diff --git a/lib/tasks/legacy_user_permissions_to_comments.rake b/lib/tasks/legacy_user_permissions_to_comments.rake
new file mode 100644
index 000000000..123ec8413
--- /dev/null
+++ b/lib/tasks/legacy_user_permissions_to_comments.rake
@@ -0,0 +1,43 @@
+namespace :legacy do
+  desc "Convert legacy user_permissions rows into User comments"
+  task user_permissions_to_comments: :environment do
+    say = ->(msg) { puts "[legacy:user_permissions_to_comments] #{msg}" }
+
+    connection = ActiveRecord::Base.connection
+
+    rows = connection.exec_query(<<~SQL)
+      SELECT up.user_id, p.security_cat AS permission_name
+      FROM user_permissions up
+      INNER JOIN permissions p ON p.id = up.permission_id
+    SQL
+
+    say.call "Found #{rows.rows.size} legacy user_permissions rows to process"
+
+    processed = 0
+    skipped   = 0
+
+    rows.each do |row|
+      user_id         = row["user_id"]
+      permission_name = row["permission_name"]
+
+      user = User.find_by(id: user_id)
+      unless user
+        skipped += 1
+        next
+      end
+
+      body = "Legacy data note: user had permission to #{permission_name}. " \
+             "Deleted legacy permission tracking for all users on 2026-03-05."
+
+      # Avoid creating duplicate comments if the task is re-run
+      unless user.comments.where(body: body).exists?
+        user.comments.create!(body: body)
+        processed += 1
+      else
+        skipped += 1
+      end
+    end
+
+    say.call "Created #{processed} comments on users (skipped #{skipped})."
+  end
+end
diff --git a/spec/tasks/legacy_user_permissions_to_comments_spec.rb b/spec/tasks/legacy_user_permissions_to_comments_spec.rb
new file mode 100644
index 000000000..a4feb6b6c
--- /dev/null
+++ b/spec/tasks/legacy_user_permissions_to_comments_spec.rb
@@ -0,0 +1,54 @@
+require "rails_helper"
+require "rake"
+
+RSpec.describe "legacy:user_permissions_to_comments" do
+  before(:all) do
+    Rails.application.load_tasks
+  end
+
+  before do
+    Rake::Task["legacy:user_permissions_to_comments"].reenable
+
+    # Define lightweight AR models if they don't exist yet, so the task can run.
+    unless defined?(Permission)
+      class Permission < ApplicationRecord
+        self.table_name = "permissions"
+      end
+    end
+
+    unless defined?(UserPermission)
+      class UserPermission < ApplicationRecord
+        self.table_name = "user_permissions"
+      end
+    end
+  end
+
+  def run_task
+    Rake::Task["legacy:user_permissions_to_comments"].invoke
+  end
+
+  let!(:user) { create(:user) }
+  let!(:permission) { Permission.create!(security_cat: "Manage Reports") }
+
+  it "creates a legacy comment on the user for each permission" do
+    UserPermission.create!(user_id: user.id, permission_id: permission.id)
+
+    expect { run_task }.to change { user.comments.count }.by(1)
+
+    comment = user.comments.last
+    expect(comment.body).to eq(
+      "Legacy data note: user had permission to Manage Reports. " \
+      "Deleted legacy permission tracking for all users on 2026-03-05.",
+    )
+  end
+
+  it "is idempotent when run multiple times" do
+    UserPermission.create!(user_id: user.id, permission_id: permission.id)
+
+    run_task
+    first_count = user.comments.count
+
+    expect { run_task }.not_to change { user.comments.count }
+    expect(user.comments.count).to eq(first_count)
+  end
+end