Privacy Policy

Document ID: WST-POL-PRIV-v1.0 · Effective Date: 2 May 2026 · Governing Law: Delaware, USA

This Privacy Policy explains how Workestra LLC ("Workestra", "we", "us") collects, uses, shares, and protects personal data when you use the Workestra platform at workestra.app (the "Service"). It covers both data processed about visitors and account holders ("you") and personal data uploaded into a workspace by our customers about their own end users.

Workestra serves customers internationally. The Service is operated from the United States; EU-based customers benefit from the additional safeguards described below, including the Standard Contractual Clauses and our Data Processing Agreement.

1. Roles: Controller vs. Processor

Scenario	Workestra's Role	Customer's Role
Visitor uses workestra.app	Controller	n/a
Account holder signs up, manages billing	Controller	n/a
Customer uploads CRM contacts, deals, tickets, candidates, time entries, etc. into a workspace	Processor	Controller
Workestra processes workspace data on the customer's instructions	Processor	Controller

Where Workestra acts as a Processor, processing is governed by our Data Processing Agreement.

2. Who We Are


Legal entity	Workestra LLC
Registered office	[Registered office — to be confirmed before launch]
Privacy contact	privacy@workestra.app
Data Protection Officer (EU customers)	dpo@workestra.app
Security disclosures	security@workestra.app

3. Data We Collect

3.1 Account and Workspace Setup

Category	Examples
Account data	Name, email, password hash, organization name, role, locale, time zone
Workspace metadata	Workspace name, plan, modules enabled, admin assignments
Billing data	Billing contact, invoicing address, tax ID, last four digits of payment method (full card data is held by our payment processors)

3.2 Workspace Content (Customer Data)

When you use the Service, your workspace stores content you create or import:

Module	Examples of personal data processed
CRM	Contacts, deals, leads, communications
Recruiting	Candidates, applications, interview notes
Projects	Tasks, comments, time entries, mentions
Support	Tickets, customer correspondence, attachments
Finance	Invoices, payment records, banking transaction metadata (when banking integrations are enabled)
People	Employee records, time-off requests
Knowledge Base	Articles, attachments
Inbox / Inbound	Emails, voice transcripts, SMS messages

Workestra does not access workspace content except as necessary to operate, secure, and support the Service.

3.3 Usage and Technical Data

Category	Examples	Purpose
Product analytics	Pages viewed, features used, session duration, performance timings	Improving the Service
Audit logs	Authentication events, admin actions, API and MCP calls	Security, compliance
Device and connection	IP address, browser, OS, device type	Security and abuse prevention
Cookies	See our Cookie Policy	Session, preferences, analytics

3.4 AI Conversation Logs

When workspace users interact with Workestra's AI features (Cmd+K hybrid search, the conversational AI panel, or AI tools through the API/MCP server), conversation prompts and responses may be stored in your workspace for context, history, and audit purposes. The actual model inference is performed by the AI provider configured for your workspace (see Section 8).

4. Why We Process Personal Data and Legal Bases

For European Economic Area, UK, and Swiss data subjects, the legal bases under the GDPR are:

Processing Purpose	Legal Basis
Providing the Service to a workspace owner	Contract performance
Onboarding, billing, and support	Contract performance and legal obligation
Security, fraud prevention, abuse mitigation	Legitimate interest
Product analytics and improvement (aggregated)	Legitimate interest
Marketing communications to administrators	Legitimate interest with right to object, or consent where required
Compliance with tax, accounting, and other laws	Legal obligation
Processing workspace content on customer instructions	Customer's legal basis (we are Processor)

5. How We Use Personal Data

We process personal data to:

Provision workspaces, authenticate users, and deliver the Service
Process payments and issue invoices
Provide customer support and communicate operational notices
Detect and prevent fraud, abuse, and security incidents
Improve product features, performance, and reliability
Comply with legal, regulatory, and audit obligations
Send relevant product and security announcements (you can opt out of marketing email)

6. Data Retention

Category	Retention	Reason
Active workspace content	Duration of subscription + 30 days after cancellation	Service provision and grace period
Cancelled workspace content	Permanently deleted at end of 30-day grace period	Customer instruction
Billing records	7 years after the relevant transaction	Tax and accounting law
Audit and security logs	12 months rolling	Security investigations
Marketing consent records	Until withdrawn + a reasonable proof-of-consent period	Compliance
Backups	Up to 35 days rolling	Disaster recovery

If a customer requests earlier deletion, we honor it subject to legal-hold obligations.

We do not sell personal data. We share data only with vetted sub-processors that help us run the Service. The current list, including purpose and region, is published at /legal/subprocessors.

We may also disclose data:

To comply with applicable law, court order, or legal process
To enforce our Terms of Service or Acceptable Use Policy
To protect the rights, property, or safety of Workestra, our customers, or others
In connection with a corporate transaction (merger, acquisition, sale of assets), subject to confidentiality

8. AI Provider Disclosure

When a workspace activates AI features, the AI provider configured for that workspace (e.g., OpenAI, Anthropic, Moonshot, xAI, DeepSeek, or a custom endpoint) receives the data necessary to fulfill the request: typically the user's prompt, selected entity context, and relevant search results.

The AI provider acts on the customer's behalf — they are not a Workestra sub-processor by default and are governed by their own terms with you as the API key holder. Workestra does not train models on customer data and does not use customer data to improve our own models. See our AI Use & Data Policy for the full data flow.

9. International Data Transfers

The Service is operated primarily from the United States, with edge infrastructure across multiple regions. Personal data may therefore be transferred to and processed in countries other than your own.

For transfers from the EEA, UK, or Switzerland to the US or other third countries, we rely on:

Standard Contractual Clauses (SCCs) issued by the European Commission (Decision 2021/914), incorporated into our DPA;
The UK International Data Transfer Addendum to the SCCs;
The Swiss FDPIC safeguards;
Adequacy decisions where applicable.

Enterprise customers may opt for an EU-region database through Supabase EU. Contact privacy@workestra.app to discuss data-residency options.

If you are an individual in the EEA, UK, or Switzerland, you have the right to:

Right	What It Means
Access	Request a copy of personal data we hold about you
Rectification	Correct inaccurate or incomplete data
Erasure	Delete data we hold about you, subject to legal exceptions
Restriction	Restrict processing in certain circumstances
Portability	Receive data in a structured, machine-readable format
Object	Object to processing based on legitimate interest or for direct marketing
Withdraw consent	Withdraw consent without affecting prior lawful processing
Lodge a complaint	Complain to your local supervisory authority

To exercise these rights, contact privacy@workestra.app. We will respond within 30 days.

If your data is held in a customer's workspace, please direct your request to the workspace owner (the Controller). We will assist them in fulfilling the request as their Processor.

11. Your Rights — California Residents (CCPA / CPRA)

If you are a California resident, you have the right to:

Know what categories of personal information we collect, use, and share
Access the specific personal information we hold about you
Request deletion of personal information, subject to legal exceptions
Correct inaccurate personal information
Opt out of "selling" or "sharing" personal information — Workestra does not sell or share personal information as those terms are defined in the CCPA/CPRA
Limit the use of sensitive personal information
Be free from retaliation for exercising your rights

To exercise these rights, contact privacy@workestra.app.

12. Children

Workestra is a workplace tool intended for use by businesses. The Service is not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact privacy@workestra.app and we will delete it.

13. Security

We protect personal data with technical and organizational measures including:

Encryption in transit (TLS 1.2+) and at rest
Multi-tenant isolation enforced at the database level (Supabase Row Level Security on workspace_id)
Role-based access control with optional MFA for workspace administrators
Audit logging of authentication, admin, and API events
Principle of least privilege for Workestra personnel
Vulnerability management and regular reviews
Incident response procedures with 72-hour breach notification to affected customers (in accordance with the DPA)

No system can guarantee perfect security, but we maintain industry-standard protections and review them continuously.

14. Cookies

For the cookies and similar technologies we use, see our Cookie Policy.

15. Changes to This Policy

We may update this Policy. Material changes will be communicated at least 30 days in advance via email to workspace administrators or via in-product notice. The version history is recorded in the changelog below.

16. Contact

Topic	Email
Privacy and data subject rights	privacy@workestra.app
EU customers — DPO	dpo@workestra.app
Security disclosures	security@workestra.app
General legal	legal@workestra.app

Postal: Workestra LLC, [Registered office — to be confirmed before launch].

Policy Changelog

Version	Date	Summary
v1.0	2026-05-02	Initial publication