Privacy Policy for Nodask (Beta)

Effective Date: June 21, 2025

1. Introduction & Data Controller

Nodask is a visual task‑management app currently in beta, developed by an individual developer team (“we/us”).
Data controller: Skander Mhadhbi Contact Email: contact@nodask.com

We commit to your privacy and to comply with GDPR, CCPA, and PIPEDA.

2. What We Collect

• Account Data: Email address, Convex-authenticated session ID
• User Content: Workspaces, boards, tasks, subtasks, labels, statuses, task operators
• Metadata: Activity logs, timestamps, device/browser information (non-identifying)

Note: We do not use cookies or third-party tracking in this beta. If that changes, we will publish a cookie notice.

3. How We Use Your Data

Your data is processed solely to:

• Authenticate and manage your account via Convex
• Enable collaborative features and save your work
• Improve Nodask during beta testing

We do not use your data for advertising or third-party analytics.

Legal Basis (GDPR): processing is necessary to perform the service contract and for our legitimate interest in product improvement.

4. Infrastructure, Hosting & Security

• Frontend: Vercel (U.S. and global edge)
• Real-time backend: Fly.io (U.S. and EU edge)
• Authentication & database: Convex (U.S.-hosted)

Security Measures:

• Encryption in transit: HTTPS/TLS
• Encryption at rest: AES‑256
• Access strictly restricted via role-based access controls
• Audit logging enabled for all access
• Convex handles authentication using secure token-based mechanisms (no plaintext passwords stored)

5. Third‑Party Processors

We do not sell or monetize personal data. Third-party providers (Vercel, Fly.io, Convex) process data only to deliver Nodask under binding agreements. We require Data Processing Agreements (DPAs) from all processors.

6. International Data Transfers

We use Standard Contractual Clauses (SCCs) for data transfers outside your jurisdiction. You may request a copy of our executed SCCs.

7. Data Retention & Deletion

• Active accounts: retained while your account exists
• Soft‑deleted content (account, boards, tasks): recoverable for 30 days
• Inactive accounts: deleted after 12 months of inactivity, with prior notice
• Backups and logs: retained up to 90 days, then purged

8. Your Rights

You have the right to:

• Access, correct, delete, export your data
• Withdraw consent or object to processing
• Lodge a complaint with a supervisory authority

Requests made to contact@nodask.com will be addressed within 30 days.

9. Children’s Privacy

Not intended for children under 13. We do not knowingly collect data from minors. If discovered, we will delete it immediately.

10. Policy Updates

We may update this policy. Major changes will be communicated via email or in-app notification. Continued use implies acceptance.