Privacy Policy
Last updated 12 June 2026 · Effective 3 June 2026
This policy explains how [GG Legal Entity Ltd] ("GG", "we", "us") collects and uses personal data when you visit taskgg.com, create an account, or use the service. It is written to satisfy Articles 13 and 14 of the EU and UK GDPR and the disclosure duties of the US state privacy laws.
1. Our role: controller vs. processor
We wear two hats. When you load the personal data of your own contacts, leads and clients into the service, you are the controller and we are your processor — we only act on your documented instructions, and the terms governing that data are in our Data Processing Addendum (DPA), not this policy.
This policy covers the data for which we are the controller: the account, billing, support and device data of the people who sign up for and administer a workspace, prospects who contact us, and visitors to our website.
2. Who is responsible
The controller is [GG Legal Entity Ltd], [Registered office — Street, City, Postal Code, Country]. You can reach our privacy team at legal@taskgg.com and our Data Protection Officer at legal@taskgg.com.
- EU representative (Art. 27 GDPR): [EU Representative — name & EU address, Art. 27 GDPR].
- UK representative (Art. 27 UK GDPR): [UK Representative — name & UK address, Art. 27 UK GDPR].
3. What we collect and why
| Category | Examples | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account data | Name, work email, organisation, role, hashed password, workspace settings | Create and secure your account; provide the service | Contract (Art. 6(1)(b)) |
| Billing data | Plan, seats, billing contact, invoices; card data handled by our payment processor | Take payment, prevent fraud, meet tax/accounting law | Contract; legal obligation (Art. 6(1)(b),(c)) |
| Usage & device data | Pages viewed, features used, IP address, browser, timestamps, logs | Operate, secure, debug and improve the service | Legitimate interests (Art. 6(1)(f)) |
| Support data | Messages you send us, tickets, correspondence | Answer your requests and keep a record | Legitimate interests; contract |
| Marketing data | Email, marketing preferences, event/webinar sign-ups | Send service and (with consent) marketing messages | Consent / legitimate interests (Art. 6(1)(a),(f)) |
| Cookies | Session/auth cookie, theme preference, any analytics IDs | Keep you signed in, remember preferences, measure usage | Consent / legitimate interests — see Cookie Policy |
We do not seek to collect special-category data (health, race, beliefs, etc.) about account holders, and we ask that you not put such data into free-text fields. We do not knowingly collect data from children — the service is for business use only (see §11).
4. AI processing & automated features
GG uses artificial intelligence to summarise communications, classify intent and suggest next steps. The model provider is named in our sub-processor list. Two points matter for your privacy:
- You are interacting with an AI system. Summaries, intent labels and enrichment suggestions are machine-generated. We surface them as drafts for a human to confirm — for example, client enrichment is shown for you to confirm before anything is saved. This disclosure is made in line with Article 50 of the EU AI Act.
- No solely-automated decisions with legal effect. We do not make decisions that produce legal or similarly significant effects about you with no human involvement (Art. 22 GDPR).
- Your content is not used to train third-party models. We send data to our AI sub-processor only to generate output for you, under terms that prohibit using it to train their foundation models.
5. Where we get the data
Most data comes directly from you when you sign up and use the service (Art. 13). We also receive data about you from others (Art. 14): from your workspace administrator if they invite you, from our payment processor (billing status), from analytics and security tooling, and — for business enrichment — from public registries (e.g. EU VAT/VIES and company registries) and public web sources.
6. Who we share it with
We do not sell your personal data. We share it with:
- Sub-processors who help run the service (hosting, AI, email delivery, payments, analytics) — the current list is at /legal/subprocessors, each bound by a DPA.
- Your organisation — if you join via a workspace, its administrators can see and manage your account and activity within that workspace.
- Professional advisers (lawyers, accountants, auditors) under confidentiality.
- Authorities where we are legally required, and acquirers in a merger, sale or reorganisation (with notice).
7. International transfers
We and our sub-processors may process data outside the EEA and the UK (including in the United States). Where we do, we rely on an adequacy decision where one exists, or on the European Commission’s Standard Contractual Clauses and, for UK data, the ICO’s International Data Transfer Agreement (IDTA) / UK Addendum, together with supplementary safeguards and a transfer risk assessment. You can request a copy of the relevant safeguards from legal@taskgg.com.
8. How long we keep it
- Account data: for the life of your account and then deleted or anonymised within a reasonable period after closure (typically up to 90 days), subject to backups.
- Billing records: as long as required by tax and accounting law (commonly 6–10 years).
- Logs & security data: a limited rolling window proportionate to the security purpose.
- Marketing data: until you unsubscribe or object, then suppressed.
Customer data you control is retained and deleted per the DPA and your workspace settings.
9. Your rights (EU / UK GDPR)
Subject to conditions, you can ask us to:
- Access the personal data we hold and get a copy;
- Rectify inaccurate or incomplete data;
- Erase data (“right to be forgotten”);
- Restrict or object to processing, including objecting to direct marketing at any time;
- Port data you gave us to another provider;
- Withdraw consent where processing is based on consent, without affecting prior processing.
Exercise any of these by emailing legal@taskgg.com. We respond within one month. If you are unhappy you can complain to your local supervisory authority — in the UK the Information Commissioner’s Office (ICO), or in the EU your national data-protection authority — but we’d appreciate the chance to help first.
10. US state privacy rights
If you are a resident of California or another US state with a comprehensive privacy law — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Nebraska, Maryland, Minnesota, Rhode Island, Kentucky and Florida — you may have the right to know, access, correct, delete and port your personal information, and to appeal a refusal.
- No sale; no “sharing” for cross-context behavioural advertising. We do not sell personal information or share it for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA. We therefore do not need a “Do Not Sell or Share My Personal Information” mechanism, but you may still exercise your other rights.
- No discrimination for exercising your rights.
- Sensitive information is used only to provide the service, not for inferring characteristics.
Submit a request to legal@taskgg.com; we will verify your identity before acting and you may use an authorised agent.
11. Security & children
We use organisational and technical measures appropriate to the risk — encryption in transit, tenant isolation (row-level), access controls, audit logging and least-privilege access. No system is perfectly secure; report concerns to hello@taskgg.com. The service is intended for business users aged 18+ and is not directed at children; we do not knowingly collect children’s data.
12. Changes & contact
We may update this policy; the “last updated” date above reflects the latest revision and we will notify you of material changes. Questions? Email legal@taskgg.com or write to [GG Legal Entity Ltd], [Registered office — Street, City, Postal Code, Country].