Data Protection & Privacy Policy
Version 1.2.0 · Effective date: 20 April 2026 · Prepared by the Data Protection, Workflow & Security Officer, TaskIt!
1. Introduction and Scope
TaskIt! ("we", "us", "our") is committed to protecting the privacy and personal data of all users, including children and vulnerable individuals who may use, or indirectly appear in, the service. This policy explains what personal data we collect, why, how long we keep it, and the rights you hold under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
This policy applies to all processing activities carried out by TaskIt!, including the web application, associated APIs, and any email communications we send.
2. Data Controller
The data controller for all personal data processed by TaskIt! is:
J Rowson (sole trader)
Website: jahosi.co.uk
J Rowson is registered as a Data Controller with the Information Commissioner's Office (ICO) under the domain jahosi.co.uk, in accordance with the Data Protection Act 2018 and UK GDPR. You can verify this registration on the ICO's public register at ico.org.uk/esdwebpages/search.
For all data-protection enquiries please contact us via the website above.
3. Personal Data We Collect
| Category | Data Items | Purpose |
|---|---|---|
| Account | Username, email address, hashed password | Authentication and identity management |
| Tasks & Groups | Task titles, notes, due dates, status; group names | Provision of core task-management features |
| Security Logs | Failed-login counts, account lock timestamps | Fraud prevention and account protection |
| Authentication Tokens | Magic-link tokens, one-time passwords (stored hashed or short-lived) | Secure passwordless and two-factor authentication |
| User Reports | Reporter ID, reported-user ID, reason text | Safeguarding and community moderation |
| Technical | IP addresses (processed transiently by rate-limiting middleware) | Denial-of-service protection; not stored persistently |
| Preferences | Date & time locale preference; per-task notification settings (email / browser popup per timing window) | Personalise date display; deliver the reminders you choose |
| Calendar Integration | Private ICS token (cryptographically random, not linked to any external service) | Allow opt-in calendar subscription |
| Feedback | Message text; whether you consent to in-app admin reply | Improve the service and respond to user queries |
| Gamification (opt-in) | XP totals, skill levels, achievement unlock records, streak counts, freeze credits; enabled/disabled flag | Provide the opt-in productivity gamification features. Disabled by default; fully controlled by the user |
We do not collect special-category data (Article 9 UK GDPR), payment information, or data relating to children's identities beyond what a user voluntarily provides as part of a task description.
3a. Important: Do Not Submit Sensitive or Special-Category Data
⚠️ Sensitive Data Warning
TaskIt! is a general-purpose task manager. It is not approved or certified for processing special-category personal data under Article 9 UK GDPR or any equivalent regulation. You must not submit any of the following in task titles, notes, group names, feedback, or any other field:
- Healthcare or medical information (diagnoses, medications, treatment records)
- Government-issued identifiers (passport numbers, National Insurance numbers, tax IDs)
- Industrial, commercial, or trade secrets
- Financial account details (bank account numbers, credit card numbers)
- Biometric or genetic data
- Data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation
- Criminal records or allegations
Submitting such data is a breach of these Terms. If you inadvertently submit sensitive data, delete it immediately using the in-app tools, or use the self-service account deletion feature.
3b. What the Administrator Can and Cannot See
The system administrator of this TaskIt! instance has access to the following through the Admin Panel:
- Registered usernames and email addresses (for account management purposes)
- Aggregate usage statistics (total user count, task count — not individual task content)
- Accounts locked due to failed login attempts
- User reports submitted via the in-app reporting feature
- Feedback and feature requests submitted via the Feedback form
The administrator cannot easily view individual task titles, task details, task notes, or group contents through the standard Admin Panel interface. Such data is stored in the database and would require direct database access to retrieve. The design intent is that task content remains private to the users who create and share it within their groups.
Notwithstanding the above, as the data controller has physical or logical access to the server and database, no absolute technical barrier exists. Users should not rely on administrative privacy alone as a substitute for not submitting sensitive data in the first place.
4. Lawful Bases for Processing
- Contract (Article 6(1)(b)): Processing your account details, tasks, and group memberships is necessary to provide the service you have signed up for.
- Legitimate Interests (Article 6(1)(f)): Security logging, rate limiting, and safeguarding reports are processed on the basis of our legitimate interests in protecting users and preventing abuse, balanced against your rights.
- Legal Obligation (Article 6(1)(c)): We may retain certain records where required by law.
5. Safeguarding
TaskIt! takes child safeguarding and the protection of vulnerable users seriously. Where a user-report concerns a minor or a safeguarding concern, it will be escalated to the Data Controller without delay and, where required by law, referred to the appropriate statutory authority (e.g. local safeguarding board, police). Users are encouraged to report any content or behaviour they consider harmful using the in-app reporting feature.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| User account (active) | Until account deletion requested |
| Tasks and groups | Until deleted by the user or account closure |
| Magic-link & OTP tokens | 15 minutes (magic link) / 10 minutes (OTP) after issuance; purged on use or expiry |
| Security / lock-out data | Cleared on account unlock; otherwise 6 months |
| User reports | 7 years (safeguarding obligation) |
| Feedback messages | Until archived by the administrator or account closure |
| Gamification data (opt-in) | Until account deletion or explicit opt-out (data preserved on opt-out; deleted on account closure) |
| ICS calendar token | Until regenerated by the user or account closure |
7. Data Security
We apply the following technical and organisational measures:
- Database encryption at rest: The entire SQLite database file is encrypted using SQLCipher (AES-256 in CBC mode), ensuring that all stored data — including usernames, email addresses, task content, and all other records — is unreadable without the encryption key, even if the underlying storage is compromised.
- Passwords are stored using bcrypt with a work factor of 10 (never in plain text). This means passwords cannot be recovered even by the data controller.
- All session tokens are cryptographically random (256-bit entropy) and single-use.
- Password-reset tokens are purpose-bound (tagged
reset) and cannot be reused for login; they expire after 15 minutes. - Two-factor authentication (email OTP) is required for all password-based logins.
- Account lockout after repeated failed authentication attempts.
- Transport-layer security (TLS/HTTPS) is required between clients and the server.
- API rate limiting is applied to all endpoints to mitigate brute-force attacks.
- The database is stored on-server only; no third-party cloud database is used.
- SMTP credentials are stored within the encrypted database and never exposed via the API.
8. Sharing and Transfers
We do not sell, rent, or share personal data with third parties for marketing purposes. Data may be shared:
- SMTP provider: Your email address is passed to the configured SMTP relay solely to deliver authentication and notification emails.
- Legal requirements: We may disclose data if required by law, court order, or to protect the safety of users.
All data is stored and processed within the United Kingdom. If data is transferred outside the UK, adequate safeguards (e.g. UK adequacy decisions or appropriate safeguards under Article 46 UK GDPR) will be applied.
9. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — you may delete your account and all associated data immediately and without administrator involvement by using the Delete My Account button in your Profile page. This permanently removes your account, tasks, notes, group memberships, and all other personal data. For data held under a safeguarding obligation (user reports, 7-year retention — see §6), a separate erasure request must be submitted to the Data Controller.
- Restriction of processing in certain circumstances.
- Data portability where processing is based on consent or contract and is carried out by automated means.
- Object to processing based on legitimate interests.
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, please contact us via jahosi.co.uk. We will respond within 30 days.
10. Browser Storage (localStorage) — No Tracking Cookies
TaskIt! does not use tracking or advertising cookies. We store the following
items in your browser's localStorage to make the application function correctly.
All storage is first-party, stored locally in your browser only, and never shared with third
parties. You can clear this data at any time via your browser settings or by signing out.
| Key | Contents | Purpose & Basis |
|---|---|---|
| jbToken | JSON Web Token (JWT) — cryptographically signed, no personal data embedded | Strictly necessary — maintains your authenticated session |
| jbUser | Username, email, role, locale preference | Strictly necessary — populates the UI and locale formatting without a round-trip to the server on each page load |
| taskit_app_version | The app version string last seen (e.g. 1.3.1) |
Strictly necessary — detects when a new version is deployed and prompts the update banner |
| jbPopupFired | Set of task IDs and timing keys, keyed to today's date | Functional — prevents duplicate browser popup notifications firing for the same task on the same day. Cleared daily |
| jbGamifAsked | Flag ("1") set when the gamification opt-in prompt has been shown |
Functional — ensures the opt-in dialog is shown only once per device, respecting your choice |
| jbCookieNotice | Flag ("1") set when the storage notice has been dismissed |
Functional — prevents the informational storage notice from reappearing after you acknowledge it |
No cookies (HTTP Set-Cookie headers) are used by TaskIt!. All
session management relies solely on localStorage as described above. Because
none of the above storage is used for tracking, profiling, or advertising, no consent banner
is legally required under UK PECR for strictly necessary or purely functional storage.
We display an informational notice on first visit as a matter of transparency.
11. Changes to This Policy
This policy may be updated from time to time. The current version and effective date are displayed at the top of this page. Continued use of the service after a material change constitutes acceptance of the updated policy.
12. Contact
Data Protection Officer contact:
jahosi.co.uk
To submit feedback, feature requests, or to contact the administrator, use the Feedback & Feature Requests form in the app's Profile section.