Privacy Policy
01 Who is responsible for your data
The data controller is Natalie Abadie (sole trader), established in Malta (EU), 10 Censu Xerri, Sliema, Malta (“TareaBox”, “we”). Contact for any privacy matter: hello@tareabox.com.
Because we are established in Malta, the EU General Data Protection Regulation (GDPR) applies to our processing of your personal data regardless of your nationality or where you live (GDPR Art. 3). If you are outside the EU, the rights of your own country may also apply — see §11 “Your regional rights”.
02 Scope
This policy covers the TareaBox website (tareabox.com) and the TareaBox app. TareaBox is a content-planning and AI-automation service used by people worldwide.
03 What we collect, why, and our legal basis
We only collect what we need to run the service. We do not sell your personal data.
| Data | What it is | Why / legal basis (GDPR Art. 6) |
|---|---|---|
| Account | Email, name, password (stored hashed — we never see it), preferred language | Create and run your account — contract (6(1)(b)) |
| Consent records | That you accepted the Terms & Privacy Policy and confirmed you are 16+, with a timestamp | Prove valid consent — legal obligation / legitimate interest |
| Sign-up / access | Invitation-code redemption; waitlist email + language | Run the closed beta and control access — legitimate interest |
| Approximate location & device | Country, region, city, time zone, browser type & language (derived from your connection) | Security, abuse-prevention, demand insight — legitimate interest |
| Brand profile | The brand info you provide or build in the AI interview (voice, style, stories, links) | Provide the service — contract |
| AI interview | The conversation transcript and a working summary the assistant keeps | Build your brand profile — contract |
| Media | Images, video and audio you upload | Store and use them in your content — contract |
| Payments (paid plans) | Billing email and a payment reference; card handled by Stripe — we never store card numbers | Process payments — contract |
| Communications | Emails we send you and your messages to support | Operate and support the service — contract / legitimate interest |
What we deliberately do NOT collect at sign-up: your raw IP address, GPS coordinates (latitude/longitude), or postal code.
The country / region / city / time-zone come from network signals provided by our hosting platform; they are approximate and used to keep the service safe and understand demand — not to track you.
04 Special-category (sensitive) data and biometrics
We do not currently process biometric data or other special categories under GDPR Art. 9. Voice dictation in the interview is speech-to-text transcription (the audio is sent to a transcription provider and then discarded); it is not a voiceprint and is not used to identify you. If we ever add features that clone a real person’s face or voice, we will ask for that person’s explicit, separate consent first, and update this policy.
05 How AI is used
TareaBox uses third-party AI providers to run its automations:
- a large-language-model provider processes the interview and content-generation prompts;
- a voice-transcription provider converts dictated audio to text (audio is discarded after transcription);
- an image-generation provider processes image prompts and any reference images you supply.
These providers process your input only to return a result to you. We do not use your content to train third-party AI models, and we do not make automated decisions that produce legal or similarly significant effects about you (GDPR Art. 22).
Our authorised personnel (currently the platform operator) may access your data — including brand profiles and interview transcripts — to operate, support, secure and improve the service.
06 Who we share data with (processors / sub-processors)
We share data with vetted service providers acting on our instructions (GDPR Art. 28):
| Category | Provider | What they process | Location |
|---|---|---|---|
| Database, auth, storage | Supabase | Account data, app data, some files | Cloud (EU/US) |
| Hosting & infrastructure | Vercel | App hosting, logs, connection signals | US (global edge) |
| File storage | Cloudflare R2 | Your uploaded media | EU/US |
| Payments (paid plans) | Stripe | Billing email, tokenised card, history | US |
| AI — text | Anthropic (Claude) | Interview & content prompts/replies | US |
| AI — voice transcription | Groq | Dictated audio (discarded after) | US |
| AI — image generation | KIE.ai | Image prompts and reference images | US |
| Email delivery | Resend | Recipient email, message content | EU/US |
| Video processing | Hostinger (EU) | Video files for compression | EU |
We keep an up-to-date list of sub-processors and will inform users of material changes. We do not share your data with advertisers.
07 International data transfers
Some providers are located in the United States or process data globally. When we transfer personal data outside the EU/EEA, we rely on an appropriate safeguard — typically the EU Standard Contractual Clauses and/or the provider’s adherence to the EU-US Data Privacy Framework — as required by GDPR Chapter V (Art. 44–46).
08 How long we keep it
- We keep your account and content for as long as your account is active.
- When you delete your account, we perform a real deletion: your user record is removed, brands where you are the only member are deleted, and their stored media is purged.
- Backups: encrypted backups are retained for a short period (currently 7 days) and then cycle out.
- Records we must keep for legal/accounting reasons (e.g. payment and consent records) are retained as required by law.
09 How we protect your data
- Tenant isolation enforced at the database level (Row-Level Security).
- Private storage with short-lived signed links (files are never public).
- Encryption in transit (HTTPS) and at rest.
- Secure, httpOnly session cookies (no tokens in local storage).
- EXIF/GPS metadata is stripped from images on upload.
- Secrets are redacted from logs and error reports.
- Multi-factor authentication is required for the administrator account.
10 Your rights
Depending on where you live, you have the right to: access your data and get a copy; rectify it; erase it; restrict or object to processing; request data portability; and withdraw consent at any time.
To exercise any right, email hello@tareabox.com. We respond within one month (GDPR Art. 12). You can also complain to a supervisory authority — in Malta, the Office of the Information and Data Protection Commissioner (IDPC).
11 Your regional rights
- EU/EEA & UK: the GDPR / UK GDPR rights above, and the right to lodge a complaint locally.
- California (CCPA/CPRA): know, delete, correct, and opt out of “sale”/“sharing” — we do not sell or share your personal information.
- Brazil (LGPD), Japan (APPI), and other countries: the access, correction and deletion rights granted by your local law.
12 Children
TareaBox is not for anyone under 16. We do not knowingly collect data from children under 16. If you believe a child has given us data, contact hello@tareabox.com and we will delete it.
13 Cookies
The app uses only the cookies it needs to work and to remember your preferences:
| Cookie | Purpose | Type |
|---|---|---|
| Session (sb-*) | Keeps you logged in | Essential |
| tb_theme, tb_fontsize | Remember dark/light and text size | Preference |
| Language | Remember your language | Preference |
| tb_tz | Time zone for the calendar | Preference |
We do not use analytics or advertising cookies in the app. The website uses a cookie-consent tool for any non-essential cookies.
14 Changes to this policy
We may update this policy; we will post the new version with an updated effective date and, for material changes, notify you.
15 Contact
hello@tareabox.com · Data-protection authority (Malta): IDPC.