1. Who is responsible for your data
The data controller is Natalie Abadie (sole trader), established in Malta (EU), 10 Censu Xerri, Sliema, Malta ("TareaBox", "we"). Contact for any privacy matter: hello@tareabox.com.
Because we are established in Malta, the EU General Data Protection Regulation (GDPR) applies to our processing of your personal data regardless of your nationality or where you live (GDPR Art. 3). If you are outside the EU, the rights of your own country may also apply — see §11 "Your regional rights".
2. Scope
This policy covers the TareaBox website (tareabox.com) and the TareaBox app. TareaBox is a content-planning and AI-automation service used by people worldwide.
3. What we collect, why, and our legal basis
We only collect what we need to run the service. We do not sell your personal data.
| Data | What it is | Why / legal basis (GDPR Art. 6) |
|---|---|---|
| Account | Email, name, password (stored hashed by our auth provider — we never see it), preferred language | To create and run your account — contract (6(1)(b)) |
| Consent records | That you accepted the Terms and Privacy Policy, and confirmed you are 16+, with a timestamp | To prove valid consent — legal obligation / legitimate interest (6(1)(c)/(f)) |
| Sign-up / access | Invitation-code redemption; waitlist email + language | To run the closed beta and control access — legitimate interest (6(1)(f)) |
| Approximate location & device (at sign-up/waitlist) | Country, region, city, time zone (derived from your connection), browser type and browser language | Security, abuse-prevention and understanding where demand comes from — legitimate interest (6(1)(f)) |
| Brand profile | The brand information you provide or build in the AI interview (voice, style, stories, links) — may contain personal data you choose to enter | To provide the service — contract (6(1)(b)) |
| AI interview | The conversation transcript and a working summary the assistant keeps | To build your brand profile — contract (6(1)(b)) |
| Media | Images, video and audio you upload | To store and use them in your content — contract (6(1)(b)) |
| Payments [BILLING] | Billing email and a payment reference; your card is handled by Stripe — we never store card numbers | To process payments — contract (6(1)(b)) |
| Communications | Emails we send you (invitations, confirmations, alerts) and your messages to support | To operate and support the service — contract / legitimate interest |
What we deliberately do NOT collect at sign-up: your raw IP address, GPS coordinates (latitude/longitude), or postal code.
Approximate-location note: the country/region/city/time-zone come from network signals provided by our hosting platform; they are approximate and used to keep the service safe and understand demand — not to track you.
4. Special-category (sensitive) data and biometrics
We do not currently process biometric data or other special categories under GDPR Art. 9. Voice dictation in the interview is speech-to-text transcription (the audio is sent to a transcription provider and then discarded); it is not a voiceprint and is not used to identify you. If we ever add features that clone a real person's face or voice, we will ask for that person's explicit, separate consent first, and update this policy.
5. How AI is used
TareaBox uses third-party AI providers to run its automations:
- a large-language-model provider processes the interview and content-generation prompts (the text you write and the assistant's replies);
- a voice-transcription provider converts dictated audio to text (audio is discarded after transcription);
- an image-generation provider processes image prompts and any reference images you supply.
These providers process your input only to return a result to you. We do not use your content to train third-party AI models, and we do not make automated decisions that produce legal or similarly significant effects about you (GDPR Art. 22).
Our authorised personnel (currently the platform operator) may access your data — including brand profiles and interview transcripts — to operate, support, secure and improve the service.
6. Who we share data with (processors / sub-processors)
We share data with vetted service providers acting on our instructions (GDPR Art. 28). By category and current providers:
| Category | Provider | What they process | Location |
|---|---|---|---|
| Database, authentication, storage | Supabase | Account data, app data, some stored files | Cloud (EU/US) |
| Hosting & infrastructure | Vercel | App hosting, logs, connection signals | US (global edge) |
| File storage | Cloudflare R2 | Your uploaded media | EU/US |
| Payments [BILLING] | Stripe | Billing email, tokenised card, payment history | US |
| AI — text | Anthropic (Claude) | Interview & content prompts/replies | US |
| AI — voice transcription | Groq | Dictated audio (discarded after) | US |
| AI — image generation | KIE.ai | Image prompts and reference images | US |
| Email delivery | Resend | Recipient email, message content | EU/US |
| Video processing | A dedicated video server (Hostinger, EU) | Video files for compression | EU |
| Automation orchestration (backup) | n8n | Session/brand context (only if used) | Operator infrastructure |
We keep an up-to-date list of sub-processors and will inform users of material changes. We do not share your data with advertisers.
7. International data transfers
Some providers are located in the United States or process data globally. When we transfer personal data outside the EU/EEA, we rely on an appropriate safeguard — typically the EU Standard Contractual Clauses and/or the provider's adherence to the EU-US Data Privacy Framework — as required by GDPR Chapter V (Art. 44-46).
8. How long we keep it
- We keep your account and content for as long as your account is active.
- When you delete your account (Settings → Delete account), we perform a real deletion: your user record is removed, brands where you are the only member are deleted, and their stored media is purged.
- Backups: encrypted backups are retained for a short period (currently 7 days) and then cycle out.
- Records we must keep for legal/accounting reasons (e.g. payment and consent records) are retained as required by law.
- We are introducing per-plan media-retention limits; until then we do not auto-delete your media — it stays until you delete it or close your account.
9. How we protect your data
- Tenant isolation enforced at the database level (Row-Level Security) — one brand can never see another's data.
- Private storage with short-lived signed links (files are never public).
- Encryption in transit (HTTPS) and at rest.
- Secure, httpOnly session cookies (no tokens in the browser's local storage).
- EXIF/GPS metadata is stripped from images on upload.
- Secrets are redacted from logs and error reports.
- Multi-factor authentication (MFA) is required for the platform administrator account.
10. Your rights
Depending on where you live, you have the right to: access your data and get a copy; rectify it; erase it; restrict or object to processing; data portability; and withdraw consent at any time (without affecting prior processing).
- Delete your account and download your data: from your account settings (data export is being rolled out; meanwhile request it at hello@tareabox.com).
- To exercise any right, email hello@tareabox.com. We respond within one month (GDPR Art. 12). We may need to verify your identity first.
- You can complain to a supervisory authority. In Malta, the Office of the Information and Data Protection Commissioner (IDPC) — https://idpc.org.mt/file-a-complaint/. You may also complain to the authority in your own country.
11. Your regional rights
- EU/EEA & UK: the GDPR / UK GDPR rights above, and the right to lodge a complaint with your local authority.
- California (CCPA/CPRA): the right to know, delete, correct, and opt out of "sale"/"sharing" of personal information — we do not sell or share your personal information. We do not discriminate for exercising your rights.
- Brazil (LGPD), Japan (APPI), and other countries: you have the access, correction and deletion rights granted by your local law. Contact hello@tareabox.com and we will help.
12. Children
TareaBox is not for anyone under 16. We do not knowingly collect data from children under 16. If you believe a child has given us data, contact hello@tareabox.com and we will delete it.
13. Cookies
The app uses only the cookies it needs to work and to remember your preferences:
| Cookie | Purpose | Type |
|---|---|---|
Session (sb-*) |
Keeps you logged in | Essential (httpOnly, secure) |
tb_theme, tb_fontsize |
Remember dark/light and text size | Preference |
| Language | Remember your language | Preference |
tb_tz |
Time zone for the calendar | Preference |
We do not use analytics or advertising cookies in the app. The website (tareabox.com) uses a cookie-consent tool for any non-essential cookies; you can manage them there.
14. Changes to this policy
We may update this policy; we will post the new version with an updated effective date and, for material changes, notify you.
15. Contact
hello@tareabox.com · Data-protection authority (Malta): IDPC — https://idpc.org.mt/file-a-complaint/.