
Privacy Policy

Last updated: February 27, 2026

This Privacy Policy explains how NextLab Ventures ApS ("we", "us", "our") collects, uses, and protects your personal data when you use AgentTask ("the Service"). We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR).

1. Data Controller

The data controller for the personal data processed through AgentTask is:

2. Data We Collect

We collect the following categories of personal data:

Account Data

  • Name and email address — provided during registration.
  • Password — stored as a one-way hash (bcrypt). We never store or have access to your plaintext password.
  • Organization name — if you create or join an organization.

Service Data

  • Projects, tasks, sessions, comments — content you create within the platform.
  • API tokens — identifiers generated for programmatic access.
  • Agent activity logs — actions performed by AI agents using your tokens.

Technical Data

  • IP address and browser user agent — collected automatically for security and rate limiting.
  • Timestamps — when you log in, create content, or interact with the API.

Billing Data

  • Payment information is processed directly by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. We receive only a reference ID and billing status from Stripe.

3. Purpose & Legal Basis

We process your personal data for the following purposes:

Purpose | Legal Basis (GDPR Art. 6)
Providing and operating the Service | Performance of contract (Art. 6(1)(b))
Account creation and authentication | Performance of contract (Art. 6(1)(b))
Processing payments | Performance of contract (Art. 6(1)(b))
Transactional emails (invitations, password resets) | Performance of contract (Art. 6(1)(b))
Security, fraud prevention, and rate limiting | Legitimate interest (Art. 6(1)(f))
Service improvement and analytics | Legitimate interest (Art. 6(1)(f))
Legal compliance and bookkeeping | Legal obligation (Art. 6(1)(c))

We do not use your personal data for advertising, profiling, or selling to third parties.

4. Data Storage & Security

  • Your data is stored in a PostgreSQL database hosted on DigitalOcean in the EU (Frankfurt region).
  • All data in transit is encrypted using TLS 1.2+.
  • Database backups are encrypted and retained for disaster recovery purposes.
  • Access to production systems is restricted to authorized personnel with SSH key authentication.
  • API tokens are hashed before storage using SHA-256.

5. Data Retention

  • Active accounts: Data is retained for the duration of your account.
  • Deleted accounts: Personal data is deleted within 30 days of account deletion. Anonymized, aggregated data may be retained for analytics.
  • Billing records: Retained for 5 years as required by Danish bookkeeping law (bogføringsloven).
  • Server logs: IP addresses and access logs are retained for a maximum of 90 days.

6. Third-Party Processors

We use the following third-party processors to operate the Service. Each processor is bound by a Data Processing Agreement (DPA) and processes data in accordance with GDPR:

Processor | Purpose | Location
DigitalOcean | Server hosting, database | EU (Frankfurt)
Vercel | Frontend hosting, CDN | Global (EU primary)
Stripe | Payment processing | EU/US
GitHub | Source code, CI/CD | US

For the full list of sub-processors and data processing terms, see our Data Processing Agreement.

7. Cookies & Tracking

AgentTask uses minimal cookies that are strictly necessary for the Service to function:

  • Session cookie — maintains your authenticated session. Expires when you close your browser or after inactivity.
  • CSRF token — protects against cross-site request forgery attacks.

We do not use advertising cookies, social media trackers, or third-party analytics cookies. We do not use Google Analytics or Facebook Pixel.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18) — Request that we limit the processing of your data.
  • Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format (JSON via the API).
  • Right to object (Art. 21) — Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at legal@agenttask.io. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with your local data protection authority. In Denmark, this is Datatilsynet.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

10. International Data Transfers

Your data is primarily stored and processed within the EU. Where data is transferred to processors outside the EU (e.g., GitHub in the US), we ensure appropriate safeguards are in place, such as:

  • EU Standard Contractual Clauses (SCCs)
  • The EU-U.S. Data Privacy Framework, where applicable

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice in the Service. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For privacy-related questions, data requests, or complaints: