Privacy Policy

Last updated: June 27, 2026

This Privacy Policy explains how Bwired di Bersier Benoit Jonathan ("we", "us") collects and processes personal data when you use OmniTask Pro (the "Service") at tasks.centralo.work. We act as the data controller for the data described below.

1. Who we are

2. What data we collect

  • Account data: email address, hashed password, authentication identifiers.
  • App data you create: companies, contacts, tasks, notes, calendar entries.
  • Mailbox data (if you connect one): IMAP/SMTP credentials (encrypted at rest with AES-256-GCM) or Google OAuth refresh tokens (encrypted), plus the email messages, folders, attachments and read/unread state we sync on your behalf.
  • Technical data: IP address, user agent, timestamps of key actions (login, consent, export, deletion).
  • Consent records: the cookie/privacy choices you make and the policy version in effect at that time.

3. Why we process it (legal bases)

  • Performance of a contract (Art. 6(1)(b) GDPR): providing the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): securing the Service, preventing abuse, keeping an audit trail.
  • Consent (Art. 6(1)(a)): optional analytics/marketing cookies, and connecting a Google account via OAuth.
  • Legal obligation (Art. 6(1)(c)): retaining limited records where required by law.

4. Subprocessors

We share data only with the providers necessary to run the Service:

  • Lovable Cloud (Supabase backend, EU/US): database, authentication, file storage, server functions.
  • Cloudflare: hosting and edge delivery.
  • Google LLC: if you choose to connect a Gmail account, we call the Gmail API on your behalf using OAuth tokens stored encrypted.
  • Your IMAP/SMTP provider: if you connect a non-Gmail mailbox, we send/receive mail through it on your behalf.
  • Lovable AI Gateway: optional AI features (e.g. email triage) send the relevant message content for processing.

A signed Data Processing Agreement (DPA) is in place with each subprocessor where applicable.

5. International transfers

Some subprocessors are based outside the EEA. Transfers are covered by Standard Contractual Clauses or equivalent safeguards under Art. 46 GDPR.

6. How long we keep your data

  • Account data: until you delete your account.
  • Synced email messages: for the retention window configured on each mailbox (default 30 days), then removed locally.
  • Audit and consent logs: up to 24 months for security and accountability.
  • Deleted accounts: a 30-day grace period during which you can cancel deletion. After 30 days the data is permanently purged from our active systems; backups roll off within a further 30 days.

7. Your rights

Under the GDPR you have the right to:

  • access the data we hold about you;
  • rectify inaccurate data;
  • erase your data ("right to be forgotten");
  • restrict or object to processing;
  • export your data in a machine-readable format (data portability);
  • withdraw consent at any time;
  • lodge a complaint with your local supervisory authority (in Italy, the Garante per la protezione dei dati personali).

You can exercise most of these rights yourself from the in-app Privacy Center, or by emailing privacy@centralo.work.

8. Security

We use TLS in transit, AES-256-GCM encryption at rest for mailbox secrets, row-level security in the database, scoped OAuth tokens and least-privilege server-side access.

9. Changes

We will notify you of material changes by updating the "Last updated" date above and, when appropriate, asking you to re-confirm consent.