Privacy Policy

1. Who We Are

Det 5 Element ApS ("TASKTOGO", "we", "us", "our") operates the TASKTOGO platform at tasktogo.com and the TASKTOGO mobile application. We are the data controller for personal data collected through these services.

Contact: privacy@tasktogo.com

2. Data We Collect

Account data: name, email address, hashed password, profile picture, job title, date of birth, country, mobile number, and any other fields you complete in your profile.

Content data: tasks, messages, files, calendar entries, group posts, and other content you create or share within the platform.

Usage data: features accessed, session timestamps, and error events collected to operate and improve the service.

Device data: device type, operating system version, app version, and Expo push token (required for push notifications on mobile).

Authentication tokens: short-lived access tokens and refresh tokens stored in your device's secure keychain (iOS Keychain / Android Keystore) or an encrypted browser store.

Preference data: language, theme mode, notification settings, and session duration preference.

3. Legal Bases for Processing (GDPR Art. 6)

Performance of a contract (Art. 6(1)(b)): processing your account data and content data to deliver the service you signed up for.

Legitimate interests (Art. 6(1)(f)): crash monitoring and error logging (via Sentry) to maintain service reliability; security monitoring and fraud prevention.

Legal obligation (Art. 6(1)(c)): retaining billing records as required by Danish bookkeeping law (Bogføringsloven).

Consent (Art. 6(1)(a)): sending push notifications and, where applicable, marketing communications. You may withdraw consent at any time via your device or account settings.

4. How We Use Your Data

Creating and maintaining your account and providing access to all features of TASKTOGO.

Delivering platform features: task management, scheduling, group messaging, notifications, and file attachments.

Sending transactional emails: account verification, password reset, security alerts, and billing receipts.

Monitoring service performance and fixing bugs through anonymised crash reports.

Investigating and preventing security incidents and unauthorised access.

Complying with applicable legal obligations.

5. Data Retention

Account and content data: retained for the lifetime of your account and for 30 days after deletion, after which it is permanently erased.

Billing and transaction records: retained for 5 years as required by Danish bookkeeping law.

Crash and error logs (Sentry): retained for 90 days.

Server access logs: retained for 30 days.

Backup copies may persist for up to 30 days after deletion from live systems before being purged from all backups.

6. Data Storage and Security

All data is stored on servers located within the European Union. We apply TLS 1.2+ encryption for all data in transit and encryption at rest for stored data.

Access to production data is restricted to authorised personnel on a need-to-know basis. We conduct regular security reviews.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the Danish Data Protection Agency (Datatilsynet) within 72 hours, as required by GDPR Articles 33–34.

7. Cookies and Local Storage

We use only strictly necessary cookies and local storage items required for authentication (session tokens) and remembering your preferences (language, theme).

We do not use advertising, tracking, behavioural profiling, or third-party analytics cookies. No cookie consent banner is displayed because no non-essential cookies are set.

8. Push Notifications

If you grant permission on your mobile device, we send push notifications using the Expo push service. Your Expo push token is stored on our servers and associated with your account solely for this purpose.

You can revoke notification permission at any time in your device settings (Settings → Notifications → TASKTOGO). Revoking permission stops all future push notifications without affecting any other part of the service.

9. Crash Reporting

We use Sentry (sentry.io) for crash and error monitoring. When the app crashes or encounters an error, Sentry automatically collects: a stack trace, the app version, device OS and model, and a session identifier.

Sentry does not collect personal content such as message text, task descriptions, or file contents. All Sentry data is processed under a Data Processing Agreement and retained for 90 days.

We do not use behavioural analytics or third-party advertising platforms.

10. Sharing Your Data

We do not sell, rent, or trade your personal data. We share data only with sub-processors required to operate the service:

• Sentry (error monitoring) — United States, protected by EU Standard Contractual Clauses.

• Expo / EAS (mobile app distribution and push notifications) — United States, protected by EU Standard Contractual Clauses.

• Apple App Store and Google Play (app delivery) — operating under their own Data Processing Agreements.

• Cloud infrastructure and hosting providers operating within the EU.

A full list of sub-processors is available at tasktogo.com/subprocessors.

11. International Data Transfers

Some sub-processors (Sentry, Expo) are based in the United States. When personal data is transferred outside the European Economic Area, we rely on EU Standard Contractual Clauses (Commission Decision 2021/914) as the appropriate safeguard under GDPR Chapter V.

12. Your Rights

Under the GDPR you have the following rights regarding your personal data:

• Right of access (Art. 15): request a copy of the personal data we hold about you.

• Right to rectification (Art. 16): request correction of inaccurate or incomplete data.

• Right to erasure (Art. 17): request deletion of your data, subject to legal retention obligations.

• Right to restrict processing (Art. 18): ask us to limit how we use your data in certain circumstances.

• Right to data portability (Art. 20): receive your data in a structured, machine-readable format.

• Right to object (Art. 21): object to processing based on legitimate interests.

• Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@tasktogo.com. We will respond within 30 days.

13. Right to Complain

If you believe we are handling your personal data unlawfully, you have the right to lodge a complaint with the Danish Data Protection Agency:

Datatilsynet · Carl Jacobsens Vej 35, 2500 Valby, Denmark · dt.dk · +45 33 19 32 00

You may also contact the supervisory authority in your country of residence.

14. Children

TASKTOGO is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and believe a child under 16 has created a TASKTOGO account, contact privacy@tasktogo.com and we will delete the account and all associated data promptly.

15. Changes to This Policy

If we make material changes — for example, to the categories of data collected or the purposes of processing — we will notify you by email or in-app notice at least 14 days before the changes take effect.

The current version is always available at tasktogo.com/privacy. Continued use of the service after the effective date constitutes acceptance of the updated policy.

16. Contact

Det 5 Element ApS

privacy@tasktogo.com