Legal

Privacy Policy

Questions: hello@taskra.ai
Plain-English summary: Taskra is an AI customer support tool for Shopify sellers. We process your store data (products, orders, policies) and your customers' messages to generate automatic replies. We use Anthropic's Claude AI as a sub-processor. We never sell your data. Your customers' messages are deleted from AI logs within 7 days. You are always in control.

1Who We Are

Taskra ("Taskra", "we", "us", "our") is an AI-powered customer support platform for Shopify ecommerce sellers. Our service allows merchants to automate responses to customer enquiries across email and live chat using artificial intelligence trained on the merchant's own store data.

Taskra Labs Ltd is registered in England and Wales. For the purposes of the UK GDPR and EU GDPR, Taskra acts as the data controller for merchant account data, and as a data processor for customer message data processed on behalf of merchants.

Our registered address and data protection contact:
Taskra Labs Ltd, London, United Kingdom
Email: hello@taskra.ai

2What We Collect

2.1 Merchant account data (you, the Shopify seller)

Data typeWhat we collectWhy
Account informationName, email address, password (hashed), company nameTo create and manage your Taskra account
Billing informationSubscription plan, billing history. Payment card details are handled directly by Shopify Billing API — Taskra never stores card numbers.To process subscription payments
Shopify store dataStore URL, products, prices, variants, policies, FAQs, order history, tracking information — imported via Shopify Admin APITo train Taskra AI on your specific store so it gives accurate answers
Configuration dataAI behaviour rules, guardrails, brand voice settings, team members, notification preferencesTo customise Taskra to your brand and business rules
Usage dataPages visited in the dashboard, features used, session timestampsTo improve the product and provide analytics

2.2 Your customers' data (end shoppers)

Data typeWhat we collectWhy
Customer messagesEmail content, live chat messages sent to your store's support address or chat widgetTo generate AI replies on your behalf
Contact detailsCustomer name and email address (where provided by the customer or available from Shopify order data)To personalise replies and for lead capture (if enabled)
Order contextOrder number, status and tracking — pulled from Shopify when a customer references an order in a messageTo give accurate, real-time order updates in AI replies

2.3 Technical data (all users)

  • IP address, browser type, operating system
  • Referring URL and pages visited on taskra.ai
  • Device type and screen resolution
  • Error logs and performance data

3How We Use Your Data

PurposeLegal basis (UK/EU GDPR)
Providing and operating the Taskra service — including generating AI replies to customer messagesContract performance (Article 6(1)(b))
Processing billing and subscription management via Shopify Billing APIContract performance (Article 6(1)(b))
Sending transactional emails — onboarding, password resets, usage alerts, performance summariesContract performance (Article 6(1)(b))
Sending marketing emails about new Taskra features (merchants only)Legitimate interests (Article 6(1)(f)) — you may unsubscribe at any time
Improving the Taskra platform — analysing usage patterns, fixing bugs, improving AI accuracyLegitimate interests (Article 6(1)(f))
Complying with legal obligations — fraud prevention, tax records, responding to lawful requestsLegal obligation (Article 6(1)(c))
Sending daily/weekly/monthly performance summary emails (if enabled by the merchant)Contract performance (Article 6(1)(b)) — merchant configures recipients and frequency
We never use your data for: selling to third parties, training AI models on your customers' conversations, advertising profiling, or any purpose not listed above.

4AI Processing & Sub-processors

Taskra uses artificial intelligence to generate replies to customer messages. To do this, message content is processed by the following AI service provider acting as our sub-processor:

Sub-processorPurposeData transferredLocationSafeguards
Anthropic PBCAI language model (Claude API) — generates customer support repliesCustomer message content, relevant store context (product info, order data, policies)United StatesData Processing Addendum (DPA) with EU Standard Contractual Clauses (SCCs). API logs retained for 7 days maximum, then permanently deleted. Data is never used to train Anthropic's models.
Important: When a customer sends your store a message and Taskra generates a reply, the text of that message is transmitted to Anthropic's API. The message is processed and deleted from Anthropic's systems within 7 days. Anthropic does not use this data for model training. This is covered by Anthropic's commercial Data Processing Addendum, effective January 2026.

4.1 How we minimise AI data exposure

  • We only send the minimum context needed to generate an accurate reply — never entire customer databases
  • We do not include payment card data, passwords or other sensitive financial data in AI prompts
  • API calls are encrypted in transit using TLS 1.2 or higher
  • Anthropic's retention window for API logs is 7 days (reduced from 30 days in September 2025)
  • We are the data controller; Anthropic acts as data processor under a binding DPA

4.2 Other sub-processors

Sub-processorPurposeLocation
Shopify Inc.Shopify Admin API — we read your store's product, order and policy data via OAuthCanada / USA
Stripe Inc. (via Shopify Billing)Payment processing for Taskra subscriptionsUSA
Postmark / Mailgun (email delivery)Sending transactional emails and customer reply emails on behalf of merchantsUSA
Cloud hosting provider (e.g. Google Cloud / AWS)Hosting Taskra application servers, databases and file storageUnited Kingdom / EU

We will notify you at least 15 days before adding any new sub-processor that processes personal data. You may object by contacting hello@taskra.ai.

5Shopify Merchant Data

When you connect your Shopify store to Taskra, you authorise us to access specific data via Shopify's OAuth API. We request only the permissions required to operate the service:

  • Products & variants — to answer product questions accurately
  • Orders & order status — to respond to tracking and order queries
  • Store policies & pages — to answer returns, shipping and policy questions
  • Abandoned checkouts — to trigger cart recovery messages (if enabled)
  • Script tags — to install the Taskra live chat widget on your storefront

We do not request access to your Shopify admin settings, financial reports, staff accounts or payment processing data. You can revoke our access at any time from your Shopify Admin under Settings > Apps and sales channels.

5.1 Protected customer data

Shopify classifies certain fields as "protected customer data" that require explicit approval from Shopify before an app can access them. Taskra has requested and been approved for access to the following protected fields, which are necessary to provide the core service:

  • Customer name and email address — to personalise AI replies and for lead capture
  • Order history and order status — to answer order tracking and returns queries accurately
  • Shipping address — only where referenced in a customer's own message, to confirm delivery details

We do not request access to customer payment card data, tax-exempt status, or any other protected fields not listed above. All protected data access is governed by Shopify's Partner Program Agreement and our Data Processing Addendum.

Shopify merchant data is stored on our secure servers and is deleted within 30 days of you closing your Taskra account or uninstalling the app (see Section 6.3 for automatic deletion via Shopify's shop/redact webhook).

6Your Customers' Messages & Personal Data

Taskra processes messages sent by your end customers (the shoppers on your Shopify store) on your behalf, as your data processor. You, the merchant, are the data controller for your customers' personal data. This means:

  • You are responsible for ensuring your store's own privacy policy discloses that AI-assisted customer support is used
  • You must have a lawful basis for processing your customers' data (typically the performance of a contract when they make a purchase or enquiry)
  • Your customers can exercise their data rights (access, deletion etc.) directly with you as the data controller
  • Taskra will assist you in responding to any data subject requests relating to messages processed through our platform
Recommended for merchants: Add a line to your own store's privacy policy such as: "We use Taskra, an AI-powered customer support tool, to help respond to your enquiries. Messages you send to our support team may be processed by Taskra and its AI provider (Anthropic) to generate responses. Message content is deleted from AI systems within 7 days."

6.1 Lead capture

If you enable Taskra's lead capture feature, the AI will ask visitors for their name and email address during chat conversations where high buying intent is detected. This data is stored in your Taskra dashboard and is only accessible to you. You must ensure you have a lawful basis and appropriate consent to collect and use this lead data under applicable privacy law.

6.2 Cart recovery

If you enable the cart recovery feature, Taskra uses Shopify's abandoned checkout webhook to identify customers who left without completing a purchase. Their email address (already held by Shopify from their checkout session) is used to send a personalised recovery message. This is sent from your store's email address. You are the data controller for this processing.

6.3 Shopify mandatory compliance webhooks

As required by Shopify for all apps listed on the Shopify App Store, Taskra implements the following three mandatory GDPR compliance webhooks:

  • customers/data_request — When a customer requests a copy of their personal data from your store, Shopify notifies Taskra. We compile all data held about that customer (message history, lead capture, order context) and make it available to you within 30 days.
  • customers/redact — When a customer requests deletion of their data, Shopify sends this webhook. We permanently delete all personal data associated with that customer from our systems within 30 days. Anonymised aggregate data (e.g. message volume counts) may be retained where it cannot be linked back to an individual.
  • shop/redact — 48 hours after a merchant uninstalls the Taskra app, Shopify sends this webhook. We permanently delete all data associated with that store within 48 hours. Billing records are retained for 7 years as required by UK law.

Taskra confirms receipt of each compliance webhook with a 200 HTTP status response and completes all required actions within the timeframes specified above.

7Cookies & Tracking

7.1 Taskra website (taskra.ai)

Cookie / technologyTypePurposeDuration
Session tokenStrictly necessaryKeeps you logged in to the Taskra dashboardSession / 30 days
CSRF tokenStrictly necessaryProtects against cross-site request forgery attacksSession
Analytics (e.g. Plausible or similar privacy-first tool)AnalyticsAnonymous page view and feature usage tracking — no cross-site tracking, no fingerprinting30 days

We do not use advertising cookies, Facebook Pixel, Google Ads remarketing or any cross-site tracking technology on taskra.ai.

7.2 The Taskra chat widget (on your Shopify store)

When the Taskra chat widget is installed on a merchant's store, it sets a single session cookie to maintain chat continuity during a visitor's session. This cookie does not track visitors across other websites and expires when the browser session ends. Merchants should disclose this in their own store's cookie policy.

8Data Sharing

We do not sell, rent or trade your personal data or your customers' personal data to any third party, ever.

We share data only in the following limited circumstances:

  • Sub-processors — as listed in Section 4, only to the extent necessary to provide the service
  • Legal requirements — if required by law, court order or regulatory authority (e.g. the ICO in the UK), we may disclose data. We will notify you where legally permitted to do so
  • Business transfer — if Taskra is acquired or merges with another company, your data may be transferred to the new entity. We will notify you in advance and your rights will be maintained
  • With your consent — for any other purpose not listed here, only with your explicit consent

We never share merchant account data or customer message data with other Taskra merchants.

9Data Retention

Data categoryRetention period
Customer messages processed via AI (Anthropic API)7 days — automatically deleted from Anthropic's systems
Customer message content stored in Taskra inbox12 months from the date of the message, or until the merchant deletes it
Merchant account data (name, email, settings)For the duration of the active account, plus 30 days after account closure (to allow recovery), then deleted
Shopify store data (products, orders, policies)Synced in real time; deleted within 30 days of account closure or Shopify app uninstall
Billing records7 years — required for tax and accounting compliance under UK law
Security logs and access logs90 days
Lead capture data (customer emails collected via chat)Until the merchant deletes it, or account closure + 30 days

You can request deletion of your data at any time by contacting hello@taskra.ai. We will process deletion requests within 30 days, except where retention is required by law.

10Security

We implement industry-standard technical and organisational measures to protect your data:

  • Encryption in transit: All data transmitted between your browser, Taskra servers and our sub-processors uses TLS 1.2 or higher
  • Encryption at rest: All databases and file storage are encrypted at rest using AES-256
  • Access controls: Role-based access controls (RBAC) and multi-factor authentication (MFA) required for all Taskra staff with data access
  • Least-privilege principle: Staff access to production data is strictly limited to what is required for their role
  • Shopify OAuth: We use Shopify's official OAuth flow — we never ask for or store your Shopify admin password
  • Vulnerability management: Regular security reviews and dependency updates
  • Incident response: We maintain an incident response plan. In the event of a data breach, we will notify affected users and the ICO within 72 hours as required by UK GDPR

Despite these measures, no system is 100% secure. If you believe your account has been compromised, contact us immediately at security@taskra.ai.

11Your Rights

Under UK GDPR and EU GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact hello@taskra.ai. We will respond within 30 days.

Right of Access
Request a copy of all personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to Restrict Processing
Request that we limit how we use your data in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format to transfer to another service.
Right to Object
Object to processing based on legitimate interests, including direct marketing.
Automated Decision-Making
Rights related to automated processing — Taskra does not make solely automated decisions with legal or significant effect on individuals.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK data protection regulator — at ico.org.uk or by calling 0303 123 1113. For EU residents, you may contact your local supervisory authority.

11.1 California residents — CCPA / CPRA rights

If you are a resident of California, USA, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you additional rights over your personal data:

  • Right to know — Request details of the categories and specific pieces of personal information we have collected, the sources, purposes, and categories of third parties with whom it is shared.
  • Right to delete — Request deletion of personal information we have collected, subject to certain exceptions.
  • Right to opt out of sale or sharing — Taskra does not sell or share personal information for cross-context behavioural advertising. No opt-out mechanism is required, but you may contact us to confirm.
  • Right to correct — Request correction of inaccurate personal information.
  • Right to limit use of sensitive personal information — We do not collect or use sensitive personal information beyond what is necessary to provide the service.
  • Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA / CPRA rights.

To exercise any California privacy rights, contact us at hello@taskra.ai. We will verify your identity and respond within 45 days (with an extension to 90 days where necessary).

12International Data Transfers

Taskra is based in the United Kingdom. Some of our sub-processors are based in the United States (including Anthropic, Shopify, and our email delivery provider). When we transfer personal data outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) — incorporated into our Data Processing Addendum with Anthropic and other US-based sub-processors, as approved by the European Commission and adopted by the ICO for UK transfers
  • UK International Data Transfer Agreements (IDTAs) — where required for UK-specific transfers
  • Adequacy decisions — where the destination country has been deemed adequate by the UK or EU

You may request a copy of the transfer safeguards we rely on by contacting hello@taskra.ai.

13Children's Privacy

Taskra is a business-to-business service intended for adults aged 18 and over. We do not knowingly collect personal data from children under the age of 13 (or under 16 in the EEA). If you believe a child has provided us with personal data, please contact hello@taskra.ai and we will delete it promptly.

14Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes — particularly changes that affect how we process your personal data or your customers' data — we will notify you by:

  • Email to the address registered on your Taskra account, at least 14 days before the change takes effect
  • A notice in the Taskra dashboard

Minor changes (such as clarifications or corrections) will be updated here without advance notice. The "Effective date" at the top of this page will always reflect the date of the current version. We recommend reviewing this page periodically.

Your continued use of Taskra after a material change takes effect constitutes your acceptance of the updated policy.

15Contact Us

For any privacy-related questions, data subject requests, or concerns about how we handle your data, please contact our data protection team:

Data Protection Team

We aim to respond to all privacy enquiries within 5 working days, and all formal data subject requests within 30 days.

hello@taskra.ai

Taskra Labs Ltd · London, United Kingdom