Privacy Policy
Last updated: February 23, 2026
1. Introduction and Data Controller
Creative Digital BV (besloten vennootschap), registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 94498156, with its registered office in Amsterdam, the Netherlands ("Creative Digital," "we," "us," or "our"), operates the LetWorkFlow.io platform (the "Service").
This Privacy Policy explains how we collect, use, disclose, store, and protect your Personal Data when you visit our website at www.letworkflow.io and use our Service. We are committed to protecting your privacy and processing your Personal Data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Dutch GDPR Implementation Act (Uitvoeringswet AVG), and other applicable data protection legislation.
For the purposes of the GDPR, Creative Digital BV is the Data Controller for the Personal Data we collect directly from you (e.g., account registration, billing, website usage). Where you use our Service to process Personal Data of your own clients, employees, or other individuals, you are the Data Controller and Creative Digital acts as the Data Processor on your behalf, governed by our Data Processing Agreement (DPA).
Data Protection Contact
For any questions or concerns about this Privacy Policy or our data practices, you may contact us at:
Creative Digital BV
Attn: Data Protection
Amsterdam, the Netherlands
Email: privacy@letworkflow.io
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation performed on Personal Data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
- "Data Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
- "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Customer Data" means all data that you or your Authorized Users submit to or generate through the Service, including data relating to your clients, projects, and financials.
- "Sub-Processor" means a third party engaged by Creative Digital to process Personal Data on behalf of the Customer.
3. Information We Collect
We collect and process the following categories of Personal Data:
3.1 Account and Registration Data
When you create an account or sign up for our Service, we collect:
- Full name
- Email address
- Company or organization name
- Phone number (optional)
- Profile photo or avatar (optional)
- Role and position within your organization
- Authentication credentials (password hash; we never store plaintext passwords)
3.2 Billing and Payment Data
When you subscribe to a paid plan, we collect:
- Billing name and address
- VAT identification number (for EU business customers)
- Payment method metadata (last four digits of card number, card type, expiration date)
- Transaction history and invoice records
Important: We do not store full credit card numbers, CVV/CVC codes, or other sensitive payment card data. All payment processing is handled by our PCI DSS-compliant payment processor, Stripe, Inc. See Section 7 for details.
3.3 Service Usage Data
When you use our Service, we may collect:
- Projects, jobs, activities, and tasks you create and manage
- Client profiles, contact information, and project data you enter
- Financial data you input (revenue, expenses, budgets, invoices)
- Documents you upload (files, images, PDFs)
- Comments, notes, and collaboration data
- Team member assignments, roles, and workload data
- Wellbeing check-in responses (if you use this optional feature)
- Activity logs and audit trails
3.4 Technical and Device Data
When you visit our website or use our Service, we automatically collect:
- IP address
- Browser type and version
- Operating system
- Device type and screen resolution
- Language preferences
- Referring URL and pages visited
- Date, time, and duration of visits
- Click patterns and interaction data
3.5 Communication Data
When you contact us or interact with our communications, we collect:
- Email correspondence and support requests
- Contact form submissions
- Newsletter subscription preferences
- Waitlist registration information (name, email, company name, team size)
- Feedback and survey responses
3.6 Interactive Tools and Calculator Data
When you use interactive tools on our website, such as the ROI Calculator, we collect:
- Responses to calculator questions (business type, team size, revenue range, current tools, weekly admin hours)
- Calculated results (estimated savings, ROI projections, recommended plan)
- Email address (only if you voluntarily provide it to receive your results)
- Marketing consent status (whether you opted in to receive marketing communications)
Calculator responses are stored locally in your browser session (sessionStorage) and are automatically cleared when you close your browser tab. If you provide your email address, your results and contact information are transmitted to our email service provider (ConvertKit) for delivery of your personalized report. No raw financial figures are sent to analytics services; only banded categories (e.g., "€20k-50k") are used for aggregate analysis.
Legal basis: Consent (Article 6(1)(a) GDPR) for marketing emails; Legitimate interest (Article 6(1)(f) GDPR) for transactional result delivery. You may request deletion of your calculator data at any time by contacting privacy@letworkflow.io.
3.7 Data You Process Through the Service
Because our Service is a work management platform, you may use it to process Personal Data of your own clients, employees, and contacts. You are the Data Controller for this data, and our processing of it is governed by our Data Processing Agreement. We process this data solely on your instructions and for the purpose of providing the Service.
4. Legal Basis for Processing
Under the GDPR, we process your Personal Data based on the following legal grounds (Article 6(1) GDPR):
4.1 Performance of a Contract (Article 6(1)(b))
We process your Personal Data as necessary to perform our contractual obligations to you, including:
- Creating and maintaining your account
- Providing access to the Service and its features
- Processing payments and managing subscriptions
- Providing customer support
- Sending transactional communications (e.g., billing confirmations, service updates)
4.2 Legitimate Interests (Article 6(1)(f))
We process certain Personal Data based on our legitimate interests, where those interests are not overridden by your data protection rights. Our legitimate interests include:
- Improving, maintaining, and securing the Service
- Analyzing usage patterns to enhance user experience
- Detecting, preventing, and addressing fraud, security threats, and technical issues
- Conducting aggregate analytics and benchmarking (using anonymized data)
- Marketing our Service to existing customers (with opt-out available)
- Enforcing our Terms of Service and protecting our legal rights
4.3 Consent (Article 6(1)(a))
Where required by law, we process your Personal Data based on your explicit consent, including:
- Setting non-essential cookies and analytics tracking (e.g., Google Analytics)
- Sending marketing communications and newsletters to prospective customers
- Processing optional data such as wellbeing check-in responses
You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. See Section 9 for how to exercise this right.
4.4 Legal Obligation (Article 6(1)(c))
We process Personal Data where necessary to comply with our legal obligations, including tax and accounting requirements, regulatory compliance, and responding to lawful requests from public authorities.
5. How We Use Your Information
We use the Personal Data we collect for the following purposes:
- Service Delivery: To provide, operate, maintain, and improve the Service, including processing your data, managing your account, and enabling collaboration features.
- Payment Processing: To process subscription payments, generate invoices, manage billing, and handle refunds.
- Communication: To send transactional emails (account confirmations, billing receipts, service notifications), respond to support requests, and communicate important updates about the Service.
- Marketing: To send promotional communications about our Service, new features, and relevant content, where you have opted in or where we rely on legitimate interests (with opt-out available).
- Analytics and Improvement: To analyze usage patterns, monitor Service performance, identify trends, and improve the functionality and user experience of the Service.
- Security: To detect, prevent, and respond to fraud, unauthorized access, security incidents, and other harmful or illegal activities.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable government requests.
- Audit and Accountability: To maintain audit logs for security, compliance, and troubleshooting purposes.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your Personal Data to third parties. We may share your Personal Data only in the following limited circumstances:
6.1 Sub-Processors and Service Providers
We share Personal Data with trusted third-party service providers who assist us in operating the Service. These sub-processors are contractually bound to process Personal Data only on our instructions and in compliance with the GDPR. Our current sub-processors include:
- Google Cloud Platform / Firebase (Google LLC, USA) — Cloud infrastructure, database hosting (Firestore), file storage (Cloud Storage), authentication (Firebase Auth), serverless computing (Cloud Functions). Data hosted in the EU (europe-west1 region). Google participates in the EU-U.S. Data Privacy Framework.
- Stripe, Inc. (USA) — Payment processing, subscription management, invoicing. Stripe is PCI DSS Level 1 certified. Stripe participates in the EU-U.S. Data Privacy Framework.
- Google Analytics (Google LLC, USA) — Website analytics and usage tracking, activated only with your consent. IP anonymization is enabled.
- ConvertKit / Kit (USA) — Email newsletter delivery, waitlist management, and ROI Calculator result delivery for marketing and transactional communications. ConvertKit’s DPA is available at kit.com/privacy.
A complete and current list of our sub-processors is available upon request by contacting privacy@letworkflow.io. We will notify you of any material changes to our sub-processor list.
6.2 Legal Requirements
We may disclose your Personal Data if required to do so by law or in the good faith belief that such disclosure is necessary to: (a) comply with a legal obligation, court order, or regulatory requirement; (b) protect and defend the rights, property, or safety of Creative Digital, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) respond to a lawful request from a public authority.
6.3 Business Transfers
In the event of a merger, acquisition, corporate reorganization, bankruptcy, or sale of all or a portion of our assets, your Personal Data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data.
6.4 With Your Consent
We may share your Personal Data with third parties when you give us explicit consent to do so.
7. International Data Transfers
Creative Digital is based in the Netherlands, and your Personal Data is primarily stored and processed within the European Economic Area (EEA). However, some of our sub-processors are located in the United States or other countries outside the EEA.
When we transfer Personal Data outside the EEA, we ensure that appropriate safeguards are in place as required by Chapter V of the GDPR, including:
- Adequacy Decisions: Transfers to countries that the European Commission has determined provide an adequate level of data protection.
- EU-U.S. Data Privacy Framework: Transfers to US-based sub-processors that have been certified under the EU-U.S. Data Privacy Framework (e.g., Google, Stripe).
- Standard Contractual Clauses (SCCs): Where no adequacy decision or framework certification exists, we rely on the European Commission's Standard Contractual Clauses as the basis for transfer, supplemented by additional technical and organizational measures where necessary.
You may request information about the specific safeguards applied to transfers of your Personal Data by contacting privacy@letworkflow.io.
8. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, or as required by applicable law. Our specific retention periods are:
- Account Data: Retained for the duration of your active account. Upon account deletion or termination, account data is deleted within thirty (30) days, unless retention is required by law.
- Customer Data: Retained for the duration of your Subscription. Upon cancellation or termination, Customer Data is available for export for thirty (30) days and permanently deleted thereafter, unless retention is required by law.
- Billing and Financial Data: Retained for seven (7) years after the end of the relevant financial year, as required by Dutch tax and accounting legislation (Algemene wet inzake rijksbelastingen).
- Communication Data: Support correspondence is retained for three (3) years from the date of last interaction for quality assurance and legal compliance purposes.
- Technical and Analytics Data: Retained for twenty-six (26) months from the date of collection (aligned with Google Analytics default retention settings).
- Marketing Data: Retained until you unsubscribe or withdraw consent, plus a suppression record to ensure we honor your opt-out preference.
- Calculator Data: Email-linked calculator results are retained for twelve (12) months from the date of submission, then automatically deleted. Browser session data (sessionStorage) is cleared automatically when you close the tab.
- Audit Logs: Retained for three (3) years for security, compliance, and troubleshooting purposes.
When Personal Data is no longer needed, it is securely deleted or anonymized in accordance with our data destruction procedures.
9. Your Rights Under the GDPR
As a Data Subject under the GDPR, you have the following rights regarding your Personal Data. You may exercise these rights at any time by contacting us at privacy@letworkflow.io or by using the tools provided within the Service.
9.1 Right of Access (Article 15)
You have the right to request confirmation of whether we process your Personal Data and to obtain a copy of the Personal Data we hold about you. We will respond to your request within thirty (30) days.
9.2 Right to Rectification (Article 16)
You have the right to request the correction of inaccurate Personal Data and the completion of incomplete Personal Data. You can update most of your information directly through your Account settings.
9.3 Right to Erasure (Article 17)
You have the right to request the deletion of your Personal Data when: (a) it is no longer necessary for the purposes for which it was collected; (b) you withdraw your consent and no other legal basis exists; (c) you object to the processing and no overriding legitimate grounds exist; or (d) the data has been unlawfully processed. This right is subject to our legal obligations to retain certain data (e.g., financial records).
9.4 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing of your Personal Data when: (a) you contest the accuracy of the data; (b) the processing is unlawful and you oppose erasure; (c) we no longer need the data but you need it for legal claims; or (d) you have objected to processing pending verification.
9.5 Right to Data Portability (Article 20)
You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. The Service provides built-in data export functionality to facilitate this right.
9.6 Right to Object (Article 21)
You have the right to object to the processing of your Personal Data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing without exception. For objections based on other grounds, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
9.7 Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent by:
- Adjusting your cookie preferences via our cookie consent banner;
- Clicking the "unsubscribe" link in any marketing email;
- Updating your communication preferences in your Account settings;
- Contacting us at privacy@letworkflow.io.
9.8 Right Not to Be Subject to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Creative Digital does not currently engage in solely automated decision-making that produces legal or similarly significant effects on individuals.
9.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your Personal Data violates the GDPR. The lead supervisory authority for Creative Digital BV is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Bezuidenhoutseweg 30
2594 AV The Hague, the Netherlands
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 85 00
You may also lodge a complaint with the supervisory authority in the EU member state where you reside or work, or where the alleged infringement occurred.
9.10 How to Exercise Your Rights
To exercise any of the rights described above, please contact us at privacy@letworkflow.io. We may need to verify your identity before fulfilling your request. We will respond to your request within thirty (30) days. If the request is complex or we receive a large number of requests, we may extend this period by an additional sixty (60) days, in which case we will notify you of the extension and the reasons for it.
There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
10. Additional Rights for United States Residents
10.1 California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your Personal Information:
- Right to Know: You have the right to request disclosure of the categories and specific pieces of Personal Information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of your Personal Information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate Personal Information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your Personal Information for cross-context behavioral advertising purposes. Therefore, there is no need to opt out.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise your CCPA/CPRA rights, contact us at privacy@letworkflow.io. We will verify your identity and respond within forty-five (45) days.
10.2 Other US State Privacy Laws
Residents of other US states with comprehensive privacy legislation (including Virginia, Colorado, Connecticut, Utah, and others) may have similar rights. Please contact us at privacy@letworkflow.io to exercise any applicable rights under your state's privacy law.
11. Cookies and Tracking Technologies
11.1 What Are Cookies
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work efficiently and to provide information to website owners.
11.2 Cookies We Use
We use the following categories of cookies:
- Strictly Necessary Cookies: These cookies are essential for the operation of our website and Service. They enable core functionality such as security, session management, and accessibility. These cookies do not require your consent.
- Analytics Cookies: We use Google Analytics (with IP anonymization enabled) to understand how visitors interact with our website. These cookies are only placed with your explicit consent. You can opt out at any time through our cookie consent banner.
- Functional Cookies: These cookies remember your preferences (e.g., language, region) and provide enhanced, personalized features.
We do not use advertising or targeting cookies. We do not engage in cross-site tracking or behavioral advertising.
11.3 Managing Your Cookie Preferences
When you first visit our website, you are presented with a cookie consent banner that allows you to accept or reject non-essential cookies. You can change your preferences at any time by:
- Clicking the cookie preferences link in the website footer;
- Adjusting your browser settings to block or delete cookies;
- Using browser extensions that manage cookie consent.
Please note that disabling certain cookies may affect the functionality of our website.
12. Data Security
Creative Digital implements comprehensive technical and organizational security measures to protect your Personal Data against unauthorized access, alteration, disclosure, destruction, and loss. Our security measures include:
12.1 Technical Measures
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS (Transport Layer Security).
- Encryption at Rest: Data stored in our databases and file storage is encrypted at rest using industry-standard encryption provided by Google Cloud Platform.
- Authentication Security: Session tokens are stored in session storage (not local storage) to mitigate XSS risks. Firebase ID tokens are validated on every API request.
- Access Controls: Role-based access control (RBAC) is enforced at both the application level and the infrastructure level. Access to production systems is restricted to authorized personnel.
- Infrastructure Security: Our infrastructure is hosted on Google Cloud Platform, which maintains ISO 27001, SOC 1/2/3, and other certifications.
- Secrets Management: Sensitive configuration and API keys are stored in Google Cloud Secret Manager, not in application code.
12.2 Organizational Measures
- SOC 2 Type II Compliance: Creative Digital maintains security practices aligned with SOC 2 Type II standards covering security, availability, and confidentiality.
- Audit Logging: Comprehensive audit logs are maintained for all access to and modifications of sensitive data.
- Account Isolation: Multi-tenant architecture with strict account boundary enforcement ensures that customer data is isolated between organizations.
- Incident Response: We maintain an incident response plan for prompt detection, response, and notification of security incidents.
- Vendor Assessment: All third-party sub-processors are evaluated for security and compliance before engagement.
While we take extensive measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we commit to promptly notifying affected parties and the relevant supervisory authority in the event of a Personal Data breach, as required by the GDPR.
13. Data Breach Notification
In the event of a Personal Data breach, Creative Digital will:
- Notify the relevant supervisory authority (Autoriteit Persoonsgegevens) without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, as required by Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- Notify affected Data Subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR;
- Where Creative Digital is acting as a Data Processor, notify the Data Controller (you) without undue delay upon becoming aware of a breach involving your Customer Data;
- Document all breaches, including the facts, effects, and remedial actions taken, regardless of whether notification is required.
14. Children's Privacy
Our Service is designed for business use and is not intended for children. We do not knowingly collect Personal Data from children under the age of sixteen (16), which is the applicable age of digital consent under the Dutch GDPR Implementation Act. If you are a parent or guardian and believe that your child has provided us with Personal Data, please contact us at privacy@letworkflow.io. If we discover that we have collected Personal Data from a child under 16 without appropriate parental consent, we will take steps to delete that information promptly.
15. Third-Party Links and Services
Our website and Service may contain links to third-party websites, services, or applications that are not operated by Creative Digital. We are not responsible for the privacy practices, content, or security of these third-party sites. We encourage you to review the privacy policies of any third-party services you access through our website or Service. This Privacy Policy applies solely to information collected by Creative Digital through our website and Service.
16. Data Processing Agreement
Where you use our Service to process Personal Data and Creative Digital acts as your Data Processor, the terms of our Data Processing Agreement (DPA) apply in addition to this Privacy Policy. The DPA addresses:
- The scope, nature, and purpose of data processing;
- The types of Personal Data processed and categories of Data Subjects;
- The obligations and rights of the Data Controller and Data Processor;
- Sub-processor management and notification procedures;
- Data security measures and breach notification obligations;
- Audit rights and cooperation with supervisory authorities;
- Data return and deletion upon termination.
To request a copy of our DPA, please contact legal@letworkflow.io.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- Material Changes: We will provide at least thirty (30) days' prior notice via email to the address associated with your Account and by posting the updated policy on this page. Material changes include changes to the types of data collected, purposes of processing, data sharing practices, or your rights.
- Non-Material Changes: We will update this page and change the "Last updated" date.
- Continued Use: Your continued use of the Service after the effective date of any change constitutes your acceptance of the updated Privacy Policy. Where changes require your consent under the GDPR, we will obtain that consent before the changes take effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Creative Digital BV
Attn: Data Protection
Amsterdam, the Netherlands
Chamber of Commerce (KvK): 94498156
- Data Protection Inquiries: privacy@letworkflow.io
- General Legal: legal@letworkflow.io
- Data Subject Requests: privacy@letworkflow.io
- Security Concerns: security@letworkflow.io
We aim to respond to all privacy-related inquiries within thirty (30) days of receipt.