How we handle your data.

Taskezy FZ-LLC ("Taskezy", "we", "us") is a UAE free-zone company building an internal AI assistant for small businesses. The assistant is named Tia; the product is Taskezy.

This policy covers three surfaces:

• taskezy.co— the marketing website you’re reading.
• The Taskezy admin app — used by customer business owners and their teams to manage their workspace.
• The WhatsApp assistant — Tia, accessed by customer team members through their existing WhatsApp.

From the marketing site.If you submit a waitlist or contact form, we collect the email address you provide and any message text or company name you choose to share. We log the page you submitted from, your browser’s user agent, and ahashed form of your IP address (SHA-256, truncated). We do not store raw IP addresses.

From the admin app. When a customer signs up, we collect names, work email addresses, hashed passwords, role, and organisation details (business name, trade licence number, jurisdiction, VAT TRN, default currency, workweek). For platform security we record sign-in attempts and refresh-token versions.

From the WhatsApp assistant.When a customer team member sends a WhatsApp message to Tia, we receive the message content (text, photos, documents, voice notes), the sender’s phone number, and the message metadata Meta forwards to us. We persist the conversation history in the customer’s workspace so Tia can answer in context.

Cookies and analytics. The marketing site uses only essential cookies. We do not run third-party advertising trackers. The admin app uses a session cookie issued by our auth system; it is HTTP-only, Secure, and same-site.

• To run the service. We use the data above to authenticate users, respond to WhatsApp messages, post expense entries to your accounting system on your confirmation, and produce the morning brief.
• To improve the product. We review aggregated usage signals and conversation samples (with your consent during pilot phase) to find friction and fix bugs.
• To reply to you. Waitlist and contact-form submissions are used to write back. We do not add you to a marketing list without explicit opt-in.
• To meet legal obligations. Audit logs, billing records, and any data we are required to retain under UAE law.

We do notsell your data, and we do not use customer message content to train machine-learning models — neither ours nor a third party’s.

We rely on a small set of vendors to deliver the service. Each processes only what it needs:

• Anthropic— processes message content to generate Tia’s replies. Anthropic’s commercial-API policy excludes API traffic from training. Customers on the Enterprise plan may bring their own Anthropic key, in which case the customer is the data controller for that traffic.
• Meta Platforms — operates WhatsApp Business Platform. WhatsApp messages flow through Meta to reach us under their terms.
• Railway — hosts our application servers, Postgres database, and Redis cache during the v1 pilot. We will migrate workloads to AWS me-central / me-south for customers with KSA residency requirements.
• Stripe / Paddle / Lemon Squeezy — for billing and VAT compliance once we are on paid plans.
• OpenAI (Whisper) — for audio transcription of voice notes in v1. We will revisit Arabic-tuned alternatives before KSA expansion.

We host data in regions appropriate to our customer base. v1 runs in Railway’s nearest UAE/EU region; we will move customers subject to KSA PDPL to AWS me-central or me-south on request. Thebooks-of-record for any accounting entry stays in your ERP (Zoho Books, Wafeq, etc.) — we are not the source of truth for invoices, bills, or journal entries.

Retention. Conversation history and audit logs are retained for the lifetime of the workspace plus 12 months. Waitlist and contact-form data is retained for up to 24 months from last contact. You can ask us to delete sooner — see your rights below.

• Passwords are hashed with bcrypt at cost factor 12. Plaintext passwords are never logged or stored.
• Web sessions use signed JWE cookies. Refresh-token versioning allows immediate revocation on a security event.
• All traffic is served over TLS. Internal service-to-service traffic uses Railway’s private network.
• We follow the principle of least privilege for engineer access to production. Access is logged.

Under UAE PDPL — and KSA PDPL where it applies — you may:

• Request a copy of the personal data we hold about you.
• Correct data that is wrong or out of date.
• Ask us to delete data, subject to retention obligations we may have under law.
• Withdraw consent for processing where consent was the basis for that processing.
• Object to specific processing activities.

Email privacy@taskezy.co with the email address tied to your workspace, and we will respond within 30 days.

Taskezy is designed for business use by adults. We do not knowingly collect data from anyone under 18. If you believe we have, contact us and we will delete it.

We may update this policy as the product evolves. The effective date at the top reflects the latest version. Material changes — new sub-processors, new categories of data, region migrations — will be announced to customers in the admin app and over email at least 30 days before they take effect.

Privacy questions: privacy@taskezy.co.

Anything else: /contact or hello@taskezy.co.