Privacy Policy

Last updated: June 12, 2026

Important: App vs Website

PrimeTask Desktop App is built for privacy by default. Your tasks, projects, and personal information stay on your device, and the app does not use tracking. Optional connected features require your explicit action.

This Website collects personal data when you choose to interact with us, such as creating an account, making a purchase, or subscribing to updates.

This policy explains what data we collect on this website and through our services, why we collect it, and your rights. PrimeTask is operated by TaskCore LTD (Company No. 17081972, 124 City Road, London, EC1V 2NX), who is the data controller responsible for your personal data. The PrimeTask desktop application is privacy-first and keeps your productivity data on your device by default. Optional connected features are only used when you choose to use them.

Contents

1. Website Visitors

When you visit our website without creating an account, we collect minimal data:

What we collect:

  • Analytics and website performance: We use privacy-conscious, cookieless analytics and website performance tools to understand how our website is used, improve performance, and measure sign-ups and purchases. These tools do not set cookies and do not identify you personally. Legal basis: legitimate interests
  • Cookies/local storage: Theme preference (light/dark) may be stored locally in your browser. We do not use advertising, affiliate, or cross-site tracking cookies
  • Affiliate referral links: If you arrive through an affiliate's referral link, we record a referral click (with pseudonymised technical information, such as a one-way keyed reference derived from your IP address) so the referring affiliate can see their click count. We do not set a tracking cookie for this and do not track you between separate visits. Legal basis: legitimate interests
  • Approximate location, for currency only: We estimate the country you are connecting from so we can show prices in one of our supported regional currencies (GBP, EUR, or USD), based on your region. This is an approximate, country-level estimate only. We do not pinpoint your precise location, we do not store it, and we do not use it for anything else. The currency and price that apply to any purchase are always the ones confirmed at checkout. Legal basis: legitimate interests

We do not sell your browsing data.

2. Beta Testers

When you apply for and participate in our beta program, we collect additional data to manage your account and provide support:

Account Information:

  • Email address: For account access and communication
  • Name: To personalize your experience
  • Platform preference: macOS or Windows
  • Application notes: Your reason for joining the beta
  • Privacy consent timestamp: When you agreed to this policy
  • Terms acceptance: Which version of our Terms of Service you accepted, and when

Session & Security Data:

  • IP address: For security and fraud prevention
  • Browser information: For security purposes

Bug Reports:

  • Bug descriptions: Title, description, steps to reproduce
  • System info: App version, OS version (provided by you)
  • Screenshots: Only if you choose to attach them
  • Messages: Communication with our team about bugs

Beta Program Communications:

As a beta tester, you may receive the following emails from us:

  • Welcome & approval emails: When you're approved for the beta
  • Activation reminders: If you haven't activated the app
  • Bug report updates: Replies and status changes on your bug reports
  • Release notifications: New versions and important updates

These communications are essential for beta program participation. You can opt out by deleting your beta account.

Software Updates:

PrimeTask may connect to update services when update-related actions are initiated. No productivity data is transmitted.

Device Activations:

When you activate PrimeTask, we collect limited technical information for license management and fraud prevention. See the Device Management & Licensing section below for details.

Note: The PrimeTask desktop app stores all your tasks, projects, and personal data locally on your device. We never have access to your productivity data. If you choose to use collaboration features (shared spaces), data is synchronised through your own cloud storage provider (e.g. Dropbox, Google Drive, or local network shares), not through PrimeTask servers. You are responsible for the security of your chosen sync provider.

Trial Users

When you register for a free trial, we collect the same account information as described in the Beta Testers section above. We store limited trial, activation, and device information to manage access and prevent abuse. Trial information is stored securely on your device.

After your trial, access to the app requires a valid license. Your data remains on your device and is never deleted by us. You may receive a limited number of follow-up emails (see Automated Email Communications below). You can request full account deletion at any time.

Customers (Standard & Pro)

When you purchase a PrimeTask license, we collect the same account information as described above, plus:

Purchase Data:

  • License tier: Standard or Pro
  • Transaction metadata: Purchase amount, currency, date, and payment status
  • Payment reference: A reference ID linking to your payment provider

We do not store your card numbers, CVV, expiry dates, or billing address. All payment processing is handled by Stripe. See the Payment Processing section below.

Newsletter & Notifications

When you subscribe to our newsletter, sign up for launch notifications, or opt in to product updates, we collect the following:

  • Email address (required)
  • Name (optional, if provided)
  • Consent record: When you agreed to receive communications

Purpose: To send you product updates, launch announcements, and occasional marketing communications about PrimeTask.

Legal basis: Your explicit consent, given by checking the privacy policy checkbox when subscribing.

Unsubscribe: Every email includes a one-click unsubscribe link. You can opt out at any time, and we will stop sending you emails immediately.

Retention: Your data is retained while your subscription is active. After unsubscribing, your record is marked as inactive. You may request full deletion at any time by contacting us.

Third parties: We never share, sell, or provide your email address or personal data to any third party.

Public Feedback Forms

We may share public feedback forms (surveys, polls) that anyone can respond to without creating an account. Here's what we collect and why:

Data Collected:

  • Survey responses: Your answers help us improve PrimeTask. Responses are stored in aggregated, anonymous form
  • IP address: Used solely for spam prevention. Automatically deleted after a short period
  • Name & email (optional): Entirely optional. If provided, stored only to help us follow up on your feedback

Bot Protection & Security:

  • Cloudflare Turnstile: Verifies you are a real person. May set a small cookie and send limited technical data (browser type) to Cloudflare. No personal data is shared. See Cloudflare's Privacy Policy

How Your Data Is Used:

  • Aggregated results: When enabled by the form creator, anonymous result summaries (e.g. vote counts, average ratings) may be displayed to other respondents. Individual responses are never identified
  • Data retention: Survey responses are retained for as long as the feedback form exists. IP addresses are automatically purged after a short period

Your rights: If you provided your email address, you can request deletion of your responses at any time by contacting privacy@primetask.app. Fully anonymous responses (no email, no name) cannot be traced back to any individual and are treated as anonymized data.

Automated Email Communications

You may receive a limited sequence of onboarding or follow-up emails based on your engagement level. We may measure engagement such as opens and link clicks. We may also test different subject lines to improve relevance.

How to Opt Out:

  • Every email includes a one-click unsubscribe link
  • Every email includes a link to permanently delete your registration

Legal basis: Legitimate interest, sending relevant, timely communications to improve user experience.

Community Features

The PrimeTask portal includes community features where you can share feedback, vote on features, and interact with other users.

Data Collected:

  • Community posts, feature votes, reactions

Privacy: Your identity is shown via a generated avatar, not your real name, email, or photo. Email addresses are never displayed to other users. Posts are visible to all portal users.

Device Management & Licensing

When you activate PrimeTask on a device, we collect limited technical information for license management and fraud prevention. This data is retained for the lifetime of your account and deleted upon account deletion.

Device Limits:

  • Trial: Up to 2 devices
  • Standard: Up to 2 devices
  • Pro: Up to 4 devices

You can manage your devices from the app or by contacting support.

Software Updates

PrimeTask may connect to update services when update-related actions are initiated. When you use update-related features, we may store limited technical information such as your current app version, update time, and update source for licence management, security, and support analytics. No productivity data is transmitted as part of this process.

3. Optional Third-Party Services (Desktop App)

Privacy by Default: The PrimeTask desktop app is 100% offline and private by default. The following features are completely optional and require your explicit consent before use.

Unsplash Stock Photos

PrimeTask allows you to add cover images to projects and workflows using Unsplash's free stock photo library. This feature requires internet access and your consent.

When you use Unsplash photos, the following is sent to Unsplash servers:

  • Search queries: The keywords you type when searching for images
  • Photo IDs: Identifiers for images you select (to credit photographers)
  • App identifier: That the request comes from PrimeTask

What is NOT shared: Your name, email, tasks, projects, or any personal data from PrimeTask. Unsplash has no access to your local data.

Managing Your Consent

  • A consent dialog appears the first time you try to use Unsplash
  • You can choose to allow for the current session only, or remember your choice
  • You can revoke access anytime in Settings → Privacy → Third-Party Services
  • If you never use Unsplash, no data is ever sent externally

Unsplash is a service by Unsplash Inc. For their privacy practices, see the Unsplash Privacy Policy.

iCloud & File Sync

PrimeTask offers optional sync features. These are fully opt-in: if you don't enable them, your data stays on one device only.

iCloud Sync (macOS):

  • Data is stored in your own private iCloud account -not accessible to us
  • You control which spaces use iCloud sync
  • Subject to Apple's iCloud terms and privacy policy

File Sync (Cross-Platform):

  • PrimeTask reads and writes files to a folder you select
  • Your cloud provider's app (Dropbox, Google Drive, etc.) handles the network transport -PrimeTask never contacts these providers directly
  • Optional encryption available for synced data
  • You are responsible for the security of your chosen sync provider

Payment Processing

Payments are processed securely by Stripe.

  • What Stripe receives: Your email address, card details, and billing address
  • What we store: Transaction metadata (amount, status, date) and a payment reference

We never store your card numbers, CVV, expiry dates, or billing address. Transaction metadata is retained as required by law.

Where Stripe Payments Europe Limited is the merchant of record for your purchase, Stripe (not TaskCore LTD) is the counterparty to the sale for tax and consumer-law purposes, and customer billing data is processed by Stripe under its own controller arrangements. See the Sub-Processors section below.

Affiliate Program

If you join our affiliate program:

  • Affiliate code: Your unique referral identifier
  • Referral clicks: Daily click counts with pseudonymised visitor information (visitor IP addresses are stored only as a one-way keyed reference, not in the clear; no tracking cookie is set)
  • Commission data: Sale amounts, commission earned, payout status
  • Payouts: Processed through Stripe Connect Express or Stripe Global Payouts, depending on the payment provider assigned to your account: financial identity data goes directly to Stripe, not stored by us
  • US tax-information reporting: Where you are a US-person affiliate and your aggregate commissions in a calendar year meet IRS reporting thresholds, your name, address, taxpayer identification number (TIN), and aggregate annual commission amount are shared with Track1099 (Avalara, Inc., United States) for the sole purpose of preparing, filing, and delivering IRS Form 1099-NEC. W-9 and W-8BEN or W-8BEN-E forms you submit are held in custody by Track1099, not by PrimeTask. See the Sub-Processors and International Transfers sections below.

The affiliate program is invitation-only and governed by a separate Affiliate Agreement.

Sub-Processors

We use the following sub-processors to deliver the service. Each is bound by a written processing agreement that requires equivalent technical and organisational safeguards.

Sub-processorLocationPurpose
Stripe Payments Europe LimitedIreland (EU)Payment processing for customer purchases, refunds, and affiliate payouts via Stripe Connect Express or Stripe Global Payouts
Stripe Payments Europe Limited (in its merchant-of-record capacity)Ireland (EU)Acting as merchant of record for customer transactions where applicable
Website hosting & cookieless analytics provider (specific provider available on request)United StatesWebsite hosting and cookieless, privacy-conscious analytics (aggregate usage only; no cookies, no cross-site tracking, no personal identification)
Track1099 / Avalara, Inc.United StatesUS tax-information reporting: preparation, filing, and delivery of IRS Form 1099-NEC; custody of W-9 and W-8BEN or W-8BEN-E forms (US-person affiliates only)

Retention: Track1099 retains tax-identification documents and 1099-NEC filings for at least 4 years after the last payment, in line with IRS recordkeeping requirements.

International Transfers

Most of your personal data is stored and processed inside the United Kingdom and the European Economic Area. Where a sub-processor (such as Cloudflare or Svix) operates global infrastructure, or where our website hosting and analytics provider is based in the United States, transfers outside the UK and EEA are protected by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) supplemented by the ICO International Data Transfer Addendum (B.1.0, in force 21 March 2022), or by a sub-processor's active self-certification to the UK Extension to the EU-US Data Privacy Framework where in force, with supplementary safeguards where appropriate.

Where your affiliate payouts are processed via Stripe Global Payouts and you are a US person subject to US tax-information-reporting rules, your name, address, taxpayer identification number, and aggregate annual commission amount will be shared with Track1099 (Avalara, Inc., United States) for the sole and limited purpose of preparing, filing, and delivering IRS Form 1099-NEC. No personal data of affiliates who are not US persons, and no personal data of affiliates whose payouts are processed via Stripe Connect Express, is transferred to Avalara, Inc. for these purposes. That transfer is made under the EU Standard Contractual Clauses (Modules 1 and 2 as applicable) supplemented by the ICO International Data Transfer Addendum executed with Avalara, Inc. We have completed a transfer risk assessment (the data protection test under Article 45A of the UK GDPR, inserted by the Data (Use and Access) Act 2025 and in force from 5 February 2026, which continues and supersedes the framework formerly contained in section 17A of the Data Protection Act 2018) for this transfer. We will move this transfer to the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge) if Avalara, Inc. becomes actively self-certified and that certification covers the relevant data categories.

Refund Process Data

When you request a refund, we collect and process the following data to operate our refund workflow (described in our Refund Policy):

Refund Request Data:

  • Customer-stated reason: Free-text reason you provide for the refund (optional, used for support quality + product improvement)
  • Attestation confirmation record: When you confirm your refund in your dashboard, we record the date and time, your IP address, your browser information, the exact confirmation statements you agreed to (and their version), and the version of the Refund Policy in force at the time. We keep this record as evidence of your agreement, alongside the timestamps of when the attestation email was sent and when the refund was processed
  • Stripe refund reference: The reference returned by Stripe when the refund is processed
  • Admin audit trail: Which admin approved or processed your refund + the time stamps of each state change

Anti-abuse signals: We maintain a record of refunds you have received in order to enforce the refund frequency limit stated in our Refund Policy. This record contains minimal numerical data and does not include refund reasons or details.

Legal basis: Contract performance (operating the refund process) and legitimate interests (preventing refund abuse). Retention follows the financial-records timeline below.

Financial Records & Retention

We are legally required to keep records of every purchase, refund, chargeback, and affiliate payout for a minimum period under UK accounting law:

Retention Periods:

  • Transaction records: 6 years minimum (Companies Act 2006 + VAT Act 1994). Includes order number, amount, currency, date, payment reference, and tax data.
  • Tax-year financial reports: Encrypted, immutable archive in EU-region cloud storage. Each generated report is hashed (SHA-256) + signed (HMAC) for tamper evidence. Retained 7 years (6-year statutory minimum + 1-year buffer).
  • Refund audit logs: Retained alongside the parent transaction record for the same 6-year period.
  • Affiliate fraud signal logs: Up to 3 years from the date of collection unless a longer period is required for legal, tax, or audit purposes.

GDPR Erasure & Pseudonymisation

If you exercise your right to erasure under UK GDPR after a refund or chargeback, we cannot fully delete the financial-record row because we are obliged to retain it under UK tax law. Instead, we pseudonymise the personal data on that row: your name and email address are replaced with a one-way cryptographic hash (SHA-256 with a versioned server-side salt) that cannot be reversed to identify you. The financial figures stay intact for HMRC; the personally identifying information is gone.

Lawful basis: UK GDPR Article 17(3)(b), retention is necessary for compliance with a legal obligation (Companies Act 2006, VAT Act 1994). Pseudonymisation is the most privacy-respecting compromise we can apply while still complying with HMRC retention.

Salt versioning: The cryptographic salt is versioned. If a salt is ever rotated (for example after a security incident), historical hashes within the previous version remain cross-referenceable for audit purposes; new hashes use the new version. This means a leaked salt cannot be used to reverse hashes from a different version.

GDPR Deletion Log:

Every erasure request is recorded in an internal log that contains no PII (only a salted hash of the original identifier, the row counts pseudonymised, and the salt version used). This log proves we acted on your request without retaining data that could re-identify you.

Inbound Email (refunds@)

Emails sent to refunds@primetask.app are processed through Resend (our email delivery provider) into our admin support queue. The body of your email, your sender address, and any attachments are stored alongside the corresponding transaction so support staff can review the request.

  • Spoofing protection: Resend verifies SPF / DKIM signatures on every inbound message. Forgeries are rejected before they reach our admin queue.
  • Rate limiting: Resend rate-limits inbound mail per sender to prevent abuse.
  • Webhook signature verification: Every inbound message is delivered to our system over a Svix-signed webhook; we reject any payload that doesn't cryptographically match.
  • Blocked sender list: Senders on our internal block list are filtered out before reaching admin review.

Retention: Inbound emails are retained alongside the related transaction record for the financial-records retention period (6 years). They are pseudonymised at the same time as the parent transaction if you exercise your right to erasure.

Account Deletion

You can delete your account at any time using the “Delete Account” option in your portal dashboard, the deletion link in any automated email, or by contacting privacy@primetask.app. For your protection, account deletion from the portal requires password verification and an email confirmation code.

Permanently Deleted:

  • Account, email, name, and all personal details
  • Device activations and license data
  • Session data
  • Email engagement data and marketing preferences

Anonymised (Retained for Legitimate Purposes):

  • Security logs (identity removed, retained for a limited period)
  • Bug reports (name replaced with “Deleted User”)
  • Community posts (anonymised)
  • Transaction metadata (retained as required by law)

Anti-Abuse Record:

For fraud prevention purposes, we retain a minimal device-level record indicating that a trial was used on a specific device. This record is kept separate from your account data and is used solely to prevent repeated trial abuse. It does not contain your name, email, or any account information.

We cannot delete: Data on your device (we have no access), records held by Stripe (contact Stripe directly), or emails already delivered.

Data Storage & Security

Where we store your data:

  • Secure database hosted in the EU, encrypted at rest
  • Website and API hosted on a secure platform with HTTPS/TLS encryption
  • Emails delivered via a trusted email delivery provider
  • Payments processed by Stripe

Security measures:

  • Passwords are securely hashed (never stored in plain text)
  • All connections use HTTPS/TLS encryption
  • Sessions are secured and expire automatically after inactivity
  • Regular security audits and updates

Data retention:

  • Account data: Kept until you delete your account
  • Session data: Automatically deleted after inactivity
  • Bug reports: Anonymised on account deletion
  • Security logs: Retained for a limited period, then deleted
  • Transaction metadata: Retained as required by law

Your Rights (UK GDPR)

Under the UK General Data Protection Regulation (UK GDPR), you have the following rights:

Right to Access

Request a copy of all data we have about you.

Right to Deletion

Delete your account and all associated data.

Right to Rectification

Correct inaccurate personal data.

Right to Restrict

Limit how we process your data.

Right to Data Portability

Request your data in a portable format.

Right to Complain

Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

How to exercise your rights: You can delete your account directly from your portal dashboard. For all other requests, contact us at privacy@primetask.app. We aim to respond within 30 days.

Contact Us

If you have any questions about this Privacy Policy or want to exercise your rights, please contact us:

PrimeTask

A product of TaskCore LTD (Company No. 17081972, 124 City Road, London, EC1V 2NX)

Privacy (PrimeTask): privacy@primetask.app

Privacy (TaskCore corporate): privacy@taskcore.co

General: contact@primetask.app

Website: primetask.app

For PrimeTask-specific questions (account, billing, support data) use the PrimeTask address. For company-wide privacy or data-protection matters use the TaskCore address. Both reach the designated data-protection team.

TaskCore LTD is registered with the UK Information Commissioner's Office (ICO) under registration reference ZC111910. Our entry on the public ICO register can be verified at ico.org.uk.

We aim to respond to all privacy-related requests within 30 days.

© 2026 PrimeTask. All rights reserved.

Terms of Service