Our privacy promise
Your content is encrypted in transit and at rest, using per-organization keys wrapped by AWS KMS. We never use your content to train AI models — our AI provider is configured for no training and short retention.
Our support team cannot read your content. We've designed admin access to make that technically impossible, not just forbidden — the database denies content reads to the admin role, and our cloud IAM denies the encryption key to the admin principal.
We're not end-to-end encrypted, and we want to be honest about that. End-to-end encryption would cost you search, AI assistance, reliable cross-device sync, and account recovery — tradeoffs we don't think most people want for a to-do list. If E2E is a hard requirement for you, Signal and Proton Drive are better fits.
1. What we collect
1.1 Account information
When you create an account we collect your email address, a securely hashed password (or an OAuth identifier if you sign in with Apple or Google), and the time-based one-time password (TOTP) secret you enroll for second-factor authentication. We do not collect or send SMS one-time codes.
1.2 Content you create
Crosstask stores the lists, tasks, subtasks, notes, comments, reminders, version snapshots, and attachments you create. Note, comment, reminder message, and version snapshot content is envelope-encrypted with a per-organization key (see Section 3). Attachments are stored in object storage and are never sent to AI providers.
1.3 Device and usage data
We collect minimal telemetry necessary to operate the service: device push tokens (to deliver notifications), per-request metadata for our AI gateway (model, token count, cost — never the prompt body itself), error reports without content, and standard web server logs (IP, user agent, request path, response time) with 30-day retention.
1.4 Payment information
Subscription purchases are processed by Apple (App Store) or Stripe (Windows / web). Crosstask receives a customer identifier and entitlement status from RevenueCat. We do not see or store your payment card details.
2. How we use your data
- To run the service: sync your content across your devices, deliver notifications, render shared lists.
- To bill subscriptions: grant entitlements based on the receipt your store provides.
- For opt-in AI features: when you trigger an AI action, the relevant text within the action's scope (titles, notes, comments) is sent to our AI provider. AI is off by default; you enable it explicitly and can turn it off in Settings → AI.
- To meet legal obligations: respond to lawful subpoenas, prevent abuse, retain a metadata-only deletion log for compliance.
We do not sell your data. We do not display advertising in the app.
3. Encryption
3.1 In transit
All traffic between your device and our servers uses TLS 1.3. We use Cloudflare for DNS only — there is no Worker-proxy intercepting your traffic in our v1 stack.
3.2 At rest
Our database storage is AES-256 encrypted at the disk layer.
Above that, the columns containing your content —
tasks.notes, task_comments.body,
task_reminders.message, list_versions.snapshot,
and task_versions.snapshot — are envelope-encrypted
with a per-organization data encryption key (DEK). Each DEK is
wrapped by a key-encryption key (KEK) held in AWS KMS in
us-west-2.
3.3 Access controls
- Postgres Row-Level Security on every user-data table with
FORCE ROW LEVEL SECURITY. - Direct database writes are revoked for client roles; all mutations flow through
SECURITY DEFINERfunctions that validate the caller's identity. - The admin database role has
REVOKE SELECTon content columns. - The admin IAM principal on AWS denies
kms:Decryptagainst the KEK.
Both controls are independent. One failing does not unlock content access — the other still blocks decryption.
4. AI features
Crosstask offers four optional AI helpers: natural-language quick-add, breaking a task into subtasks, rewriting notes, and summarizing discussions. AI is opt-in and off by default.
When you enable AI and trigger an action, the relevant text within that action's scope is sent directly to Anthropic's API. Attachments are never sent. Under Anthropic's default API terms, prompts are not used to train models; they may be retained for up to 30 days for abuse monitoring. Crosstask is enrolling in Anthropic's Zero Data Retention (ZDR) program; until that enrollment is approved, the 30-day retention applies.
Crosstask does not log AI prompts beyond per-request metrics (model, token count, cost, fields sent). You can turn AI off at any time in Settings → AI.
5. Retention and deletion
5.1 Version history
We keep a rolling window of edits so you can undo or compare. Free tier: 7 days. Pro tier: 30 days. Snapshots are encrypted with the same per-organization key as your live content.
5.2 Account deletion
You can delete your account at any time from Settings → Account → Delete account. Deletion is 30-day reversible — signing back in within that window cancels the deletion.
After 30 days we crypto-shred: the wrapped data encryption key is dropped from the database, which makes all encrypted content permanently unrecoverable, even from backups. A metadata-only record (account ID and deletion timestamp, no content) is retained for 7 years for compliance.
See Account deletion for step-by-step instructions.
5.3 Backups
We use Supabase Point-In-Time Recovery (7-day retention). Post-GA we will also take weekly archival snapshots to S3 with 90-day retention. Both inherit the same envelope-encryption at rest. Deleted accounts cannot be recovered from any backup after crypto-shred — the wrapped key is gone from every copy within the rotation window.
6. Sharing
Lists you share with another Crosstask user are decrypted in that user's client just like your own content. Public share links (where you generate a read-only link for a list) render the list server-side, which means our servers decrypt the relevant content for that request. The user who created the link controls when to revoke it.
7. Subprocessors
Crosstask uses the following processors to run the service:
| Processor | Purpose | Region |
|---|---|---|
| Supabase | Database, auth, edge functions, storage | us-west-2 |
| AWS (KMS, S3) | Key management, backup archival | us-west-2 |
| Cloudflare | DNS, bot mitigation (Turnstile) | Global |
| Anthropic | AI model inference (opt-in) | United States |
| RevenueCat | Subscription receipt verification | United States |
| Apple | App Store billing, Sign in with Apple | United States |
| Stripe | Subscription billing (Windows / web) | United States |
| Apple APNs | Push notification delivery | Global |
8. Children
Crosstask is not directed at children under 13 (or the equivalent minimum age in your jurisdiction) and we do not knowingly collect information from them. If you believe a child has provided information, contact privacy@crosstask.app and we will delete it.
9. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete the personal information we hold about you, and to object to certain processing. You can exercise these rights from within the app (Settings → Account) or by emailing privacy@crosstask.app. We respond within 30 days.
10. International transfers
Our servers are in the United States (Oregon). If you use Crosstask from outside the US, your information will be transferred to and processed in the US.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced in-app at least 14 days before they take effect. Privacy promises (encryption, AI training, admin access) are not downgraded without a separate user notification.
12. Contact
Privacy questions: privacy@crosstask.app
Security disclosures: security@crosstask.app