Privacy Policy

1. Introduction

This Privacy Policy explains how VAMS LABS LLP ("we", "us", "our"), operating under the brand name Q-Kanban, collects, uses, stores, and protects your personal data when you use our task management platform available at tasks.qrowd.in (the "Service").

VAMS LABS LLP is a Limited Liability Partnership registered in Rajasthan, India. By using the Service, you consent to the practices described in this Privacy Policy in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and other applicable Indian laws.

2. Data We Collect

2.1 Information You Provide

• Account Information: Name, email address, and profile picture when you create an account.
• Organization Data: Organization name, logo, and team structure.
• Task and Work Data: Tasks, milestones, comments, descriptions, tags, dates, priorities, and assignments you create within the Service.
• Client Data: Names, email addresses, phone numbers, and company names of clients you add to the platform.
• File Uploads: Documents and images you attach to tasks (limited to PDF, JPEG, PNG, GIF, WebP, and SVG formats, maximum 5 MB per file).
• Communication Data: Comments, mentions, and other content you post within the Service.

2.2 Information Collected Automatically

• Session Data: IP address and user agent (browser and device information) collected for security and fraud prevention purposes.
• Activity Logs: Records of actions you perform within the Service, including task creation, status changes, assignments, and comments, for audit and accountability purposes.
• Usage Analytics: Anonymized product usage events (such as task creation and sign-in events) collected through PostHog analytics to improve the Service.

3. Legal Basis for Processing

We process your personal data based on your informed consent, which you provide at the time of account creation. By creating an account and accepting this Privacy Policy, you consent to the collection, processing, and storage of your personal data as described herein, including the use of analytics to improve the Service.

You may withdraw your consent at any time by requesting account deletion as described in Section 9 of this policy. Withdrawal of consent will result in termination of your access to the Service.

4. How We Use Your Data

• To provide, maintain, and improve the Service, including task management, collaboration, and notification features.
• To authenticate your identity and manage your account and sessions.
• To send transactional emails, including email verification, organization invitations, task assignments, deadline reminders, and mention notifications.
• To detect, prevent, and address security threats, fraud, and unauthorized access.
• To generate anonymized, aggregated insights for product improvement, analytics, and benchmarking. Such aggregated data will not identify you or your organization.
• To comply with applicable laws and respond to lawful requests from authorities.

5. Cookies and Tracking

We use the following cookies:

• Session Cookie (better-auth.session_token): Essential for authentication and session management. This cookie is required to use the Service.
• Sidebar State Cookie: Stores your UI preference for sidebar visibility. This is a functional cookie that enhances your experience.
• Analytics (PostHog): We use PostHog to collect anonymized usage data to improve the Service. By consenting to this Privacy Policy at signup, you consent to analytics tracking. PostHog data is sent to servers in the European Union.
• Session Replays: We may record anonymized session replays with sensitive inputs masked to diagnose issues and improve the user experience. These recordings capture page interactions but do not capture passwords, payment details, or other sensitive form inputs.

6. Third-Party Data Processors

We share your data with the following categories of third-party service providers who process data on our behalf:

• Analytics Provider: For product usage analytics (data processed in the EU).
• Email Service Provider: For delivering transactional emails (data processed in the US).
• Cloud Storage Provider: For storing file attachments you upload.
• Infrastructure Provider: For rate limiting and platform reliability.
• Payment Processor: For processing subscription payments. We do not store your payment card details; these are handled entirely by our payment processor.

A complete, up-to-date list of our sub-processors is maintained on a separate page.

7. Cross-Border Data Transfers

Your personal data is primarily stored in our database hosted in Singapore. In the course of providing the Service, your data may be transferred to and processed in the following jurisdictions:

• European Union: Analytics data processed by our analytics provider.
• United States: Transactional emails processed by our email service provider.
• Global: File storage and infrastructure services distributed across multiple regions.

These transfers are made in accordance with applicable data protection laws, and we ensure that our processors maintain appropriate security standards.

8. Data Retention

• Session Data (IP address, user agent): Retained for 90 days after session expiry, then permanently deleted.
• Account and Work Data: Retained for the duration of your active account.
• Post-Cancellation: Upon account cancellation or organization deletion, your data is retained for 90 days to allow for recovery, after which it is permanently deleted.
• File Attachments: Deleted files are soft-deleted and permanently removed from storage through periodic cleanup processes.
• Email Delivery Records: Retained for operational purposes and periodically purged.

9. Your Rights

Under the DPDP Act, 2023, you have the following rights regarding your personal data:

• Right to Access: You may request information about the personal data we hold about you.
• Right to Correction: You may request correction of inaccurate or incomplete personal data.
• Right to Erasure: You may request deletion of your personal data. We will process deletion requests within 30 days. To request deletion, contact us at [email protected].
• Right to Withdraw Consent: You may withdraw your consent at any time by requesting account deletion. Withdrawal will result in termination of your access to the Service.
• Right to Grievance Redressal: You may raise concerns with our Grievance Officer (see Section 13).

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted data transmission (HTTPS/TLS).
• Cryptographically secure session tokens for authentication.
• Multi-tenant data isolation ensuring organizational data separation.
• Security headers including clickjacking protection, MIME sniffing prevention, and referrer policy enforcement.
• Rate limiting to prevent abuse and unauthorized access attempts.
• File upload validation to prevent malicious file uploads.
• Invite-only registration during beta to control access.

11. Data Breach Notification

In the event of a personal data breach, we will notify the Data Protection Board of India as required under the DPDP Act. We also commit to notifying affected users within 72 hours of becoming aware of a breach, providing details of the nature of the breach, the data affected, and the remedial measures taken.

12. Children's Data

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from persons under 18 years of age. If we become aware that we have collected personal data from a person under 18, we will take steps to delete such data promptly. If you believe a minor has provided us with personal data, please contact us at [email protected].

13. Grievance Officer

In accordance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed the following Grievance Officer:

14. Client Data Responsibility

When you enter information about your clients (including their names, email addresses, phone numbers, and company details) into the Service, you act as the Data Fiduciary for that data under the DPDP Act. You are responsible for obtaining appropriate consent from your clients before entering their personal data into the Service. We process such client data solely on your behalf as a Data Processor.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.

16. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at: