Privacy Policy

Last updated: March 2026

PrTask is committed to protecting your privacy and personal data. This Privacy Policy explains how PrTask collects, uses, shares, and protects your personal information when you use our platform. This policy applies to all users worldwide and addresses the specific requirements of data protection laws in the European Union, United Kingdom, California (USA), Philippines, Canada, Brazil, Japan, Singapore, Thailand, South Africa, Australia, India, South Korea, China, and New Zealand.

1. Data Controller

PrTask is the data controller responsible for your personal data. Our Data Protection Officer (DPO) can be reached at dpo@prtask.com. For general privacy inquiries, contact privacy@prtask.com. Our registered address is available on our Contact page. If you are located in the EU and PrTask does not have an EU establishment, we will appoint an EU representative as required by Article 27 of the GDPR.

2. Information We Collect

PrTask collects the following categories of personal data: (a) Account information: when you sign in with a supported SSO provider (GitHub, Google, Microsoft, Okta), we collect your username, display name, email address, and avatar URL; (b) Payment data: when you initiate or receive a payment, our payment provider processes payment details directly; developers provide their preferred payout method details; (c) Platform activity: task and pull request activity, code reviews, comments, and leaderboard participation; (d) Technical data: IP address, browser type, operating system, device information, and approximate geolocation derived from IP address; (e) KYC verification data: government-issued identification and selfie verification processed by our identity verification provider; (f) Tax information: tax identification numbers (W-9/W-8BEN) collected for tax compliance purposes.

CCPA Data Categories

Under the California Consumer Privacy Act, the categories of personal information we have collected in the past 12 months include: identifiers (name, email address, username, IP address); commercial information (transaction history, bounty payments); internet or electronic network activity (browsing history on PrTask, feature usage, log data); professional information (GitHub profile, portfolio, skills); and geolocation data (approximate location derived from IP address). We do not collect sensitive personal information as defined by the CCPA. We do not sell or share your personal information with third parties for cross-context behavioral advertising purposes.

3. How We Use Your Information

We use your information to operate the PrTask platform, process bounty payments, display public leaderboard profiles and achievement badges, communicate with you about task status and payments, and prevent fraud or abuse.

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data under the following lawful bases: (a) Contract performance: processing necessary to fulfill our contract with you, including account management, payment processing, and platform operation; (b) Legitimate interest: processing necessary for our legitimate interests, including fraud prevention, platform security, and service improvement, where these interests are not overridden by your rights; (c) Consent: where you have given specific consent for processing, such as marketing communications and non-essential cookies; (d) Legal obligation: processing necessary to comply with applicable laws, including tax reporting, AML compliance, and data breach notification requirements. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

5. Information Sharing

We share your information with the following categories of recipients: (a) Payment processors (including Maya Business and Stripe) for payment processing and developer payouts; (b) Identity verification providers for KYC compliance; (c) GitHub for authentication and repository integration; (d) Cloudflare for hosting, CDN, and security services; (e) Tax authorities when required by law (IRS, BIR, EU tax authorities under DAC7). Your public profile (username, badges, completed tasks) is visible on the leaderboard. We do not sell your personal data to third parties. We do not share your data with third parties for cross-context behavioral advertising. We may disclose information if required by applicable law, a valid court order, or to protect the safety and rights of PrTask and its users.

6. Payment Data

All client payment card data is handled exclusively by our payment provider. PrTask never stores credit card numbers or CVVs on our servers. Developer payout details are stored securely and shared only with the chosen payout provider. Transaction records (amount, status, date) are retained for accounting purposes.

7. Data Retention

Account data is retained while your account is active. After account deletion, we retain: transaction records for 5 years as required by applicable tax regulations and AML record-keeping requirements; breach records for 24 months as required by PIPEDA; KYC verification records for 5 years as required by anti-money laundering laws. Anonymized and aggregated usage statistics may be retained indefinitely. We will delete or anonymize your personal data when it is no longer needed for the purpose for which it was collected, unless retention is required by law. You may request deletion of your data at any time, subject to these legal retention requirements.

8. Data Security

We use HTTPS encryption for all communications, GitHub OAuth tokens with minimal required scopes, and industry-standard security practices. However, no system is perfectly secure. Report vulnerabilities to security at prtask.com.

9. Your Data Rights

You have the right to access your personal data held by PrTask, correct inaccurate or incomplete data, request deletion of your data (subject to legal retention requirements), and object to processing of your data.

10. GDPR Compliance

If you are located in the European Economic Area (EEA), your personal data is protected under the General Data Protection Regulation (EU) 2016/679 (GDPR). PrTask processes your data under the lawful bases of contract performance, legitimate interest, consent, and legal obligation as detailed in Section 4 above. PrTask implements privacy by design and by default (Article 25), maintains Records of Processing Activities (Article 30), and conducts Data Protection Impact Assessments for high-risk processing. PrTask recognizes and responds to Global Privacy Control (GPC) signals. As an EU data subject, you have the right to:

• Access a copy of all personal data we hold about you
• Rectify inaccurate or incomplete personal data
• Erase your personal data (right to be forgotten), subject to legal retention obligations
• Restrict processing of your personal data in certain circumstances
• Data portability: receive your data in a structured, machine-readable format
• Object to processing based on legitimate interests, including profiling
• Withdraw consent at any time where processing is based on consent
• Lodge a complaint with your local supervisory authority

To exercise any of these rights, contact our Data Protection Officer at dpo@prtask.com. We will respond within 30 days as required by the GDPR. PrTask recognizes and responds to the Global Privacy Control (GPC) signal as a valid opt-out request.

11. UK GDPR and Data Protection Act 2018

If you are located in the United Kingdom, your personal data is protected under the UK GDPR and the Data Protection Act 2018, enforced by the Information Commissioner's Office (ICO). You have the same rights as EU data subjects listed above, adapted to UK law. PrTask maintains a lawful basis for processing UK residents' data and implements appropriate technical and organizational security measures. If PrTask does not have a UK establishment, we will appoint a UK representative as required. To exercise your rights or file a complaint, contact our DPO at dpo@prtask.com or the ICO at ico.org.uk.

12. CCPA Compliance

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights regarding your personal information. PrTask does not sell or share your personal information with third parties for cross-context behavioral advertising. PrTask provides the mandatory eleven disclosures required by the CCPA in this policy, including a 12-month lookback on data categories collected. Under the CCPA/CPRA, you have the right to:

• Know what personal information we collect, use, and disclose about you, including a 12-month lookback
• Request deletion of your personal information, subject to legal exceptions
• Opt out of the sale or sharing of your personal information (PrTask does not sell personal information)
• Non-discrimination for exercising your CCPA/CPRA rights
• Limit the use of sensitive personal information (PrTask does not collect sensitive personal information as defined by CCPA)

To submit a CCPA/CPRA request, email privacy@prtask.com with the subject line "CCPA Request." We will verify your identity before processing the request and respond within 45 days. PrTask honors Global Privacy Control (GPC) signals as a valid opt-out of the sale or sharing of personal information.

13. Philippines Data Privacy Act (RA 10173)

If you are a Philippine citizen or resident, your personal data is protected under Republic Act No. 10173 (Data Privacy Act of 2012), enforced by the National Privacy Commission (NPC). PrTask complies with the principles of transparency, legitimate purpose, and proportionality. You have the right to: be informed of the purpose and extent of processing; access your personal data; object to processing; erasure or blocking of personal data; rectify inaccurate data; file a complaint with the NPC; and claim damages for unauthorized processing. PrTask has appointed a Data Protection Officer and will register with the NPC as required for entities processing sensitive personal information. Contact our DPO at dpo@prtask.com to exercise your rights.

14. Brazil LGPD

If you are located in Brazil, your personal data is protected under the Lei Geral de Protecao de Dados (LGPD), enforced by the ANPD. PrTask processes your data under lawful bases including consent, contract performance, and legitimate interest. You have the right to: confirmation of data processing; access your data; correct incomplete or inaccurate data; anonymize, block, or delete unnecessary data; data portability; information about sharing with third parties; information about consent withdrawal; and revoke consent at any time. PrTask will respond to data subject requests within 15 days. Contact our DPO at dpo@prtask.com to exercise your LGPD rights.

15. Canada PIPEDA

If you are a Canadian resident, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA), enforced by the Office of the Privacy Commissioner of Canada (OPC). PrTask adheres to the ten Fair Information Principles: accountability, identifying purposes, consent, limiting collection, limiting use and disclosure, accuracy, safeguards, openness, individual access, and challenging compliance. You have the right to access your personal information and challenge its accuracy. PrTask will respond to access requests within 30 days. Contact privacy@prtask.com to exercise your rights or file a complaint.

16. Japan APPI

If you are located in Japan, your personal information is protected under the Act on the Protection of Personal Information (APPI), enforced by the Personal Information Protection Commission (PPC). PrTask publishes the purpose of data use, implements cybersecurity and physical safeguards, and provides an opt-out mechanism for third-party data sharing. We will notify the PPC and affected individuals in the event of a data breach. You have the right to request disclosure, correction, cessation of use, and deletion of your personal information. Contact dpo@prtask.com to exercise your rights.

17. Singapore PDPA

If you are located in Singapore, your personal data is protected under the Personal Data Protection Act 2012 (PDPA), enforced by the Personal Data Protection Commission (PDPC). PrTask has appointed a Data Protection Officer whose contact information is publicly available. You have the right to access and correct your personal data within 30 days. PrTask will notify the PDPC of any data breach that is likely to result in significant harm or is of a significant scale. We retain your personal data only as long as necessary for the purpose for which it was collected. Contact dpo@prtask.com to exercise your rights.

18. Thailand PDPA

If you are located in Thailand, your personal data is protected under the Personal Data Protection Act B.E. 2562 (PDPA), enforced by the Personal Data Protection Committee (PDPC). PrTask obtains consent before collecting, using, or disclosing your personal data. You have the right to: access your data; obtain a copy in a readable format; object to processing; request erasure or destruction; request suspension of use; and withdraw consent. PrTask implements appropriate security safeguards and conducts regular audits. Contact dpo@prtask.com to exercise your rights.

19. South Africa POPIA

If you are located in South Africa, your personal information is protected under the Protection of Personal Information Act (POPIA), enforced by the Information Regulator. PrTask complies with the eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. You have the right to access, correct, and delete your personal information. PrTask will notify the Information Regulator and affected individuals of any security compromise as soon as reasonably possible. Contact dpo@prtask.com to exercise your rights.

20. Australia Privacy Act 1988

If you are located in Australia, your personal information is protected under the Privacy Act 1988 and the Australian Privacy Principles (APPs), enforced by the Office of the Australian Information Commissioner (OAIC). PrTask maintains an up-to-date privacy policy and participates in the Notifiable Data Breaches scheme. You have the right to access and correct your personal information. PrTask does not use automated decision-making that significantly affects you without disclosure. PrTask complies with AI disclosure requirements effective December 2026. Contact privacy@prtask.com to exercise your rights or file a complaint with the OAIC.

21. India DPDP Act 2023

If you are located in India, your digital personal data is protected under the Digital Personal Data Protection Act 2023 (DPDP), enforced by the Data Protection Board of India. PrTask obtains your consent through clear affirmative action before processing your data. You have the right to: access a summary of your personal data and processing activities; correct and update your data; erase your data; nominate another person to exercise your rights; and file a grievance. PrTask maintains a grievance redressal mechanism and will respond to your requests promptly. Contact dpo@prtask.com to exercise your rights or file a grievance.

22. South Korea PIPA

If you are located in South Korea, your personal information is protected under the Personal Information Protection Act (PIPA), enforced by the Personal Information Protection Commission (PIPC). PrTask obtains truly voluntary consent (not bundled or coercive) for data processing. You have the right to: access your data; correct inaccurate data; request suspension of processing; request deletion; and data portability in a secure machine-readable format (effective March 2025). PrTask provides transparency on algorithmic processes and user profiling. If PrTask does not have a domestic establishment, we will appoint a domestic representative as required. Contact dpo@prtask.com to exercise your rights.

23. China PIPL

If you are located in China, your personal information is protected under the Personal Information Protection Law (PIPL), enforced by the Cyberspace Administration of China (CAC). PrTask does not bundle consent for multiple processing purposes and obtains separate consent for sensitive personal information. You have the right to: know about and decide on processing; restrict or refuse processing; access and copy your data; data portability; correct inaccurate data; request deletion; and request an explanation of processing rules. PrTask conducts Personal Information Protection Impact Assessments as required. Contact dpo@prtask.com to exercise your rights.

24. New Zealand Privacy Act 2020

If you are located in New Zealand, your personal information is protected under the Privacy Act 2020, enforced by the Office of the Privacy Commissioner. PrTask complies with the 13 Information Privacy Principles. You have the right to access and correct your personal information. PrTask will notify the Privacy Commissioner and affected individuals within 72 hours of any breach that causes or is likely to cause serious harm. PrTask complies with cross-border disclosure restrictions. Contact privacy@prtask.com to exercise your rights or file a complaint with the Privacy Commissioner.

25. International Data Transfers

PrTask servers are hosted via Cloudflare and your data may be processed in multiple jurisdictions. For transfers of personal data from the EEA, UK, or other jurisdictions with data transfer restrictions, PrTask implements appropriate safeguards including: Standard Contractual Clauses (SCCs) approved by the European Commission; UK International Data Transfer Agreement or Addendum where applicable; adequacy decisions where the destination country has been deemed to provide adequate protection; and supplementary measures where required by transfer impact assessments. PrTask does not transfer data to countries without adequate safeguards in place. You may request a copy of the safeguards used for international transfers by contacting dpo@prtask.com.

26. Children's Privacy

PrTask is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us for removal.

27. Data Breach Notification

PrTask maintains a comprehensive data breach response plan. In the event of a personal data breach: (a) GDPR: PrTask will notify the relevant supervisory authority within 72 hours and affected individuals when the breach is likely to result in a high risk to their rights and freedoms; (b) Philippines RA 10173: PrTask will notify the National Privacy Commission (NPC) and affected individuals within 72 hours; (c) New Zealand: notification to the Privacy Commissioner and affected individuals within 72 hours for breaches likely to cause serious harm; (d) CCPA: notification to affected California residents within the timeframe required by law; (e) All jurisdictions: PrTask will document the breach, conduct a forensic investigation, implement containment measures, notify affected users with a description of the breach, the types of data involved, and recommended protective measures, and conduct a post-incident review. Our Data Protection Officer serves as the primary breach response coordinator. Contact dpo@prtask.com for data breach concerns.

28. Cookies and Tracking Technologies

PrTask uses cookies and similar technologies as described in our Cookie Policy. Essential cookies are required for platform operation. Analytics and marketing cookies require your opt-in consent in the EU, UK, and other jurisdictions that mandate prior consent. You can manage your cookie preferences at any time. See our Cookie Policy for full details including a complete inventory of cookies used, their purposes, and retention periods.

29. Automated Decision-Making and Profiling

PrTask does not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on users. If PrTask introduces such processing in the future, we will provide meaningful information about the logic involved, the significance, and the envisaged consequences, and will ensure that you have the right to obtain human intervention, express your point of view, and contest the decision, as required by GDPR Article 22 and equivalent provisions in other jurisdictions.

30. Do Not Sell or Share My Personal Information

PrTask does not sell your personal information to third parties. PrTask does not share your personal information with third parties for cross-context behavioral advertising. If this practice changes in the future, PrTask will provide a prominent "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link as required by the CCPA/CPRA. PrTask honors Global Privacy Control (GPC) signals as a valid opt-out request.

31. Third-Party Services

PrTask integrates with third-party services including GitHub for authentication and repository integration, payment processors (including Maya Business) for transaction handling, Cloudflare for hosting and CDN, and identity verification providers for KYC compliance. Each third-party service operates under its own privacy policy. We only share the minimum data necessary for each integration to function. We maintain Data Processing Agreements (DPAs) with all third-party processors as required by GDPR and applicable data protection laws.

32. Changes to This Privacy Policy

PrTask may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform at least 30 days before taking effect. We review and update this policy at least annually. The "Last updated" date at the top of this policy indicates the most recent revision. Your continued use of PrTask after the effective date of changes constitutes acceptance of the updated policy. Previous versions of this policy are available upon request.

33. Contact

For privacy inquiries, data subject requests, or to exercise any of your rights under GDPR, CCPA, RA 10173, LGPD, or any other applicable data protection law, contact our Data Protection Officer at dpo@prtask.com. For general privacy inquiries, contact privacy@prtask.com. PrTask will respond to all data subject requests within the timeframe required by applicable law (30 days for GDPR, 45 days for CCPA, 15 days for LGPD, 30 days for PIPEDA/Singapore PDPA). You also have the right to lodge a complaint with the supervisory authority in your jurisdiction.