How we use your personal data and what cookies we use.
This Privacy Policy explains how KanbanGenie Limited (trading as TaskVal) (“We”, “Us”, “Our”) collects, uses, shares, and protects personal data when you visit Our Site at TaskVal.com or use Our Service (the TaskVal SaaS platform). It also explains your rights under UK data protection law and how to exercise them.
This Privacy Policy was last updated on 1st May 2026.
This Privacy Policy should be read alongside Our Terms and Conditions. This Privacy Policy governs how We process personal data; the Terms and Conditions govern your use of the Platform more generally. Where the two documents address different subject matter, both apply. In the unlikely event of any conflict between this Privacy Policy and the Terms and Conditions on a data protection matter, this Privacy Policy prevails on that data protection matter only; on all other matters the Terms and Conditions prevail.
Defined terms used in this Privacy Policy (including “Customer”, “Customer Data”, “Service”, “Site”, “Platform”) have the meanings given to them in Our Terms and Conditions.
1.1 The data controller for the personal data described in this Privacy Policy is KanbanGenie Limited, a company registered in England and Wales under company number 15815964. Our registered address is 71-75 Shelton Street, Covent Garden, London, UK.
1.2 We are registered with the UK Information Commissioner's Office (ICO) under registration number ZB803884.
1.3 We have not appointed a Data Protection Officer, as We are not required to do so under UK GDPR. For any privacy enquiry, please contact Us using the details in the “How To Contact Us” section below.
2.1 We act as a controller for personal data We collect about: visitors to Our Site; individuals who register an account or use the Service; individuals who contact Us via Our contact forms or email; individuals who consent to receive marketing communications from Us. This Privacy Policy describes what We do with that personal data.
2.2 Where Customer (a business, organisation, or other entity) uses the Service, the personal data Customer uploads or submits about its own employees, contractors, or other individuals as Customer Data is processed by Us as a processor on Customer's instructions. Customer is the controller of that personal data and is responsible for providing its own privacy notice to those individuals. Our processing of Customer Data on Customer's behalf is governed by Our Terms and Conditions and any Data Processing Agreement entered into with Customer; this Privacy Policy does not describe that processing.
3.1 When you visit Our Site, We collect:
3.2 When you register an account or use the Service, We collect:
3.3 When you contact Us (by email, contact form, or in-product support), We collect the content of your message together with any contact details you provide.
3.4 When you consent to marketing, We record your consent (the time, the method, and the scope of consent) and your contact details for that purpose.
3.5 We do not knowingly collect special category personal data (such as data revealing race, ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation), and the Service is not designed to receive such data. You should not upload special category data into the Service except where the Service is expressly designed to handle it.
4.1 Directly from you: when you register an account, fill in a form on Our Site, contact Us, or interact with the Service.
4.2 Automatically: through cookies, server logs, and similar technologies as you use Our Site or the Service.
4.3 From third parties: in limited circumstances, We may receive personal data from invite-code referrers (in connection with Early Access), from infrastructure providers (e.g. abuse reports, fraud-prevention signals), or from publicly available sources.
5.1 We process personal data only where We have a lawful basis under Article 6 of the UK GDPR. The table below sets out the purposes of processing and the corresponding legal basis.
5.2 We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, and We do not engage in profiling of that kind.
6.1 We share personal data only with the categories of recipient listed below, and only to the extent necessary for the purposes described in clause 5.
6.2 A current list of material sub-processors used in the provision of the Service is set out in Annex 3 of Our Data Processing Agreement at /legal/dpa.
6.3 We do not sell your personal data to anyone, and We do not share your personal data with third parties for their own marketing purposes.
7.1 The Service is hosted in the United Kingdom. The personal data You provide to Us when registering an account or using the Service is stored and primarily processed within the United Kingdom.
7.2 Some of Our sub-processors may process certain personal data outside the United Kingdom. In particular, when We activate the Google Analytics service described in clause 9, certain technical and usage data described in clause 3.1 will be transferred to and processed by Google (whose European entity is Google Ireland Limited, with onward transfers to Google LLC in the United States).
7.3 Where personal data is transferred to a country outside the United Kingdom that the UK Government has not designated as providing an adequate level of data protection, We rely on appropriate safeguards as required by Article 46 of the UK GDPR, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, the UK extension to the EU-US Data Privacy Framework (where applicable to the recipient), or another lawful transfer mechanism.
7.4 You may request further information about the safeguards in place for any specific international transfer by contacting Us.
8.1 We keep personal data only for as long as is necessary for the purposes for which it was collected, plus any period required to comply with legal, regulatory, accounting, or reporting obligations, or to resolve disputes and enforce Our agreements.
8.2 Indicative retention periods:
8.3 Where retention periods are not fixed by law, We periodically review the personal data We hold and delete or anonymise data that is no longer required.
9.1 Cookies are small text files that are placed on your device when you visit a website. We use cookies and similar technologies (such as local storage) on Our Site and within the Service for the purposes described below.
9.2 Strictly necessary cookies and storage are required for the Site or the Service to function. These are set without consent because the Privacy and Electronic Communications Regulations 2003 (PECR) permit this. Examples include:
sid - a signed, HTTP-only session cookie used to authenticate logged-in users. Without this cookie, the Service cannot identify your session;
isAuthenticated - a small client-side flag used to adapt navigation and account-aware menus to whether you are signed in. It does not contain any authentication credential or token.
9.3 Analytics, performance, and other non-essential cookies: We will not set any non-essential cookies or similar technologies on your device without your prior consent, and you may withdraw consent at any time.
9.4 Google Analytics (planned): We intend to use Google Analytics, a web analytics service provided by Google Ireland Limited (or its successor in the European Economic Area / United Kingdom), to understand how visitors use Our Site and the Service in aggregate. When activated, Google Analytics will set cookies on your device (typically named _ga and _ga_<identifier>) and will collect technical and usage data including IP address (which Google may truncate), pages viewed, time spent, referring page, device and browser characteristics, and a randomly generated identifier. This information is used solely to produce aggregated, statistical reports about use of Our Site and the Service. We will not enable Google Analytics until We have implemented an appropriate consent mechanism, and Google Analytics will be set only where you have given consent. When activated, Google acts as Our sub-processor under the Google Ads Data Processing Terms (or the equivalent terms in force at the relevant time), and personal data may be transferred to the United States subject to the safeguards described in clause 7. You will be able to withdraw your consent at any time and to opt out of Google Analytics across all participating sites by installing Google's opt-out browser add-on, available from https://tools.google.com/dlpage/gaoptout. As at the “last updated” date of this Privacy Policy, Google Analytics is not active on Our Site or the Service. This Privacy Policy will continue to describe Google Analytics accurately if and when activation occurs.
9.5 Most browsers allow you to refuse or delete cookies through their settings. If you block strictly necessary cookies, parts of the Site or Service may not function correctly.
10.1 We will not send you marketing emails without your prior express consent. Where you have given consent, you may opt out at any time by clicking the unsubscribe link in any marketing email or by contacting Us.
10.2 Operational and service-related communications (such as security alerts, important notices about your account, billing communications, and changes to Our Terms and Conditions or this Privacy Policy) are not marketing communications and will continue to be sent while your account is active. These are necessary for the operation of the Service.
11.1 Subject to certain conditions and exceptions under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
11.2 To exercise any of these rights, please contact Us using the details in the “How To Contact Us” section below. We will respond within one month, although We may extend this by a further two months for complex or numerous requests (in which case We will notify you).
11.3 We may need to verify your identity before responding to a request, particularly if it concerns access to or deletion of personal data.
11.4 In most cases there is no fee for exercising your rights. Where a request is manifestly unfounded or excessive, We may charge a reasonable fee or refuse to act on the request, and We will tell you why.
If you are unhappy with how We have handled your personal data, We would prefer you to contact Us first so We can try to resolve the issue. However, you have the right at any time to lodge a complaint with the UK Information Commissioner's Office (the supervisory authority for data protection in the UK). You can find the ICO's current contact details, including their helpline and postal address, on their website at https://ico.org.uk.
Lodging a complaint with the ICO does not affect your other legal rights or remedies.
The Service is intended for use by businesses, trades, professions, and other organisations (see clause 19 of Our Terms and Conditions). It is not directed at, and We do not knowingly collect personal data from, children under the age of 18. If you believe a child has provided Us with personal data, please contact Us so We can delete it.
14.1 We take appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. These measures include encryption in transit, access controls, role-based permissions, secure password hashing, audit logging, and ongoing security review.
14.2 No method of transmission over the internet or storage on a computer is completely secure. While We strive to protect personal data, We cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for notifying Us promptly of any suspected unauthorised access to your account.
14.3 In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, We will notify the ICO within 72 hours where required by law, and We will notify affected individuals where required by law.
Our Site and the Service may contain links to third-party websites and services. This Privacy Policy applies only to Our processing of personal data; We are not responsible for the privacy practices of third-party websites or services, and We recommend that you read their privacy notices before providing any personal data to them.
16.1 We may update this Privacy Policy from time to time. The “last updated” date at the top of this Privacy Policy will reflect any change.
16.2 Where the changes are material, We will take reasonable steps to bring them to your attention (for example, by email or by an in-product notice) before the changes take effect. Continued use of Our Site or Our Service after the effective date constitutes your acknowledgement of the updated Privacy Policy.
For any questions about this Privacy Policy, or to exercise any of your rights, please contact Us via the contact form on Our Site at /contact, or by post to KanbanGenie Limited, 71-75 Shelton Street, Covent Garden, London, UK.