Privacy Policy

How we use your personal data and what cookies we use.

About This Privacy Policy

This Privacy Policy explains how HQAlign Ltd ("We", "Us", "Our") collects, uses, shares, and protects personal data when you use the HQAlign Platform at HQAlign.com (including the Service). It also explains your rights under UK data protection law and how to exercise them.

This Privacy Policy was last updated on 6th May 2026.

This Privacy Policy should be read alongside Our Terms and Conditions. This Privacy Policy governs how We process personal data; the Terms and Conditions govern your use of the Platform more generally. Where the two documents address different subject matter, both apply. In the unlikely event of any conflict between this Privacy Policy and the Terms and Conditions on a data protection matter, this Privacy Policy prevails on that data protection matter only; on all other matters the Terms and Conditions prevail.

Defined terms used in this Privacy Policy (including “Customer”, “Customer Data”, “Service”, “Platform”) have the meanings given to them in Our Terms and Conditions.

1. Who We Are (The Data Controller)

1.1 The data controller for the personal data described in this Privacy Policy is HQAlign Ltd, a company registered in England and Wales under company number 15815964. Our registered address is 71-75 Shelton Street, Covent Garden, London, UK.

1.2 We are registered with the UK Information Commissioner's Office (ICO) under registration number ZB803884.

1.3 We have not appointed a Data Protection Officer, as We are not required to do so under UK GDPR. For any privacy enquiry, please contact Us using the details in the “How To Contact Us” section below.

1.4 We were previously known as KanbanGenie Limited, and the Platform was previously offered under the name TaskVal at taskval.com. The change of company name was registered at Companies House on 5th May 2026, and the Platform was rebranded from "TaskVal" to "HQAlign" at the same time. This is a change of name only. The data controller is the same legal entity, with the same company number, registered address, and ICO registration as before, and the personal data We held under the previous names continues to be processed under the same lawful bases, retention periods, and safeguards described in this Privacy Policy. Any reference in any prior privacy notice, consent record, or communication to "KanbanGenie Limited" or "TaskVal" shall be read as a reference to HQAlign Ltd. Your rights as a Data Subject (set out below) are unaffected by the name change.

2. When We Are A Controller And When We Are A Processor

2.1 We act as a controller for personal data We collect about: visitors to the marketing pages of the Platform; individuals who register an account or use the Service; individuals who contact Us via Our contact forms or email; individuals who consent to receive marketing communications from Us. This Privacy Policy describes what We do with that personal data.

2.2 Where Customer (a business, organisation, or other entity) uses the Service, the personal data Customer uploads or submits about its own employees, contractors, or other individuals as Customer Data is processed by Us as a processor on Customer's instructions. Customer is the controller of that personal data and is responsible for providing its own privacy notice to those individuals. Our processing of Customer Data on Customer's behalf is governed by Our Terms and Conditions and the Data Processing Agreement at /legal/dpa; this Privacy Policy does not describe that processing.

If you are using the Service as an employee, contractor, or agent of an organisation that holds an account with Us, that organisation is the controller of your data within the Service, and you should refer to that organisation's privacy notice for information about how it processes your data. Your personal commitments in connection with your use of the Service are set out in Our Acceptable Use Policy at /legal/aup.

3. The Personal Data We Collect

3.1 When you visit the marketing pages of the Platform, We collect:

  • Technical data: IP address, browser type and version, device type, operating system, time zone, and language settings;
  • Usage data: pages visited, links clicked, the page that referred you to the Platform, and the date and time of your visit;
  • Cookie and similar technology data (see clause 9 below).

3.2 When you register an account or use the Service, We collect:

  • Identity data: your full name;
  • Contact data: your email address;
  • Authentication data: a securely hashed version of your password (We never store your password in plain text), invite code (during Early Access), session identifiers, and login timestamps;
  • Profile data: any optional account or profile details you provide;
  • Usage data: actions you take within the Service, features you use, and the time and frequency of use;
  • Technical data: IP address, browser type, device type, and information needed for security, fraud prevention, and Service operation.

3.3 When you contact Us (by email, contact form, or in-product support), We collect the content of your message together with any contact details you provide.

3.4 When you consent to marketing, We record your consent (the time, the method, and the scope of consent) and your contact details for that purpose.

3.5 We do not knowingly collect special category personal data (such as data revealing race, ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation), and the Service is not designed to receive such data. You must not upload special category data into the Service. If you wish to do so, you must first obtain Our prior written consent and a written confirmation that the Service has been configured to handle the data lawfully (see also clause 3.4 of Our Data Processing Agreement).

4. How We Collect Your Personal Data

4.1 Directly from you: when you register an account, fill in a form on the Platform, contact Us, or interact with the Service.

4.2 Automatically: through cookies, server logs, and similar technologies as you use the Platform.

4.3 From third parties: in limited circumstances, We may receive personal data from invite-code referrers (in connection with Early Access), from infrastructure providers (e.g. abuse reports, fraud-prevention signals), or from publicly available sources.

5. Why We Use Your Personal Data and Our Legal Basis

5.1 We process personal data only where We have a lawful basis under Article 6 of the UK GDPR. The list below sets out the purposes of processing and the corresponding legal basis.

  • To provide the Service to you (creating and operating your account, authenticating you, and delivering the features you use): legal basis is performance of a contract with you, or steps taken at your request prior to entering into a contract.
  • To operate, secure, and improve the Platform (including monitoring, troubleshooting, security, fraud prevention, abuse detection, and analysing aggregated usage trends): legal basis is Our legitimate interests in running and improving Our business safely, balanced against your rights and freedoms.
  • To communicate with you about the Service (operational notices such as security alerts, changes to terms, billing, and support replies): legal basis is performance of a contract with you and Our legitimate interests in communicating with users of the Service.
  • To send marketing communications (for example, news about new features or offers): legal basis is your consent. You may withdraw consent at any time using the unsubscribe link in any marketing email or by contacting Us.
  • To comply with legal and regulatory obligations (such as accounting, tax, and responding to lawful requests from authorities): legal basis is compliance with a legal obligation.
  • To establish, exercise, or defend legal claims: legal basis is Our legitimate interests in protecting Our rights and property.

5.2 We do not currently use your personal data for automated decision-making that produces legal or similarly significant effects on you, and We do not currently engage in profiling of that kind. If We introduce such processing in the future, We will update this Privacy Policy and ensure compliance with Article 22 UK GDPR before doing so.

6. Sharing Your Personal Data

6.1 We share personal data only with the categories of recipient listed below, and only to the extent necessary for the purposes described in clause 5.

  • Sub-processors and infrastructure providers: cloud hosting and computing providers, database providers, email delivery providers, customer-support tooling, monitoring and error-reporting providers, and (where used) analytics providers. These providers process personal data on Our behalf under written contracts requiring them to keep the data confidential and secure, and to use it only for the purposes We instruct.
  • Professional advisers: lawyers, accountants, auditors, and insurers, where reasonably necessary.
  • Authorities: law enforcement, regulators, courts, and other public authorities, where We are required to disclose by law or where We reasonably believe disclosure is necessary to protect Our rights or the rights, property, or safety of others.
  • Successors: in the event of a merger, acquisition, restructuring, insolvency, or sale of all or part of Our business or assets, the recipient or prospective recipient, subject to appropriate confidentiality protections (including, where the data is shared with a prospective recipient before completion of the transaction, an undertaking that the data will be used only to evaluate or complete the transaction, will not be retained if the transaction does not complete, and will be subject to confidentiality terms no less protective than those in this Privacy Policy).

6.2 A current list of material sub-processors used in the provision of the Service is set out in Annex 3 of Our Data Processing Agreement at /legal/dpa.

6.3 We do not sell your personal data to anyone, and We do not share your personal data with third parties for their own marketing purposes.

7. International Transfers

7.1 The Service is hosted in the United Kingdom. The personal data you provide to Us when registering an account or using the Service is stored and primarily processed within the United Kingdom.

7.2 Some of Our sub-processors may process certain personal data outside the United Kingdom. In particular, when We activate the Google Analytics service described in clause 9, certain technical and usage data described in clause 3.1 will be transferred to and processed by Google (whose European entity is Google Ireland Limited, with onward transfers to Google LLC in the United States).

7.3 Where personal data is transferred to a country outside the United Kingdom that the UK Government has not designated as providing an adequate level of data protection, We rely on appropriate safeguards as required by Article 46 of the UK GDPR, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, the UK extension to the EU-US Data Privacy Framework (where applicable to the recipient), or another lawful transfer mechanism.

7.4 You may request further information about the safeguards in place for any specific international transfer by contacting Us.

8. How Long We Keep Your Personal Data

8.1 We keep personal data only for as long as is necessary for the purposes for which it was collected, plus any period required to comply with legal, regulatory, accounting, or reporting obligations, or to resolve disputes and enforce Our agreements.

8.2 Indicative retention periods:

  • Account data: while your account is active, plus up to 60 days after account closure to allow for accidental-deletion recovery and operational wind-down. This 60-day period is aligned with the deletion timeline for Customer Personal Data in clause 12.4 of Our Data Processing Agreement, so that data covered by both this Privacy Policy and the DPA is deleted on a consistent schedule. Some account-related records may be retained for longer where required by law (for example, accounting records for six years under UK tax law). Encrypted backups may persist beyond active production deletion in accordance with Our backup policy and clause 12.5 of the DPA.
  • Authentication and session data: rotated regularly during active use; expired sessions are purged within 30 days of expiry.
  • Server logs and security logs: typically up to 12 months, except where We need to retain a specific log entry for longer to investigate or defend against an incident.
  • Support correspondence: typically up to 24 months after the matter is closed.
  • Marketing consent and contact records: until you withdraw consent or unsubscribe, plus a short period to prevent re-addition in error.
  • Financial and tax records: six years after the end of the relevant accounting period, in line with UK statutory requirements.

8.3 Where retention periods are not fixed by law, We periodically review the personal data We hold and delete or anonymise data that is no longer required.

9. Cookies And Similar Technologies

9.1 Cookies are small text files that are placed on your device when you visit a website. We use cookies and similar technologies (such as local storage) within the Platform for the purposes described below.

9.2 Strictly necessary cookies and storage are required for the Platform to function. These are set without consent because the Privacy and Electronic Communications Regulations 2003 (PECR) permit this. Examples include:

  • sid - a signed, HTTP-only session cookie used to authenticate logged-in users. Without this cookie, the Service cannot identify your session;
  • isAuthenticated - a small client-side flag used to adapt navigation and account-aware menus to whether you are signed in. It does not contain any authentication credential or token;
  • Local storage entries used for dark-mode preference and other essential UI state.

9.3 Analytics, performance, and other non-essential cookies: We will not set any non-essential cookies or similar technologies on your device without your prior consent, and you may withdraw consent at any time.

9.4 Google Analytics (planned): We intend to use Google Analytics, a web analytics service provided by Google Ireland Limited (or its successor in the European Economic Area / United Kingdom), to understand how visitors use the Platform in aggregate. When activated, Google Analytics will set cookies on your device (typically named _ga and _ga_<identifier>) and will collect technical and usage data including IP address (which Google may truncate), pages viewed, time spent, referring page, device and browser characteristics, and a randomly generated identifier. This information is used solely to produce aggregated, statistical reports about use of the Platform. We will not enable Google Analytics until We have implemented an appropriate consent mechanism, and Google Analytics will be set only where you have given consent. When activated, Google acts as Our sub-processor under the Google Ads Data Processing Terms (or the equivalent terms in force at the relevant time), and personal data may be transferred to the United States subject to the safeguards described in clause 7. You will be able to withdraw your consent at any time and to opt out of Google Analytics across all participating sites by installing Google's opt-out browser add-on, available from https://tools.google.com/dlpage/gaoptout. As at the “last updated” date of this Privacy Policy, Google Analytics is not active on the Platform. This Privacy Policy will continue to describe Google Analytics accurately if and when activation occurs.

9.5 Most browsers allow you to refuse or delete cookies through their settings. If you block strictly necessary cookies, parts of the Platform may not function correctly.

10. Marketing Communications

10.1 We will not send you marketing emails without your prior express consent. Where you have given consent, you may opt out at any time by clicking the unsubscribe link in any marketing email or by contacting Us.

10.2 Operational and service-related communications (such as security alerts, important notices about your account, billing communications, and changes to Our Terms and Conditions or this Privacy Policy) are not marketing communications and will continue to be sent while your account is active. These are necessary for the operation of the Service.

11. Your Rights Under UK Data Protection Law

11.1 Subject to certain conditions and exceptions under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Right of access: to obtain confirmation of whether We process personal data about you and a copy of that data;
  • Right to rectification: to have inaccurate or incomplete personal data corrected;
  • Right to erasure (the “right to be forgotten”): to have your personal data erased in certain circumstances;
  • Right to restriction of processing: to restrict Our processing of your personal data in certain circumstances;
  • Right to data portability: to receive personal data you have provided to Us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible;
  • Right to object: to object to processing carried out on the basis of Our legitimate interests, and (in all cases) to object to processing for direct marketing;
  • Right to withdraw consent: where We rely on consent to process your personal data, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal;
  • Rights in relation to automated decision-making: to not be subject to a decision based solely on automated processing that has a legal or similarly significant effect (We do not currently carry out such automated decision-making).

11.2 To exercise any of these rights, please contact Us using the details in the “How To Contact Us” section below. We will respond within one month, although We may extend this by a further two months for complex or numerous requests (in which case We will notify you).

11.3 We may need to verify your identity before responding to a request, particularly if it concerns access to or deletion of personal data.

11.4 In most cases there is no fee for exercising your rights. Where a request is manifestly unfounded or excessive, We may charge a reasonable fee or refuse to act on the request, and We will tell you why.

12. Right To Complain To The ICO

If you are unhappy with how We have handled your personal data, We would prefer you to contact Us first so We can try to resolve the issue. However, you have the right at any time to lodge a complaint with the UK Information Commissioner's Office (the supervisory authority for data protection in the UK). You can find the ICO's current contact details, including their helpline and postal address, on their website at https://ico.org.uk.

Lodging a complaint with the ICO does not affect your other legal rights or remedies.

13. Children

The Service is intended for use by businesses, trades, professions, and other organisations (see clause 19 of Our Terms and Conditions). It is not directed at, and We do not knowingly collect personal data from, children under the age of 18. The 18-year threshold is conservative and consistent with Our business-use-only policy; it does not reflect a determination that 16- or 13-year thresholds (variously referenced in UK data protection law) are otherwise relevant to the Service. If you believe a child has provided Us with personal data, please contact Us so We can delete it.

14. Security

14.1 We take appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. These measures include encryption in transit, access controls, role-based permissions, secure password hashing, audit logging, and ongoing security review.

14.2 No method of transmission over the internet or storage on a computer is completely secure. While We strive to protect personal data, We cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for notifying Us promptly of any suspected unauthorised access to your account.

14.3 In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, We will notify the ICO within 72 hours where required by law, and We will notify affected individuals where required by law.

15. Links To Other Websites

The Platform may contain links to third-party websites and services. This Privacy Policy applies only to Our processing of personal data; We are not responsible for the privacy practices of third-party websites or services, and We recommend that you read their privacy notices before providing any personal data to them.

16. Changes To This Privacy Policy

16.1 We may update this Privacy Policy from time to time. The “last updated” date at the top of this Privacy Policy will reflect any change.

16.2 Where the changes are material, We will take reasonable steps to bring them to your attention (for example, by email or by an in-product notice) before the changes take effect. Continued use of the Platform after the effective date constitutes your acknowledgement of the updated Privacy Policy.

17. How To Contact Us

For any questions about this Privacy Policy, or to exercise any of your rights, please contact Us via the contact form on the Platform at /contact, or by post to HQAlign Ltd, 71-75 Shelton Street, Covent Garden, London, UK.

Copyright © 2026, HQAlign Ltd, All Rights Reserved