Privacy Policy
Last updated: May 2026
At SaberTask, we take your privacy seriously. This Privacy Policy explains, in line with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Lei n.º 58/2019 of 8 August (the Portuguese law implementing the GDPR), what personal data we collect when you use sabertask.com or the SaberTask mobile app, how we use it, who we share it with, how long we keep it, and what rights you have. The data controller is SaberTask LDA (VAT PT518467546), Rua Hermano Neves N.º 18, Piso 3, Escritório 7, 1600-477 Lisboa, Portugal.
Information We Collect
We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support. This may include your name, email address, company name, phone number, and payment information. We also automatically collect certain information when you use our services, including device information, IP address, and usage data.
Location Data
The SaberTask mobile app accesses your device's approximate and precise location (GPS) only when you use features that require it: when you clock in or out of a shift, when you start or finish a task on site, and while you have an active shift so your employer's dispatcher can see field activity on the Live Dashboard. Location is not collected in the background when the app is closed, is not used for advertising, and is never sold or shared with third parties. Location data is visible only to your employer's account (the business that invited you to SaberTask) and is retained with the related timesheet or task record. You can revoke the app's location permission at any time in your device settings, which will disable clock-in and on-site task features that rely on it.
Legal Basis for Processing
Under Article 6(1) of the GDPR, we only process personal data when we have a valid legal basis. We rely on the following bases:
Performance of a contract (Article 6(1)(b))
We process account data, login credentials, billing information and user-generated content (tasks, projects, timesheets, and location data tied to a shift or task) because doing so is necessary to provide the SaberTask service you or your employer signed up for.
Legitimate interests (Article 6(1)(f))
We rely on legitimate interests for (a) basic server and security logging to protect the service and its users against fraud and abuse; (b) sending product-related transactional emails to administrators to keep the service usable; and (c) limited usage analytics on aggregated, non-identifying data where consent is not required. In each case we have carried out a balancing test and concluded that our interests do not override your rights and freedoms because the processing is limited in scope, expected by users of a workforce SaaS product, and you can object at any time.
Consent (Article 6(1)(a))
We rely on consent for non-essential cookies and embeds on sabertask.com (analytics, marketing, Calendly), for any direct marketing emails, and for any other processing specifically described to you as opt-in. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Compliance with legal obligations (Article 6(1)(c))
We process invoicing, accounting and tax records because Portuguese law (Decreto-Lei n.º 28/2019) and EU VAT rules require us to retain them. We may also disclose data when compelled by a valid legal order.
How We Use Your Information
We use the information we collect to provide, maintain, and improve our services, process transactions, send you technical notices and support messages, and respond to your comments and questions. We may also use your information to send you promotional communications, though you can opt out at any time. Each purpose is covered by one of the legal bases described in the previous section.
Information Sharing
We do not sell, trade, or rent your personal information. We share data only with the categories of recipients listed below, and only to the extent necessary for the purpose described:
- Your employer's account, if you are a field user invited by them: timesheets, on-site task records and the location data attached to those records are visible to the business that invited you.
- Our sub-processors (listed in the next section): technical service providers acting under written data processing agreements that bind them to GDPR-equivalent safeguards.
- Public authorities: only where required by a valid legal order, court request or statutory obligation.
- Professional advisers (lawyers, accountants, auditors): bound by confidentiality, only where necessary to defend our legal interests.
Sub-Processors
We use the following sub-processors to operate sabertask.com and the SaberTask service. Each is bound by a data processing agreement under Article 28 of the GDPR.
Vercel Inc.
- Purpose
- Website and application hosting; Vercel Web Analytics (loaded only with analytics consent).
- Location
- United States, with EU regions used where available.
- Transfer mechanism
- EU-US Data Privacy Framework (Vercel Inc. is self-certified) and Standard Contractual Clauses.
Calendly LLC
- Purpose
- Demo booking widget embedded on sabertask.com (loaded only with marketing consent).
- Location
- United States.
- Transfer mechanism
- EU-US Data Privacy Framework.
Wildbit, LLC (Postmark)
- Purpose
- Transactional email delivery for contact-form submissions and account notifications.
- Location
- United States.
- Transfer mechanism
- Standard Contractual Clauses.
Outrank
- Purpose
- Content management system used to publish articles on sabertask.com/articles. Does not process customer or end-user personal data.
- Location
- European Economic Area.
- Transfer mechanism
- No transfer outside the EEA.
We may add or replace sub-processors from time to time. The list above is the current list; you can also request it by emailing contact@sabertask.com. Where a sub-processor change would materially affect customer data, we will notify business customers in advance so they can object.
International Data Transfers
Some of our sub-processors are established outside the European Economic Area (EEA), primarily in the United States. For each such transfer we rely on a transfer mechanism recognised under Chapter V of the GDPR: the EU-US Data Privacy Framework where the recipient is self-certified, and the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as applicable) where it is not. Where required, we also carry out a transfer impact assessment and apply supplementary measures such as encryption in transit and at rest. The applicable mechanism for each sub-processor is listed in the Sub-Processors section above.
How Long We Keep Your Data
We keep personal data only for as long as we have a clear purpose. Retention may be extended where required by law or to defend legal claims.
| Data category | Retention period |
|---|---|
| Account profile (name, email, phone, company) | For the duration of the account, plus 6 months after closure. |
| Login credentials (hashed passwords, MFA secrets) | Deleted within 30 days of account closure. |
| Tasks, projects, timesheets and other user-generated content | For the duration of the account, plus 6 months after closure. |
| Location data attached to a shift or task | Stored with the related record; default 24 months from creation unless the customer's business agreement specifies otherwise. |
| Server, security and usage logs | 12 months. |
| Device identifiers and IP addresses | 12 months. |
| Invoices, accounting and tax records | 10 years (Decreto-Lei n.º 28/2019). |
| Encrypted backups | Rotated and purged within 90 days. |
| Cookie consent record | Up to 6 months in browser local storage, refreshed on each revisit. |
Data Security
We implement appropriate technical and organisational security measures in accordance with Article 32 of the GDPR to protect your personal information. We use bank-level encryption, and your data is backed up daily and stored securely in European data centres. No method of transmission over the Internet is 100% secure.
Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Comissao Nacional de Protecao de Dados (CNPD) without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify the individuals concerned without undue delay (Article 34 GDPR). We maintain an internal incident response procedure and document all personal data breaches as required by Article 33(5).
Your Rights
Under the GDPR you have the following rights in relation to your personal data:
- Right of access (Article 15): Obtain confirmation of whether we process data about you and receive a copy together with information about how it is processed.
- Right to rectification (Article 16): Have inaccurate data corrected and incomplete data completed.
- Right to erasure (Article 17): Ask us to delete your data where one of the grounds in Article 17 applies. See the Data Deletion section below for the procedure.
- Right to restriction of processing (Article 18): Ask us to limit how we process your data in specific situations, for example while we verify an accuracy challenge.
- Right to data portability (Article 20): Receive the personal data you provided to us in a structured, commonly used and machine-readable format, and have it transmitted to another controller where technically feasible. SaberTask provides an in-app export option, and you can also request a portable export by emailing contact@sabertask.com.
- Right to object (Article 21): Object at any time to processing based on legitimate interests, including profiling, on grounds relating to your particular situation. You can object to direct marketing at any time, without justification.
- Rights related to automated decision-making (Article 22): SaberTask does not subject users to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. If this ever changes, we will inform you and provide the safeguards required by Article 22.
- Right to withdraw consent (Article 7(3)): Where we rely on your consent, you can withdraw it at any time using the in-product setting, the "Cookie settings" link in the footer, or by emailing contact@sabertask.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint (Article 77): You can lodge a complaint with the Comissao Nacional de Protecao de Dados (CNPD), Av. D. Carlos I, n.º 134, 1.º, 1200-651 Lisboa, Portugal, www.cnpd.pt, or with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, contact us using the details in the "Contact and Data Protection Officer" section below. We will respond within one month of receipt and may extend by a further two months for complex requests, as permitted by Article 12(3) of the GDPR.
Data Protection Officer
Although SaberTask is not required to appoint a DPO under Article 37(1) of the GDPR (we are not a public authority, our core activities do not consist of large-scale monitoring of the public, and we do not process special categories of data on a large scale), we have voluntarily designated an internal Data Protection contact. You can reach our DPO at sebastian@sabertask.com for any privacy or data protection matter, including rights requests.
Minimum Age
SaberTask is a workforce management tool intended for businesses and their employees. We do not knowingly collect personal data from individuals under 18 years of age, and the service is not directed at minors. If you believe a minor has provided us with personal data, please contact us so we can delete it.
Whether You Have to Provide Your Data
Providing the personal data we collect at sign-up (name, work email and the data needed for billing) is a contractual requirement to create and maintain a SaberTask account. If you do not provide it, we will not be able to create your account or deliver the service. Some data is also a statutory requirement (for example, invoice details under Portuguese tax law). Optional information, such as analytics and marketing consent, is purely voluntary and not providing it does not affect your ability to use the service.
Data Deletion Requests
The SaberTask app is published by SaberTask LDA (VAT PT518467546). You can ask us to delete your account and associated data at any time by following the steps below.
How to request deletion
- In the app: open Settings > Account > Delete account. This immediately starts the deletion process.
- By email: send a request to contact@sabertask.com from the email address registered on your account, using the subject line "Data Deletion Request". We confirm receipt within 5 business days and complete deletion within 30 days.
Data we delete
Account profile (name, email, phone, company), login credentials, user-generated content (tasks, projects, checklists, files, photos, comments, messages), device identifiers, IP addresses and usage logs.
Data we retain and for how long
Invoices and accounting records are retained for 10 years as required by Portuguese tax law (Decreto-Lei n.º 28/2019). Encrypted backups are rotated and permanently purged within 90 days of the deletion request.
Governing Law and Supervisory Authority
This Privacy Policy is governed by the General Data Protection Regulation (Regulation (EU) 2016/679) and by Lei n.º 58/2019 of 8 August (the Portuguese law implementing the GDPR). The competent supervisory authority is the Comissao Nacional de Protecao de Dados (CNPD), Av. D. Carlos I, n.º 134, 1.º, 1200-651 Lisboa, Portugal, geral@cnpd.pt, www.cnpd.pt.
Contact and Data Protection Officer
If you have any questions about this Privacy Policy or wish to exercise any of your rights, you can reach us at the addresses below.
Data Controller
SaberTask LDA, VAT PT518467546, Rua Hermano Neves N.º 18, Piso 3, Escritório 7, 1600-477 Lisboa, Portugal.
Data Protection Officer
Email: sebastian@sabertask.com
General privacy questions
Email contact@sabertask.com. We aim to respond within 5 business days and to formal rights requests within the one-month deadline set by Article 12(3) of the GDPR.