Privacy Policy

This policy explains what data TaskDrop collects, how we use it, who we share it with, and your rights under UK GDPR.

1. Who We Are

TaskDrop is a UK-based software service providing AI-powered document generation for tradespeople. We use AI to transcribe voice notes, understand typed commands, and generate personalised payment reminders. Full details of how AI processes your data are in Section 6a below. For the purposes of UK GDPR, TaskDrop (operated by Owen-Nathaniel Moore, a sole trader registered in the United Kingdom) is the data controller for personal data collected through this service. For data protection queries, contact us at support@taskdrop.co.uk.

TaskDrop is registered with the Information Commissioner's Office (ICO) under registration number ZC122710. You can verify this on the ICO public register.

2. What Data We Collect

We collect two categories of personal data:

Your business data (provided during onboarding):

• Your name and business name
• Your WhatsApp phone number
• Your business address, email and phone number
• Your VAT number (if provided) and UTR number (if provided)
• Your date of birth (optional, used for Stripe Connect pre-fill if you activate TaskDrop Pay)
• Your bank details — bank name, account number and sort code (stored to auto-fill invoices)
• Your business logo (stored as an image file on our UK-based hosting server)
• Stripe Connect account ID (if you connect TaskDrop Pay to receive card payments)
• Stripe Express Dashboard access — when you click "Manage TaskDrop Pay account" in your dashboard, we generate a single-use Stripe-hosted login link. You are redirected to Stripe's platform where Stripe's own privacy policy governs any data you view or update. TaskDrop does not log or store the contents of your Stripe Express Dashboard session.

Your customers' data (submitted when generating documents):

• Customer names and addresses
• Customer email addresses
• Job descriptions and work details
• Generated quotes, invoices and reports

Voice notes (if you choose to use them):

• Audio recordings you send to TaskDrop via WhatsApp describing a job (e.g. customer name, amount, what was done). Voice notes are optional — you can type instead.
• The audio is transcribed to text and used to populate your invoice or quote fields. See Section 6a ("How AI is used") for details of how this transcription works.

You are responsible for ensuring you have the right to share your customers' data with us for the purpose of generating documents. If your voice notes contain audio of other people (such as customers), you are responsible for ensuring you have their consent to record and transmit the audio. By using our service you confirm this.

HMRC MTD data (if you connect your HMRC account):

• Your HMRC NINO (National Insurance number) and MTD ID — obtained via HMRC OAuth and used solely to submit quarterly returns
• Your HMRC access and refresh tokens — stored encrypted in our database and never exposed to third parties beyond HMRC
• Quarterly income and expense figures submitted to HMRC
• Prior income declarations — any income you manually declare as earned before joining TaskDrop in a given quarter
• Submission records — a log of each quarterly submission including the period dates, income figure reported, submission timestamp, and HMRC's API response. This is retained as an audit trail and to display your submission history in the dashboard.
• Fraud prevention data transmitted to HMRC as required by their specification, including: your device identifier, browser user agent, screen dimensions, window dimensions, timezone, and public IP address at the time of submission

Technical data (collected automatically when you visit our website):

• Your IP address — recorded in server access logs each time your browser makes a request to our server
• HTTP referrer — the URL of the page or link you came from before visiting taskdrop.co.uk (if your browser sends this)
• Browser and device information (user agent) — the browser type, version, and operating system your device reports
• Pages visited and timestamps — a record of which URLs were requested and when

This technical data is collected automatically by our web server (nginx) as part of normal server operation. It is used for security monitoring, fraud prevention, and debugging. We do not use it to build profiles of individual visitors or for marketing purposes. See Section 9 for retention periods.

3. How We Use Your Data

• To provide and operate the TaskDrop service
• To verify your identity and account status
• To send documents via WhatsApp
• To process card payments via Stripe (when TaskDrop Pay is enabled)
• To send service-related communications
• To respond to your support enquiries
• To compile and submit quarterly MTD ITSA returns to HMRC (if you connect your HMRC account)
• To comply with legal obligations, including HMRC fraud prevention requirements
• To improve and maintain the service (in aggregated, anonymised form)
• To detect, investigate, and prevent fraudulent, abusive, or unauthorised access to the service

4. Legal Basis for Processing

We process your data on the basis of:

• Contract performance — to deliver the service you signed up to
• Legitimate interests — to operate, secure, and improve our business
• Legal obligation — where required by UK law (e.g. tax records, anti-fraud)
• Consent — where you explicitly opt in (e.g. activating TaskDrop Pay, providing optional date of birth)
• Legal obligation — where processing is required by UK law, including transmission of fraud prevention data to HMRC as mandated by the Making Tax Digital specification, and retention of financial records under UK tax law

5. Data Storage & Security

Your subscriber data (account details, customer records, job history, expenses) is stored in Supabase (EU West — Ireland). Generated documents (PDFs of invoices and quotes) are stored in Supabase Storage (EU region). Business logo image files are stored on our UK-based hosting server (separate from Supabase) for performance reasons.

All data in transit is encrypted via HTTPS/TLS. Bank details (account number and sort code) are stored securely in Supabase and are only used to auto-populate your invoices and pre-fill Stripe Connect onboarding (if you activate TaskDrop Pay). They are never shared with third parties beyond Stripe for that specific purpose.

Documents and logos are retained for as long as your account is active. You can delete individual documents from your dashboard at any time. We do not automatically delete documents while your account remains active. When you delete your account (Section 7), your subscriber record is anonymised, your customer/job/expense/conversation/OTP/short link/lead enquiry/webhook event records are erased, and your logo is deleted from storage. MTD submission records and prior income declarations are anonymised but retained for 7 years in line with HMRC record-keeping requirements. Logo image files are deleted from our storage systems as part of the deletion process. In some cases a short propagation delay may apply.

6. Third Party Services

• Stripe — payment processing (TaskDrop Pay only). See Stripe's privacy policy.
• Resend — transactional email delivery (document emails, account notifications, MTD summaries)
• HMRC — where you have connected your HMRC account and initiated a Making Tax Digital submission, your quarterly income and expense figures and fraud prevention data are transmitted to HMRC via their Making Tax Digital APIs. See the MTD section above for full details.
• Meta Platforms / WhatsApp (US) — WhatsApp message delivery via the WhatsApp Business Cloud API, including OTP verification codes. Your phone number and message content are processed by Meta in order to deliver messages sent and received through TaskDrop. Meta is a US-based provider — data transfers are covered by Standard Contractual Clauses (SCCs). See WhatsApp's privacy policy.
• Supabase — secure database and file hosting (EU region)
• Cloudflare — security and content delivery
• OpenAI (US) — AI text processing. Used to understand typed commands (e.g. "INVOICE Mrs Davies £850") and to generate the wording of personalised payment reminder messages. OpenAI publicly commits that data sent via their API is not used to train their models. See OpenAI's privacy policy.
• Groq (US) — AI voice transcription (Whisper large-v3 model). When you send a voice note, the audio is transmitted to Groq, transcribed to text, and the text is returned to TaskDrop. Groq does not retain audio after transcription per their published data handling policy. See Groq's privacy policy.
• Meta Platforms / Facebook & Instagram (US) — optional integration allowing you to connect your Facebook Business Page to receive lead enquiries via WhatsApp. Only accessed if you choose to enable this feature. See Meta's privacy policy.

6a. How AI is used in TaskDrop

TaskDrop uses AI to make invoicing faster and more natural. We are transparent about what AI processes and what it does not.

AI processes:

• Voice notes you record (transcribed by Groq)
• Typed commands and job descriptions (parsed by OpenAI)
• Job descriptions used to generate personalised payment chase wording (written by OpenAI)

AI does NOT process:

• Your bank account number or sort code
• Your customer's bank details or payment card details
• Stripe payment transactions
• Your password or authentication data
• PDF documents stored in Supabase Storage

International data transfers: OpenAI and Groq are US-based. Data transferred to these processors is covered by the UK International Data Transfer Addendum (IDTA) and/or Standard Contractual Clauses (SCCs), which are the recognised UK GDPR mechanisms for transferring personal data outside the UK. The volume of personal data transferred is minimised — we only send the specific text or audio required to complete the task you asked for.

Your control over AI: Using voice notes is optional — you can type all data instead, in which case no audio is sent to Groq. If you'd rather TaskDrop didn't use AI to write personalised payment reminders, you can disable automated reminders in your dashboard and write your own messages. To request deletion of any content generated by AI, email support@taskdrop.co.uk.

6b. Facebook & Instagram Integration

TaskDrop offers an optional feature that allows you to connect your Facebook Business Page (and linked Instagram Business Account, if applicable) to receive lead enquiries directly in your WhatsApp. This feature is entirely optional — if you do not connect a Facebook Page, no Meta data is collected or processed by TaskDrop.

If you choose to connect your Facebook Business Page, we access and store the following data:

• Your Facebook Page ID and Page name
• A long-lived Page Access Token (used to receive lead and message events on your behalf)
• Your linked Instagram Business Account ID (if applicable)
• Lead enquiry data from Facebook Lead Ads or direct messages, which may include: customer name, job type, location, phone number, and email address

How we use this data: Lead and message data is used solely to forward enquiries to your registered WhatsApp number so you can respond and generate quotes. We do not share this data with any third party, use it for advertising, or process it for any purpose other than delivering this feature.

Storage: Page tokens and lead data are stored in Supabase (EU region) alongside your account data. Meta is a US-based provider; the Page Access Token is obtained via Meta's OAuth flow and stored securely in our EU database — no ongoing data transfer to Meta occurs as a result of storing this token.

Disconnecting: You can disconnect your Facebook Page at any time from the Account section of your TaskDrop dashboard. Disconnection deletes your Page Access Token from our systems immediately and stops all further lead forwarding. Lead records already forwarded to you are retained as part of your job history until you delete your account.

Data deletion requests: In accordance with Meta's Platform Terms, you may request deletion of any data we hold that originated from Facebook or Instagram by emailing support@taskdrop.co.uk or using the Delete My Data button in your dashboard.

7. Your Rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data — use the "Delete My Data" button in your dashboard, or contact support@taskdrop.co.uk
• Export a copy of your data — use the "Export My Data" button in your dashboard
• Object to processing of your data
• Data portability
• Withdraw consent at any time

To exercise any of these rights, email us at support@taskdrop.co.uk.

You also have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO), if you believe your data has been handled unlawfully. You can contact the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you contact the ICO — please reach out to us first.

7a. Anonymous Tools

TaskDrop offers a Cowboy Rate Checker tool at taskdrop.co.uk/cowboy-rate-check which allows any visitor (including non-subscribers) to check whether a trade quote appears fair for their region. This tool does not require an account or login.

When you use the Cowboy Rate Checker, we collect and store:

• A hashed version of your IP address (we store a one-way hash — your actual IP address is not retained)
• Your browser user agent string
• The trade type, region, job description, and quote amount you entered
• The verdict and fair rate range returned

This data is used solely to improve the accuracy of our rate benchmarks and to detect abuse. It is not linked to any subscriber account, not shared with third parties, and is retained for 12 months before deletion. No personal data is required to use this tool.

8. Cookies

Our website uses the following cookies:

• cf_clearance — Set by Cloudflare, our security and performance provider. This cookie is used to confirm you have passed a browser security check and helps protect the site from malicious traffic. It is strictly necessary for security purposes and does not track you or collect personal data.
• _ga, _ga_* — Set by Google Analytics. We use Google Analytics to understand how visitors use our public website pages (such as which pages are visited, how long visitors stay, and what country they are from). This data is anonymous and aggregated — we cannot identify you personally from it. Google Analytics cookies are not placed on private pages such as the subscriber dashboard. You can opt out of Google Analytics tracking at any time by installing the Google Analytics Opt-out Browser Add-on.
• taskdrop_session — Set when you log into your subscriber dashboard. This keeps you logged in during your session using a secure random token. It is strictly necessary for the dashboard to function and expires after 7 days.

Strictly necessary cookies (cf_clearance, taskdrop_session) do not require consent under UK GDPR as they are essential for the service to function.

Analytics cookies (_ga, _ga_*) are placed only on public pages of our website, not on the subscriber dashboard. You can opt out at any time using the Google Analytics Opt-out Browser Add-on.

8a. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, TaskDrop will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR. Where a breach is likely to result in a high risk to you personally, we will notify you directly — by WhatsApp message to your registered number and/or by email — without undue delay.

9. Data Retention

We retain your account data for as long as your account is active. After cancellation or extended inactivity, we run an automated retention routine (weekly):

• Conversations older than 24 hours are deleted
• Cancelled accounts older than 90 days are anonymised — your subscriber record is kept (with personal fields replaced by "[deleted]") for accounting purposes; jobs, conversations, and expenses are deleted
• Expired one-time codes (OTPs) and short links are deleted
• MTD prior income declarations and submission records (income figures, period dates, HMRC responses) are retained for 7 years from the end of the relevant tax year, in line with HMRC record-keeping requirements
• HMRC OAuth tokens (access token, refresh token) are deleted immediately when you disconnect your HMRC account from the dashboard. Your NINO and business ID are also cleared at that point.
• Server access logs (IP addresses, referrers, user agents, page requests) are retained for 30 days, then deleted automatically
• Error logs are kept for 90 days, then deleted
• Audit logs (records of significant account actions) are kept for 365 days for security and accountability

You can request earlier deletion at any time via the "Delete My Account" option in your dashboard or by emailing us. See Section 7 for what happens when you exercise your right to erasure.

10. Contact

Questions about this policy or your data? Email support@taskdrop.co.uk.