Privacy Policy
Last updated: April 2026
1. Introduction
This Privacy Policy explains how Tasks Checklist (the "Service", "we", "us" or "our") collects, uses, stores, shares and protects your personal data when you use our Microsoft Teams application and our website at checklists.forteams.app.
We are committed to protecting your privacy and handling your personal data in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
This Policy is provided in compliance with Articles 13 and 14 of the GDPR. By using the Service you acknowledge that you have read and understood this Policy.
2. Who We Are (Data Controller)
The data controller responsible for your personal data is:
IE Anastasiia Pirozhenko
Operator of Tasks Checklist and related applications published under the "ForTeams" brand.
Contact email: [email protected]
Privacy requests: [email protected]
We have not formally designated a Data Protection Officer as we are not required to do so under Article 37 GDPR. All privacy enquiries are handled directly by the controller using the contact details above.
3. Personal Data We Collect
We collect and process the following categories of personal data:
- Identity and account data: your Microsoft Entra / Teams user identifier (OID), tenant identifier, display name, email address, preferred language, and time zone. These are provided by the Microsoft Teams platform when you open the Service.
- Content data: checklists, tasks, notes, comments, file attachments and other content you create, upload or share within the Service.
- Usage data: features you interact with, actions taken, session duration, and in-app events. This is collected for analytics and product improvement.
- Technical data: IP address, browser type and version, operating system, device identifiers, referring URLs, and diagnostic logs (including error reports).
- Billing data (where applicable): subscription plan, billing country, VAT/tax identifier, and transaction history. Card details are handled by our payment provider and are never stored on our servers (see Section 11).
- Support data: the content of any emails or messages you send to us, together with any information you choose to provide when requesting support.
4. Where Your Data Comes From
Most personal data we hold about you is obtained directly from you when you use the Service (for example, when you create content or contact support).
In addition, in accordance with Article 14 GDPR, we inform you that the following data is received indirectly:
- From Microsoft Corporation: when you install and launch the Service inside Microsoft Teams, Microsoft provides us with your identity and tenant information (user object ID, tenant ID, display name, email and locale). This is necessary to authenticate you and to isolate your data from other tenants.
- From Paddle (our payment provider): if you purchase a subscription, Paddle shares the billing country, subscription status and transaction metadata with us so we can apply the correct entitlements to your account.
5. How We Use Your Personal Data and Legal Basis
We only process personal data where we have a lawful basis to do so under Article 6 GDPR. The table below summarises each purpose and its legal basis.
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service (authentication, storing and retrieving your content, synchronising with Microsoft Teams) | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing subscriptions and invoicing | Performance of a contract (Art. 6(1)(b)) and compliance with legal obligations such as tax law (Art. 6(1)(c)) |
| Sending transactional emails (account, billing, password, notifications you have opted in to) | Performance of a contract (Art. 6(1)(b)) |
| Customer support | Performance of a contract (Art. 6(1)(b)) and legitimate interests in delivering quality support (Art. 6(1)(f)) |
| Security monitoring, abuse prevention, fraud detection and enforcing our Terms of Service | Legitimate interests in keeping the Service secure (Art. 6(1)(f)) |
| Product analytics, diagnostics and service improvement | Legitimate interests in improving the Service (Art. 6(1)(f)) |
| AI-assisted features (e.g. converting documents to checklists) | Performance of a contract when you choose to use the feature (Art. 6(1)(b)) |
| Optional product announcements and marketing emails | Consent (Art. 6(1)(a)) — you can withdraw consent at any time |
| Legal claims, regulatory compliance, responding to lawful requests | Compliance with legal obligations (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
Where processing is based on our legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. You have the right to object to such processing (see Section 14).
6. AI Features
The Service includes optional AI-assisted features (for example, converting a document into a checklist). These features use OpenAI's API as a sub-processor. When you choose to use an AI feature:
- Your content is sent to OpenAI only to produce the requested output and then returned to you.
- We have configured our OpenAI API usage so that submitted content is not used to train OpenAI's models.
- AI-generated output is advisory only and you remain in control of whether and how to use it. No legal or similarly significant decisions are made automatically.
- You can avoid AI processing by not using the AI features.
7. Sub-Processors and Recipients
We use the following sub-processors to help us deliver the Service. Each sub-processor processes personal data only on our instructions and is bound by a written data processing agreement that meets the requirements of Article 28 GDPR.
| Provider | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Application hosting, managed PostgreSQL database, object storage (Spaces), automated backups | United States (EU region available) |
| Cloudflare, Inc. | Content delivery, DDoS protection, web application firewall, DNS | Global (edge network) |
| Microsoft Corporation | Teams platform, identity federation (Entra ID) | Global (customer's Microsoft 365 region) |
| OpenAI, LLC | AI-assisted content generation (optional, user-initiated) | United States |
| Paddle.com Market Limited | Merchant of record for subscription billing, payment processing, tax remittance, invoicing | United Kingdom / United States |
| Postmark (ActiveCampaign, LLC) | Delivery of transactional email | United States |
| PostHog Inc. | Product analytics and usage telemetry | United States |
We may also disclose personal data to competent public authorities or professional advisers where required by law, to protect our rights, or to prevent fraud. We do not sell your personal data to any third party.
We review this list of sub-processors at least annually. We will notify affected users in advance of any material change that introduces a new sub-processor with access to customer content.
8. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA) and the United Kingdom, primarily in the United States. Whenever we transfer personal data outside the EEA/UK, we ensure an appropriate level of protection through one or more of the following safeguards:
- The European Commission's Standard Contractual Clauses (SCCs) (2021) together with supplementary technical measures, including encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).
- Where available, reliance on the EU-US Data Privacy Framework (and its UK and Swiss extensions) for sub-processors that are certified under it.
- The UK International Data Transfer Addendum (IDTA) for transfers from the United Kingdom.
A copy of the safeguards in place for a particular transfer can be requested by writing to [email protected].
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting or reporting requirements. Our standard retention periods are:
| Data category | Retention period |
|---|---|
| Account data (identity, tenant, settings) | Duration of the subscription plus 30 days, then deleted |
| Content data (checklists, tasks, attachments) | Duration of the subscription plus 30 days, then deleted |
| Database backups | 7 days rolling point-in-time recovery (managed by DigitalOcean) |
| Billing and tax records | Up to 10 years as required by applicable tax and accounting law |
| Support correspondence | 2 years from last contact |
| Server and access logs | Up to 90 days |
| Product analytics events | Up to 12 months |
Where retention is driven by a legal obligation, the relevant law determines the period. Data may be retained for longer in anonymised form for statistical purposes.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction, including:
- TLS 1.2+ encryption for all data in transit (TLS 1.3 by default, weak ciphers disabled)
- AES-256 encryption for all data at rest in databases, object storage and backups
- Multi-factor authentication on all administrative access
- Role-based access control, least-privilege IAM and audit logging
- Cloudflare web application firewall and DDoS protection at the perimeter
- Continuous dependency scanning, quarterly vulnerability scanning, and patching within defined SLAs
- Annual information security risk assessments
Despite these measures, no method of electronic transmission or storage is 100% secure. In the unlikely event of a personal data breach affecting you, we will notify you and the competent supervisory authority in accordance with Articles 33 and 34 GDPR.
11. Payment Processing
Paddle.com Market Limited acts as the merchant of record for all paid subscriptions. When you make a purchase, payment and card details are collected and processed directly by Paddle under their own privacy policy, available at paddle.com/legal/privacy. We never see or store full card details on our servers; we receive only subscription and transaction metadata required to provide the Service.
12. Cookies and Similar Technologies
We use a small number of cookies and similar browser-storage technologies. The categories we use are:
- Strictly necessary: authentication session cookies, security tokens (CSRF), and preferences required to operate the Service. These cookies are exempt from consent requirements because they are essential.
- Analytics: first-party cookies set by PostHog to measure product usage and improve the Service. Where required by law, these are set only with your consent.
We do not use advertising or cross-site tracking cookies. You can clear cookies from your browser at any time; doing so may require you to sign in again.
13. Automated Decision-Making and Profiling
We do not carry out any automated decision-making that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 GDPR. AI-assisted features are advisory only, triggered by your action, and do not make decisions about you.
14. Your Rights
Subject to applicable law, you have the following rights in relation to your personal data:
- Right of access — to obtain confirmation of whether we process your personal data and a copy of that data.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — to have your personal data deleted where one of the grounds in Article 17 GDPR applies.
- Right to restriction of processing — to limit how we use your data in certain circumstances.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object — to object to processing based on legitimate interests, including profiling, and at any time to direct marketing.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing already performed.
- Right to lodge a complaint with a supervisory authority — in particular in the EU/EEA member state of your residence, place of work, or the place of the alleged infringement. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.
15. How to Exercise Your Rights
To exercise any of the rights listed above, please contact us at [email protected]. We will respond within one month of receiving your request, as required by Article 12(3) GDPR. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests; we will inform you of any such extension.
We may need to verify your identity before acting on your request to ensure that we do not disclose personal data to the wrong person. Exercising your rights is free of charge, unless your request is manifestly unfounded or excessive.
16. Statutory or Contractual Requirement
Providing your Microsoft Teams identity and account data is a requirement necessary to enter into and perform our contract with you; without it we cannot authenticate you or provide the Service. Providing billing data is required to complete a paid subscription. All other personal data is provided voluntarily and is not a statutory or contractual requirement.
17. Children's Privacy
The Service is a business productivity tool and is not directed at children. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by in-app notice or by email before the changes take effect. We encourage you to review this Policy periodically.
19. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
IE Anastasiia Pirozhenko
General enquiries: [email protected]
Privacy requests: [email protected]