// legal
privacy policy
How we handle your data — the short version: it's yours, it stays in the EU, and we never sell it.
This policy explains what personal data Coalface Tasks (“we”, “us”, “our”) collects, why, and what rights you have over it. It covers our website, our hosted application, and the WordPress and Shopify products we publish. If you run Coalface Tasks self-hosted on your own infrastructure, you are the data controller for the data in that installation and this policy does not apply to it.
1. Who we are
Coalface Tasks is operated by a UK-based sole trader and is the data controller for the personal data described in this policy. For any privacy question, or to exercise the rights described below — including a request for our registered contact details — email us at privacy@coalfacetasks.com.
2. What we collect
- Account data. Your name and email address when you create an account, and any profile details you choose to add.
- Content you create. Tasks, boards, notes, checklists, attachments and other content you enter into the app. Sensitive fields (task descriptions, notes and subtask titles) are encrypted at rest.
- Billing data. When you subscribe to a paid plan, payment is handled by Paddle, our Merchant of Record. We do not see or store your full card details — we receive only the billing metadata needed to manage your subscription and meet our accounting obligations.
- Technical data. Standard server and security logs (IP address, browser type, timestamps) generated when you use the site or app, used to keep the service running and secure.
- Data from connected sites. If you connect a WordPress or Shopify site, task and board data syncs to your account. Member emails are not synced by default and are only shared on an explicit opt-in basis.
3. How we use it
- To provide, maintain and secure the service.
- To process payments and manage subscriptions (via Paddle).
- To send account, security and — where you have opted in — notification emails.
- To meet legal and accounting obligations (see “How long we keep it”).
We do not sell your personal data, and we do not use the content you create to train AI models. AI features are off by default; when enabled, the specific content you act on is sent to our AI provider to generate a result, and vault secrets are never sent.
4. Cookies & analytics
Our website is served through Cloudflare and uses only the cookies strictly necessary to run the site and keep it secure. The application uses a small number of essential cookies to keep you signed in and to protect your session. We do not run third-party advertising trackers.
5. Who processes your data for us
We use a small set of trusted subprocessors to run the service. Our infrastructure is hosted in the EU (Frankfurt).
6. How long we keep it
We keep account and content data for as long as your account is active. When you delete data or close your account, we remove it, subject to short backup retention windows. Billing and transaction records are kept for 7 years to meet UK accounting and tax obligations, even after an account is closed.
7. Your rights
Under UK GDPR you have the right to access, correct, export or erase your personal data, and to object to or restrict certain processing. You can export your data from within the app at any time in open formats. To make any other request, email privacy@coalfacetasks.com. You also have the right to complain to the UK Information Commissioner’s Office (ICO).
8. Security
Sensitive content is encrypted at rest under per-group keys. We enforce TLS in transit, offer two-factor and step-up authentication, and a managers-only vault for credentials. See our security page for more.
9. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by the “last updated” date above, and where appropriate we will notify you.
Questions about your privacy? Email privacy@coalfacetasks.com.