Privacy Policy

Last updated: May 13, 2026

This Privacy Policy explains how AllChat J4U Ltd. (Israeli company number 515738813), operating the TaskFlow AI service (the “Service”, “we”, “us”, or “our”), collects, uses, stores, shares, and protects information about users (“you”, “your”) of the platform available at taskflow-ai.com and related services.

We are committed to protecting your privacy in accordance with the Israeli Privacy Protection Law (1981), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), and the Google API Services User Data Policy, including the Limited Use requirements.

1. Information We Collect

1.1 Account information

  • Full name, email address, phone number
  • Business name and role
  • Profile picture (if provided)
  • Authentication credentials (passwords are hashed; we never store them in plaintext)

1.2 WhatsApp data

  • Group names, member lists, and group metadata for groups you connect
  • Messages routed through the Service for the purpose of classification, AI-powered insights, and automated workflows
  • Media attachments (images, documents, audio) shared in connected groups
  • Phone numbers of group members for analysis and spam detection

1.3 Google account data (when you connect Google integration)

  • Your Google account email address and profile picture
  • OAuth access and refresh tokens (encrypted at rest with AES-256-GCM)
  • Limited Drive access via the drive.file scope: we can only see and modify files that the Service has created or that you explicitly opened with the Service
  • Sheets access via the spreadsheets scope: we read and write only to spreadsheets you explicitly designate as sync destinations

1.4 Payment information

Payment information is processed by our payment processors (Cardcom in Israel and others as applicable). We do not store full credit card numbers on our servers. We retain billing records (amount, date, plan, billing email) for accounting and tax purposes.

1.5 Technical and usage data

  • IP address, browser type, operating system, device identifiers
  • Login times, session duration, pages visited, features used
  • Error logs and diagnostic information
  • Cookies and similar tracking technologies (see Section 8)

2. How We Use Information

We use the information we collect for the following purposes (legal bases under GDPR shown in brackets):

  • Service provision: message classification, board management, notifications, group protection, AI assistance [contractual necessity]
  • Account management: authentication, billing, support [contractual necessity]
  • Service improvement: performance analytics, bug fixes, feature development [legitimate interest]
  • Communication: service announcements, security alerts, billing notices [contractual necessity / legitimate interest]
  • Safety and abuse prevention: detecting misuse, preventing fraud, protecting users [legitimate interest]
  • Legal compliance: tax, accounting, regulatory requirements [legal obligation]
  • Marketing: only with your explicit, separately given consent [consent — withdrawable at any time]

3. Google API Services — Limited Use Disclosure

TaskFlow AI's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we access

  • Google Drive: only files created by the TaskFlow application or files you explicitly open with the TaskFlow application via the Google file picker (the drive.file scope)
  • Google Sheets: read and write access to spreadsheets you explicitly designate as TaskFlow sync destinations
  • Your Google profile email address and profile picture

What we do not do

  • We do not use Google user data to serve advertising
  • We do not sell, rent, or transfer Google user data to third parties
  • We do not use Google user data to train generalized AI/ML models
  • We do not read or process any files in your Google Drive that you did not explicitly share with the TaskFlow application
  • Human access to Google user data is limited to: (a) with your explicit consent, (b) for security purposes (e.g., investigating abuse), (c) to comply with applicable law, or (d) for aggregated and anonymized internal operations

How to revoke access

You may revoke TaskFlow's access to your Google account at any time by visiting myaccount.google.com/permissions or by clicking “Disconnect” in your TaskFlow integration settings. Revoking access stops future synchronization; data previously synced to your own Google Drive/Sheets remains in your possession.

4. How We Share Information

We do not sell your personal information. We share data only with the following categories of recipients:

  • Service providers (sub-processors): Supabase (database, EU/US), Vercel (hosting, US), OpenAI (AI inference, US), Anthropic (AI inference, US), Cardcom (payments, Israel), Green API (WhatsApp gateway, multiple regions), Resend (email, US), Google (when integration is enabled). Each is bound by a data processing agreement
  • Other workspace members: data within your workspace is visible to other members you have invited
  • Legal authorities: when required by valid legal process (court order, subpoena), and only to the minimum extent required by law
  • Business transfers: in the event of a merger, acquisition, or asset sale, with notice to you and the opportunity to delete your data

5. Data Retention

  • Account data: retained for as long as your account is active, plus 90 days after deletion
  • Message metadata: per your selected plan (Trial: 7 days; Starter: 30; Business: 90; Enterprise: 365)
  • Message content: processed in real-time, not stored long-term unless explicitly enabled by you
  • Billing records: 7 years (Israeli tax law requirement)
  • OAuth tokens: until you disconnect the integration or your account is deleted
  • Backup data: up to 30 days after primary data deletion

6. Your Rights

Depending on your jurisdiction, you have the following rights:

  • Access: request a copy of the data we hold about you
  • Correction: ask us to fix inaccurate or incomplete data
  • Erasure (“right to be forgotten”): request deletion of your personal data, subject to legal retention obligations
  • Portability: receive your data in a structured, machine-readable format
  • Restriction of processing: limit how we use your data in specific circumstances
  • Objection: object to processing based on legitimate interests or direct marketing
  • Withdrawal of consent: where processing is based on consent, you may withdraw it at any time
  • Lodge a complaint: with your local data protection authority (e.g., the Israeli Privacy Protection Authority, or your EU Member State's DPA)

California residents (CCPA/CPRA): you additionally have the right to know what categories of personal information we collect and disclose, the right to non-discrimination for exercising your rights, and the right to opt out of any “sale” or “sharing” of personal information (we do not sell or share for cross-context advertising).

To exercise any of these rights, email us at privacy@taskflow-ai.com. We will respond within 30 days.

7. International Data Transfers

We are based in Israel. Data may be processed in Israel, the European Union, the United States, and other countries where our sub-processors operate. For transfers from the EU/EEA, we rely on the European Commission's adequacy decision regarding Israel, and Standard Contractual Clauses (SCCs) where applicable. By using the Service, you consent to such transfers.

8. Cookies and Tracking

We use the following categories of cookies:

  • Strictly necessary: authentication session, workspace selection, CSRF protection — cannot be disabled
  • Functional: language preference, UI state — can be disabled in your browser settings
  • Analytics: aggregated usage statistics (no individual user tracking by third parties)

9. Security

We implement industry-standard technical and organizational measures to protect your data:

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest (database and backups)
  • AES-256-GCM encryption for OAuth tokens
  • Hashed passwords (bcrypt or equivalent)
  • Role-based access controls; least-privilege principle for staff
  • Row-level security policies in our database
  • Regular security audits and penetration testing
  • Incident response procedures with notification within 72 hours of confirmed breach (per GDPR)

No system is 100% secure. You are responsible for safeguarding your login credentials.

10. Children's Privacy

The Service is not intended for users under the age of 16 (or the age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us for immediate deletion.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email and via an in-app banner at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

12. Contact Us

Data Controller: AllChat J4U Ltd. (Israeli company number 515738813), Petah Tikva, Israel.

For EU users: we have not appointed a representative in the EU at this time, as we do not regularly process EU residents' data on a large scale. You may still contact us at the address above.
