Privacy Policy

1. What We Collect

We collect and process the following categories of personal data:

• Account information: your name, email address, and role within your company
• Work data: logged hours, project assignments, expense reports, and approval status
• Uploaded files: receipt images, project photos, and documents stored in our system
• Device information: browser type, operating system, and IP address for security and troubleshooting
• Usage data: feature interactions and page visits to improve the product (no third-party analytics)

2. Google OAuth & Integrations

Worklogix offers optional Google integrations for email sending and calendar sync. When you connect your Google account, we request specific permissions:

• Gmail send access: allows you to send emails (e.g., project reports) from your own email address directly through Worklogix. We only send emails when you explicitly initiate the action. We never read your inbox.
• Google Calendar access: allows Worklogix to create and update calendar events for your projects. This is a one-way sync from Worklogix to your calendar.
• OAuth tokens are encrypted using AES-256-GCM before storage and are only decrypted at the moment of use.
• You can revoke Google access at any time from your profile settings or from your Google account security page.

3. How We Store Data

All data is stored in a PostgreSQL database hosted by Supabase, with servers located in the European Union. Data is encrypted at rest and in transit (TLS 1.2+). File uploads (receipts, photos) are stored in encrypted cloud storage buckets within the EU.

We apply Row-Level Security (RLS) at the database level to enforce strict tenant isolation, ensuring that each company's data is accessible only to its own members.

4. Who Sees Your Data

• Your company administrators and managers can view your work data (hours, projects, expenses) as part of normal business operations.
• WhatComesNext staff may access data solely for technical support, debugging, or legal compliance. We do not access data for any other purpose.
• We do not sell, rent, or share your personal data with third parties for marketing purposes.
• We use Stripe for payment processing. Stripe receives only the billing information necessary to process payments, subject to their own privacy policy.

5. Cookies

Worklogix uses only essential session cookies required for authentication and security. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No consent banner is needed because we only set strictly necessary cookies.

6. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data ("right to be forgotten")
• Right to data portability: receive your data in a structured, machine-readable format
• Right to restrict processing: request that we limit how we use your data
• Right to object: object to processing of your data in certain circumstances

To exercise any of these rights, contact us at support@worklogix.app. We will respond within 30 days.

7. Data Retention

We retain your personal data for as long as your account is active and your company maintains its subscription. If your account is deleted or your company terminates its subscription, all associated personal data is permanently purged within 30 days. Anonymized, aggregated data (which cannot identify you) may be retained for product improvement purposes.

8. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify affected users via email. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

9. Contact

If you have questions about this privacy policy or our data practices, contact us at: