicable law. The date at the top of this page always shows when the policy was last updated.
For material changes — meaning changes that significantly affect your rights or how we process your data — we will notify you at least 30 days before they take effect. We will do this via email to the address associated with your account, and/or via an in-app notice when you log in.
For minor clarifications or corrections (such as fixing a typo or updating a link), we may update the policy without advance notice.
Continuing to use TaskBerry after a policy change takes effect constitutes your acknowledgement of the updated policy. If you do not agree with the changes, you can request deletion of your account by emailing privacy@taskberry.app.
13. Contact
If you have questions about this Privacy Policy, want to exercise your rights, or have a concern about how we process your data, please contact us:
- Email: privacy@taskberry.app
- Company: Groeien met Gydo
- Address: Van Houweningenstraat 70, 1052 TR Amsterdam, The Netherlands
- KvK: 81071698
We aim to respond to all privacy-related enquiries within 5 business days. For formal rights requests (access, erasure, portability, etc.), we will respond within 30 days as required by the GDPR.