Privacy Policy
Your privacy matters to us. Here we explain how we collect, use, and protect your data.
Last updated: 2026-02-08
Introduction
Worqs, reg. no. 559515-4526 ("we", "us" or "Worqs"), is the data controller responsible for processing your personal data. We respect your privacy and are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR), the Swedish supplementary GDPR act (2018:218), and the Swedish Electronic Communications Act (LEK).
Data Controller
The controller responsible for processing your personal data is:
- Company: Worqs
- Reg. No.: 559515-4526
- Address: Örebro, Sweden
- Email: [email protected]
Information We Collect
We collect the following categories of personal data:
Account Information
- Name and contact details
- Email address
- Company information and organizational affiliation
- Phone number (if provided)
Usage Data
- Access logs, IP addresses, and timestamps
- Device information, browser type, and operating system
- How you interact with the service (features used, page views)
Business Data
Content and data you create in the platform (business objects, documents, workflows) belongs to you. We store this data exclusively to provide and maintain our service.
How We Use Your Information
We process your personal data for the following purposes:
- Provide, operate, and maintain our service
- Provide technical support and customer service
- Improve the service's performance, security, and functionality
- Send service-related communications (outages, security alerts, account notifications)
- Fulfill legal obligations under Swedish and European law
Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Performance of Contract (Art. 6.1b): Processing necessary to provide the service under our agreement with you or your organization
- Consent (Art. 6.1a): When you have explicitly consented to processing, e.g., when using SSO via Microsoft
- Legitimate Interest (Art. 6.1f): To improve, secure, and troubleshoot our service, after balancing our interest against your rights
- Legal Obligation (Art. 6.1c): When required by Swedish or European law, e.g., accounting obligations
Information Sharing
We may share your personal data with:
- Data Processors: Service providers that process data on our behalf, under data processing agreements (DPA)
- Authorities: When required by law, court order, or request from a competent authority
We never sell, rent, or trade your personal data. We only share it to the extent necessary to provide the service.
Data Processors (Sub-processors)
We have entered into data processing agreements (DPA) with all sub-processors that process personal data on our behalf:
| Provider | Purpose | Data Location | Safeguard |
|---|---|---|---|
| Supabase (Fly.io) | Database, authentication, and file storage (PostgreSQL) | Stockholm, EU (eu-north-1) | Data stored in EU, no third-country transfer |
| Vercel | Application hosting and serverless functions (edge runtime) | Stockholm, EU (functions in arn1 region) | DPA and EU-based functions |
| Stripe | Payment processing and subscription management | EU / USA | Standard Contractual Clauses (SCCs) approved by the European Commission |
| Resend | Transactional emails and notifications | USA | Standard Contractual Clauses (SCCs) approved by the European Commission |
| Google (Gemini AI) | AI-assisted features (document generation, schema design) | EU / USA | Standard Contractual Clauses (SCCs) approved by the European Commission |
| Microsoft Azure | Single sign-on (SSO) via Microsoft Azure AD / Entra ID | EU | Standard Contractual Clauses (SCCs) approved by the European Commission |
| Inngest | Background jobs and scheduled tasks | USA | Standard Contractual Clauses (SCCs) approved by the European Commission |
International Data Transfers
Your primary data (database, files, authentication) is stored within the EU/EEA (Stockholm, Sweden). Some sub-processors are based in the USA. In those cases, we ensure adequate protection through:
- All primary data storage is in Supabase on servers in Stockholm (eu-north-1). The application runs on Vercel with functions in the Stockholm region.
- Transfers to US-based providers (Stripe, Resend, Inngest) rely on Standard Contractual Clauses (SCCs) under GDPR Article 46.2c, approved by the European Commission.
- We conduct regular Transfer Impact Assessments to ensure the level of protection in the receiving country is adequate.
Data Retention
We retain your personal data for as long as necessary for the purpose for which it was collected:
- Account and business data: retained as long as you have an active account. Upon termination, data is deleted within 30 days unless longer retention is required by law.
- Access logs and usage data: automatically deleted after 90 days
- Billing and transaction data: retained for 7 years under the Swedish Bookkeeping Act (BFL)
Your Rights Under GDPR
You have the following rights regarding your personal data. We respond to requests within 30 days:
- Right of Access (Art. 15): Request a copy of the personal data we process about you
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your personal data when it is no longer needed
- Right to Restriction (Art. 18): Request temporary restriction of processing your data
- Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
Contact us at [email protected] to exercise your rights. We may verify your identity before processing requests.
Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you (GDPR Article 22). Our AI features (e.g., document generation) are tools to assist you — final decisions are always made by the user.
Children
Our service is not directed at children under 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it immediately.
Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or destruction:
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Row Level Security (RLS) in the database ensures strict data isolation between organizations
- Secure authentication with JWT tokens, SSO via Microsoft Azure, and two-factor authentication support
- Automated daily backups with point-in-time recovery
- Continuous monitoring of security threats and access patterns
Data Breach Handling
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Swedish Authority for Privacy Protection (IMY) without undue delay and within 72 hours. If the breach is likely to result in a high risk to you, we will also inform you directly.
Changes to This Policy
We may update this privacy policy as needed. For material changes that affect how we process your personal data, we will notify you at least 30 days in advance via email and/or in the platform. Continued use of the service after changes constitutes acceptance of the updated policy.
Contact and Complaints
For questions about this privacy policy or how we process your personal data, contact us. You also have the right to file a complaint with the supervisory authority:
- Email: [email protected]
- Supervisory Authority (IMY): www.imy.se