Privacy Policy

Taskyn - AI Automation for UK Businesses

Last updated: 15 April 2026

Contents

1. Introduction 2. Who We Are (Data Controller)3. Our Role: Controller and Processor 4. Personal Data We Collect 4.1 Website Visitors and Prospective Clients 4.2 Clients (Businesses We Serve)4.3 Data Processed Through Workflows 4.4 Data from Meta Platforms (Facebook, Instagram, WhatsApp)5. How We Use Personal Data and Our Legal Basis 6. Sharing Personal Data: Sub-Processors 7. International Data Transfers 8. Data Retention 9. Security 10. Your Rights 11. Cookies 12. Children 13. Changes to This Policy 14. Contact

1. Introduction

Taskyn provides workflow automation and AI agent services to UK small and medium-sized enterprises, including the design, deployment, and maintenance of n8n automation workflows and AI-powered task agents. We take privacy and data protection seriously.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, your rights, and how we protect it - in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who We Are (Data Controller)

The data controller for personal data collected in connection with Taskyn's website and direct client relationships is:

Taskyn, operating from Glasgow, Scotland, United Kingdom
Email: team@taskyn.co.uk

3. Our Role: Controller and Processor

Taskyn acts in two capacities depending on the data involved:

As a data controller: when we collect data about website visitors, prospective clients, and our direct business clients (for example, contact details, account information, and billing records).
As a data processor: when we build, host, or operate workflows that process personal data on behalf of our clients. In these cases, our client is the controller and we process data only on their documented instructions under a Data Processing Agreement (DPA).

If your data is being processed through a Taskyn-built workflow on behalf of one of our clients, please contact that client directly - they are the controller of your data.

4. Personal Data We Collect

4.1 Website Visitors and Prospective Clients

Our website is hosted on Framer. Data collected may include:

Identity and contact data: name, email address, and company name (where you provide these through forms or discovery call bookings).
Technical data: IP address, browser type, device information, and operating system.
Usage data: pages visited, time on site, and referral source.
Cookies set by Framer for site performance and analytics.

4.2 Clients (Businesses We Serve)

Account data: name, email, role, and company name.
Billing data: billing address, VAT number, and payment information (processed by our payment provider - we do not store full card details).
Service configuration data: workflow specifications, credentials, and API keys you provide for us to integrate with your systems.
Communications: emails, messages, support tickets, and meeting notes relating to the delivery and support of your services.

4.3 Data Processed Through Workflows (On Behalf of Clients)

When we operate automation workflows on behalf of a client, those systems may process personal data belonging to the client's customers, employees, or contacts. The exact categories depend on the client's use case and may include:

Contact details: names, email addresses, and phone numbers.
Booking and appointment data.
CRM records, sales pipeline data, and lead information.
Customer enquiries, support communications, and message threads (including WhatsApp Business and Instagram DM integrations).
Review requests and responses.
Documents, files, and other content routed through the workflow.

We process this data only on the client's instructions, as set out in the applicable DPA. Workflows commonly integrate with third-party platforms chosen by the client (such as their CRM, email provider, calendar, or messaging platform), and data may pass through those services as part of normal workflow operation.

4.4 Data from Meta Platforms (Facebook, Instagram, WhatsApp)

Where a client engages Taskyn to build automation workflows that connect to Meta platforms - including Facebook Pages, Instagram Business accounts, and the WhatsApp Business Platform - Taskyn processes data obtained through the Meta Graph API and related Meta APIs on behalf of that client. Meta Platforms Ireland Limited is the source of this data; Taskyn acts as a data processor under the client's instructions.

Platforms connected:

Facebook Pages (via the Facebook Graph API)
Instagram Business and Creator accounts (via the Instagram Graph API)
WhatsApp Business Platform (via the WhatsApp Business Cloud API)

Data we may receive and process:

Page and account identifiers: Facebook Page ID, Instagram Business Account ID, WhatsApp Business Account ID and phone number ID.
Access tokens and credentials issued by Meta to authorise API calls on the client's behalf.
Inbound message content: Facebook Page messages, Instagram Direct Messages, and WhatsApp Business messages, including text, attachments, timestamps, and sender identifiers (such as Page-Scoped User IDs, Instagram-Scoped IDs, and WhatsApp phone numbers).
Outbound message content: replies, confirmations, reminders, and follow-ups sent through the workflow on the client's behalf.
Conversation metadata: thread IDs, message status (sent, delivered, read), and basic profile information (such as name and profile picture) where exposed by the relevant Meta API.

Permissions we request:

The exact permissions requested depend on the client's use case but typically include pages_messaging, pages_manage_metadata, pages_read_engagement, instagram_basic, instagram_manage_messages, business_management, and the relevant whatsapp_business_messaging and whatsapp_business_management scopes.

Purpose:

We use this data solely to deliver the automation workflows the client has commissioned - for example, routing customer enquiries to an AI agent, sending booking confirmations and reminders, qualifying leads, and triggering follow-up messages. We do not use Meta Platform data for advertising, profiling unrelated to the client's workflow, building independent user profiles, or training general-purpose AI models. We do not sell Meta Platform data.

Storage and transfer:

Meta Platform data is processed within Taskyn-managed n8n Cloud infrastructure and the client's connected systems. Where data passes to sub-processors located outside the UK (including the United States), the safeguards described in section 7 apply.

5. How We Use Personal Data and Our Legal Basis

Under UK GDPR, we must have a lawful basis for each processing activity:

Contract: to provide the services you have engaged us for, manage your account, and handle billing.
Legitimate interests: to operate and improve our website, secure our systems, prevent fraud, send service-related communications, and develop prospective business relationships where appropriate.
Consent: for marketing emails to individuals who are not existing clients, and for non-essential cookies. You may withdraw consent at any time.
Legal obligation: to comply with UK tax, accounting, and regulatory requirements.

6. Sharing Personal Data: Sub-Processors

To deliver our services, we share data with the following sub-processors:

Workflow infrastructure: n8n Cloud (operated by n8n GmbH) hosts and runs automation workflows.
Website hosting: Framer hosts our website and may set cookies for performance and analytics.
Communication and productivity tools: standard business tools used to communicate with clients and manage projects (email, messaging, and file storage).
Payment processing: where applicable, payments are handled by a regulated payment provider. We do not store full card details.
Meta platform integrations: Meta Platforms Ireland Limited (Facebook, Instagram) and WhatsApp Ireland Limited (WhatsApp Business Platform), where workflows connect to those services on the client's instructions.

A current, detailed list of sub-processors is available on request and forms part of our DPA with clients. We do not sell personal data.

7. International Data Transfers

Some of our sub-processors operate outside the UK, including in the United States and the European Union. Where we transfer personal data internationally, we rely on safeguards approved under UK GDPR, including:

The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
Adequacy decisions (for example, the UK-US Data Bridge where the recipient is certified, or the UK's adequacy decision covering the EEA).

Further information about specific safeguards is available on request.

8. Data Retention

Website analytics and cookies: retained for the period set by Framer (typically up to 14 months).
Marketing and prospective client contacts: retained until you unsubscribe, or after 24 months of inactivity.
Client account and billing records: retained for the duration of the engagement and for 6 years thereafter to meet UK accounting and tax obligations.
Workflow data processed on behalf of clients: retained per the client's instructions in the DPA. On termination, data is deleted or returned within 30 days unless otherwise agreed in writing.
Backups: securely overwritten on a rolling 30-to-90-day cycle.

9. Security

We apply organisational and technical security measures appropriate to the risks of our processing activities, including:

Encryption of data in transit (TLS) and at rest where applicable.
Role-based access controls and the principle of least privilege.
Multi-factor authentication on all administrative accounts.
Secure storage of API keys and credentials in dedicated secret managers (not in workflow configuration files or version control).
Regular review of sub-processor access and audit logs.
Incident response procedures, including breach notification to the ICO within 72 hours where required.

10. Your Rights

Under UK GDPR, you have the right to:

Access the personal data we hold about you.
Request correction of inaccurate or incomplete data.
Request erasure (the 'right to be forgotten'), subject to legal exceptions.
Restrict or object to certain processing, including direct marketing (you can opt out at any time).
Request data portability in a structured, machine-readable format.
Withdraw consent at any time, where processing relies on consent.
Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact us at team@taskyn.co.uk. We will respond within one calendar month.

If your data is processed by Taskyn on behalf of one of our business clients, please direct your request to that client in the first instance. We will support them in responding.

11. Cookies

Our website is built on Framer, which sets cookies for site functionality and analytics. Strictly necessary cookies are used to make the site work. Non-essential cookies are only used with your consent where required by PECR. You can manage preferences through any cookie banner on the site or through your browser settings.

12. Children

Our services are directed at businesses, not individuals under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. We will communicate material changes to clients directly.

14. Contact

For questions, concerns, or data rights requests:

Email: team@taskyn.co.uk
Location: Glasgow, Scotland, United Kingdom

Another AI Template

Use For Free