Privacy Policy

Last updated: March 30, 2026

Overview

WorkApps ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform (the "Service"), including workapps.tech, app.workapps.tech, docs.workapps.tech, workapps.run, and associated subdomains. By using the Service, you agree to the collection and use of information as described in this policy.

Information We Collect

Information you provide directly:

  • Account information: Your name and email address when you register. Authentication is handled via third-party sign-in providers (Google, Microsoft), email-based magic link, or enterprise SSO — WorkApps does not collect or store passwords.
  • Organization information: Your organization or company name, if provided.
  • Payment information: When you add a payment method, your billing details (card number, expiry, CVV) are collected and processed directly by our payment processor, Stripe. WorkApps does not store raw card data — we store only a tokenized reference and the last four digits of your card for display purposes. Stripe's privacy policy governs their handling of payment data.
  • Tool content: The files you upload (HTML, CSS, JavaScript, and related assets) when publishing tools to the Service, as well as files uploaded as record attachments via the Data API.
  • Application data: Structured data records stored via the WorkApps Data API, including entity schemas, field values, and JSONB record content created by your workflow applications.
  • Communications: Messages you send to us via email or support channels.

Information collected automatically:

  • Usage data: Pages visited, features used, actions taken, and timestamps of your interactions with the Service.
  • Device and browser information: IP address, browser type and version, operating system, and device identifiers.
  • Log data: Server logs including access times, referring URLs, and error logs.
  • Cookies and similar technologies: See the Cookies section below.

How We Use Your Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Service
  • Process and host the tools you publish and serve them to your authorized team members
  • Process payments and manage your subscription
  • Send transactional and product communications including receipts, security alerts, account notifications, onboarding reminders, trial status updates, and upgrade suggestions related to your account and service usage
  • Respond to your support requests and communications
  • Monitor usage patterns and analyze trends to improve the Service
  • Detect, investigate, and prevent abuse, fraud, impersonation, and violations of our Terms of Service
  • Comply with legal obligations and respond to lawful requests from authorities
  • Enforce our Terms of Service and protect the rights and safety of WorkApps and its users

We do not use your content (uploaded tools, file attachments, and application data records) for any purpose other than hosting, serving, and enforcing our Terms of Service.

Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service providers: We share data with third-party vendors who help us operate the Service. These include:
    • Hosting and infrastructure: DigitalOcean (application servers and primary database), Cloudflare (content delivery, DNS, R2 object storage for uploaded tools and file attachments)
    • Payments: Stripe (payment processing and billing)
    • Email: Postmark (transactional email delivery for account and system notifications)
    • Analytics: PostHog (product analytics and usage tracking on the WorkApps platform at workapps.tech and app.workapps.tech)
    • Enterprise SSO: WorkOS (SAML/SSO authentication for Enterprise accounts; processes authentication identity data on our behalf)
    • Compliance data planes: DigitalOcean (managed PostgreSQL clusters provisioned for Enterprise accounts with isolated data plane requirements; data stored in these clusters is processed under DigitalOcean's data processing terms)
    • Uptime monitoring: OhDear (external availability monitoring of platform components)
    • Error monitoring: Laravel Nightwatch (application error tracking and performance monitoring)
    All service providers are contractually bound to use your data only for the purposes of providing services to us and to protect it appropriately.
  • Legal process and law enforcement: We may disclose your information — including account details, content, and access logs — in response to valid legal requests such as subpoenas, court orders, or government investigations. We may also proactively share information with law enforcement where we believe it is necessary to prevent or respond to illegal activity, fraud, abuse, or threats to safety. Where permitted by law, we will notify affected users of legal requests.
  • Abuse and impersonation reports: Where a user's content or conduct is found to impersonate or harm a third party, we may disclose relevant account information and content to the affected organization or individual, or their legal representatives, as part of our abuse remediation process.
  • Business transfers: If WorkApps is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
  • With your consent: We may share information in any other circumstance where you have given us explicit consent to do so.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

  • Active accounts: Account and content data is retained for the duration of your subscription.
  • Account deletion: When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law or legitimate business necessity (e.g., billing records, dispute resolution).
  • Terminated accounts (for cause): Where an account is terminated due to a violation of our Terms of Service — including abuse, impersonation, or illegal activity — we may retain relevant account data, content, and logs for up to 7 years for legal, compliance, and law enforcement purposes.
  • Billing records: Payment and transaction records are retained for a minimum of 7 years as required by applicable financial regulations.
  • Legal holds: Data subject to a legal hold (e.g., in connection with a subpoena or ongoing investigation) will be retained until the hold is lifted.
  • Audit logs: Platform activity records are maintained as an immutable audit log for security and compliance integrity. These records may reference your account identifier even after account deletion and are not subject to erasure requests, as deletion would compromise the integrity of the audit chain. Personal identifying information within audit logs is minimized, and audit logs are not used for any purpose other than security, compliance, and legal obligations.

Data Storage and Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Your published tools are stored securely and are only accessible to members of your team through authenticated access. Authorized WorkApps personnel may access your account session for support, debugging, or investigation purposes. All such access is recorded in an immutable audit log. However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you without undue delay and within the timeframes required by applicable law. Where feasible, we will provide notification within 72 hours of becoming aware of the breach. Notification will describe the nature of the breach, the data affected, likely consequences, and the measures we are taking to address it.

Cookies

We use the following categories of cookies:

  • Essential cookies: Required for the Service to function, including session authentication and security tokens. These cannot be disabled.
  • Preference cookies: Store your settings such as theme preference (light/dark mode).
  • Analytics cookies: PostHog is used to understand how the Service is used. PostHog may collect event data, session information, and device details. You can review PostHog's privacy policy at posthog.com/privacy. Analytics are collected on the WorkApps platform (workapps.tech, app.workapps.tech). Analytics data is routed through a WorkApps-operated proxy (e.workapps.tech) before reaching PostHog's servers. The developer documentation portal (docs.workapps.tech) collects anonymous page view events using memory-only storage — no cookies or persistent identifiers are used. The runtime domain (workapps.run) where hosted apps are served does not load third-party analytics on behalf of app end-users. We honor the Do Not Track (DNT) browser signal. When DNT is enabled, analytics tracking is disabled.

You can control non-essential cookie settings through your browser preferences. Disabling essential cookies will prevent the Service from functioning correctly.

Children's Privacy

The Service is not intended for use by children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 16, please contact us at [email protected].

Your Rights

Subject to applicable law, you have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your account and associated personal data, subject to retention obligations described above.
  • Export: Export your personal data at any time through your account settings. Organization administrators on Enterprise and Compliance plans may additionally export full organization data — including members, apps, schemas, and records.
  • Objection: Object to processing of your personal data for certain purposes.
  • Opt-out of communications: Unsubscribe from non-essential marketing communications at any time. Transactional and security communications cannot be opted out of while your account is active.

Please note that certain data — specifically immutable audit log records maintained for security and compliance integrity — cannot be erased even upon request. See the Data Retention section for details.

GDPR — European Users

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional rights and protections apply under the General Data Protection Regulation (GDPR) and equivalent legislation:

  • Legal basis: We process your data on the following legal bases: performance of a contract (to provide the Service), legitimate interests (security, fraud prevention, service improvement), legal obligation (compliance with law), and consent (where explicitly obtained).
  • Data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
  • Restriction: You may request that we restrict processing of your data in certain circumstances.
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

Data transfers outside the EEA are subject to appropriate safeguards including Standard Contractual Clauses where required.

CCPA — California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following additional rights:

  • Know: The right to know what personal information we collect, use, disclose, and sell.
  • Delete: The right to request deletion of your personal information, subject to certain exceptions.
  • Opt-out of sale: We do not sell personal information. There is nothing to opt out of.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your California privacy rights, contact us at [email protected]. We will respond within 45 days as required by law.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and where practicable, by email or in-app notification. Continued use of the Service after changes constitutes acceptance of the revised policy.

Contact Us

For questions or requests regarding this Privacy Policy or your personal data, contact us at [email protected].

To report a privacy violation, data breach concern, or abuse, contact us at [email protected].