Privacy Policy
Last updated: March 22, 2026
TaskPilot is an open-source tool that connects AI coding agents to task boards. We take your privacy seriously. This policy explains what data we collect, why, how it's stored, and your rights regarding it.
Information We Collect
Account Information
When you register, we collect your name, email address, and password. Your password is hashed using bcrypt before storage and is never stored in plaintext.
OAuth Tokens
When you connect Trello, GitHub, or GitLab, we store the OAuth access token (and refresh token for GitLab) returned by the provider. These tokens are stored server-side in the database and are never sent to your browser. They are used solely to interact with the respective APIs on your behalf.
AI Provider API Keys
You provide your own API keys for Anthropic (Claude), OpenAI, or Groq. Each key is encrypted at rest using AES-256-GCM before being stored in the database. Keys are decrypted only at the moment an AI session is launched and are never returned to your browser.
Session History
When you run an AI session, we store a record including: the task source and board/repo name, the AI provider used, session mode, status, token counts, cost (in cents), start/end timestamps, and a log of session events (messages, tool calls, task completions). This data is used to power the History and Analytics pages.
User Settings
We store your preferences including monthly budget limit, budget alert threshold, and PR automation configuration.
Client-Side Storage
The following data is stored in your browser's localStorage and is never sent to our servers:
- Sidebar collapse state
- Theme preference (light/dark/auto)
- List of seen update notifications
- Cookie consent status
How We Use Your Information
We use the information we collect to:
- Authenticate you and maintain your session
- Interact with Trello, GitHub, and GitLab APIs on your behalf
- Launch AI coding sessions using your own API keys
- Display your session history and cost analytics
- Enforce budget limits you configure
- Create pull requests and merge requests when configured
We do not use your data for advertising, profiling, or any purpose unrelated to providing the TaskPilot service.
Data Storage & Security
All data is stored in a Turso (cloud SQLite) database. Data is encrypted in transit and at rest by the hosting provider.
- Passwords are hashed with bcrypt (never stored in plaintext)
- AI API keys are encrypted with AES-256-GCM using a server-side encryption key
- OAuth tokens are stored server-side and never exposed to the client
- Session cookies are HTTP-only and signed with a secret key
Third-Party Services
TaskPilot integrates with third-party services that have their own privacy policies:
- Trello (Atlassian) — for reading boards, cards, and checklists
- GitHub — for reading issues, creating branches, commits, and pull requests
- GitLab — for reading issues, creating branches, commits, and merge requests
- Anthropic, OpenAI, Groq — for AI model inference (using your own API keys)
- Turso — for database hosting
We send only the minimum data required to each service. Your code and task content are sent to the AI provider you select during a session, using your own API key.
Data Retention
Your data is retained for as long as your account exists. If you delete your account, all associated data — including session history, API keys, OAuth tokens, and settings — is permanently deleted. There is no backup retention period.
Session event logs may be large. You can delete individual sessions from the History page at any time.
Your Rights
You have the right to:
- Access your data — your settings, session history, and connected accounts are all visible in the app
- Delete your data — remove API keys, disconnect OAuth accounts, delete sessions, or delete your entire account
- Export your data — session history is viewable in-app and the project is open source
- Withdraw consent — disconnect any integration or remove your API key at any time from Settings
Cookies
TaskPilot uses a single essential cookie for authentication. We do not use any tracking, analytics, or advertising cookies.
For full details, see our Cookie Policy.
Contact
If you have questions about this privacy policy, please open an issue on GitHub.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.