Last Updated: November 9, 2025
Version: 1.0
Effective Date: November 9, 2025
Related Documents: This Privacy Policy should be read together with our Terms of Service, which govern your use of TaskForce services. This Privacy Policy is incorporated into the Terms of Service by reference.
Table of Contents
- Who We Are
- 1.1 Contracting Entity
- 1.2 Data Protection Officer
- 1.3 EU Representative
- Information We Collect
- 2.1 Account Information
- 2.2 Business Information
- 2.3 Payment Information
- 2.4 Usage Data
- 2.5 Technical Data
- 2.6 Communications
- 2.7 Customer Business Data
- 2.8 Data We Do Not Collect
- How We Use Your Information
- 3.1 Legal Basis for Processing (GDPR)
- 3.2 Service Provision
- 3.3 Business Operations
- 3.4 Legal and Compliance
- Data Controller vs. Data Processor
- 4.1 When We Are a Data Controller
- 4.2 When We Are a Data Processor
- 4.3 Your Responsibilities as Data Controller
- How We Share Your Information
- 5.1 Third-Party Subprocessors
- 5.2 Customer-Requested Integrations
- 5.3 Legal Requirements
- 5.4 Business Transfers
- 5.5 With Your Consent
- International Data Transfers
- 6.1 EU-Based Processing
- 6.2 Standard Contractual Clauses
- 6.3 Customer-Requested Transfers
- 6.4 Transfer Mechanisms
- Data Security
- 7.1 Security Measures
- 7.2 Credential Security
- 7.3 Security Incidents
- 7.4 Your Security Responsibilities
- Data Retention
- 8.1 Retention Periods
- 8.2 Deletion Upon Termination
- 8.3 Legal Retention Requirements
- Your Data Protection Rights
- 9.1 Rights Under GDPR (EU/EEA/Swiss Clients)
- 9.2 Rights Under Other Laws
- 9.3 How to Exercise Your Rights
- 9.4 Response Times
- 9.5 Verification Requirements
- Cookies and Tracking Technologies
- 10.1 Types of Cookies We Use
- 10.2 Analytics and Performance
- 10.3 Cookie Choices
- Third-Party Services and Links
- Children's Privacy
- Changes to This Privacy Policy
- Complaints and Supervisory Authorities
- 14.1 For EU/EEA/Swiss Clients
- 14.2 For US Clients
- Contact Information
1. Who We Are
1.1 Contracting Entity
Your privacy relationship depends on which TaskForce entity you contract with, as determined by your billing address:
(a) For Clients Located in the United States:
Zero to MVP, Inc.
- A Delaware corporation
- Delaware File Number: 7666933
- Mailing Address: 16192 Coastal Highway, Lewes, DE 19958, United States
- Email: hello@taskforce.tech
(b) For Clients Located in the European Union, European Economic Area, or Switzerland:
Zero to MVP Private Company (Zero to MVP PC)
- A Greek Private Company (Ιδιωτική Κεφαλαιουχική Εταιρεία - ΙΚΕ)
- Business Registry Number (ΓΕΜΗ): 151939101000
- Tax Registration Number (ΑΦΜ): 801215594
- VAT Identification Number: EL801215594
- Registered Office: Agion Apostolon Petrou & Pavlou 46, Spata 19004, Greece
- Email: hello@taskforce.tech
(c) For Clients Located in All Other Jurisdictions:
By default, you contract with Zero to MVP, Inc. (US entity), though all data processing occurs in the EU.
"TaskForce" Brand: When this Privacy Policy refers to "TaskForce," "we," "us," or "our," it refers to the specific legal entity with which you are contracting.
1.2 Data Protection Officer
For Zero to MVP PC (EU Entity): Zero to MVP PC has determined that it is not required to appoint a Data Protection Officer under GDPR Article 37, as:
- We are not a public authority or body
- Our core activities do not involve regular and systematic monitoring of data subjects on a large scale
- We do not process special categories of data (Article 9) or criminal convictions data (Article 10) on a large scale
We act primarily as a data processor for customer business data, not as a data controller conducting large-scale behavioral monitoring or profiling.
For data protection inquiries, contact: legal@taskforce.tech
For Zero to MVP, Inc. (US Entity): We have designated an internal data protection contact. For data protection inquiries, contact: legal@taskforce.tech
1.3 EU Representative
For Zero to MVP, Inc. (US Entity): As we process data in the EU but are headquartered in the United States, we have designated Zero to MVP PC as our EU representative under GDPR Article 27 for matters related to EU data subject rights and supervisory authority inquiries.
2. Information We Collect
2.1 Account Information
When you create a TaskForce account, we collect:
- Business contact name: Name of the primary contact person
- Business email address: Email for account communications
- Account credentials: Username and securely hashed password
- Business phone number: Optional, for support purposes
- Account preferences: Communication preferences, timezone, language
2.2 Business Information
As a B2B-only service, we collect business information including:
- Business name: Legal name or trading name of your business
- Business registration details: Country of registration, business type
- Tax identification numbers: VAT number (EU/EEA/Swiss), EIN (US), or equivalent
- Business address: Registered business address
- Billing address: Address associated with payment method
- Business email domain: Used to verify business status
- Industry and business type: To understand your automation needs
B2B Verification: We verify that you are a legitimate business entity and not a consumer. This verification protects both parties by ensuring the service is used for its intended purpose.
2.3 Payment Information
Payment processing is handled by Stripe, Inc. We do not store your complete payment card information. We collect:
- Billing information: Name, billing address, email
- Payment metadata: Payment method type (card brand), last 4 digits, expiration
- Transaction records: Invoices, payment history, subscription details
- Tax information: VAT numbers, tax exemption certificates
Stripe Processing: Stripe collects and processes your full payment card details. See Stripe's Privacy Policy at https://stripe.com/privacy for details on how Stripe handles payment information.
2.4 Usage Data
We collect information about how you use our Services:
- Automation requests: Descriptions of automation workflows you request
- Automation configurations: Settings, parameters, and workflow definitions
- Service usage: Features used, frequency of use, automation execution logs
- Support interactions: Support tickets, questions, feedback
- Communications: Emails, messages, and other communications with our team
2.5 Technical Data
We automatically collect certain technical information:
- Device information: Browser type, operating system, device type
- IP address: For security, fraud prevention, and approximate geolocation
- Log data: API calls, error logs, performance metrics, access times
- Cookies and tracking: See Section 10 for details
2.6 Communications
We collect information from your communications with us:
- Email correspondence: Questions, support requests, feedback
- Survey responses: If you participate in surveys or feedback requests
- Marketing preferences: Whether you consent to marketing communications
- Testimonials and reviews: If you provide feedback or reviews
2.7 Customer Business Data
When providing automation services, we process data on your behalf:
- Third-party API credentials: API keys, access tokens, OAuth tokens
- Integrated platform data: Data from services you ask us to integrate (Slack, CRM systems, e-commerce platforms, etc.)
- Business process data: Customer data, transaction data, operational data processed by your automations
Important: For this data, you are the data controller and we are your data processor. See Section 4 for details.
2.8 Data We Do Not Collect
We do not knowingly collect or process:
- Consumer personal data: TaskForce is B2B-only; we do not serve consumers
- Protected Health Information (PHI): We are not HIPAA-compliant
- Payment card data (PCI): We are not PCI-DSS certified; Stripe handles payment processing
- Biometric data: Fingerprints, facial recognition, genetic data
- Children's data: Data of individuals under 13 years old (or 16 in the EU)
- Government IDs: Social Security Numbers, passport numbers, driver's licenses (except where legally required for business verification)
- Sensitive personal data: Racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation (unless specifically provided by you in business data with your explicit consent)
3. How We Use Your Information
3.1 Legal Basis for Processing (GDPR)
For EU/EEA/Swiss clients, we process personal data under the following legal bases:
(a) Contractual Necessity (GDPR Article 6(1)(b)): Processing necessary to perform our contract with you, including:
- Providing automation services
- Managing your account and subscription
- Processing payments and billing
- Delivering customer support
(b) Legitimate Interests (GDPR Article 6(1)(f)): Processing necessary for our legitimate business interests, including:
- Improving our services and developing new features
- Preventing fraud and ensuring security
- Analyzing usage to optimize performance
- Marketing to existing customers (B2B marketing)
- Enforcing our legal rights
(c) Legal Obligation (GDPR Article 6(1)(c)): Processing necessary to comply with legal obligations, including:
- Tax and accounting requirements
- Responding to lawful requests from authorities
- Compliance with export control and sanctions laws
(d) Consent (GDPR Article 6(1)(a)): Where required by law or where we have obtained your explicit consent, including:
- Marketing communications (where consent is required)
- Optional analytics and performance tracking
- Use of your business name and logo for marketing (with consent)
3.2 Service Provision
We use your information to provide TaskForce services:
- Account Management: Create and manage your account, authenticate access
- Automation Development: Build, test, and deploy custom automation workflows
- Service Delivery: Execute automations, process data, integrate with third-party services
- Monitoring and Maintenance: Monitor automation performance, detect errors, fix bugs
- Customer Support: Respond to inquiries, troubleshoot issues, provide assistance
- Updates and Modifications: Update automations based on your requests
3.3 Business Operations
We use your information for business purposes:
- Billing and Payments: Process subscription payments, manage invoices, handle refunds
- Analytics and Improvement: Analyze usage patterns, improve service quality, develop new features
- Security and Fraud Prevention: Detect and prevent fraud, abuse, security incidents
- Marketing and Communications: Send service updates, product announcements, promotional offers (with appropriate consent)
- Legal and Compliance: Comply with legal obligations, enforce our Terms of Service
3.4 Legal and Compliance
We may use your information to:
- Comply with Laws: Respond to legal process, court orders, government requests
- Enforce Rights: Protect our rights, property, and safety, and those of our users and the public
- Prevent Illegal Activity: Investigate suspected illegal activity, fraud, or Terms violations
- Export Control Compliance: Verify compliance with export control and sanctions laws
4. Data Controller vs. Data Processor
Understanding the distinction between data controller and data processor is critical for GDPR compliance.
4.1 When We Are a Data Controller
TaskForce acts as a data controller for:
- Account Information: Your business contact details, login credentials
- Payment and Billing Information: Transaction history, invoices
- Usage Data: How you use our Services, feature usage
- Technical Data: IP addresses, device information, logs
- Communications: Emails and messages with our team
- Marketing Data: Marketing preferences, consent records
As a data controller, we determine the purposes and means of processing this data. We are responsible for ensuring compliance with data protection laws for this data.
4.2 When We Are a Data Processor
TaskForce acts as a data processor (you are the data controller) for:
- Customer Business Data: Data processed through your automation workflows
- Third-Party Integration Data: Data from platforms you ask us to integrate (Slack messages, CRM contacts, e-commerce orders, etc.)
- API Credentials: Credentials you provide for third-party services
- Automation-Processed Data: Any personal data processed by automations we build for you
As a data processor, we process this data solely on your instructions as the data controller. You determine the purposes and means of processing; we simply execute your instructions through the automation workflows.
4.3 Your Responsibilities as Data Controller
When we act as your data processor, you are responsible for:
- Lawful Basis: Ensuring you have a lawful basis to process personal data
- Consent and Notices: Obtaining necessary consents and providing privacy notices to data subjects
- Data Minimization: Only providing data necessary for the automation
- Data Subject Rights: Responding to data subject requests (we will assist as required)
- Data Protection Impact Assessments (DPIAs): Conducting DPIAs where required
- Third-Party Agreements: Ensuring appropriate agreements with integrated platforms
- International Transfers: Ensuring appropriate safeguards for data transfers outside the EU/EEA
Detailed Data Processing Terms: For complete data processing terms that satisfy GDPR Article 28 requirements, see Section 8.6 (Data Processing Agreement) of our Terms of Service.
5. How We Share Your Information
We do not sell your personal data or business data to third parties. We share information only as described below:
5.1 Third-Party Subprocessors
We use carefully selected subprocessors to help provide our Services:
(a) Infrastructure and Hosting:
Hetzner Online GmbH (Germany)
- Purpose: Cloud infrastructure, server hosting, data storage
- Data Processed: All customer data stored on our infrastructure
- Location: European Union (Germany)
- Safeguards: GDPR-compliant, ISO 27001 certified
- Privacy Policy: https://www.hetzner.com/legal/privacy-policy
(b) Error Monitoring and Performance:
Sentry (Functional Software, Inc.) - United States
- Purpose: Error tracking, performance monitoring, debugging
- Data Processed: Error logs, stack traces, limited metadata
- Privacy Policy: https://sentry.io/privacy/
PostHog Inc. - European Union
- Purpose: Product analytics, usage metrics
- Data Processed: User identifiers (email, user ID), usage data, feature analytics
- Privacy Policy: https://posthog.com/privacy
(c) Payment Processing:
Stripe, Inc. - Ireland/United States
- Purpose: Payment processing, subscription management, invoicing
- Data Processed: Payment information, billing details, transaction history
- Safeguards: PCI-DSS Level 1, GDPR-compliant
- Privacy Policy: https://stripe.com/privacy
(d) Advertising and Marketing:
Google LLC - United States/Ireland
- Purpose: Conversion tracking, advertising measurement, remarketing
- Data Processed: Device identifiers, IP addresses, browsing behavior, conversion events
- Safeguards: EU-US Data Privacy Framework participant, Standard Contractual Clauses available
- Privacy Policy: https://policies.google.com/privacy
- Opt-Out: US visitors can opt out via "Your Privacy Choices" link in the website footer
(e) Communication and Support:
We may use email service providers and customer support platforms to communicate with you and manage support requests.
5.2 Customer-Requested Integrations
Critical Understanding: When you request us to integrate third-party services into your automation workflows, those services become subprocessors because they receive and process your data.
Examples of Customer-Requested Subprocessors:
- Communication Platforms: Slack, Microsoft Teams, email services
- CRM Systems: Salesforce, HubSpot, Pipedrive
- E-commerce Platforms: Shopify, WooCommerce, Square
- Accounting Software: QuickBooks, Xero, FreshBooks
- Social Media Platforms: Reddit, Twitter, LinkedIn
- Productivity Tools: Google Workspace, Microsoft Office 365
- AI Services: Claude AI (Anthropic Inc.), OpenAI
- Any other platform or service you request integration with
Your Responsibilities for Customer-Requested Integrations:
- You acknowledge that these services will act as subprocessors
- You are responsible for reviewing their privacy policies and terms of service
- You must ensure you have appropriate agreements and authorizations with these services
- You are responsible for ensuring data transfers to these services comply with applicable laws
- You must execute necessary agreements (Data Processing Agreements, Standard Contractual Clauses) with these third parties where required
Subprocessor Changes: We will notify you at least 30 days in advance of adding or replacing infrastructure subprocessors (Section 5.1), giving you the opportunity to object. If you object, we will work with you to find an acceptable alternative solution or allow you to terminate the Services without penalty. Customer-requested integrations (Section 5.2) are added at your request and with your acknowledgment.
5.3 Legal Requirements
We may disclose your information if required by law or in response to:
- Legal Process: Subpoenas, court orders, legal proceedings
- Government Requests: Lawful requests from government authorities, law enforcement
- Legal Protection: To protect our rights, property, safety, or that of our users or the public
- Terms Enforcement: To investigate and enforce violations of our Terms of Service
- Fraud Prevention: To detect, prevent, or investigate fraud or security incidents
Notice: Where legally permitted, we will notify you before disclosing your information to authorities, unless prohibited by law or court order.
5.4 Business Transfers
If TaskForce is involved in a merger, acquisition, sale of assets, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or use of your information, and any choices you may have regarding your information.
5.5 With Your Consent
We may share your information for other purposes with your explicit consent, such as:
- Marketing and Promotion: Using your business name and logo as a customer reference (with your consent)
- Case Studies: Developing case studies or testimonials showcasing our work (with your approval)
- Third-Party Services: Integrating additional services at your request
You may withdraw consent at any time by contacting us at hello@taskforce.tech.
6. International Data Transfers
6.1 EU-Based Processing
All TaskForce Services are delivered from the European Union, regardless of which entity you contract with:
- Primary Infrastructure: All data is processed and stored in the EU (Germany) on Hetzner infrastructure
- GDPR Compliance: We comply with GDPR for all customers globally
- No Routine Transfers to US: For our core infrastructure and processing, data remains in the EU
6.2 Standard Contractual Clauses and Transfer Safeguards
For subprocessors located outside the EU/EEA, we use Standard Contractual Clauses (SCCs) or other appropriate safeguards approved by the European Commission, including:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Binding Corporate Rules
- Other legally compliant transfer mechanisms
We execute Data Processing Agreements with all infrastructure subprocessors to ensure GDPR compliance and appropriate data protection safeguards.
SCCs: Standard Contractual Clauses are contractual commitments between data exporters and importers that provide adequate safeguards for personal data transferred outside the EU/EEA, as approved by the European Commission.
6.3 Customer-Requested Transfers
When you request integration with services located outside the EU/EEA:
- Your Responsibility: You are responsible for ensuring appropriate data transfer mechanisms are in place
- Due Diligence: You should verify that these services have adequate data protection safeguards
- Necessary Agreements: You should execute Data Processing Agreements and Standard Contractual Clauses with these services where required
- Consent and Authorization: You should obtain required consents for international data transfers if applicable under your local law
Examples:
- If you request Slack integration (US-based), Slack receives your data
- If you request Claude AI integration (US-based), Anthropic receives your data
- You are responsible for ensuring these transfers comply with GDPR and your obligations as data controller
6.4 Transfer Mechanisms
For international data transfers, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs for transfers to third countries
- Adequacy Decisions: Where the EU Commission has determined a country provides adequate protection
- Derogations: In specific situations under GDPR Article 49 (e.g., necessary for contract performance, with your explicit consent)
7. Data Security
7.1 Security Measures
We implement industry-standard security measures to protect your information:
(a) Technical Security:
- Encryption in Transit: All data transmitted over the internet uses TLS 1.2 or higher encryption
- Encryption at Rest: Data stored on our infrastructure is encrypted using AES-256 or equivalent
- Access Controls: Role-based access control (RBAC) limiting employee access to data
- Authentication: Secure authentication mechanisms, password hashing using bcrypt or equivalent
- Network Security: Firewalls, network monitoring, and protective measures
(b) Organizational Security:
- Employee Training: Regular security and privacy training for all personnel
- Confidentiality Agreements: All employees and contractors sign confidentiality agreements
- Least Privilege: Employees have access only to data necessary for their role
- Security Reviews: Periodic security assessments and monitoring
(c) Infrastructure Security:
- Secure Hosting: EU-based infrastructure with Hetzner (ISO 27001 certified)
- Regular Updates: Timely application of security patches and updates
- Monitoring: 24/7 monitoring for security incidents and anomalous activity
- Backup and Recovery: Regular backups with tested disaster recovery procedures
(d) Application Security:
- Secure Development: Secure coding practices, code reviews
- Vulnerability Management: Regular vulnerability scanning and penetration testing
- Error Handling: Secure error handling to prevent information disclosure
- Session Management: Secure session handling with automatic timeout
7.2 Credential Security
For API keys and third-party credentials you provide:
- Secure Transmission: We provide encrypted channels for credential transmission (never via unencrypted email)
- Encrypted Storage: API keys and credentials are stored encrypted with strong encryption algorithms
- Access Logging: All access to credentials is logged and monitored
- Least Privilege: We request credentials with minimum necessary permissions
- Rotation Reminders: We encourage regular credential rotation per third-party best practices
Your Responsibilities:
- Provide credentials with minimum necessary permissions (principle of least privilege)
- Regularly rotate credentials per third-party best practices
- Immediately notify us if you believe credentials have been compromised
- Monitor third-party service access logs for unauthorized activity
- Revoke our access immediately upon service termination
7.3 Security Incidents
Incident Response Process:
(a) Detection and Assessment: We continuously monitor for security incidents and assess severity immediately upon detection.
(b) Containment: We take immediate steps to contain incidents and prevent further unauthorized access.
(c) Notification:
- Personal Data Breaches (GDPR): We notify EU/EEA/Swiss clients without undue delay after becoming aware of a breach, and in any event within 72 hours when feasible, as required by GDPR Article 33.
- Other Security Incidents: We notify clients within 24 hours of security incidents affecting credentials, data integrity, or service availability.
(d) Information Provided:
- Nature of the security incident
- Categories and approximate number of affected data subjects (if applicable)
- Categories and approximate number of affected records
- Contact point for more information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
(e) Remediation: We take all reasonable steps to remediate the incident and prevent recurrence.
Your Obligations: Upon notification of a security incident affecting credentials, you agree to immediately rotate/revoke affected credentials.
7.4 Your Security Responsibilities
You are responsible for:
- Account Security: Maintaining the confidentiality of your account credentials
- Strong Passwords: Using strong, unique passwords for your account
- Access Control: Managing user access and permissions within your organization
- Monitoring: Monitoring your automation outputs for unusual or suspicious activity
- Reporting: Promptly reporting any suspected security incidents to hello@taskforce.tech
- Credential Management: Following security best practices for API credentials
8. Data Retention
8.1 Retention Periods
We retain personal data only as long as necessary for the purposes described in this Privacy Policy:
(a) Account and Business Information:
- Active Subscriptions: Retained for the duration of your active subscription
- After Termination: Retained for 30 days after subscription termination, then deleted
- Legal Retention: Certain data may be retained longer for legal, tax, or regulatory requirements
(b) Payment and Billing Records:
- Tax and Accounting: Retained for at least 7 years (US) or 10 years (EU/Greece) to comply with tax and accounting regulations
- Invoices: Retained for the legally required period in your jurisdiction
(c) Customer Business Data (Where We Are Data Processor):
- During Subscription: Retained as long as necessary to provide Services
- After Termination: Deleted within 30 days after subscription termination, unless you request earlier deletion
- Backups: Data may persist in backups for up to 90 days after deletion from production systems
(d) Communications and Support Records:
- Support Tickets: Retained for 3 years for quality assurance and dispute resolution
- Email Communications: Retained for the duration of the business relationship plus 2 years
(e) Usage and Technical Data:
- Log Data: Retained for 90 days for security and troubleshooting purposes
- Aggregated Analytics: Anonymized and aggregated data may be retained indefinitely
8.2 Deletion Upon Termination
Upon subscription termination:
(a) 30-Day Retrieval Period:
- You have 30 days to retrieve your data in a downloadable format
- We will provide your data in common, machine-readable formats (JSON, CSV)
- After 30 days, all customer business data is permanently deleted from production systems
(b) Permanent Deletion:
- We use secure deletion methods to permanently delete data
- Data is overwritten or cryptographically erased to prevent recovery
- Backups containing deleted data are purged within 90 days
(c) Exceptions:
- Data we are legally required to retain (tax records, payment history)
- Anonymized and aggregated data (no longer personally identifiable)
- Data necessary for ongoing legal proceedings or disputes
8.3 Legal Retention Requirements
We may retain certain data longer than stated above if required by:
- Tax Laws: Tax and accounting records (7-10 years)
- Legal Obligations: Compliance with legal or regulatory requirements
- Legal Defense: To establish, exercise, or defend legal claims
- Audit Requirements: For statutory audits or investigations
Data Minimization: We apply data minimization principles, retaining only what is necessary for the specific legal purpose.
9. Your Data Protection Rights
9.1 Rights Under GDPR (EU/EEA/Swiss Clients)
If you are located in the EU, EEA, or Switzerland, you have the following rights under GDPR:
(a) Right of Access (Article 15):
- Request confirmation of whether we process your personal data
- Obtain a copy of your personal data
- Receive information about how we process your data
(b) Right to Rectification (Article 16):
- Correct inaccurate or incomplete personal data
- Update your account information
(c) Right to Erasure / "Right to be Forgotten" (Article 17):
- Request deletion of your personal data in certain circumstances:
  - Data no longer necessary for the purposes collected
  - You withdraw consent (where consent was the legal basis)
  - You object to processing and there are no overriding legitimate grounds
  - Data processed unlawfully
  - Legal obligation requires erasure
Limitations: We may retain data where required by law or for legal claims.
(d) Right to Restriction of Processing (Article 18):
- Request restriction of processing in certain circumstances:
  - You contest the accuracy of the data
  - Processing is unlawful but you oppose erasure
  - We no longer need the data but you need it for legal claims
  - You have objected to processing pending verification
(e) Right to Data Portability (Article 20):
- Receive your personal data in a structured, commonly used, machine-readable format
- Transmit your data to another controller without hindrance
- Request direct transmission to another controller where technically feasible
(f) Right to Object (Article 21):
- Object to processing based on legitimate interests
- Object to direct marketing at any time (absolute right)
- Object to profiling (if applicable)
(g) Right Not to Be Subject to Automated Decision-Making (Article 22):
- Not be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you
Note: TaskForce does not make automated decisions with legal or similarly significant effects.
(h) Right to Withdraw Consent (Article 7(3)):
- Withdraw consent at any time where processing is based on consent
- Withdrawal does not affect the lawfulness of processing based on consent before withdrawal
(i) Right to Lodge a Complaint:
- Lodge a complaint with a supervisory authority (see Section 14)
9.2 Rights Under Other Laws
(a) California Residents (CCPA/CPRA):
If you are a California resident and a business customer, you may have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), subject to B2B exemptions:
- Right to Know: Request disclosure of personal information collected, used, or shared
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of sale or sharing of personal information
- Right to Limit: Limit use and disclosure of sensitive personal information
Sale vs. Sharing Under CPRA:
- Sale: We do not sell your personal information for monetary consideration
- Sharing: We share personal information with Google Ads for cross-context behavioral advertising (conversion tracking and remarketing), which constitutes "sharing" under CPRA
- Your Right: You can opt out of this sharing at any time by clicking "Your Privacy Choices" in the website footer
Categories of Personal Information Shared for Advertising:
- Device identifiers (browser cookies, advertising IDs)
- IP addresses and approximate location
- Browsing behavior and website interactions
- Conversion events (e.g., form submissions, purchases)
B2B Exemption: Many CCPA/CPRA provisions do not apply to B2B transactions. As TaskForce is a B2B-only service, certain consumer rights may not apply. However, we honor opt-out requests for advertising regardless of B2B status.
(b) Other Jurisdictions:
Depending on your location, you may have rights under other data protection laws. Contact us at legal@taskforce.tech to inquire about your rights.
9.3 How to Exercise Your Rights
To exercise any of your data protection rights:
(a) Email Request: Send an email to legal@taskforce.tech with:
- Subject line: "Data Protection Request - [Right Name]"
- Your full name and business name
- Email address associated with your account
- Specific right you wish to exercise
- Details of your request
(b) Account Portal: For certain rights (access, rectification), you may be able to manage your data directly through your account dashboard.
(c) Written Request: Send a written request to our registered office address (see Section 15).
9.4 Response Times
We will respond to your request:
- GDPR Requests: Within one month of receipt, extendable by two further months for complex requests (we will inform you of any extension within one month)
- CCPA Requests: Within 45 days of receipt, extendable by 45 additional days (we will inform you of any extension)
- Other Requests: We aim to respond within 30 days
9.5 Verification Requirements
To protect your privacy and security, we must verify your identity before processing data protection requests:
- Account Verification: We may ask you to log in to your account
- Email Verification: We may send a verification email to your registered email address
- Additional Information: For deletion or access requests, we may request additional identifying information
- Business Verification: We may request proof of your authority to act on behalf of your business
Fraudulent Requests: We reserve the right to refuse requests that are manifestly unfounded, excessive, or repetitive.
10. Cookies and Tracking Technologies
10.1 Types of Cookies We Use
Cookies are small text files stored on your device when you visit our website or use our Services.
(a) Strictly Necessary Cookies:
- Purpose: Essential for the website to function, enable account authentication, maintain security
- Examples: Session cookies, authentication tokens, security cookies
- Duration: Session cookies (deleted when you close your browser) or persistent cookies (up to 1 year)
- Legal Basis: Necessary for contract performance (no consent required)
(b) Functional Cookies:
- Purpose: Remember your preferences, settings, and choices
- Examples: Language preferences, timezone settings, UI preferences
- Duration: Up to 1 year
- Legal Basis: Legitimate interest in providing personalized service (consent requested)
(c) Analytics and Performance Cookies:
- Purpose: Understand how you use our Services, improve performance
- Service: PostHog (product analytics)
- Data Collected: User identifiers (email, user ID), page views, feature usage, session duration, behavioral data
- Duration: Up to 2 years
- Legal Basis: Legitimate interest in improving services (GDPR Article 6(1)(f)), consent for non-essential cookies where required
(d) Marketing and Advertising Cookies:
Google Ads (Google LLC):
- We use Google Ads for conversion tracking and advertising measurement
- Tracks conversions when visitors complete actions on our website (e.g., requesting service, making a purchase)
- Used for remarketing to show relevant ads to previous visitors
- Data collected: Device identifiers, IP addresses, browsing behavior, conversion events
- Legal Basis:
  - Non-US visitors: Consent (when you click "Accept All" on the cookie banner)
  - US visitors: Legitimate interest with opt-out option via the "Your Privacy Choices" footer link
- Duration: Up to 90 days
- CPRA Note: For California residents, this activity constitutes "sharing" under CPRA. All US visitors can opt out via the "Your Privacy Choices" link in the website footer
10.2 Analytics and Performance
PostHog Analytics:
- We use PostHog for product analytics and usage metrics
- PostHog collects user identifiers (email, user ID) along with usage data
- Data includes page views, feature usage, session duration, and user behavior
- Helps us understand feature adoption and improve user experience
- You can opt out of analytics tracking in your account settings or by disabling cookies
Error Monitoring (Sentry):
- We use Sentry to monitor errors and performance issues
- Error logs may include limited metadata (browser, OS, anonymized user ID)
- No personal data is intentionally sent to Sentry
- Necessary for maintaining service quality
10.3 Cookie Choices
(a) Browser Settings:
- Most browsers allow you to refuse cookies or delete cookies
- Blocking cookies may affect functionality of our Services
- Instructions for common browsers:
  - Chrome: Settings > Privacy and Security > Cookies
  - Firefox: Preferences > Privacy & Security > Cookies
  - Safari: Preferences > Privacy > Cookies
  - Edge: Settings > Privacy > Cookies
(b) Cookie Consent:
For US Visitors: We use analytics and advertising cookies by default to improve your experience and measure advertising effectiveness. You can opt out at any time by clicking "Your Privacy Choices" in the website footer. When you opt out, we stop using analytics and advertising cookies and only keep essential cookies needed for payment processing and account authentication.
For Non-US Visitors: When you first visit our website, you will see a cookie consent banner with two options:
- Essential Only: Only cookies required for payment processing and account authentication. No analytics or advertising cookies.
- Accept All: Essential cookies (payment processing and authentication), analytics cookies (to improve your experience), and advertising cookies (conversion tracking and remarketing).
Essential cookies for payment processing (Stripe) and account authentication are always used as they are required for the service to function.
You can change your preferences at any time by clearing your browser data and revisiting the site.
(c) Do Not Track:
- Some browsers support "Do Not Track" (DNT) signals
- Currently, there is no universal standard for DNT
- We do not alter our practices in response to DNT signals, but we provide cookie opt-out mechanisms
11. Third-Party Services and Links
Our Services may contain links to third-party websites, platforms, or services:
- Third-Party Privacy Policies: Third-party services have their own privacy policies and practices. We are not responsible for their privacy practices.
- Review Policies: We encourage you to review the privacy policies of any third-party services you use or integrate with TaskForce.
- No Endorsement: Links to third-party services do not imply endorsement.
Integrated Platforms: When you request integration with third-party platforms (Slack, CRM systems, etc.):
- Those platforms receive and process your data
- You should review their privacy policies
- You are responsible for ensuring compliance with their terms and applicable laws
12. Children's Privacy
TaskForce is a business-to-business service. We do not knowingly collect personal data from children:
- Age Restriction for Service Use: You must be at least 18 years old to contract for and use our Services directly. This is a contractual requirement for forming a binding B2B agreement.
- Children's Data Processing: While our Services are B2B-only and not intended for children:
  - We do not knowingly collect personal data directly from children under 13 (US) or 16 (EU)
  - If you (as a business customer) process data of minors through our Services, you are responsible as data controller for obtaining appropriate parental consent and ensuring compliance with children's privacy laws (COPPA, GDPR Article 8)
  - We are not designed to process children's data and cannot ensure COPPA or child-specific GDPR compliance
- Inadvertent Collection: If we learn we have collected personal data from a child, we will delete it immediately upon notification.
If you believe we have inadvertently collected data from a child, contact us immediately at legal@taskforce.tech.
13. Changes to This Privacy Policy
(a) Updates: We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.
(b) Notice: We will notify you of material changes:
- Email Notification: We will send an email to your registered email address at least 30 days before changes take effect
- Website Notice: We will post a notice on our website
- Effective Date: The "Last Updated" date at the top of this policy will be updated
(c) Continued Use: Your continued use of the Services after the effective date of changes constitutes acceptance of the updated Privacy Policy.
(d) Objection: If you do not agree with changes, you may terminate your subscription before the changes take effect.
(e) Version History: Previous versions of this Privacy Policy may be requested by contacting legal@taskforce.tech.
14. Complaints and Supervisory Authorities
14.1 For EU/EEA/Swiss Clients
If you are located in the EU, EEA, or Switzerland and have concerns about our data processing practices, you have the right to lodge a complaint with a supervisory authority.
(a) Supervisory Authority for Zero to MVP PC (Greek Entity):
Hellenic Data Protection Authority (HDPA)
- Name: Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (ΑΠΔΠΧ)
- Address: Kifisias Ave. 1-3, 11523 Athens, Greece
- Website: www.dpa.gr
- Email: contact@dpa.gr
- Phone: +30 210 6475600
(b) Your Local Supervisory Authority:
You also have the right to lodge a complaint with the supervisory authority in your EU Member State, particularly:
- In your habitual residence
- In your place of work
- In the place where the alleged infringement occurred
List of EU Supervisory Authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en
(c) We Encourage Direct Contact First:
Before lodging a complaint with a supervisory authority, we encourage you to contact us directly at legal@taskforce.tech. We are committed to working with you to resolve any concerns.
14.2 For US Clients
If you are located in the United States:
(a) Federal Trade Commission (FTC):
You may file a complaint with the FTC regarding our privacy practices:
- Website: https://www.ftccomplaintassistant.gov/
- Phone: 1-877-FTC-HELP (1-877-382-4357)
(b) State Attorneys General:
You may also contact your state Attorney General's office regarding privacy concerns.
(c) California Residents:
California residents may contact the California Attorney General:
- Website: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
- Phone: 1-800-952-5225
15. Contact Information
15.1 General Privacy Inquiries
For general questions about this Privacy Policy or our privacy practices:
Email: hello@taskforce.tech
Response Time: We aim to respond within 2 business days.
15.2 Data Protection Requests
To exercise your data protection rights (access, deletion, correction, etc.):
Email: legal@taskforce.tech
Subject Line: "Data Protection Request - [Right Name]"
Response Time: Within 30 days (or as required by applicable law)
15.3 Data Protection Officer
For Zero to MVP PC (EU Entity):
Zero to MVP PC is not required to appoint a Data Protection Officer under GDPR Article 37. For data protection inquiries, contact:
- Email: legal@taskforce.tech
- Address: Agion Apostolon Petrou & Pavlou 46, Spata 19004, Greece
For Zero to MVP, Inc. (US Entity):
- Internal Data Protection Contact: legal@taskforce.tech
15.4 Registered Office Addresses
(a) Zero to MVP, Inc. (US Entity):
16192 Coastal Highway Lewes, DE 19958 United States
(b) Zero to MVP PC (Greek/EU Entity):
Agion Apostolon Petrou & Pavlou 46 Spata 19004 Greece
15.5 EU Representative
For matters related to GDPR compliance, EU data subject rights, or supervisory authority inquiries regarding Zero to MVP, Inc. (US entity):
EU Representative: Zero to MVP PC
- Address: Agion Apostolon Petrou & Pavlou 46, Spata 19004, Greece
- Email: legal@taskforce.tech
Appendix A: Data Processing Details
A.1 Categories of Data Subjects
When we act as a data processor (for customer business data):
- Your customers: Individuals whose data you process through automations
- Your employees: If processing employee data through automations
- Third-party contacts: Business contacts, vendors, partners
A.2 Categories of Personal Data Processed
- Identifiers: Names, email addresses, phone numbers, usernames
- Contact Information: Mailing addresses, billing addresses
- Commercial Information: Transaction data, purchase history, order details
- Internet/Electronic Activity: Usage data, interaction logs
- Professional Information: Job titles, company names, business roles
A.3 Processing Activities
- Data synchronization between platforms
- Automated workflows and business process automation
- Data transformation and formatting
- Notifications and alerts
- Reporting and analytics (on your behalf)
A.4 Data Retention Schedule Summary
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account Information | Duration of subscription + 30 days | Contract |
| Payment Records | 7-10 years | Tax/Legal |
| Customer Business Data | Duration of subscription + 30 days | Contract |
| Support Communications | 3 years | Legitimate Interest |
| Log Data | 90 days | Legitimate Interest |
| Anonymized Analytics | Indefinite | Legitimate Interest |
Appendix B: GDPR Compliance Summary
B.1 Legal Bases for Processing
- Contract Performance: Account management, service delivery
- Legitimate Interests: Service improvement, security, fraud prevention
- Legal Obligation: Tax compliance, legal requests
- Consent: Marketing communications, optional analytics
B.2 Data Subject Rights Provided
- ✅ Right of Access
- ✅ Right to Rectification
- ✅ Right to Erasure
- ✅ Right to Restriction
- ✅ Right to Data Portability
- ✅ Right to Object
- ✅ Right to Withdraw Consent
- ✅ Right to Lodge a Complaint
B.3 Security Measures
- ✅ Encryption in transit (TLS 1.2+)
- ✅ Encryption at rest (AES-256)
- ✅ Access controls and authentication
- ✅ Regular security assessments
- ✅ Employee training and confidentiality agreements
- ✅ Incident response procedures
- ✅ Data breach notification (within 72 hours)
B.4 International Transfers
- ✅ EU-based infrastructure (Hetzner, Germany)
- ✅ Standard Contractual Clauses for US subprocessors
- ✅ EU representative designated (Zero to MVP PC)
For questions or concerns about this Privacy Policy, contact us at legal@taskforce.tech.