Privacy Policy
This Privacy Policy explains how 1296869 Ontario Limited, operating as Artala ("Artala," "we," "us," or "our"), collects, uses, stores, and protects your personal information when you use the Artala platform (the "Service").
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
1. Data Controller
For the purposes of applicable data protection laws (including the EU General Data Protection Regulation and Canada's Personal Information Protection and Electronic Documents Act), the data controller is:
1296869 Ontario Limited, operating as Artala
Ontario, Canada
privacy@artala.app
When a workspace owner invites users and manages workspace data, Artala acts as a data processor on behalf of that workspace owner (the data controller for their organisation's data).
2. Information We Collect
Account Information. When you register, we collect your name, email address, and a password (stored as a cryptographic hash — we never store plaintext passwords). If you enable two-factor authentication, we store the associated TOTP secret.
Workspace and Project Data. Data you and your workspace members enter into the Service, including tasks, comments, attachments, timesheets, board configurations, custom fields, and any other content ("Customer Data"). Customer Data is owned by you as described in our Terms of Service.
Billing Information. Payment information (credit card numbers, billing addresses) is collected and processed directly by our payment processor, Stripe. We do not store credit card numbers on our servers. We may receive and store limited billing details from Stripe such as the last four digits of your card, card brand, and billing country for display in your account.
Usage and Technical Data. We collect information about how you interact with the Service, including browser type, device information, IP address, pages visited, and feature usage. This data is used to maintain and improve the Service.
Communications. If you contact us at support@artala.app, we retain the correspondence to respond to your inquiry and improve our support.
3. How We Use Your Information
We use your information for the following purposes:
- To provide, operate, and maintain the Service
- To process subscriptions and payments
- To send transactional emails (account verification, password resets, workspace invitations, task notifications, weekly digests)
- To provide AI-powered features (workspace assistant, task creation, playbook generation, digest summaries)
- To enforce our Terms of Service and protect against abuse
- To comply with legal obligations
We do not sell your personal information to third parties. We do not use Customer Data for advertising purposes.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal basis for processing your personal data depends on the context:
| Purpose | Legal Basis |
|---|---|
| Providing the Service and managing your account | Performance of a contract (Article 6(1)(b)) |
| Processing payments and tax compliance | Legal obligation (Article 6(1)(c)) |
| Sending transactional emails | Performance of a contract (Article 6(1)(b)) |
| Improving the Service and analytics | Legitimate interests (Article 6(1)(f)) |
| AI feature processing | Performance of a contract (Article 6(1)(b)) |
5. Third-Party Service Providers
We share your information with the following categories of service providers, solely to operate the Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Microsoft Azure | Hosting, database, file storage | All Service data | West Europe (Netherlands) |
| Stripe | Payment processing | Billing details, email, tax IDs | United States |
| Twilio SendGrid | Transactional email delivery | Email address, name, email content | United States |
| Anthropic | AI features (workspace assistant, task generation) | Workspace metadata, task data relevant to the query | United States |
| Cloudflare | Website hosting, CDN, DNS | IP address, request metadata | Global edge network |
Each provider processes data in accordance with their own privacy policies and applicable data protection agreements. Where data is transferred outside of the EEA, we rely on Standard Contractual Clauses or the provider's adequacy framework.
6. AI Feature Data Processing
When you use AI features, relevant workspace data (such as task titles, descriptions, assignees, statuses, and dates) is sent to our AI provider (Anthropic) to generate responses. This data is transmitted securely and is not used by the AI provider to train their models. AI processing is triggered only when you actively use an AI feature — workspace data is not passively sent to AI providers.
7. Data Retention
We retain your account information and Customer Data for as long as your account is active. Following account deletion or workspace termination, we retain data for up to 90 days to allow for recovery, after which it is permanently deleted from our systems and backups.
Billing records are retained as required by applicable tax and accounting laws (typically 7 years).
Audit logs are retained for the lifetime of the workspace and deleted with the workspace.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest for database and file storage, role-based access controls within the application, HMAC-signed webhooks for API integrations, two-factor authentication support, and session management with revocation.
While we take reasonable steps to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
9. Your Rights
For all users. You may at any time:
- Access and update your personal information through your account settings
- Export your personal data using the built-in data export feature
- Delete your account using the self-service account deletion feature (GDPR Article 17 — Right to Erasure)
- Request information about what data we hold about you by contacting privacy@artala.app
Additional rights under GDPR (EEA/UK/Swiss users). You have the right to request restriction of processing, object to processing based on legitimate interests, request data portability, and lodge a complaint with your local data protection authority.
Rights under PIPEDA (Canadian users). You have the right to access your personal information, challenge its accuracy, and withdraw consent for non-essential processing by contacting privacy@artala.app.
10. International Data Transfers
The Service is hosted in the Microsoft Azure West Europe region (Netherlands). Some of our service providers (Stripe, SendGrid, Anthropic) are based in the United States. Where personal data is transferred outside of the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
11. Email Communications (CASL Compliance)
We send transactional emails that are necessary for the operation of the Service (account verification, password resets, workspace invitations, task notifications). These are exempt from consent requirements under Canada's Anti-Spam Legislation (CASL) as they relate to an existing business relationship.
Weekly digest emails are a feature of the Service that you can enable or disable in your account settings. By enabling digest emails, you consent to receiving them. You may withdraw this consent at any time through your settings.
We do not send marketing or promotional emails.
12. Children
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new version number and effective date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
14. Contact
For privacy-related questions or requests:
1296869 Ontario Limited, operating as Artala
Email: privacy@artala.app