Effective date: November 11, 2025

Privacy Policy

At WorkTiles, your privacy is our priority. This Privacy Policy explains how we handle your personal data. By using or accessing our Services, you acknowledge acceptance of the practices and policies described herein and consent to the collection, use, and sharing of your information as outlined. Your use of WorkTiles’ Services is always subject to our Terms of Service. Any terms used here without explicit definitions are as defined in the Terms of Service. For alternative formats of this Privacy Policy, please contact support@worktiles.app.

What this Privacy Policy Covers

This Privacy Policy describes how we handle “Personal Data” gathered when you access or use our Services. “Personal Data” means any information that identifies or relates to an identifiable individual, as defined under applicable data privacy laws (including the GDPR). This policy does not cover the practices of companies we do not own or control, nor people we do not manage.

Depending on context:

  • For organizational customers using the WorkTiles platform, your organization is typically the data controller and WorkTiles acts as a data processor.
  • For our public website and our own account management, WorkTiles acts as the data controller.

Personal Data We Collect

The categories of Personal Data we collect (and have collected in the past 12 months) may include:

  • Profile or contact data (e.g., name, email address)
  • Account and organization data (e.g., organization name, team memberships, role)
  • Device/IP and technical data (e.g., IP address, browser, device identifiers)
  • Usage and log data (e.g., actions in the app, timestamps)
  • Support communications (e.g., emails, chat, tickets)
  • File uploads and content you choose to store in the Service
  • Payment/billing data where applicable (processed by our payment providers)

We share this data only as needed with service providers and authorized parties to deliver and improve the Services, meet legal requirements, and protect our rights and users.

Categories of Sources

We collect Personal Data:

  • Directly from you (e.g., when creating an account, using features, contacting support)
  • From your organization (e.g., provisioned accounts, assigned roles)
  • Automatically through your use of the Services (e.g., logs, device data)
  • From third parties that help us operate the Services (e.g., authentication)

Purposes and Legal Bases (GDPR)

We process Personal Data for:

  • Providing and securing the Services (performance of contract; legitimate interests; legal obligations)
  • Customizing and improving the Services (legitimate interests; consent where required)
  • Communicating with you (performance of contract; legitimate interests; consent where required)
  • Billing and account administration (performance of contract; legal obligations)
  • Compliance, fraud prevention, and safety (legal obligations; legitimate interests)

Where required, we will obtain your consent (e.g., for certain cookies or communications). You may withdraw consent at any time.

Data Location and Hosting

WorkTiles is hosted and operated in the European Union on Google Cloud Platform:

  • Primary region: europe-north1 (Finland)
  • Redundancy: europe-west1 (Belgium)
  • Cloud SQL backups: stored within the EU (“eu” backup location)
  • File uploads: stored in EU-located Google Cloud Storage

Data is encrypted in transit and at rest. Deleted files may be retained for up to 90 days to enable recovery, in line with our storage soft-delete policy.

International Data Transfers

WorkTiles stores and processes all customer data exclusively within the European Union. All infrastructure, backups, and subprocessors operate in EU regions only. No customer data is transferred or processed outside the EU/EEA.

Subprocessors

We use a small number of trusted subprocessors to operate specific parts of the WorkTiles Service. All subprocessors listed below store and process data exclusively within the European Union.

  • Google Cloud Platform (GCP) – primary hosting and storage for all application data (Compute/Cloud Run, Cloud SQL Postgres, Cloud Storage, Logging/Monitoring). All infrastructure and backups are located in EU regions (europe-north1 in Finland and europe-west1 in Belgium).
  • Cloudflare – DNS, CDN, and Web Application Firewall services. Cloudflare processes only transient, encrypted traffic to secure and accelerate delivery. No customer content is persistently stored. Cloudflare Regional Services are configured to process traffic within the EU.
  • Clerk Europe – user authentication and account management. All identity data is processed and stored in Clerk’s EU data region under GDPR-compliant terms (DPA and SCCs in place).
  • Svix (EU region) – secure webhook delivery for authentication and related events. Configured for EU data residency under GDPR-compliant DPA and SCCs.

All subprocessors have executed Data Processing Agreements (DPAs) with WorkTiles and operate under GDPR-compliant terms. No customer data is transferred or stored outside the EU/EEA.

In addition to the subprocessors listed above, certain integrations authorized by users or their organizations may involve external services acting as independent data controllers:

  • Microsoft Entra ID (Azure Active Directory) – used when users or organizations choose to sign in with Microsoft 365 accounts or authorize calendar access. Microsoft acts as an independent data controller for identity data under its own terms. WorkTiles processes only the limited profile and calendar data necessary to provide the Service.

Cookies and Similar Technologies

We use necessary cookies to operate the Service and may use functional cookies to improve user experience. Where required by law, we request consent for non-essential cookies and provide controls to manage preferences via your browser or in-product settings.

Data Security

We implement technical and organizational measures to protect Personal Data, including encryption in transit and at rest, least-privilege access controls, logging/monitoring, and regular backups. No method of transmission or storage is entirely secure; however, we continuously improve our safeguards to mitigate risk.

Data Retention

We retain Personal Data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Where feasible, we apply shorter retention for logs and implement soft-delete windows (e.g., up to 90 days for file recovery) to balance reliability and privacy.

Children’s Privacy

We do not knowingly collect Personal Data from children under 16. If we learn that we have collected such data, we will delete it promptly. For inquiries, please contact support@worktiles.app.

Your Rights (GDPR and Applicable Laws)

Depending on your location and role, your rights may include:

  • Access, rectification, and erasure
  • Restriction or objection to processing
  • Data portability
  • Withdrawal of consent (where processing is based on consent)
  • Complaint to a supervisory authority

If your account is managed by your organization, please contact your administrator to exercise rights where WorkTiles acts as processor; otherwise contact us at support@worktiles.app.

State Law Privacy Rights (where applicable)

Certain U.S. state laws provide additional rights (e.g., to opt out of certain disclosures). If applicable, contact support@worktiles.app. We do not sell Personal Data.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or by email, and the “Effective date” will be updated.

Contact Information

Questions or requests regarding this Privacy Policy or your Personal Data:

Email: support@worktiles.app
Address: Sturegatan 6, 114 35 Stockholm, Sweden