Privacy Policy
Last updated: 2026-05-23
TaskMe (a 909 Technologies product) collects the minimum data needed to run the service. Here's what we collect, what we do with it, and what we don't do.
1. What we collect
From owners (you signed up):
- Email address (for sign-in + notifications).
- Username, display name, bio, project list (whatever you put in settings).
- Tasks people send you + your replies + the email outbox.
- IP-hash + user-agent for audit logging (not raw IPs — we hash them).
From requestors (people sending you requests):
- Email address (so they can confirm + get tracking links).
- Optional name.
- The request content + attachments.
- Same IP-hash for abuse detection.
2. Cookies
We set a small number of first-party cookies. No third-party tracking.
- tm_td — recognizes a returning requestor (90 days). Lets you reply to your own requests without re-verifying.
- tm_me_verified — proves a verified browser owns a given email, so the cross-owner /me view works (90 days).
- tm_intake_mode — remembers your preference for form vs chat intake (30 days).
- next-auth.session-token — your owner sign-in session (JWT, 30 days).
No analytics cookies. No advertising cookies. No fingerprinting.
3. What we share
The short list:
- AWS — we run on AWS (Aurora Postgres, S3, SES, Bedrock, Lambda). AWS handles infrastructure and email delivery under their enterprise data-protection terms.
- Cloudflare Turnstile — anti-bot challenge on intake forms. Cloudflare receives challenge metadata but no task content.
- Nobody else. No advertisers, no data brokers, no ML training partners.
4. What we don't do
- We don't sell your data.
- We don't share it with marketers or analytics vendors.
- We don't use your tasks or comments to train any AI model.
- We don't show ads.
5. Email
We send email via Amazon SES from hello@taskme.build. Our domain has SPF, DKIM, and DMARC configured so other mail servers can verify our sender identity.
Owners get notification emails when requests come in or comments arrive. Requestors get tracking-link emails + status updates. There's currently no "unsubscribe" because every email is transactional (you triggered it by participating in a task) — if you want to stop receiving any TaskMe email, delete your account.
6. Data retention + deletion
Tasks, comments, and attachments persist until you delete them. Audit logs and email outbox records persist for 90 days then get pruned. Soft-deleted tasks are permanently purged 30 days after deletion.
You can delete your entire account by emailing hello@taskme.build (self-service coming soon). We'll process the request within 7 days.
7. Security
Data in transit is encrypted (TLS 1.2+). Data at rest in Aurora and S3 is encrypted with AWS-managed keys. Magic-link tokens are hashed (never stored plaintext). Reply-thread tokens are HMAC-signed. We never store raw OTP codes — only bcrypt hashes.
8. Children
TaskMe is not designed for children under 13 and we don't knowingly collect their data.
9. Changes
Material changes to this policy get advance notice via the dashboard or email. We'll keep the "last updated" date current at the top of this page.
10. Contact
Privacy questions, deletion requests, "what do you have about me" → hello@taskme.build.