Privacy Policy

1. Data controller

The data controller is Mindora Labs, established in Spain.

Privacy contact: mindora.data@gmail.com.

2. Data we collect

We collect only the data needed to operate and bill the service:

• Account: email, name, hashed password (bcrypt — we never store passwords in clear), authentication provider (email or Google), creation date, and the date you declared being at least 16 years old.
• Sessions: session token, the IP address you logged in from, and user-agent (for audit and abuse detection).
• Tasks: the prompt you submit (goal), the plan generated by the system, and the resulting files. These may contain whatever you choose to share.
• Billing: amount charged, tier (simple/medium/complex), the payment method on file at Stripe (we never see your card; only the opaque identifier Stripe returns), and internal payment identifiers.
• Technical metrics: real cost per invocation, tokens per model, latencies. Linked to a user only by their internal user_id.
• Server logs: HTTP access lines (method, path, status code, response time) and messages emitted by our code. These may include your email when we send transactional emails.

3. Purpose and legal basis

• Performance of the contract (Art. 6(1)(b) GDPR): create your account, run your tasks, charge you, deliver results, and provide support.
• Legal obligation (Art. 6(1)(c)): keep billing records for the minimum period required by Spanish Law 58/2003 (General Tax Law) — typically 4 years.
• Legitimate interest (Art. 6(1)(f)): technical monitoring, abuse prevention, minimal security audit logs.
• Explicit consent (Art. 6(1)(a)): minimum age declaration (16) and acceptance of these policies at signup.

4. Third parties (processors)

We rely on the following providers to operate the service. Each maintains its own privacy policy which you should review if it concerns you:

• Stripe, Inc. — payment processing. Your card details flow directly from your browser to Stripe; we only receive an opaque identifier. European entity (Stripe Ireland) for EU users. stripe.com/privacy.
• Resend (USA) — transactional email delivery (password reset, deletion confirmation). We share recipient, name, and the email body. resend.com/legal/privacy-policy.
• Google Cloud Platform (data hosted in the europe-west1 region, Belgium) — compute, storage, database, and logs. cloud.google.com/terms/cloud-privacy-notice.
• Anthropic, PBC (USA) — inference with the Claude model. anthropic.com/legal/privacy.
• OpenAI, Inc. (USA) — inference with the GPT-5 models. openai.com/policies/privacy-policy.
• DeepSeek (China) — inference with the DeepSeek Chat model. deepseek.com. Important: submitting a task may dispatch it to DeepSeek in China. If you do not want that to happen, do not use Taskos.
• Namecheap — taskos.tech domain registrar. Does not receive task data.

With each provider that processes personal data we have a contract or equivalent agreement (DPA / Data Processing Addendum). We do not sell or rent your data.

5. International transfers

Anthropic, OpenAI and DeepSeek operate outside the EEA (USA and China respectively). These transfers rely on the European Commission's Standard Contractual Clauses or equivalent frameworks. By using Taskos you expressly accept that your prompt and the generated content may be sent to those providers for processing.

6. Retention and deletion

• We retain your data while your account is active to provide the service.
• You can request deletion at any time from /account/delete. Your account is flagged for deletion for 30 days (recovery window); after that we anonymise your personal data (email, name, password) and delete the files you generated.
• Billing records (amount, date, sums) are kept in pseudonymised form for the minimum period required by Spanish Law 58/2003 (4 years).

7. Your rights (GDPR)

You have the right to:

• Access your data (right of access).
• Have it rectified if inaccurate.
• Have it erased (right to be forgotten, Art. 17).
• Object to certain processing.
• Receive a portable copy of your data.
• Withdraw consent at any time.

To exercise these rights write to mindora.data@gmail.com. We respond within 30 calendar days.

If you believe we are not respecting your rights you may file a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es.

8. Minimum age

Taskos is not directed at children under 16. By signing up you expressly declare that you are at least that age. If we detect that an account belongs to a minor under 16, we will delete it.

9. Security

We use end-to-end TLS, bcrypt-hashed passwords, external credentials stored in Google Secret Manager with restricted access, and least-privilege policies on every component. No system is perfect, but we commit to notifying you within 72 hours if we detect a breach of your data, per Art. 33 GDPR.

10. Cookies and local storage

We do not use tracking cookies or advertising cookies. We use browser localStorage to keep your session token after sign-in. It is cleared when you press "Sign out".

11. Beta phase — use of aggregated data

Taskos is in Beta. During this phase we may analyse aggregated and pseudonymised data (usage metrics, latencies, success and cost ratios) to debug, improve the service, and tune pricing.

What we do during Beta:

• Review server logs to diagnose specific incidents (traceable by user_id).
• Compute aggregate statistics (task volume, refund rates, most-used models) without identifying any individual user in internal reports.
• Reach out to you specifically if we detect an issue with one of your tasks (reactive support).

What we do not do during Beta (or after):

• Train our own or third-party models on the content of your tasks.
• Share identifiable data with advertisers or commercial partners.
• Manually review the content of your tasks unless you explicitly request it (for example, when opening a support ticket).

GDPR guarantees (access, rectification, erasure, portability, and objection rights described in section 7) remain fully in place during the Beta phase.

12. Changes to this policy

When we modify material aspects we will show a banner on the site and update the date at the top of this document. Continued use of the service after the effective date implies acceptance of the new terms.