Privacy Policy

1. Introduction

This Privacy Policy applies to all personal information collected by Nexus Media (Pty) Ltd (“Nexus Media”, “we”, “us”, or “our”) through the TaskCalendar platform, accessible at taskcalendar.app and associated subdomains.

As a responsible party under POPIA, we are accountable for ensuring that your personal information is processed lawfully, fairly, and transparently. We only collect information that is adequate, relevant, and not excessive for the purposes described in this Policy.

2. Information We Collect

Account Information

When you register, we collect:

• Full name
• Email address
• Password (stored as a secure hash; we never store plaintext passwords)
• Google account ID and email (if you sign up or connect via Google)

Usage and Activity Data

When you use TaskCalendar, we automatically collect:

• Tasks, descriptions, tags, and assignments you create
• Activity logs (task status changes, completions, role changes)
• Team and brand membership data
• Timestamps of actions performed within the platform

Technical Data

Our servers and infrastructure may log:

• IP address and approximate geographic location
• Browser type, version, and operating system
• Pages visited and features used within TaskCalendar
• Session duration and frequency of use

Google Calendar Data

If you connect Google Calendar, we store an OAuth refresh token linked to your account. See Section 6 for full details.

3. How We Use Your Information

We use your personal information to:

• Create and manage your TaskCalendar account
• Provide, operate, and improve the Service
• Authenticate you and maintain secure sessions
• Enable team collaboration features (task assignment, activity feeds)
• Sync tasks to your Google Calendar where you have enabled this feature
• Send transactional emails (account confirmations, password resets, invitations)
• Respond to your support requests and communications
• Monitor and enforce compliance with our Terms of Service
• Comply with legal obligations and respond to lawful requests from authorities

We do not sell your personal information to third parties. We do not use your data for advertising profiling.

4. Legal Basis for Processing (POPIA)

Under POPIA, we process your personal information on the following grounds:

• Contractual necessity: Processing required to provide the Service you have registered for (account management, task operations, team features).
• Consent: Where you have given explicit consent, such as connecting your Google Calendar or receiving optional communications.
• Legitimate interest: For security monitoring, fraud prevention, and improving the Service, where these interests are not overridden by your rights.
• Legal obligation: Where we are required by South African law to retain or disclose information.

5. Information Sharing and Disclosure

We share your personal information only in the following circumstances:

Within Your Team

Your name and the tasks you create or are assigned to are visible to other members of your TaskCalendar team. Team administrators can see all team activity. Your email address is visible to team administrators and super admins only.

Service Providers

We use the following sub-processors who may process your data:

• Supabase: Database hosting and authentication infrastructure.
• Vercel: Application hosting and edge network.
• Google LLC: OAuth authentication and Calendar API (where enabled).

All service providers are bound by data processing agreements and are required to handle your data in accordance with applicable privacy laws.

Legal Requirements

We may disclose your information where required by law, court order, or regulatory authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Nexus Media, our users, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

6. Google Calendar Integration

What We Access

When you connect Google Calendar, we request the calendar.events OAuth scope. This allows TaskCalendar to:

• Create calendar events for tasks assigned to you that have due dates
• Update those events when task details change
• Delete those events when tasks are deleted or you are unassigned

We do not read your existing calendar events. We cannot access other Google services or your contacts. We store only the OAuth refresh token necessary to perform these operations on your behalf.

How We Store It

Your Google OAuth refresh token is stored encrypted in our database, associated with your user account. It is never shared with other users or third parties beyond what is required to call the Google Calendar API.

Revoking Access

You can disconnect Google Calendar at any time via Settings > Integrations > Disconnect. This immediately clears your refresh token from our systems. You can also revoke our access through your Google Account at myaccount.google.com/permissions.

TaskCalendar's Use of Google API Data

TaskCalendar's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

7. Data Security

We implement industry-standard security measures to protect your personal information:

• All data is transmitted over HTTPS (TLS 1.2 or higher)
• Passwords are hashed using bcrypt before storage
• Database access is restricted to authorised service accounts only
• Row-level security policies are applied where appropriate
• OAuth tokens are stored in secured, access-controlled storage
• Regular security reviews and dependency audits

Despite these measures, no method of transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Regulator within the timeframes required by POPIA.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service.

• Account data: Retained while your account exists. Upon deletion, personal identifiers are removed within 30 days.
• Task data: Retained while your team exists. Deleted with the team or on account deletion if you are the only member.
• Activity logs: Retained for up to 12 months for security and audit purposes, then purged.
• Google OAuth tokens: Deleted immediately upon disconnecting Google Calendar or deleting your account.
• Technical logs: Retained for up to 90 days for debugging and security purposes.

9. Your Rights under POPIA

As a data subject under POPIA, you have the following rights regarding your personal information:

• Right of access: Request a copy of the personal information we hold about you.
• Right to correction: Request that inaccurate or incomplete personal information be corrected. You can update most information directly in Settings > Profile.
• Right to deletion: Request deletion of your personal information, subject to legal and contractual obligations. You can delete your account in Settings > Account.
• Right to object: Object to the processing of your personal information on grounds relating to your particular situation, where processing is based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent (e.g. Google Calendar integration), you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to complain: Lodge a complaint with South Africa's Information Regulator if you believe your rights have been violated.

To exercise any of these rights, contact our Information Officer at support@taskcalendar.app. We will respond within 30 days.

You may also contact the Information Regulator directly:
inforegulator.org.za · inforeg@justice.gov.za

10. Cookies and Tracking

TaskCalendar uses minimal cookies necessary for the Service to function:

• Session cookies: Used to maintain your authenticated session (NextAuth.js session token). These expire when you sign out or after a period of inactivity.
• CSRF protection cookies: Used to prevent cross-site request forgery attacks.

We do not use advertising cookies, third-party tracking pixels, or analytics cookies that track you across other websites. You can control cookies through your browser settings; however, disabling session cookies will prevent you from staying signed in.

11. Children's Privacy

TaskCalendar is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal information from persons under 18. If you believe a minor has provided us with personal information, please contact us at support@taskcalendar.app and we will delete it promptly.

12. International Data Transfers

TaskCalendar is hosted on infrastructure that may process data in jurisdictions outside South Africa, including the United States and European Union (via Supabase and Vercel). Where personal information is transferred internationally, we ensure appropriate safeguards are in place, including:

• Data processing agreements with sub-processors that include standard contractual clauses
• Use of services that maintain SOC 2 or equivalent security certifications

These transfers are conducted in compliance with POPIA Section 72 requirements for cross-border information transfers.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or via an in-app notice at least 14 days before the changes take effect.

The date at the top of this page reflects when the Policy was last updated. We encourage you to review this Policy periodically.

14. Information Officer Contact

Nexus Media has appointed an Information Officer as required by POPIA. For any privacy enquiries, data subject requests, or concerns:

We aim to respond to all privacy enquiries within 30 days. For unresolved matters, you may escalate to the Information Regulator of South Africa.