Legal

Privacy Policy

Effective date: May 14, 2026  ·  Last updated: May 14, 2026

1. Overview

Teamtastic ("Teamtastic", "we", "our", or "us") operates the team workspace available at app.teamtastic.net and the marketing website at teamtastic.net (collectively, the "Service").

This Privacy Policy explains what personal data we collect when you use Teamtastic, why we collect it, how we use and store it, and what controls you have over your information. By using the Service, you agree to the practices described here.

Teamtastic is a collaborative workspace for teams and individuals. Workspaces are invite-based: you join because a workspace owner created one and extended an invitation. Where a workspace is operated by an organization, that organization is the data controller for content created by its members; Teamtastic acts as a data processor for that content on the organization's behalf.

2. Who We Are

The Service is operated by Teamtastic. Our privacy contact is privacy@teamtastic.net. We will respond to privacy enquiries within 30 days.

3. Data We Collect

We collect data you provide directly, data generated by your use of the Service, and data from third-party services you connect.

3.1 Account and Profile Data

Your email address is required for authentication and notifications. Your name, profile picture, timezone, language, and work hours are optional and are used to personalise your experience for you and your teammates. If you provide an emergency contact (name and phone number), that information is visible only to users with a manager or owner role in your organization. Passwords for credential (email-and-password) accounts are hashed with bcrypt at a cost factor of 12 (commonly described as "12 rounds") and are never stored in plaintext.

3.2 Google Sign-In

If you sign in with Google, we store your Google account ID, email, and profile picture URL. This is used for authentication only. Teamtastic does not request Google Calendar, Gmail, or other Google Workspace scopes. You can revoke Teamtastic's access at any time from your Google Account settings.

3.3 Workspace Content

We store the content you and your teammates create within the Service, including tasks, messages, time-off requests, scheduled calls, and wiki pages. This content is stored in our database, hosted on Railway, and is accessible only to members of your organization with appropriate role-based permissions. File attachments are stored separately on Cloudflare R2 and served via time-limited signed URLs.

3.4 Technical and Usage Data

Sessions are managed with a JWT stored in an HttpOnly, Secure cookie and expire after 30 days. We log IP addresses and user-agent strings as part of normal infrastructure operation. JavaScript errors and performance traces are sent to Sentry and may include your user ID, email, and page state at the time of the error. Server-side logs contain timestamps, log levels, and service names; they do not include message content or file data. We also track a per-user daily count of AI tokens consumed to enforce usage limits.

3.5 Billing Data

Subscription billing is handled by Paddle (see Section 5). We store only the Paddle customer ID, subscription ID, status, price ID, and current billing period end date. We do not store payment card numbers or bank details; those remain with Paddle.

4. How We Use Your Data

We use the data described above to provide and improve the Service, which includes authenticating you, delivering notifications and emails, enforcing access controls, processing subscription changes, monitoring for errors, and generating AI-assisted content on your explicit request. We do not sell your data, use it for advertising, or train our own AI models on your content.

5. Third-Party Services

Sub-processors that handle data on our behalf include the following. Each has its own privacy practices.

  • Railway: hosts our database, which stores workspace content and account data (Section 3.3).
  • Cloudflare R2: stores file attachments, which are served via time-limited signed URLs (Section 3.3).
  • Sentry: error and performance monitoring; reports may include your user ID, email, and page state at the time of an error (Section 3.4).
  • Paddle: subscription billing; payment card numbers and bank details remain with Paddle, and we store only the identifiers listed in Section 3.5.
  • Anthropic: receives the minimum necessary context when you explicitly invoke an AI feature (Section 6).
  • Google: Google Sign-In for authentication (Section 3.2), and Google Analytics on the marketing site only (Section 7).

6. AI Features

Teamtastic includes optional AI features powered by the Anthropic Claude API. These features are never triggered automatically; they always require an explicit user action such as clicking "Draft with AI". When you use one, only the minimum necessary context (such as a task description or conversation excerpt) is sent to Anthropic's API over an encrypted connection. Anthropic does not use API inputs to train its models under its standard API terms. Each user has a daily token limit (default 50,000) that resets at midnight UTC; organizations can set this to zero to disable AI features entirely.

7. Cookies and Sessions

Product app (app.teamtastic.net)

When you use the Teamtastic application, we use a session cookie (an HttpOnly, Secure JWT that expires after 30 days), a short-lived CSRF token, and localStorage for your theme and locale preference. Sentry may set session cookies for error-replay sampling; these are functional and tied to error tracking.

Marketing site (teamtastic.net)

This public website uses Google Analytics to collect aggregate statistics (pages visited, approximate geography, device type). Google may set cookies such as _ga. We do not use advertising cookies or sell this data. You can block analytics with a browser extension, disable third-party cookies, or use Google's opt-out add-on. The product app does not load Google Analytics.

Questions: privacy@teamtastic.net.

8. Data Sharing

We share your data only in the circumstances below. We never sell, rent, or share your personal data for advertising or marketing.

  • Within your organization: members can see data appropriate to their role. Managers additionally have access to emergency contact info and leave balances. Owners have access to all organization data.
  • With sub-processors: the services listed in Section 5, solely to operate the Service.
  • Outbound webhooks: if your organization configures an outgoing webhook URL, task and time-off (PTO) event data is sent to that destination. Your organization controls this configuration and chooses the receiving endpoint; once delivered, that data is handled by the recipient you selected.
  • Legal obligations: if required by applicable law, court order, or governmental authority. We will notify you where legally permitted.
  • Business transfers: in the event of a merger, acquisition, or asset sale, your data may transfer to the acquiring entity, with reasonable notice to affected users.
  • With your consent: for any purpose not listed here.

9. Security

Our security measures include invite-only registration, bcrypt-hashed passwords, TLS encryption in transit, HttpOnly session cookies, role-based access controls on every endpoint, time-limited signed URLs for file downloads, HMAC-SHA256 signature verification on inbound webhooks, rate limiting on sensitive endpoints, and a full audit log for any super-admin impersonation. New credential accounts must verify their email address before accessing a workspace.

No system is completely secure. If you discover a vulnerability, please disclose it responsibly to security@teamtastic.net.

10. Data Retention

Data is retained for as long as your organization's account is active. When a member is removed, their profile data is kept to preserve task history and audit trails, but their login credentials are deactivated. When an organization owner requests workspace deletion, all associated data is permanently deleted within 30 days unless we are legally required to retain it. Session tokens expire after 30 days of inactivity. Server logs are kept for up to 90 days. Billing records are retained for 7 years for financial compliance purposes.

To request deletion of your data, contact your organization's Owner or email privacy@teamtastic.net.

11. Your Rights and Controls

You can update your profile, notification preferences, password, and quiet-hours settings at any time from the Settings page. If you signed in with Google, you can revoke Teamtastic's access from your Google Account settings. Any member can export their tasks as a CSV; managers can export a full organization ZIP including members, teams, tasks, leave requests, and wiki pages.

You may also contact us at privacy@teamtastic.net to request access to, correction of, deletion of, or a portable copy of your personal data, or to object to or restrict certain processing. We will respond within 30 days and may need to verify your identity first.

12. GDPR, CCPA, and International Transfers

European Economic Area (GDPR)

If you are in the EEA, UK, or Switzerland, our lawful bases for processing are: contract performance (core Service delivery), legitimate interests (security, error monitoring, and service improvement), consent (AI features and push notifications), and legal obligation (billing records). Data may be processed in the United States; where we transfer data internationally, we rely on Standard Contractual Clauses or equivalent mechanisms. You have the right to lodge a complaint with your local data protection authority.

California (CCPA / CPRA)

California residents may request disclosure of the personal information we collect, request deletion, and opt out of sale (we do not sell personal information). Contact us at privacy@teamtastic.net to exercise these rights.

13. Children's Privacy

Teamtastic is a professional workplace tool for individuals aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with data, contact privacy@teamtastic.net and we will delete it promptly.

14. Changes to This Policy

We may update this policy from time to time. Material changes will be announced via an in-app notification and, for changes that affect your rights, by email. The revised policy will be posted at teamtastic.net/privacy with a new effective date. Continued use of the Service after that date constitutes acceptance of the changes.

15. Contact Us

For privacy questions, rights requests, or concerns, email us at privacy@teamtastic.net. We aim to respond within 30 days.