Privacy policy
Last updated June 2026
Task Flow ("we", "us", "the service") is a Kanban workspace for teams. This policy explains what information we collect, why we collect it, and how we keep it safe.
1. Information we collect
Account information. When you register, we store your full name, email address, company name, and a securely-hashed password. We never store your password in plaintext.
Workspace content. Projects, boards, columns, cards, comments, due dates, assignments, attachments, and audit-log entries you create or modify inside your workspace. This content is private to your company and only members of your company workspace can see it.
Operational data. Sign-in timestamps, IP address used to access the service, device-pairing tokens (for the Android companion app), and security-related events such as password changes and two-factor enrolment.
Contact form. If you submit the public contact form on this site, we store your name, email, optional company and phone, and the message you sent — solely to reply to your enquiry.
2. How we use your information
- To run the service: authenticate you, route tasks to the right people, send transactional emails (password reset, task assignment, account approval).
- To keep the service safe: detect abuse, enforce rate limits, and maintain audit logs.
- To improve the product: aggregate, anonymous usage statistics. We do not sell or share your workspace content with third parties.
3. Cookies and similar technologies
We use a small number of strictly-necessary cookies — most importantly your authenticated session cookie (tm_auth) and an anti-forgery cookie. We do not run third-party advertising trackers, analytics pixels, or social-network buttons.
4. Third-party services
We may use third-party infrastructure providers (e.g. our email provider) to deliver transactional messages. These providers process data only on our instructions and are bound by their own privacy commitments. Self-hosted deployments may differ — check with the organisation that operates your specific Task Flow instance.
5. Data retention
We retain your workspace content for as long as your account is active. When a company workspace is deleted, all associated cards, attachments, and activity logs are removed within 30 days. Audit logs and security events may be retained longer where required by law.
6. Lawful basis for processing (GDPR)
If you're located in the European Economic Area, the UK, or another jurisdiction with equivalent rules, we process your personal data under the following lawful bases:
- Contract (Article 6(1)(b)) — to provide the service you signed up for: authentication, board access, transactional emails, and the companion mobile app.
- Legitimate interest (Article 6(1)(f)) — to keep the service safe (rate limiting, abuse detection, audit logging) and to maintain aggregate, anonymous usage statistics.
- Consent (Article 6(1)(a)) — where applicable, such as enabling push notifications on the mobile app.
- Legal obligation (Article 6(1)(c)) — where we're required to keep records for tax, accounting, or law-enforcement purposes.
7. Your rights under GDPR
If GDPR or UK GDPR applies to you, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data. You can update most of your profile data yourself from Profile.
- Erasure ("right to be forgotten") — request deletion of your account. You can delete your own account from Profile › Delete account; this removes your personal data and anonymises any contributions you made to shared workspaces.
- Restriction — ask us to limit processing of your data while a complaint is being investigated.
- Portability — request a machine-readable export of the data you provided to us.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing relies on consent, you can withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint — with your local data-protection authority (e.g. the ICO in the UK).
To exercise any of these rights, use the contact form. If your workspace is hosted by an organisation other than us, contact that organisation's administrator first — they are the data controller for their workspace content.
8. International transfers
Our servers are operated from data centres in the regions advertised at sign-up. Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses or equivalent safeguards. Self-hosted deployments are operated entirely by the hosting organisation.
9. Security
Passwords are stored using BCrypt. Sensitive small fields (such as TOTP secrets used for two-factor authentication) are encrypted at rest. Access to internal databases is restricted and logged.
10. Children
The service is intended for use by businesses and is not directed at children under 16. We do not knowingly collect personal information from anyone in this age group.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated via the email on file for your account.
12. Contact
Questions about this policy? Use the contact form and we'll get back to you within one business day.