Privacy Policy for Taskschmiede

Last updated: 21 March 2026

This Privacy Policy explains how Quest Financial Technologies S.à r.l.-S., a company established in Luxembourg ("QFT", "Taskschmiede", "we", "us", or "our"), collects, uses, stores, shares, and protects personal data in connection with the Taskschmiede platform, related websites, APIs, portals, support services, and associated communications.

Taskschmiede is offered worldwide, but the data controller is established in Luxembourg and processes personal data in accordance with applicable European Union and Luxembourg data protection law, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Controller

Quest Financial Technologies S.à r.l.-S.
99A, rue Laurent Menager
L-2143 Luxembourg
Luxembourg
Send us a message.

If we appoint a Data Protection Officer, their contact details will be published here.

2. Scope

This Privacy Policy applies to:

• the Taskschmiede website;
• the Taskschmiede application, portal, APIs, and related backend services;
• account registration and organisation onboarding;
• customer support, product communications, and legal/compliance interactions;
• any other processing activities described in this Policy.

3. Categories of personal data we process

Depending on how Taskschmiede is used, we may process the following categories of personal data:

3.1 Account and identity data

• full name of the natural person behind a user account;
• username and display name;
• email address;
• password hash and authentication-related metadata;
• account status, role, permissions, and tenancy/organisation links.

3.2 Company and business relationship data

Where a user acts for or on behalf of a legal entity, we may process:

• company name;
• company address;
• billing address;
• VAT number, registration number, or other business identifiers;
• business contact persons and their professional contact details;
• organisation membership, ownership, or administrator relationships.

3.3 Contact and profile data

• phone number;
• postal address;
• preferred language;
• communication preferences;
• support and onboarding information voluntarily provided by the user.

3.4 Service usage and technical data

• IP addresses;
• login timestamps;
• browser, device, and operating system information;
• API usage logs;
• audit trails and security logs;
• feature usage, events, and operational metadata generated through use of the service.

3.5 Content and workspace data

We may process personal data contained in:

• tasks, projects, endeavour/workspace data;
• comments, messages, descriptions, attachments, artifacts, and metadata;
• notifications and collaboration records;
• imported or user-submitted data processed through the platform.

3.6 Billing, transaction, and compliance data

• invoices, payment status, and transaction references;
• customer communication relating to orders, subscriptions, or disputes;
• records required for tax, accounting, fraud prevention, and legal compliance.

3.7 Support and correspondence data

• emails, tickets, bug reports, and support messages;
• records of account, legal, privacy, or security requests.

4. Sources of personal data

We collect personal data:

• directly from users during signup, onboarding, purchasing, support, or account administration;
• from organisation administrators who invite or register users;
• from use of the platform and our systems;
• from service providers, payment providers, or identity/security providers where relevant;
• from publicly available business information where necessary for company verification, invoicing, fraud prevention, or contract administration.

5. Purposes and legal bases of processing

We process personal data only where a valid legal basis exists. Depending on the context, the legal basis may be contract, legal obligation, legitimate interests, or consent.

5.1 To create and manage user accounts

We process identity, contact, login, and account data to register users, authenticate them, manage access rights, and operate their accounts.

Legal basis: performance of a contract; where applicable, steps taken prior to entering into a contract.

5.2 To onboard and manage organisations

We process company and contact data to create organisation workspaces, assign administrators, manage licences/subscriptions, and operate B2B relationships.

Legal basis: performance of a contract; legitimate interests in business administration.

5.3 To provide and operate the service

We process workspace, usage, technical, and content data to deliver Taskschmiede functionality, collaboration features, APIs, notifications, and support.

Legal basis: performance of a contract.

5.4 To secure the platform and prevent abuse

We process technical data, logs, audit records, and related information to detect fraud, misuse, unauthorised access, abuse of the service, security incidents, and threats to the integrity and confidentiality of the platform.

Legal basis: legitimate interests in maintaining the security, integrity, and reliability of our services; where necessary, compliance with legal obligations.

5.5 To communicate with users and customers

We process contact and account data to send service-related notices, onboarding information, security alerts, transactional communications, legal notices, and support responses.

Legal basis: performance of a contract; legitimate interests in operating and administering the service.

5.6 To comply with legal obligations

We may process and retain personal data where required by tax, accounting, anti-fraud, contractual, legal hold, court, or regulatory obligations.

Legal basis: compliance with a legal obligation.

5.7 To improve the service

We may process usage and operational data to troubleshoot, monitor performance, improve features, and develop the platform, subject to proportionality and data minimisation.

Legal basis: legitimate interests in maintaining and improving the service.

5.8 Automated analysis and AI-assisted features

Taskschmiede uses artificial intelligence for certain platform features, including content moderation, behavioral analysis, report generation, and support triage. These features are powered by locally hosted AI models running on Taskschmiede's own infrastructure.

No user data is transmitted to external AI service providers. All AI processing occurs within our own servers. No customer content is used to train AI models.

Legal basis: performance of a contract (features integral to the service); legitimate interests in platform safety and quality (content moderation, behavioral monitoring).

5.9 To send optional marketing or product updates

Where we send optional promotional or newsletter-type communications, we will do so in accordance with applicable law and, where required, based on consent.

Legal basis: consent or legitimate interests, depending on the communication and applicable law. Users may opt out at any time, and consent may be withdrawn.

6. Whether providing data is mandatory

Certain data is necessary for us to create an account, identify the user, provide the service, contract with an organisation, issue invoices, ensure security, and comply with legal obligations. If required information is not provided, we may be unable to create an account, provide access, or maintain the service relationship.

7. Disclosure of personal data

We may disclose personal data only where necessary and appropriate to:

• hosting, infrastructure, security, backup, and IT service providers;
• email, support, and notification providers;
• payment processors and accounting providers;
• identity, access management, or anti-abuse service providers;
• professional advisers, auditors, insurers, or legal counsel;
• courts, regulators, law enforcement, or competent authorities where legally required;
• acquirers or successors in the event of a merger, acquisition, restructuring, or asset transfer, subject to applicable confidentiality and data protection obligations.

Where third parties process personal data on our behalf, they act as processors under appropriate contractual safeguards.

8. International transfers

Because Taskschmiede may provide services worldwide and may use service providers in multiple jurisdictions, personal data may be transferred to countries outside the European Economic Area.

Where such transfers occur, we will implement appropriate safeguards as required by GDPR, such as:

• transfer to countries subject to an adequacy decision; or
• use of the European Commission's Standard Contractual Clauses; or
• other lawful transfer mechanisms where applicable.

Users may contact us for further information about the safeguards relevant to a particular transfer.

9. Retention periods

We retain personal data only for as long as necessary for the purposes for which it was collected, and longer only where justified by legal obligations, dispute handling, fraud prevention, security, or the establishment, exercise, or defence of legal claims.

Indicative retention logic for Taskschmiede may be as follows:

• Account data: for the lifetime of the account and for a limited period thereafter to handle reactivation, disputes, abuse prevention, and legal claims.
• Organisation and contract data: for the duration of the customer relationship and any applicable statutory retention period thereafter.
• Billing and accounting records: for the period required by applicable tax, accounting, and commercial law.
• Security logs and audit logs: for a limited and proportionate period necessary for security, incident response, and compliance.
• Support records: as long as reasonably necessary to resolve the issue, improve support quality, and defend legal claims.
• Workspace/content data: until deleted by the customer or user, the account/organisation relationship ends, or retention is otherwise required for legal or contractual reasons.

Where deletion is not possible or appropriate, we may restrict processing or anonymise data. Where a valid erasure request conflicts with a legal retention duty, we will retain only the data that must be kept and restrict it as appropriate.

10. Data subject rights

Under the GDPR, individuals have rights including:

• the right to be informed;
• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restriction of processing;
• the right to data portability;
• the right to object; and
• rights related to automated decision-making and profiling.

You may exercise your rights by sending us a message.

We may need to verify your identity before fulfilling a request. We will assess requests in accordance with applicable law. Some rights are subject to limitations and exceptions, including where data must be retained to comply with legal obligations or to establish, exercise, or defend legal claims.

10.1 Right of access

You may request confirmation whether we process your personal data and obtain a copy of relevant personal data, together with supplementary information required by law.

10.2 Right to rectification

You may ask us to correct inaccurate or incomplete personal data.

10.3 Right to erasure / right to be forgotten

You may request deletion of personal data where it is no longer needed, where processing was unlawful, or where another legal ground for erasure applies. This right does not apply in every case. In particular, certain data may need to be retained due to legal obligations or other recognised exceptions.

10.4 Right to restriction

You may ask us to restrict processing in circumstances provided by law, for example while a dispute about accuracy or lawfulness is being resolved.

10.5 Right to data portability

Where processing is based on consent or contract and carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format.

10.6 Right to object

You may object to processing based on legitimate interests, including certain analytics, security balancing, or direct marketing contexts, subject to applicable legal tests.

10.7 Withdrawal of consent

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect processing already carried out before withdrawal.

11. Deletion requests, legal retention, and "right to forget"

Taskschmiede supports the principle that users should be able to request deletion of personal data that is no longer necessary or no longer lawfully processed. At the same time, some data may have to be retained:

• to comply with tax, accounting, or other legal obligations;
• to resolve disputes or enforce agreements;
• to detect or prevent fraud, abuse, or security incidents;
• to establish, exercise, or defend legal claims.

Where a deletion request is valid but full erasure is not legally possible, we will, where appropriate:

• delete what can be deleted;
• retain only what must be retained;
• restrict access to retained data;
• keep retained data only for the legally required period;
• anonymise data where feasible.

12. Query rights and data access requests

Users may request information about:

• whether their personal data is processed;
• what categories of personal data are held;
• the purposes and legal bases of processing;
• retention periods;
• recipients or categories of recipients;
• transfers outside the EEA and related safeguards.

Requests can be submitted by sending us a message.

13. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Such measures may include access control, least-privilege permissions, logging, encryption where appropriate, secure development and deployment practices, backups, and incident management procedures.

14. Children

Taskschmiede is generally intended for persons who are 16 years of age or older. If a user is under 16, Taskschmiede may only be used where this is lawful and where the required consent or authorisation of a parent or legal guardian has been obtained.

Taskschmiede is not intended for children unless expressly configured and offered in a lawful context with appropriate notices and safeguards. We do not knowingly collect children's personal data unless the relevant legal basis, notices, and any required parental or guardian authorisation are in place.

If we become aware that personal data has been collected from a child in a manner that does not comply with applicable law, we will take appropriate steps to delete, anonymise, or restrict the relevant data as required.

Parents, legal guardians, or users who believe that data relating to a child may have been provided to Taskschmiede unlawfully may send us a message.

15. Automated decision-making

Unless expressly stated otherwise for a specific feature, Taskschmiede does not use solely automated decision-making that produces legal effects or similarly significant effects on individuals. If that changes, we will provide the information required by law.

Taskschmiede uses AI-assisted features (such as content moderation scoring and behavioral analysis) to support platform safety and service quality. These features provide indicators and recommendations to human operators; they do not autonomously take actions that produce legal effects or similarly significant effects on users without human review.

16. Complaints

If you believe that your personal data has been processed unlawfully, you may contact us first so that we can try to resolve the issue.

You also have the right to lodge a complaint with the competent supervisory authority. For a Luxembourg-established controller, this is generally the Commission nationale pour la protection des données (CNPD) in Luxembourg.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our services, or our processing practices. We will publish the updated version on this page and update the "Last updated" date. Where required by law, we will provide additional notice.