|
| 1 | +# Taskdeck Cookie and Local-Storage Policy (Draft) |
| 2 | + |
| 3 | +> **Status: DRAFT — NOT LEGALLY BINDING** |
| 4 | +> This is a pre-launch working draft describing what the shipped Taskdeck |
| 5 | +> frontend actually stores in the browser today. It has **not** been reviewed |
| 6 | +> by qualified legal counsel. Operators launching a hosted instance must |
| 7 | +> validate this disclosure against their deployed configuration (they may have |
| 8 | +> added a reverse proxy, analytics, or similar that changes the picture) and |
| 9 | +> revise before publishing. Placeholder sections are marked |
| 10 | +> `[LEGAL REVIEW REQUIRED]`. |
| 11 | +
|
| 12 | +**Last updated:** 2026-04-23 (draft) |
| 13 | +**Tracking issue:** `#548` (LEGAL-01) |
| 14 | + |
| 15 | +## 1. Summary |
| 16 | + |
| 17 | +Taskdeck's shipped frontend **does not set cookies** for authentication, |
| 18 | +analytics, or advertising. Instead, it uses the browser's `localStorage` for |
| 19 | +a small number of strictly functional items. As a result, a cookie-consent |
| 20 | +banner is not strictly required for the product's default surface, because |
| 21 | +there is no non-essential cookie to consent to. |
| 22 | + |
| 23 | +`[LEGAL REVIEW REQUIRED]` — some EU DPAs apply ePrivacy / PECR-style consent |
| 24 | +requirements to any non-essential *client-side storage*, not only to cookies. |
| 25 | +Operators publishing this document should confirm with counsel whether their |
| 26 | +jurisdiction requires consent for the non-essential items in Section 3. The |
| 27 | +default configuration only uses *essential* items, so the question is only |
| 28 | +live if the operator enables analytics. |
| 29 | + |
| 30 | +## 2. Essential browser storage (default, active) |
| 31 | + |
| 32 | +These items are necessary for Taskdeck to function as the user requested. |
| 33 | +They are set in `localStorage` under predictable keys. |
| 34 | + |
| 35 | +| Item | Key | Purpose | Lifetime | |
| 36 | +|---|---|---|---| |
| 37 | +| Auth token | `taskdeck_token` | Holds the JWT used to authenticate API requests. Without this the app cannot stay signed in across reloads. | Persists until sign-out, explicit account deletion, or manual browser clear. Rejected and removed if structurally invalid. | |
| 38 | +| Session metadata | `taskdeck_session` | Holds the signed-in user's ID, username, and email, displayed in the UI shell. | Same lifetime as the auth token. | |
| 39 | +| Workspace mode | workspace-mode key | Remembers whether the user opted into a particular workspace mode (novice / advanced). | Persists until the user changes mode or clears browser storage. | |
| 40 | +| Feature flag overrides | feature-flags key | Stores local feature-flag overrides set via DevTools / QA flows. | Persists until cleared. | |
| 41 | +| Saved-view preferences | saved-views key | Stores user-authored saved views (filters, groupings) for boards. | Persists until the user deletes the view or clears browser storage. | |
| 42 | +| Archive-view UI hint | archived-boards visibility key | Remembers whether archived boards are hidden/shown in the sidebar. | Persists until the user toggles it or clears storage. | |
| 43 | + |
| 44 | +None of the items above are sent to third parties. They are all read and |
| 45 | +written by the Taskdeck frontend, and they do not act as tracking identifiers. |
| 46 | + |
| 47 | +## 3. Non-essential browser storage (off by default, opt-in) |
| 48 | + |
| 49 | +The following items exist in the codebase but are **off unless explicitly |
| 50 | +enabled**. If an operator enables analytics, the relevant items become active, |
| 51 | +and consent handling must be followed. |
| 52 | + |
| 53 | +| Item | Key | Purpose | Default state | |
| 54 | +|---|---|---|---| |
| 55 | +| Analytics-consent flag | consent key in `telemetryStore` | Records whether the user has opted in to product analytics. | **Not written unless the user interacts with the consent UI.** The code explicitly refuses to auto-restore consent when the browser sends Do-Not-Track or Global Privacy Control signals. | |
| 56 | +| Analytics script state | managed by `useAnalyticsScript` | Loads a third-party analytics script only after opt-in and only if the operator has configured one. The composable is cookie-free by design. | **Off by default.** No third-party analytics script is shipped or configured. | |
| 57 | + |
| 58 | +If the operator enables analytics: |
| 59 | + |
| 60 | +1. Update `SUB_PROCESSORS.md` with the analytics vendor. |
| 61 | +2. Update Section 3 of this file to describe the analytics surface in concrete |
| 62 | + terms (vendor, categories of data collected, retention). |
| 63 | +3. Add a consent banner/UI that matches the operator's jurisdiction's rules. |
| 64 | +4. Confirm that the analytics vendor is cookie-free if this document continues |
| 65 | + to claim so, and remove the "cookie-free" claim otherwise. |
| 66 | + |
| 67 | +## 4. Third-party cookies set by sub-processors |
| 68 | + |
| 69 | +If the operator enables OAuth sign-in (e.g., GitHub), the third party may set |
| 70 | +cookies on its own domains during the OAuth redirect flow. Those cookies are |
| 71 | +governed by the third party's cookie policy, not this one. The hosted Taskdeck |
| 72 | +instance itself does not mirror those cookies. |
| 73 | + |
| 74 | +If the operator places Taskdeck behind a CDN, reverse proxy, or WAF, that |
| 75 | +infrastructure layer may set essential infrastructure cookies (e.g., for |
| 76 | +load-balancer stickiness or bot protection). `[LEGAL REVIEW REQUIRED]` — |
| 77 | +operators should enumerate any such cookies here before publishing. |
| 78 | + |
| 79 | +## 5. Your choices |
| 80 | + |
| 81 | +- You can clear Taskdeck's essential storage by signing out or by clearing |
| 82 | + site data in your browser. Doing so will sign you out; your server-side |
| 83 | + account data is not affected. |
| 84 | +- You can revoke analytics consent (if you ever granted it) via the |
| 85 | + in-product controls; this clears the consent flag and stops the analytics |
| 86 | + script. |
| 87 | +- You can request data export and account deletion via the endpoints |
| 88 | + described in the Privacy Policy (Section 7). |
| 89 | + |
| 90 | +## 6. Changes to this policy |
| 91 | + |
| 92 | +Material changes (e.g., introduction of new analytics, a new category of |
| 93 | +client-side storage, a change from `localStorage` to cookies) will be |
| 94 | +announced in-product and reflected in the `Last updated` header of this file. |
| 95 | + |
| 96 | +--- |
| 97 | + |
| 98 | +**Out of scope for this draft:** consent-banner UI design, analytics vendor |
| 99 | +selection, CDN/WAF cookie enumeration, and jurisdiction-specific consent |
| 100 | +mechanics. See `README.md` in this directory for the launch checklist. |
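Review bot: In Section 2, the closing claim "None of the items above are sent to third parties" holds only while no third-party script runs on the page, and the four-step list under "If the operator enables analytics" in Section 3 never revisits it. `localStorage` is readable by any script executing in the Taskdeck origin, so once an operator enables the analytics script described in Section 3, that script is able to read `taskdeck_token` and `taskdeck_session` (user ID, username, email). Suggest qualifying the Section 2 statement as applying to the default configuration and adding a fifth step to the Section 3 list that requires the operator to re-validate it before publishing. Separately, Section 5 says signing out clears "Taskdeck's essential storage", while the Section 2 table gives workspace mode, feature-flag overrides, saved views and the archive-view hint lifetimes that end only on a user change or a browser clear; one of the two should be corrected. The four rows that say "... key" instead of naming the literal key should also list the actual key, so that the "predictable keys" wording can be checked against the deployed frontend.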