Privacy Policy
Your privacy is important to us. This policy explains how LetWorkFlow.io collects, uses, and protects your information when you use our workflow management platform. We are committed to transparency and compliance with GDPR, CCPA, and other data protection laws.
Privacy Policy for LetWorkFlow.io
Effective Date: August 13, 2025
Last Updated: August 13, 2025
1. Introduction
Welcome to LetWorkFlow.io ("we," "our," "us," "the Platform"), operated by Creatief Digital B.V., a company registered in the Netherlands. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our workflow management and billing platform.
This policy applies to all users of our services, including account owners, team members, clients, freelancers, and website visitors. By using LetWorkFlow.io, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, company name, business address, phone number, timezone
- Billing Information: Billing address, VAT number (for EU businesses), subscription plan selection (payment processing handled by Stripe - we never store credit card details)
- Profile Information: Professional title, photo (optional), role within organization
- Business Data: Projects, tasks, jobs, clients, revenue entries, expense records, time tracking data, financial reports
- Documents: Files you upload including contracts, invoices, project documents, deliverables
- Communications: Messages, comments, task descriptions, project notes
2.2 Information We Collect Automatically
- Usage Data: Features accessed, actions performed, frequency of use, workflow patterns
- Device and Browser Information: IP address, browser type and version, operating system, device type
- Log Data: Access timestamps, pages viewed, API calls made, error logs, performance metrics
- Cookies: Session cookies for authentication, preference cookies for user settings, Google Analytics cookies for usage analytics
2.3 Information from Third-Party Integrations
Upwork Integration (Optional - only when you explicitly connect your account):
- Profile information (name, email, freelancer/client status)
- Active contracts and job postings
- Time tracking entries and work diary data
- Payment and milestone information
- Messages related to contracts (metadata only)
Stripe Integration:
- Subscription status and payment confirmations
- Invoice status updates
- Customer ID for payment management
3. How We Use Your Information
3.1 Core Service Functions
- Provide access to workflow management tools
- Process subscriptions and calculate usage-based billing
- Generate financial reports and analytics
- Facilitate team collaboration and project management
- Create and manage secure document access with time-limited URLs
- Track billable seats for accurate subscription billing
3.2 Security and Compliance
- Authenticate users and maintain session security
- Enforce role-based access controls (RBAC)
- Maintain comprehensive audit logs for all document access
- Detect and prevent fraud, unauthorized access, and abuse
- Comply with tax regulations and financial reporting requirements
3.3 Communications
- Send transactional emails (invoices, payment confirmations, password resets)
- Deliver in-platform notifications about project updates
- Provide customer support responses
- Send critical security alerts and platform updates
- Marketing communications (only with explicit opt-in consent)
3.4 Service Improvement
- Analyze usage patterns to improve features
- Monitor system performance and reliability
- Develop new features based on user behavior
- Conduct internal analytics and reporting
4. Legal Basis for Processing (GDPR)
We process personal data based on:
- Contractual Necessity: To provide the services you've subscribed to
- Legal Obligations: To comply with tax, accounting, and data retention laws
- Legitimate Interests: For security, fraud prevention, and service optimization
- Consent: For optional features, marketing communications, and third-party integrations
5. Data Sharing and Disclosure
We share your information only in these specific circumstances:
5.1 Service Providers
- Stripe: Payment processing, subscription management, and invoicing
- Google Cloud Platform: Data storage and infrastructure (europe-west1 region for EU data)
- Email Service Providers: Transactional email delivery
- Upwork: Only when you explicitly authorize the OAuth connection
5.2 Within Your Organization
- Team members access data based on assigned roles (Admin, Manager, Member, Viewer)
- Project data shared according to your configured permissions
- Financial data visible based on role-based access controls
5.3 Legal Requirements
- When required by law, court order, or legal process
- To protect our rights, property, or safety
- To investigate potential violations of our Terms of Service
- In connection with a business transaction (merger, acquisition, or asset sale)
We never sell your personal data to third parties.
6. Data Security
We implement comprehensive security measures:
6.1 Technical Safeguards
- Encryption: AES-256-GCM for sensitive data at rest, TLS 1.3 for data in transit
- Access Control: Multi-layered RBAC with granular permissions
- Authentication: Secure session management with optional multi-factor authentication
- Document Security: Time-limited signed URLs (5-10 minute expiration) for sensitive documents
- API Security: Rate limiting, request signing, and webhook signature verification
6.2 Operational Security
- Comprehensive audit logging of all data access attempts
- Real-time anomaly detection and threat monitoring
- Regular security updates and patches
- Incident response procedures
- Employee access restricted on a need-to-know basis
7. Data Retention
We retain data according to these schedules:
- Active Account Data: Duration of your subscription
- Closed Account Data: 30 days after account closure for recovery purposes
- Financial Records: 7 years for tax and regulatory compliance
- Audit Logs: 90 days for access logs, 2 years for compliance-related logs
- Deleted Content: 30 days in backup systems for recovery
- Upwork Sync Data: Refreshed regularly while integration is active, deleted upon disconnection
8. Your Privacy Rights
8.1 Rights for EU/EEA Residents (GDPR)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to certain processing activities
- Withdraw Consent: Withdraw consent for processing based on consent
8.2 Rights for California Residents (CCPA)
You have the right to:
- Know: What personal information we collect, use, and share
- Delete: Request deletion of your personal information
- Opt-Out: We do not sell personal information
- Non-Discrimination: Equal service regardless of exercising privacy rights
To exercise any of these rights, contact us at hello@letworkflow.io.
9. International Data Transfers
As we expand globally, your data may be processed in different regions:
- EU Data: Primarily processed in europe-west1 (Netherlands)
- US Data: Will be processed in US regions when we launch there
- Safeguards: We recommend implementing Standard Contractual Clauses for international transfers
We ensure appropriate protections for international transfers through technical and organizational measures.
10. Cookies and Tracking Technologies
We use cookies for:
- Essential Functions: Authentication, security, session management
- Preferences: Language, timezone, display settings
- Analytics: Google Analytics for usage patterns and platform improvement
Managing Cookies: You can control cookies through your browser settings. Disabling essential cookies may impact platform functionality.
Google Analytics: We use Google Analytics to understand platform usage. You can opt out using the Google Analytics Opt-out Browser Add-on.
11. Children's Privacy
LetWorkFlow.io is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we discover we have collected information from a child under 16, we will promptly delete it.
12. Third-Party Links
Our platform may contain links to third-party services (Stripe, Upwork). We are not responsible for their privacy practices. Please review their privacy policies before providing information to them.
13. Data Breach Notification
In the event of a data breach affecting your personal data:
- We will notify affected users within 72 hours of discovery (as required by GDPR)
- We will provide details about the nature and scope of the breach
- We will describe measures taken to address the breach
- We will recommend protective steps you can take
14. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via:
- Email notification to account administrators
- In-platform notifications
- Prominent notice on our website
The "Last Updated" date at the top reflects the most recent revisions.
15. Contact Information
For privacy inquiries, requests, or concerns:
Data Controller:
Creatief Digital B.V.
Amsterdam, Netherlands
Email: hello@letworkflow.io
Data Protection Officer:
Christopher
Email: hello@letworkflow.io
EU Residents: You may also lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.
16. Governing Law
This Privacy Policy is governed by the laws of the Netherlands. Any disputes shall be subject to the exclusive jurisdiction of the courts in Amsterdam, Netherlands.


