Privacy Policy

• Account data: email, password hash, full name, optional business name, tax ID, address, contact phone.
• Workspace data you enter: clients, projects, tasks, time entries, expenses, invoices, and any uploaded files (logos, expense receipts, task attachments). This may include personal data of your own clients - you are the controller of that data.
• Authentication metadata: sign-in timestamps, session tokens, IP address used during sign-in (handled by our authentication provider).
• Cookies / local storage: only what is required for your session and theme preference. We do not use advertising cookies.

• To provide the service (legal basis: performance of contract).
• To keep the service secure and prevent abuse (legitimate interest).
• To respond to support requests you send us (legitimate interest).

We do not sell your data and we do not use it to train AI models.

We rely on the following sub-processors to operate the service:

• Lovable Cloud / Supabase - database, authentication, file storage.
• Google - optional Google sign-in (only if you choose it).
• Cloudflare - hosting and edge runtime.

Hosting region: EU - Stockholm, Sweden (database, authentication, and file storage).

Workspace data is kept for as long as your account is active. When you delete your account from Settings, all rows you own and your uploaded files are removed within 30 days, and your authentication record is deleted immediately. Encrypted off-site backups are rotated within 30 days.

You have the right to access, rectify, export, restrict, or delete your personal data:

• Access / portability: use "Export my data" in Settings to download a JSON copy.
• Rectification: edit your profile and workspace data at any time.
• Erasure: use "Delete account" in Settings.
• For anything else, contact us.

Workspace rows are isolated per user via row-level security on the database. Files are stored in private buckets and served via short-lived signed URLs. Passwords are hashed by our authentication provider. Despite reasonable safeguards, no system is perfectly secure - report suspected vulnerabilities via our contact form.

When you store personal data of third parties (your clients, contacts) in Workpilot, you are the controller and we are the processor under GDPR. The terms below apply.

• Subject matter and duration: we process the personal data you upload only to provide the service, for the duration of your account and until 30 days after deletion.
• Categories of data: name, email, phone, address, tax ID, free-text notes, attachments you upload.
• Data subjects: your end-clients, contacts, and people referenced in your tasks/expenses.
• Sub-processors: as listed in section 3 above. We will notify you in advance of any change.
• International transfers: where data is transferred outside your region, we rely on the EU Standard Contractual Clauses (or equivalent UK addendum) flowing from our agreements with our sub-processors.
• Security measures: row-level security per tenant, private storage buckets with short-lived signed URLs, TLS in transit, encryption at rest, limited internal access on a need-to-know basis.
• Assistance and audits: we will help you respond to data-subject requests via the Settings export/delete tools, and provide reasonable cooperation for audits to the extent required by law.
• Deletion: on termination, your data is deleted as described in section 4.

We will post material changes here and update the "Last updated" date.