Privacy Policy

Effective date: 18th October, 2024

1. Introduction

WorkFlawless ("WorkFlawless", "we", "us", or "our") provides a workflow, SOP (standard operating procedure), onboarding-path and process- management platform delivered as software-as-a-service (the "Services"), together with our website at workflawless.com and related subdomains (the "Site").

This Privacy Policy explains what personal information we collect, how and why we use it, who we share it with, how we protect it, and the rights and choices you have. It applies to visitors to our Site, individuals who register for or use the Services, and people whose information we receive through our customers' use of the Services.

The data controller responsible for your personal information is Flawless Digital FZ-LLC, Compass Building, Al Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates. For any privacy question, or to exercise your rights, contact us at [email protected].

If you do not agree with this Privacy Policy, please do not use the Site or the Services.

2. Our role: controller and processor

WorkFlawless plays two different roles depending on the data:

  • As a controller — for personal information we determine the purposes and means of processing for: website visitors, account registration and administration, billing, marketing, support, and security. This Privacy Policy governs that processing.
  • As a processor (service provider) — for the content and personal data that our business customers and their administrators put into the Services about their team members and operations ("Customer Content", e.g. workflows, SOPs, onboarding paths, uploaded documents, assignments, and team-member records). We process Customer Content on behalf of, and under the instructions of, the customer organization, which is the controller for that data. Our processing of Customer Content is governed by our agreement with that customer, including our Data Processing Addendum (DPA) (see Section 14).

If you are an end user invited to WorkFlawless by your employer or another organization, that organization is the controller of your information within the Services, and you should direct privacy requests to them in the first instance; we will assist them as required.

3. Information we collect

We collect the following categories of personal information:

A. Account and profile information. Name, email address, password (stored hashed), job title/role, company name, profile photo, language and nationality where provided, and identity data received from a single sign-on provider when you log in via Google, Microsoft, GitHub or GitLab (typically your name, email, and profile identifier).

B. Customer Content. Workflows, SOPs, onboarding paths, steps, comments, versions, assignments, reading confirmations, approvals, and any documents, images or videos you upload. This content may contain personal data about you and your colleagues that you choose to include.

C. Team and organizational data. Department/team structure, roles and permissions, org-chart placement, and team-member details used for assignments and collaboration.

D. Billing information. Plan, subscription and trial status, billing cycle, and transaction records. Card payments are processed by our payment provider (a third-party payment processor); we do not store full card numbers on our systems.

E. Integration data. If you connect a third-party service, we store the data necessary to operate that integration: - Google Drive / Microsoft SharePoint & OneDrive — your account email, metadata about files you choose to embed (file name, ID, type, link), and an OAuth refresh token, which we store encrypted at rest. We request the minimum scopes needed and access only files you explicitly select. - Slack — a workspace bot token (stored encrypted at rest), your Slack workspace and member identifiers, and the mapping between your WorkFlawless email and your Slack account (resolved via Slack's email-lookup) so we can deliver notifications. We send notification content (e.g. assignment and publishing messages) to Slack at your organization's direction.

F. Usage, device and log data. Pages and features used, actions taken within the Services, timestamps, IP address, browser and device type, operating system, and referring/exit pages. We use this to operate, secure and improve the Services.

G. Marketing and attribution data. UTM parameters and advertising click identifiers (e.g. gclid), and the analytics client identifier, where you have consented to such cookies. See Section 6.

H. Communications. Records of your support tickets, feedback, and correspondence with us, and your email and notification preferences.

I. Cookies and similar technologies. See Section 6 and our Cookie Policy.

4. How we use your information, and our legal bases

We use personal information for the purposes below. Where the GDPR or UK GDPR applies, the relevant legal basis is shown in brackets.

  • Provide and operate the Services — create and manage your account, authenticate you, deliver features, run integrations you enable, and provide support. (Performance of a contract.)
  • Notifications — send in-app, email and (where your organization has enabled it and you have opted in) Slack notifications about assignments, reminders, reviews, approvals and content updates. (Contract; legitimate interests; consent for Slack direct messages.)
  • Billing and administration — manage subscriptions, trials, and payments through our payment provider. (Contract; legal obligation.)
  • Security, fraud prevention and abuse mitigation — including bot protection on sign-up and reset forms (reCAPTCHA), rate limiting, and logging. (Legitimate interests; legal obligation.)
  • Improve and develop the Services — analytics, troubleshooting, performance and error monitoring. (Legitimate interests; consent where cookies require it.)
  • Marketing — send you product updates and offers and measure the effectiveness of our advertising. You can opt out at any time. (Consent and/or legitimate interests, depending on your location and the channel.)
  • Legal compliance — comply with applicable law and respond to lawful requests. (Legal obligation.)

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You may object to such processing (see Section 11).

5. AI features

Some features use artificial intelligence — for example, generating draft workflows and SOPs, the in-app assistant that answers questions grounded in your knowledge base, and "magic import" conversion of uploaded documents.

To provide these features, the relevant input — such as your prompt, the content you are working on, or retrieved excerpts of your organization's SOPs and workflows — is sent to a third-party AI provider that processes it on our behalf to generate the output. Under our agreement, that provider does not use your data to train its models. Semantic-search embeddings used by the assistant are generated by a model we run on our own infrastructure and are not sent to any external AI provider. The specific AI sub-processor we use is identified in our sub-processor list, available to business customers (see Section 8).

We do not use AI to make decisions producing legal or similarly significant effects about you without human involvement.

6. Cookies, analytics and advertising

We and our partners use cookies and similar technologies to run the Site, remember your preferences, measure performance, and (with consent) support analytics and advertising. Strictly necessary cookies (e.g. session and CSRF cookies) are always active; analytics and advertising technologies load only where you have consented.

We present a consent banner to visitors in the EEA, the UK, Switzerland, and other regions where required, and we apply Google Consent Mode so that tags respect your choices. Visitors elsewhere can manage choices through the same controls. We also honor the Global Privacy Control (GPC) signal where legally required.

Subject to your consent, we use: Google Analytics 4 and Google Tag Manager (analytics), Google Ads, Meta (Facebook) Pixel and Microsoft Advertising (UET) (advertising and measurement), and Microsoft Clarity (product analytics / session insights). For full details of each cookie, its purpose and duration, and to change your choices, see our Cookie Policy and the cookie banner.

7. How we share information

We do not sell your personal information for money. We share personal information only as described here:

  • With service providers / sub-processors who process data on our behalf under contract (see Section 8).
  • With your organization — if you use WorkFlawless through an employer or other organization, your administrators can access your account and Customer Content associated with that organization.
  • With third parties you direct us to — e.g. when you connect Google Drive, SharePoint/OneDrive or Slack, or follow links to third-party services.
  • For legal reasons — to comply with law, enforce our terms, protect the rights, safety and security of WorkFlawless, our users and the public, and detect or prevent fraud or security issues.
  • In a business transfer — in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to this Privacy Policy.
  • For advertising — where you consent, advertising partners may receive online identifiers via cookies/pixels to measure and serve ads. Under certain U.S. state laws this may be considered "sharing" (see Section 12); you can opt out.

8. Sub-processors

We engage third-party service providers ("sub-processors") to help us deliver the Services. We maintain agreements with each requiring appropriate safeguards. We use the following categories of sub-processors:

Category Purpose Data involved Cloud hosting (EU) Hosting of the application, database and file storage All hosted Service data Transactional email Sending account and notification emails Recipient email, name, message content Payments Payment, subscription and tax processing Billing contact, transaction and subscription data Marketing email Lifecycle and marketing messaging Email, name, company, subscription/segment data AI provider AI generation and assistant features Prompts and content you submit to AI features Messaging / notifications Outbound notifications where your organization enables them Email (for member lookup), member/channel IDs, notification content Identity & content integrations SSO sign-in and the file integrations you connect Identity data; metadata for files you select Analytics & advertising Site analytics and advertising measurement (consent-gated) Online identifiers (with consent) Error monitoring Diagnosing errors and performance Diagnostic/telemetry data, which may include limited identifiers Abuse prevention Bot/abuse protection on forms IP address, interaction signals Scheduling Booking sales/demo calls Name, email and details you submit when booking

The specific named sub-processors in each category, and notice of changes, are provided to business customers in our Data Processing Addendum (Annex 3) and are available on request at [email protected].

Enterprise customers may also configure SCIM provisioning from their own identity provider; in that case identity data flows from the customer's provider to WorkFlawless under the customer's control.

9. International data transfers

Our primary hosting infrastructure is located in the European Union (Germany). WorkFlawless is established in the United Arab Emirates, and our personnel may access and process personal information from the UAE in order to operate, support and secure the Services. In addition, some of our sub-processors are located in, or transfer data to, countries outside the EEA, the UK and Switzerland, including the United States.

Where we transfer personal information to a country that has not been recognized as providing an adequate level of protection (including the United Arab Emirates and the United States), we rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses (together with the UK International Data Transfer Addendum and the Swiss addendum, as applicable), and/or certification under the EU-US Data Privacy Framework where the recipient participates, in each case with supplementary measures where appropriate. We do not rely on the former EU-US Privacy Shield, which is no longer a valid transfer mechanism. You may request more information about these safeguards using the contact details in Section 18.

10. Data retention

We keep personal information only for as long as necessary for the purposes described in this Policy:

  • Account and Customer Content — for the life of your (or your organization's) account, and then deleted or anonymized within 30 days of account closure, unless we must retain it longer for legal, accounting or security reasons. Backups are purged on a rolling cycle.
  • Billing records — retained as required by applicable UAE law (generally 5 years).
  • Marketing data — until you unsubscribe or object, and then suppressed as needed to honor your request.
  • Logs and security data — retained for a limited period for security and troubleshooting.

When business customers offboard, Customer Content is handled per our DPA and the customer's instructions.

11. Your rights

Depending on where you live, you may have some or all of the following rights:

  • Access — obtain a copy of the personal information we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Restriction — ask us to limit processing in certain circumstances.
  • Portability — receive your data in a portable format.
  • Objection — object to processing based on legitimate interests, and to direct marketing at any time.
  • Withdraw consent — where we rely on consent, withdraw it at any time (without affecting prior processing).
  • Complaint — lodge a complaint with your supervisory authority. In the EEA this is your local Data Protection Authority; in the UK, the Information Commissioner's Office (ICO).

You can exercise many choices directly in the app (e.g. update your profile, manage notification and email preferences, disconnect integrations, or delete content). To make a rights request, email [email protected]. We will verify your identity and respond within the time required by law (generally one month under the GDPR). If your data is processed on behalf of an organization that uses WorkFlawless, we will refer your request to that organization.

12. U.S. state privacy rights (California and others)

If you are a California resident, the CCPA/CPRA gives you the right to: know the categories and specific pieces of personal information we collect, use and disclose; request correction; request deletion; and opt out of the "sale" or "sharing" of personal information and certain targeted advertising. Similar rights apply under other U.S. state privacy laws.

We do not sell personal information for money. However, our use of advertising cookies/pixels (Google, Meta, Microsoft) may constitute "sharing" of online identifiers for cross-context behavioral advertising under California law. You can opt out by:

  • using the cookie banner / "Your Privacy Choices" control on our Site;
  • enabling the Global Privacy Control (GPC) in your browser; or
  • emailing [email protected].

We do not discriminate against you for exercising these rights. You may use an authorized agent to submit a request on your behalf.

13. Security

We use technical and organizational measures designed to protect personal information, including: encryption in transit (TLS); encryption at rest of sensitive secrets such as OAuth and bot tokens; access controls and the principle of least privilege; signed, time-limited URLs for private file access; network and application security controls; and monitoring and logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal data breach, we will notify affected parties and regulators as required by law.

14. Business customers and the DPA

Where we act as a processor of Customer Content, our processing is governed by our Data Processing Addendum (DPA), which forms part of our customer agreement and includes GDPR Article 28 terms, our list of sub-processors, international-transfer safeguards, and security commitments. Business customers can request our current DPA and sub-processor list at [email protected].

15. Children's privacy

The Services are intended for business use and are not directed to children. We do not knowingly collect personal information from children under 16 (or under 13 where permitted by local law). If you believe a child has provided us personal information, contact us and we will delete it.

16. Third-party links and services

The Site and Services may link to or integrate with third-party websites and services that we do not control. This Privacy Policy does not apply to those services, and we are not responsible for their privacy practices. Review their privacy policies before providing them personal information.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date and, where appropriate, notify you (for example, by email or an in-app notice). Your continued use of the Services after an update constitutes acceptance of the revised Policy.

18. Contact us

Questions, requests or complaints about this Privacy Policy or our data practices:

  • Email: [email protected]
  • Postal: Flawless Digital FZ-LLC, Compass Building, Al Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates