How long does setup take?

You can create your first audit form within minutes using our AI-powered form builder. Just describe what you need to inspect, and the platform generates a ready-to-use checklist. No training or onboarding calls required - it's fully self-service.

Can I import existing forms?

AI-powered document-to-form transformation is on our roadmap. In the meantime, our form builder makes it fast to recreate your existing checklists - most users build a complete audit form in under 10 minutes.

Does it work offline?

Absolutely. Our Progressive Web App (PWA) works seamlessly offline. Inspectors can complete audits in the field without connectivity, and data syncs automatically when back online. Native iOS and Android apps are planned for the future.

How do you handle security?

Security is built into everything we do. All data is encrypted at rest and in transit, and we use role-based access controls so team members only see what they need. Your audit data stays private and protected.

Can I integrate with other systems?

Integration APIs are on our roadmap. We'd love to hear which tools you use most - reach out and let us know what integrations would be most valuable for your workflow.

Privacy Policy | Ongo Audit

Introduction

The Applicable Taskworld Entity (“Taskworld”, “we”, “us”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what personal data we collect through Ongo Audit (the “App”, “Services”), how we use it, with whom we share it, and what rights you have. Taskworld operates contracting entities in multiple countries; the “Applicable Taskworld Entity” is the entity within the Taskworld group that has contracted with the Customer for the Services, as identified in the Customer’s Order Form or Customer Agreement. If you have any questions, contact us at privacy@taskworld.com.

This Privacy Policy applies to all personal data collected through the Ongo Audit mobile applications (iOS and Android), the Ongo Audit web app and progressive web app (PWA), associated APIs, and any related interactions you have with us (for example, support requests).

This Privacy Policy does not apply to third-party applications or services that integrate with the Services, or to other Taskworld products with their own privacy policies.

The Services are designed for use by adult employees, contractors, and agents of an organization that has subscribed to the Services. The Services are not intended for children, and we do not knowingly collect personal data from anyone under 18.

3.1 Controller and contact

The Applicable Taskworld Entity is the controller responsible for processing personal data in connection with the App, except where the App is provided under a contract with an organization (your employer, a Customer, or another entity), in which case that organization is the controller of Customer Data and Taskworld acts as a processor on its behalf.

Contact details

Legal entity: the Applicable Taskworld Entity, as identified in the Customer’s Order Form.
Postal address: the registered address of the Applicable Taskworld Entity, as set out in the Customer’s Order Form or available on request via privacy@taskworld.com.
Email: privacy@taskworld.com
Data Protection Officer: available on request via privacy@taskworld.com

You have the right to lodge a complaint with the data protection authority of your jurisdiction. We would, however, appreciate the chance to address your concerns first.

3.2 Changes to this Privacy Policy

We keep this Privacy Policy under regular review. The “Last Updated” date at the top of this page indicates when it was most recently updated. Material changes will be posted here and, where appropriate, notified to you in the App or by email.

3.3 The data we collect about you

We may collect, use, store, and transfer the following categories of personal data:

Identity Data: first name, last name, username or similar identifier, role, and language preference.
Contact Data: work email address and, where provided by the Customer, phone number.
Authentication Data: password (stored as a hash), magic-link tokens, session tokens, and authentication timestamps.
Device Data: device model, operating system, OS version, app version, locale, time zone, and a unique installation identifier used for push notifications and crash reporting.
Technical Data: IP address, network type, browser type and version (for the web/PWA), and other technical data automatically collected when you use the Services.
Submission Data: form responses, comments, incident reports, corrective actions, attachments (including photos), audit scores, and timestamps of submission and edits.
Geolocation Data: latitude and longitude captured at the moment of a form submission, when the form requires location verification. The App does not track location continuously or in the background.
Photo and Camera Data: photos taken with the device camera in the App and, where you select an existing photo, photos chosen from your device’s photo library.
Usage Data: information about how you interact with the App (screens viewed, features used, errors encountered), collected on an anonymous, device-level basis (not linked to your user account).
Diagnostic Data: crash reports, performance metrics, and error logs collected on an anonymous, device-level basis.
Session Replay Data: a reconstructed playback of user interactions with the web app interface (clicks, scrolls, page navigations, and form-element interactions) for product-improvement purposes. The values you enter in form fields, photos, and geolocation readings are not captured in session replay. Session replay is collected on an anonymous, device-level basis and is subject to a 30-day rolling retention window.
Support Data: information you provide when you contact us for support, including the content of your messages.

We do not collect Special Categories of Personal Data (such as data revealing race, ethnicity, religious beliefs, political opinions, trade union membership, health data, sex life, sexual orientation, or genetic or biometric data), and we do not collect data about criminal convictions or offenses.

We do not collect financial data from end users. End users do not make payments through the App; payment, where applicable, is handled between Taskworld and the Customer outside the App.

3.4 How we collect your personal data

Information provided by your Customer. Most user accounts are created by your Customer’s administrator using your work email and an assigned role. Identity, Contact, and authentication-related data typically originate with the Customer.
Information you give us directly. Authentication data when you sign in, Submission Data when you complete forms, photos when you capture or select images, and Support Data when you contact us.
Information collected automatically when you use the Services. Device Data, Technical Data, Usage Data, and Diagnostic Data are collected automatically through standard mobile and web mechanisms.
Information from third parties. We may receive Diagnostic and Usage Data from our analytics provider (anonymous, device-level only; not linked to your user account). We may receive technical metadata from cloud and infrastructure providers. The full list of providers is published on our Sub-processors page.

3.5 How we use your personal data

We use personal data only when the law allows us to. The legal bases we rely on are:

Performance of a contract with you or with the Customer that authorizes your access to the Services.
Legitimate interests, including providing, securing, and improving the Services, where those interests are not overridden by your rights.
Compliance with a legal obligation that applies to us.
Consent, where the law requires it (for example, for certain marketing communications or, in some jurisdictions, for non-essential cookies).

We process personal data for the following purposes:

Purpose	Data categories	Lawful basis
Provisioning, authenticating, and operating Authorized User accounts	Identity, Contact, Authentication, Device	Performance of contract; legitimate interests
Delivering core App functionality (assignments, submissions, photos, geolocation, incidents, corrective actions, chat)	Submission, Geolocation, Photo, Identity	Performance of contract; legitimate interests
Providing Customer dashboards, exports (for example to Power BI), and reporting	Submission, Geolocation, Photo, Identity, Usage	Performance of contract; legitimate interests
Securing the Services, preventing fraud and abuse, and investigating incidents	Technical, Device, Usage, Authentication	Legitimate interests; legal obligation
Diagnosing and fixing crashes and bugs	Diagnostic, Device, Technical	Legitimate interests
Understanding how the Services are used and improving them	Usage, Diagnostic, Device	Legitimate interests
Responding to support requests	Support, Identity, Contact	Performance of contract; legitimate interests
Complying with legal, tax, accounting, and regulatory obligations	All categories as required	Legal obligation

No advertising. Ongo Audit does not display advertisements. We do not use personal data for advertising or for ad measurement. We do not sell personal data, and we do not “share” personal data for cross-context behavioral advertising as defined under California or similar laws.

No automated decision-making. Taskworld does not use the data collected through the Services to make automated decisions that produce legal or similarly significant effects on you. The Customer may use Submission Data within its own processes; that use is governed by the Customer.

3.6 Marketing

The App does not send marketing communications to end users. If a Customer-administrator opts in to receive product update emails through a separate channel, those communications are governed by Taskworld’s general marketing privacy notices and can be unsubscribed at any time.

3.7 Disclosure of your personal data

We may share your personal data with the following categories of recipients:

Your Customer. Submission Data, Geolocation Data, Photo Data, Usage Data, and identifying information are visible to administrators, managers, and other Authorized Users at your Customer with appropriate access. The Customer determines who within its organization has access.
Service providers (processors). We use service providers for cloud hosting, the application database, product analytics and crash reporting, transactional email and notification delivery, and customer support tools. The current list of authorized sub-processors — including their purpose and the location where they process data — is published and kept up to date on our Sub-processors page. All service providers are bound by contractual data-protection obligations and may process personal data only on our instructions and for specified purposes.
Professional advisers. Lawyers, auditors, bankers, and insurers, where necessary for legal, tax, or audit purposes.
Authorities. Where required by law, court order, or to protect Taskworld’s rights, property, or safety, or the rights, property, or safety of others.
Successors. In connection with a merger, acquisition, financing, reorganization, or sale of assets, in which case the successor will be bound by this Privacy Policy or one substantially similar.

We do not allow our service providers to use your personal data for their own purposes. They may process your personal data only as instructed by us and in line with our contracts.

3.8 International transfers

Personal data may be hosted in regions outside your own. The hosting locations of each sub-processor are listed on our Sub-processors page.

Where personal data is transferred outside your jurisdiction, we ensure an appropriate level of protection by relying on one or more of the following safeguards:

transfers to jurisdictions recognized as providing an adequate level of protection by the relevant authority;
standard contractual clauses or equivalent contractual safeguards with the receiving party;
other lawful transfer mechanisms.

You can request more information about the specific transfer mechanism used by contacting privacy@taskworld.com.

3.9 Data security

We use industry-standard security measures to protect personal data from accidental loss, unauthorized access, alteration, or disclosure, including:

encryption in transit using TLS 1.2 or higher;
passwords stored as salted hashes using PBKDF2-SHA256 (310,000 iterations) with an application-side pepper;
short-lived authentication sessions (1-hour access tokens, 36-hour refresh tokens; magic-link tokens valid for 10 minutes);
role-based access controls within the Services;
encryption at rest using AES-256 across all data stores;
routine backups and monitored systems.

We have procedures to handle suspected personal data breaches and will notify you and applicable regulators where legally required.

3.10 Data retention

We retain personal data only for as long as reasonably necessary for the purposes set out in this Privacy Policy, including to satisfy legal, tax, accounting, or reporting requirements.

In general:

Account data is retained for as long as your account is active under a Customer subscription, and is deleted or returned in accordance with the Customer Agreement when the subscription ends (typically within 30 days, subject to legal retention requirements).
Submission Data (form responses, photos, geolocation associated with submissions) is retained according to the Customer’s configuration and the Customer Agreement. The Customer is the controller of Submission Data and is responsible for its retention and deletion.
Usage and Diagnostic Data: retained on a 30-day rolling window. Session replay data is also retained for 30 days.
Support Data is retained for up to 24 months after the last interaction.
Aggregated and anonymized data may be retained indefinitely.

In some cases we may anonymize personal data (so it can no longer be associated with you) and use it for research, statistical, or product-improvement purposes without further notice.

3.11 Your legal rights

Subject to applicable law, you may have the following rights with respect to your personal data:

Access: receive a copy of personal data we hold about you.
Rectification: request correction of inaccurate or incomplete data.
Erasure: request deletion of personal data, subject to limitations.
Restriction: request that we suspend processing in specific circumstances.
Portability: receive your personal data in a structured, commonly used, machine-readable format, where applicable.
Objection: object to processing based on legitimate interests, including direct marketing.
Withdrawal of consent: where we rely on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Lodge a complaint with a supervisory authority.

If you are an Authorized User of a Customer, please direct your request first to your Customer’s administrator, since the Customer is typically the controller of Submission Data and other Customer Data. We will support the Customer in responding to your request. For Identity, Contact, and account data held by Taskworld, you may contact us directly at privacy@taskworld.com.

To request deletion of your account, you may use the “Delete account” button inside the App, contact your Customer’s administrator, or email privacy@taskworld.com. After a deletion request is received, we will delete or anonymize your personal data within thirty (30) days, except where retention is required by law.

We will respond to legitimate requests within one month. Complex or numerous requests may take longer; we will inform you if we need an extension.

3.12 Account deletion (App Store and Google Play)

End users may request deletion of their account and associated personal data by:

tapping the “Delete account” button inside the App, which sends a deletion request to Taskworld; or
emailing privacy@taskworld.com from the email address associated with the account; or
contacting their Customer’s administrator, who can disable the account.

Once a deletion request is received through any of these channels, Taskworld will process the deletion or anonymization of personal data associated with the account within thirty (30) days.

Where you are an Authorized User of a Customer, Submission Data (form responses, photos, geolocation values, incident reports) submitted in the course of your work may be retained by the Customer in accordance with the Customer’s policies and applicable law, even after your personal account data has been deleted or anonymized. Aggregated, anonymized, or legally required data may also be retained.

3.13 California, EEA/UK, and other regional disclosures

If you are a resident of California, the EEA, the UK, or another jurisdiction with specific privacy laws, you may have additional rights. Taskworld does not sell personal data and does not “share” personal data for cross-context behavioral advertising. For specific rights and to exercise them, contact privacy@taskworld.com.