Effective date: 24 June 2026
TaskBerry is a day planning application for freelancers and professionals. It is operated by Groeien met Gydo, a company registered in the Netherlands (KvK: 81071698, VAT: NL003525719B18), with its registered address at Van Houweningenstraat 70, 1052 TR Amsterdam, The Netherlands.
This Privacy Policy explains what personal data we collect when you use TaskBerry, why we collect it, how we use it, and what rights you have under the General Data Protection Regulation (GDPR) and the Dutch UAVG (Uitvoeringswet AVG).
Groeien met Gydo is the data controller for all personal data processed through the TaskBerry application and website (taskberry.app). As the controller, we determine the purposes and means of processing your personal data.
By creating an account and using TaskBerry, you acknowledge that you have read and understood this policy. If you have questions or concerns, please contact us at privacy@taskberry.app.
We collect only the data that is necessary to provide and improve TaskBerry. Below is an overview of what we collect and why.
Your email address is required to create and maintain a TaskBerry account. We use it to send you a magic-link login email and, where applicable, important service notifications. We do not collect your name unless you voluntarily provide it.
The core purpose of TaskBerry is task management. When you use the app, we store the tasks you create, including their titles, descriptions, labels, dates, time entries, size estimates, deadlines, completion status, and any value statements you attach. This data belongs to you and is stored in our database under your user account.
When you use the AI assistant, your messages and the AI's responses are stored in our database (the coach_sessions table). This history is used to provide continuity across sessions — so the assistant can reference what was discussed previously. You can delete your conversation history at any time from your account settings.
You can provide personal context to help the AI assistant understand your working style and situation — for example, "I work four days a week" or "Mondays are for client calls." These notes are stored in our database and included in AI prompts when you use the assistant. You control what context notes exist and can delete individual notes at any time.
We store your personal preferences such as your daily capacity in minutes and your workday end time. These settings are used to power the capacity bar and overflow indicators on your day board.
When you subscribe to a paid plan, we store your Stripe customer ID, plan tier (Free or Pro), and subscription status. We do not store your credit card number, card expiry, or any other raw payment instrument data. Payment card data is handled exclusively by Stripe and never touches our servers.
Our hosting infrastructure (Vercel and Supabase) automatically logs server-side technical data including IP addresses, HTTP request paths, timestamps, and browser user agent strings. These logs are used for security monitoring, abuse prevention, and diagnosing technical issues.
We process your personal data only for specific, documented purposes. The GDPR requires us to identify a legal basis for each purpose. Here is an overview:
| Purpose | Legal basis |
|---|---|
| Providing and operating the TaskBerry service (authentication, task storage, settings, labels, capacity tracking) | Contract performance — Art. 6(1)(b) GDPR |
| Sending your messages and relevant task context to Google Gemini to power the AI assistant feature | Contract performance — Art. 6(1)(b) GDPR |
| Processing subscription payments via Stripe and managing your plan tier | Contract performance — Art. 6(1)(b) GDPR |
| Storing AI conversation history to provide continuity across assistant sessions | Legitimate interest — Art. 6(1)(f) GDPR. Our legitimate interest is providing a coherent assistant experience. You can delete your history at any time. |
| Server-side access logs for security monitoring and abuse prevention | Legitimate interest — Art. 6(1)(f) GDPR. Our legitimate interest is protecting the security and integrity of the service. |
| Sending the occasional product or reactivation email if you stop using TaskBerry | Legitimate interest — Art. 6(1)(f) GDPR. Our legitimate interest is helping people who signed up but drifted away get value from the product. You can opt out anytime with the one-click link in the email or the toggle in your account settings. |
| Retaining billing and transaction records for tax and accounting purposes | Legal obligation — Art. 6(1)(c) GDPR (Dutch tax law, 7-year retention requirement) |
| Measuring aggregate usage through Google Analytics to understand how the product is used | Consent — Art. 6(1)(a) GDPR. Analytics cookies are only placed after you give explicit consent via our cookie banner. |
Within TaskBerry, we do not use your data for automated decision-making or profiling that produces legal or similarly significant effects. If you grant marketing consent, TaskBerry shares conversion data with Meta (see section 5 and section 8), which lets Meta optimise your ads on its own basis. We do not sell your personal data to any third party.
The AI assistant feature is powered by Google Gemini, a large language model provided by Google LLC. When you send a message to the assistant, that message — along with relevant context such as your tasks for the day and any context notes you have set — is transmitted to the Gemini API for processing. The AI's response is then returned and displayed to you.
Google's use of your data: We use a paid Gemini API plan. Under Google's paid API terms, Google does not use your data to train, improve, or develop its AI models. Your messages are processed in real time to generate a response. Google may retain conversation data for up to 55 days for abuse monitoring purposes under its API usage policies, after which it is deleted from Google's systems.
Storage on our side: Conversation history is stored in our database so that the assistant can reference previous sessions and provide a more coherent experience. This history is tied to your account and is accessible only by you.
Transparency: The AI assistant is always clearly identified as an automated AI system. You are never talking to a human when using this feature.
Your control: You can delete your entire AI conversation history at any time from your account settings. If you prefer not to use the AI assistant, you can simply not use that feature — all other parts of TaskBerry work without it.
Advice to avoid sensitive data: We recommend you do not include highly sensitive personal data (such as health information, financial account numbers, or information about third parties without their consent) in your AI assistant messages or context notes, as this data will be sent to Google's API for processing.
We work with a limited number of trusted third parties to operate TaskBerry. Each processor is bound by a Data Processing Agreement (DPA) and may only process your data according to our documented instructions. Meta is the exception: for the Meta Business Tools (the Meta Pixel and the Conversions API), Meta and TaskBerry act as joint controllers. In that role Meta is not a sub-processor under our DPA but an independent controller, and this data sharing is governed by the Meta Business Tools terms, including the joint controller addendum.
The Status column distinguishes processors that are actively handling user data today ("Active") from those whose data path is wired in the codebase or planned for an upcoming feature but not yet processing live customer data ("Pre-disclosed"). We list pre-disclosed processors so that you have notice of every processor that could receive your data, even before the corresponding feature is enabled.
| Processor | Purpose | Location | Status | DPA |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication and storage | EU (Frankfurt, Germany) | Active | supabase.com/legal/dpa |
| Vercel Inc. | Web application hosting, edge functions and CDN | EU/US (SCCs in place) | Active | vercel.com/legal/dpa |
| Vercel Inc. (Vercel Analytics) | Aggregated website usage analytics (EU-hosted) | EU/US (SCCs in place) | Active (analytics consent required) | vercel.com/legal/dpa |
| Google LLC (Gemini API) | AI assistant processing | US (SCCs + DPF) | Active | cloud.google.com/terms/data-processing-addendum |
| Stripe Inc. | Payment processing and subscription management | EU/US (SCCs + DPF; EU data residency available) | Active | stripe.com/legal/dpa |
| Upstash Inc. | Rate limiting and Redis cache | US (SCCs in place) | Active | upstash.com/trust/dpa |
| Resend, Inc. | Transactional and lifecycle email delivery | US (SCCs in place) | Active | resend.com/legal/dpa |
| Google LLC (Google Analytics) | GA4 website analytics | US (SCCs + DPF) | Active (analytics consent required) | analytics.google.com/terms/dpa |
| Atlassian (Trello) | Task import integration | US (SCCs in place) | Pre-disclosed (no live customers yet) | atlassian.com/legal/data-processing-addendum |
| Google Workspace (Gmail) | Inbound email integration (planned) | US (SCCs + DPF) | Pre-disclosed | cloud.google.com/terms/data-processing-addendum |
| Meta Platforms Ireland Ltd. | Advertising pixel (Meta Pixel) and server-side conversion measurement (Conversions API) | IE/US (SCCs + DPF) | Active (only with marketing consent) | facebook.com/legal/terms/businesstools |
| LinkedIn Corporation | Advertising pixel (LinkedIn Insight Tag) | US (SCCs + DPF) | Pre-disclosed (not yet wired) | linkedin.com/legal/l/dpa |
| Google LLC (Google Ads) | Advertising conversion tracking | US (SCCs + DPF) | Pre-disclosed (not yet wired) | cloud.google.com/terms/data-processing-addendum |
Meta appears in this table for completeness, but it is not a processor: for the Meta Business Tools, Meta is a joint controller, as explained above. For Meta, the DPA column points to the Meta Business Tools terms, not to a data processing agreement.
Following the Court of Justice of the European Union's "Schrems II" judgment (Case C-311/18), transfers of personal data to the United States require additional safeguards beyond Standard Contractual Clauses (SCCs). Several of our US-based sub-processors — Resend, Google LLC, Meta Platforms, LinkedIn Corporation, and Upstash — combine SCCs with their certification under the EU-US Data Privacy Framework (DPF), an adequacy decision adopted by the European Commission on 10 July 2023 (Commission Implementing Decision (EU) 2023/1795).
Stripe offers EU data residency for primary processing and additionally relies on SCCs and DPF certification for incidental transfers. Resend relies on SCCs; we are tracking its DPF certification status and will update this disclosure when confirmed. We monitor ongoing legal challenges to the DPF (often referred to as "Schrems III") and will update this policy if the adequacy decision is invalidated or materially modified.
Under Article 15 GDPR you have the right to obtain information about the safeguards we rely on for any third-country transfer of your personal data, and under Article 21 GDPR you have the right to object to processing based on legitimate interest, including international transfers. You may exercise these rights by contacting privacy@taskberry.app.
Some of our processors are located in the United States. Transferring personal data from the European Economic Area (EEA) to the US is only permitted when adequate safeguards are in place.
For all US-based processors (Vercel, Google, Stripe, Upstash), we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914) as the legal mechanism for transferring your data. SCCs impose contractual obligations on the recipient to protect your data to EEA standards.
Google and Stripe also participate in the EU-US Data Privacy Framework (DPF), which provides an additional adequacy mechanism recognised by the European Commission. Participation in the DPF means these companies are certified to handle EU personal data in compliance with EU data protection requirements.
Our primary database (Supabase) is hosted in Frankfurt, Germany, within the EU, so no international transfer occurs for your core application data.
You can request a copy of the applicable SCCs or DPA for any processor by contacting us at privacy@taskberry.app. You can also access each processor's own DPA via the links in Section 5 above.
We retain your data for as long as necessary to deliver the service and meet our legal obligations. The table below sets out the specific retention periods for each category.
| Data category | Retention period |
|---|---|
| Account data and task data | For the duration of your account, plus 30 days after account deletion (to allow accidental-deletion recovery) |
| AI conversation history | 12 months from the session date, or until account deletion, whichever comes first. You can also delete your history manually at any time. |
| Context notes | For the duration of your account. You can delete individual notes at any time. |
| Billing records and transaction data | 7 years from the date of the last transaction, as required by Dutch tax law (Artikel 52 AWR) |
| Server access logs (Vercel and Supabase) | Maximum 90 days, after which logs are automatically purged |
| Google Analytics data | 14 months, as configured in our Google Analytics account. Only collected after explicit consent. |
| Google Gemini (Google-side processing) | Up to 55 days for abuse monitoring under Google's paid API terms, after which Google deletes the data from its systems |
When you request account deletion, we will delete your personal data from our active systems within the 30-day grace period. Data that we are required to retain for legal reasons (such as billing records) will be isolated and not used for any other purpose.
TaskBerry uses a small number of cookies. We distinguish between strictly necessary cookies (which do not require your consent) and optional analytics cookies (which require your explicit consent before being placed).
These cookies are essential for the service to function and are placed regardless of your cookie preferences.
| Cookie name | Purpose |
|---|---|
| supabase-auth-token | Stores your authentication session so you remain logged in between page loads and browser sessions. Contains a JWT that expires and is automatically refreshed. |
| taskberry-consent | Stores your cookie consent preference (accepted or declined) so we do not show the cookie banner on every visit. |
These cookies are placed only after you give your explicit consent via our cookie banner. You can withdraw your consent at any time via the Cookie Settings link in the footer.
| Cookie name | Purpose |
|---|---|
| _ga | Google Analytics. Distinguishes unique users by assigning a randomly generated number as a client identifier. Expires after 2 years. |
| _gid | Google Analytics. Used to distinguish users. Expires after 24 hours. |
When you grant analytics consent, we use Google Analytics 4 and Vercel Analytics to measure how the site is used in aggregate. When you grant marketing consent, we use the Meta Pixel to measure ad performance and to optimise our advertising campaigns. The LinkedIn Insight Tag and Google Ads conversion tracking belong to the same marketing category and may run on the same basis. No tracking, marketing, or advertising scripts run without your explicit consent for the relevant category.
Alongside the Meta Pixel in your browser, and only when you have granted marketing consent, we share certain data directly from our server with Meta through the Conversions API. This covers your email address, which we hash with SHA-256 beforehand so it is never sent in readable form, your IP address, your user agent, and the Meta cookie identifiers _fbp and _fbc. We use this data only to measure ad conversions, for example when a trial turns into a paid subscription. Limited Data Use applies to these events, an extra restriction on how Meta may process the data. The identifiers we capture (_fbp, _fbc, the IP address, and the user agent) are stored only transiently and deleted the moment the conversion is sent to Meta.
The marketing cookies involved include _fbp and _fbc (Meta), _gcl_au, _gcl_aw, _gac_* (Google Ads conversion linker), and lidc, bcookie, UserMatchHistory (LinkedIn Insight Tag, third-party from licdn.com). The LinkedIn and Google pixels are not yet wired; we will update and re-disclose that list before either of those pixels is activated.
You can manage or withdraw your cookie consent at any time by clicking the Cookie Settings link in the footer of any page. Withdrawing consent for a category stops the corresponding scripts from collecting new data.
Under the GDPR, you have the following rights regarding your personal data. These rights apply to the extent permitted by applicable law and may be subject to certain conditions or limitations.
You have the right to request a copy of all personal data we hold about you, along with information about how it is processed — including the purposes, categories of data, and recipients.
If any of the personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct it. Much of your data (tasks, labels, context notes) can be corrected directly within the application.
Also known as the "right to be forgotten." You can request that we delete your personal data. We will honour this request within 30 days, except where we have a legal obligation to retain certain data (such as billing records under Dutch tax law).
In certain circumstances — for example, if you contest the accuracy of your data, or if processing is unlawful but you do not want erasure — you can request that we restrict how we use your data while the issue is being resolved.
Where processing is based on your consent or on a contract, and carried out by automated means, you have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV). You can also ask us to transmit this data to another controller where technically feasible.
Where we process your personal data on the basis of legitimate interest, you have the right to object to that processing. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You can object to the use of server logs for security purposes, for example.
Where processing is based on your consent (such as Google Analytics), you can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal. You can withdraw analytics consent via the Cookie Settings link in the footer.
To exercise any of the rights above, send an email to privacy@taskberry.app. Please include enough information for us to identify your account (your email address is sufficient). We will respond within 30 days of receiving your request. If your request is complex or we receive a high volume of requests, we may extend this period by a further two months, and we will inform you of this extension within 30 days.
If you are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Dutch data protection authority:
You also have the right to lodge a complaint with the supervisory authority in the EU member state where you habitually reside, work, or where the alleged infringement took place.
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, disclosure, or destruction.
Despite these measures, no system is completely secure. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and, where required, inform affected users without undue delay.
TaskBerry is not directed at children under the age of 16 and we do not knowingly collect personal data from minors. The service is a professional productivity tool intended for use by adults.
If you are under 16, please do not use TaskBerry or provide any personal data through the service. If we become aware that we have inadvertently collected personal data from a child under 16, we will delete that data as promptly as possible. If you believe we may have collected data from a minor, please contact us at privacy@taskberry.app.
We may update this Privacy Policy from time to time to reflect changes in the service, our processing activities, or applicable law. The date at the top of this page always shows when the policy was last updated.
For material changes — meaning changes that significantly affect your rights or how we process your data — we will notify you at least 30 days before they take effect. We will do this via email to the address associated with your account, and/or via an in-app notice when you log in.
For minor clarifications or corrections (such as fixing a typo or updating a link), we may update the policy without advance notice.
Continuing to use TaskBerry after a policy change takes effect constitutes your acknowledgement of the updated policy. If you do not agree with the changes, you can request deletion of your account by emailing privacy@taskberry.app.
If you have questions about this Privacy Policy, want to exercise your rights, or have a concern about how we process your data, please contact us:
We aim to respond to all privacy-related enquiries within 5 business days. For formal rights requests (access, erasure, portability, etc.), we will respond within 30 days as required by the GDPR.