Privacy Policy
1Who We Are
Taskra ("Taskra", "we", "us", "our") is an AI-powered customer support platform for Shopify ecommerce sellers. Our service allows merchants to automate responses to customer enquiries across email and live chat using artificial intelligence trained on the merchant's own store data.
Taskra Labs Ltd is registered in England and Wales. For the purposes of the UK GDPR and EU GDPR, Taskra acts as the data controller for merchant account data, and as a data processor for customer message data processed on behalf of merchants.
Our registered address and data protection contact:
Taskra Labs Ltd, London, United Kingdom
Email: hello@taskra.ai
2What We Collect
2.1 Merchant account data (you, the Shopify seller)
| Data type | What we collect | Why |
|---|---|---|
| Account information | Name, email address, password (hashed), company name | To create and manage your Taskra account |
| Billing information | Subscription plan, billing history. Payment card details are handled directly by Shopify Billing API — Taskra never stores card numbers. | To process subscription payments |
| Shopify store data | Store URL, products, prices, variants, policies, FAQs, order history, tracking information — imported via Shopify Admin API | To train Taskra AI on your specific store so it gives accurate answers |
| Configuration data | AI behaviour rules, guardrails, brand voice settings, team members, notification preferences | To customise Taskra to your brand and business rules |
| Usage data | Pages visited in the dashboard, features used, session timestamps | To improve the product and provide analytics |
2.2 Your customers' data (end shoppers)
| Data type | What we collect | Why |
|---|---|---|
| Customer messages | Email content, live chat messages sent to your store's support address or chat widget | To generate AI replies on your behalf |
| Contact details | Customer name and email address (where provided by the customer or available from Shopify order data) | To personalise replies and for lead capture (if enabled) |
| Order context | Order number, status and tracking — pulled from Shopify when a customer references an order in a message | To give accurate, real-time order updates in AI replies |
2.3 Technical data (all users)
- IP address, browser type, operating system
- Referring URL and pages visited on taskra.ai
- Device type and screen resolution
- Error logs and performance data
3How We Use Your Data
| Purpose | Legal basis (UK/EU GDPR) |
|---|---|
| Providing and operating the Taskra service — including generating AI replies to customer messages | Contract performance (Article 6(1)(b)) |
| Processing billing and subscription management via Shopify Billing API | Contract performance (Article 6(1)(b)) |
| Sending transactional emails — onboarding, password resets, usage alerts, performance summaries | Contract performance (Article 6(1)(b)) |
| Sending marketing emails about new Taskra features (merchants only) | Legitimate interests (Article 6(1)(f)) — you may unsubscribe at any time |
| Improving the Taskra platform — analysing usage patterns, fixing bugs, improving AI accuracy | Legitimate interests (Article 6(1)(f)) |
| Complying with legal obligations — fraud prevention, tax records, responding to lawful requests | Legal obligation (Article 6(1)(c)) |
| Sending daily/weekly/monthly performance summary emails (if enabled by the merchant) | Contract performance (Article 6(1)(b)) — merchant configures recipients and frequency |
4AI Processing & Sub-processors
Taskra uses artificial intelligence to generate replies to customer messages. To do this, message content is processed by the following AI service provider acting as our sub-processor:
| Sub-processor | Purpose | Data transferred | Location | Safeguards |
|---|---|---|---|---|
| Anthropic PBC | AI language model (Claude API) — generates customer support replies | Customer message content, relevant store context (product info, order data, policies) | United States | Data Processing Addendum (DPA) with EU Standard Contractual Clauses (SCCs). API logs retained for 7 days maximum, then permanently deleted. Data is never used to train Anthropic's models. |
4.1 How we minimise AI data exposure
- We only send the minimum context needed to generate an accurate reply — never entire customer databases
- We do not include payment card data, passwords or other sensitive financial data in AI prompts
- API calls are encrypted in transit using TLS 1.2 or higher
- Anthropic's retention window for API logs is 7 days (reduced from 30 days in September 2025)
- We are the data controller; Anthropic acts as data processor under a binding DPA
4.2 Other sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | Shopify Admin API — we read your store's product, order and policy data via OAuth | Canada / USA |
| Stripe Inc. (via Shopify Billing) | Payment processing for Taskra subscriptions | USA |
| Postmark / Mailgun (email delivery) | Sending transactional emails and customer reply emails on behalf of merchants | USA |
| Cloud hosting provider (e.g. Google Cloud / AWS) | Hosting Taskra application servers, databases and file storage | United Kingdom / EU |
We will notify you at least 15 days before adding any new sub-processor that processes personal data. You may object by contacting hello@taskra.ai.
5Shopify Merchant Data
When you connect your Shopify store to Taskra, you authorise us to access specific data via Shopify's OAuth API. We request only the permissions required to operate the service:
- Products & variants — to answer product questions accurately
- Orders & order status — to respond to tracking and order queries
- Store policies & pages — to answer returns, shipping and policy questions
- Abandoned checkouts — to trigger cart recovery messages (if enabled)
- Script tags — to install the Taskra live chat widget on your storefront
We do not request access to your Shopify admin settings, financial reports, staff accounts or payment processing data. You can revoke our access at any time from your Shopify Admin under Settings > Apps and sales channels.
5.1 Protected customer data
Shopify classifies certain fields as "protected customer data" that require explicit approval from Shopify before an app can access them. Taskra has requested and been approved for access to the following protected fields, which are necessary to provide the core service:
- Customer name and email address — to personalise AI replies and for lead capture
- Order history and order status — to answer order tracking and returns queries accurately
- Shipping address — only where referenced in a customer's own message, to confirm delivery details
We do not request access to customer payment card data, tax-exempt status, or any other protected fields not listed above. All protected data access is governed by Shopify's Partner Program Agreement and our Data Processing Addendum.
Shopify merchant data is stored on our secure servers and is deleted within 30 days of you closing your Taskra account or uninstalling the app (see Section 6.3 for automatic deletion via Shopify's shop/redact webhook).
6Your Customers' Messages & Personal Data
Taskra processes messages sent by your end customers (the shoppers on your Shopify store) on your behalf, as your data processor. You, the merchant, are the data controller for your customers' personal data. This means:
- You are responsible for ensuring your store's own privacy policy discloses that AI-assisted customer support is used
- You must have a lawful basis for processing your customers' data (typically the performance of a contract when they make a purchase or enquiry)
- Your customers can exercise their data rights (access, deletion etc.) directly with you as the data controller
- Taskra will assist you in responding to any data subject requests relating to messages processed through our platform
6.1 Lead capture
If you enable Taskra's lead capture feature, the AI will ask visitors for their name and email address during chat conversations where high buying intent is detected. This data is stored in your Taskra dashboard and is only accessible to you. You must ensure you have a lawful basis and appropriate consent to collect and use this lead data under applicable privacy law.
6.2 Cart recovery
If you enable the cart recovery feature, Taskra uses Shopify's abandoned checkout webhook to identify customers who left without completing a purchase. Their email address (already held by Shopify from their checkout session) is used to send a personalised recovery message. This is sent from your store's email address. You are the data controller for this processing.
6.3 Shopify mandatory compliance webhooks
As required by Shopify for all apps listed on the Shopify App Store, Taskra implements the following three mandatory GDPR compliance webhooks:
- customers/data_request — When a customer requests a copy of their personal data from your store, Shopify notifies Taskra. We compile all data held about that customer (message history, lead capture, order context) and make it available to you within 30 days.
- customers/redact — When a customer requests deletion of their data, Shopify sends this webhook. We permanently delete all personal data associated with that customer from our systems within 30 days. Anonymised aggregate data (e.g. message volume counts) may be retained where it cannot be linked back to an individual.
- shop/redact — 48 hours after a merchant uninstalls the Taskra app, Shopify sends this webhook. We permanently delete all data associated with that store within 48 hours. Billing records are retained for 7 years as required by UK law.
Taskra confirms receipt of each compliance webhook with a 200 HTTP status response and completes all required actions within the timeframes specified above.
9Data Retention
| Data category | Retention period |
|---|---|
| Customer messages processed via AI (Anthropic API) | 7 days — automatically deleted from Anthropic's systems |
| Customer message content stored in Taskra inbox | 12 months from the date of the message, or until the merchant deletes it |
| Merchant account data (name, email, settings) | For the duration of the active account, plus 30 days after account closure (to allow recovery), then deleted |
| Shopify store data (products, orders, policies) | Synced in real time; deleted within 30 days of account closure or Shopify app uninstall |
| Billing records | 7 years — required for tax and accounting compliance under UK law |
| Security logs and access logs | 90 days |
| Lead capture data (customer emails collected via chat) | Until the merchant deletes it, or account closure + 30 days |
You can request deletion of your data at any time by contacting hello@taskra.ai. We will process deletion requests within 30 days, except where retention is required by law.
10Security
We implement industry-standard technical and organisational measures to protect your data:
- Encryption in transit: All data transmitted between your browser, Taskra servers and our sub-processors uses TLS 1.2 or higher
- Encryption at rest: All databases and file storage are encrypted at rest using AES-256
- Access controls: Role-based access controls (RBAC) and multi-factor authentication (MFA) required for all Taskra staff with data access
- Least-privilege principle: Staff access to production data is strictly limited to what is required for their role
- Shopify OAuth: We use Shopify's official OAuth flow — we never ask for or store your Shopify admin password
- Vulnerability management: Regular security reviews and dependency updates
- Incident response: We maintain an incident response plan. In the event of a data breach, we will notify affected users and the ICO within 72 hours as required by UK GDPR
Despite these measures, no system is 100% secure. If you believe your account has been compromised, contact us immediately at security@taskra.ai.
11Your Rights
Under UK GDPR and EU GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact hello@taskra.ai. We will respond within 30 days.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK data protection regulator — at ico.org.uk or by calling 0303 123 1113. For EU residents, you may contact your local supervisory authority.
11.1 California residents — CCPA / CPRA rights
If you are a resident of California, USA, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you additional rights over your personal data:
- Right to know — Request details of the categories and specific pieces of personal information we have collected, the sources, purposes, and categories of third parties with whom it is shared.
- Right to delete — Request deletion of personal information we have collected, subject to certain exceptions.
- Right to opt out of sale or sharing — Taskra does not sell or share personal information for cross-context behavioural advertising. No opt-out mechanism is required, but you may contact us to confirm.
- Right to correct — Request correction of inaccurate personal information.
- Right to limit use of sensitive personal information — We do not collect or use sensitive personal information beyond what is necessary to provide the service.
- Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA / CPRA rights.
To exercise any California privacy rights, contact us at hello@taskra.ai. We will verify your identity and respond within 45 days (with an extension to 90 days where necessary).
12International Data Transfers
Taskra is based in the United Kingdom. Some of our sub-processors are based in the United States (including Anthropic, Shopify, and our email delivery provider). When we transfer personal data outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — incorporated into our Data Processing Addendum with Anthropic and other US-based sub-processors, as approved by the European Commission and adopted by the ICO for UK transfers
- UK International Data Transfer Agreements (IDTAs) — where required for UK-specific transfers
- Adequacy decisions — where the destination country has been deemed adequate by the UK or EU
You may request a copy of the transfer safeguards we rely on by contacting hello@taskra.ai.
13Children's Privacy
Taskra is a business-to-business service intended for adults aged 18 and over. We do not knowingly collect personal data from children under the age of 13 (or under 16 in the EEA). If you believe a child has provided us with personal data, please contact hello@taskra.ai and we will delete it promptly.
14Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes — particularly changes that affect how we process your personal data or your customers' data — we will notify you by:
- Email to the address registered on your Taskra account, at least 14 days before the change takes effect
- A notice in the Taskra dashboard
Minor changes (such as clarifications or corrections) will be updated here without advance notice. The "Effective date" at the top of this page will always reflect the date of the current version. We recommend reviewing this page periodically.
Your continued use of Taskra after a material change takes effect constitutes your acceptance of the updated policy.
15Contact Us
For any privacy-related questions, data subject requests, or concerns about how we handle your data, please contact our data protection team:
Data Protection Team
We aim to respond to all privacy enquiries within 5 working days, and all formal data subject requests within 30 days.