Privacy Policy
- Effective:
- Last updated:
1. Who we are
Worql, Inc. ("Worql," "we," "us," or "our") operates the website at worql.app and the SOW-generation services available on it. Worql, Inc. is a corporation incorporated in Delaware, United States.
For any privacy-related matter, contact us at privacy@worql.app. For data-subject requests in India under the Digital Personal Data Protection Act, 2023 ("DPDPA"), contact our Grievance Officer (Section 11 below).
2. Scope of this policy
This policy describes how Worql collects, uses, stores, and shares personal information when you visit the Site, sign up for an account, or use the service to draft, store, or export Statements of Work ("SOWs").
It applies to data we control as a "controller" (registrations, account billing, marketing). For data you process through the service about your own counterparties — clients, vendors, employees, contractors — Worql acts as a processor under your written instructions; see our Data Processing Addendum at /dpa.
3. What we collect
We collect only what we need to deliver the service and run the company.
a. Account data. When you sign up, your authentication provider (Clerk, Inc.) collects your email address, name where provided, and an identifier used to associate your sessions. We receive the same fields and store them against your Worql user record. If you authenticate with a third-party identity provider (Google, GitHub), Clerk additionally receives the standard OAuth profile claims (sub, email, name).
b. Project data. Anything you type into the workspace — project briefs, intake answers, generated SOW bodies, comments, vendor comparisons, milestone reviews, supporting notes. This may include personal data about your counterparties (legal names, contact information, jurisdiction of incorporation). You are responsible for ensuring you have a lawful basis to provide that data to us and for executing our DPA before processing personal data about EU, UK, or Indian data subjects.
c. Billing data. When you upgrade to a paid plan, Stripe, Inc. handles the payment flow and stores your card information. We receive only the subscription status, plan tier, current period end, and a Stripe customer identifier. We never see, store, or log your card number.
d. Technical data. Standard request logs (IP address, user-agent, request path, response status, timing). We retain these for up to 90 days for security and abuse prevention. We do not build behavioral profiles from them.
e. Cookies and similar technologies. We use a small number of strictly necessary cookies for authentication and security. We use Vercel Analytics and Vercel Speed Insights, which are cookieless and do not place identifying cookies on your device or track individual users across sessions. See our Cookie Policy at /cookies for the full list.
f. Contact and marketing data. If you submit the contact form, we store the fields you submit (name, email, company, project type, role, budget band, source) to respond. You can request deletion at any time.
We do not collect special-category data (health, biometric, sexual orientation, religious belief, etc.) and we do not knowingly collect data about children under 16. The service is not directed at children.
4. Sub-processors
The following sub-processors process personal data on our behalf to deliver the service. Each is bound to confidentiality and security obligations by contract. The full, version-stamped list with hosting region, purpose, and data category is published at /sub-processors.
| Sub-processor | Purpose | Hosting region |
|---|---|---|
| Clerk, Inc. | Authentication, session management | United States |
| Stripe, Inc. | Subscription billing | United States |
| Anthropic PBC | AI clause generation (Claude API) | United States |
| Neon, Inc. | Application database (PostgreSQL) | AWS us-east-1 (United States) |
| Upstash, Inc. | Rate limiting (Redis) | AWS us-east-1 (United States) |
| Resend, Inc. | Transactional and notification email | United States |
| Vercel, Inc. | Application hosting, cookieless analytics | United States |
We notify customers of additions or replacements at least 30 days in advance via the sub-processors page and by email to billing contacts on paid plans. You may object in writing to a proposed change for material privacy or security reasons; if we can't resolve the objection, you may terminate the affected plan and receive a pro-rata refund of any prepaid fees.
5. How we use the data
We process the data above for the following purposes, on the legal bases indicated. The bases are stated for the GDPR / UK GDPR / DPDPA framework where applicable — if you do not fall under any of these, the equivalent legitimate-interest analysis applies.
- Providing the service — to authenticate you, render the workspace, generate SOWs, store your records, and process exports. Basis: performance of the contract you have with us.
- Billing and tax compliance — to charge for paid plans, issue invoices, and meet tax-reporting obligations. Basis: performance of the contract and compliance with a legal obligation.
- Service-related communications — to send account, security, billing, and product-update notices. Basis: performance of the contract and legitimate interest in keeping users informed.
- Marketing communications — to send newsletters and product announcements to people who opted in via the contact form. Basis: consent. You can unsubscribe at any time using the link in any marketing email.
- Security, abuse prevention, and rate limiting — to detect, prevent, and respond to abuse, fraud, or attacks against the service. Basis: legitimate interest in protecting the service and our users.
- Aggregate analytics and product improvement — to understand which features are used and where users encounter friction. We use only cookieless, non-identifying analytics (Vercel Analytics and Speed Insights). Basis: legitimate interest.
We do not sell personal information. We do not use your project data to train AI models. The clauses used by the service come from our own hand-authored clause library; the Claude API processes your inputs to draft language within that library and does not retain them for training (see Anthropic's commercial terms).
6. Cross-border transfers
The service is hosted in AWS us-east-1 (United States). If you are located in the European Economic Area, the United Kingdom, Switzerland, or India, your personal data will be transferred to and processed in the United States.
For transfers from the EEA, UK, or Switzerland we rely on the European Commission's Standard Contractual Clauses (2021/914) supplemented by the UK International Data Transfer Addendum where applicable, and we maintain a transfer impact assessment available on request.
For transfers from India, we comply with the DPDPA's cross-border transfer framework, and where the Indian government issues a list of restricted countries, we will update our practices accordingly.
7. Retention
We retain personal data for as long as your account is active and for a limited period afterwards:
- Account and project data — until you delete the workspace, plus up to 30 days of safety buffer before purge from backups.
- Billing records — seven years from the end of the fiscal year of the transaction, to meet US tax-record requirements.
- Request logs — up to 90 days.
- Marketing list entries — until you unsubscribe, after which we retain only a hashed identifier to honor the unsubscribe choice.
You may close your account at any time from the account settings or by emailing privacy@worql.app.
8. Your rights
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — ask us to delete your data, subject to retention obligations.
- Restriction or objection — ask us to limit or stop certain processing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent — withdraw consent for any processing based on it, without affecting the lawfulness of prior processing.
- Lodge a complaint — with your local data protection authority. EEA users may complain to the supervisory authority of their habitual residence; UK users to the Information Commissioner's Office; Indian users to the Data Protection Board of India (and see Section 11 below).
To exercise any right, email privacy@worql.app from the address associated with your account. We respond within 30 days, or sooner where required by law.
9. Security
We protect personal data with the following controls:
- TLS 1.2+ for all transport between client, application, and database.
- Authentication delegated to Clerk, with MFA available to all users on all plans.
- Database hosted on Neon in AWS us-east-1, encrypted at rest, with point-in-time recovery for paid plans.
- Application infrastructure on Vercel; deployments require code review.
- Anthropic API keys, Stripe secret keys, and database credentials are scoped to least privilege and stored only in our hosting provider's secret manager — never in source control.
- Production access requires SSO with the founder account; activity is logged.
No system is perfectly secure. If you discover a vulnerability, please report it to security@worql.app; we acknowledge reports within two business days.
10. California residents (CCPA / CPRA)
If you are a California resident, you have the rights described above plus the right to know the specific pieces of personal information we hold, the right to opt out of "sharing" or "selling," and the right to limit the use of sensitive personal information. We do not "sell" personal information as defined by the CCPA and we do not engage in cross-context behavioral advertising. To exercise California rights, email privacy@worql.app with "California rights request" in the subject line.
11. Indian users (DPDPA 2023)
For Indian Data Principals, our Grievance Officer is:
- Name: Aayush Chopra
- Email: grievance@worql.app
- Office: Worql, Inc.
You may also contact the Data Protection Board of India at the address published on its official website. We respond to DPDPA grievances within the statutory period.
12. Changes
We will update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be notified by email to active account holders at least 14 days before they take effect.
13. Contact
Questions or requests: privacy@worql.app. Legal notices: legal@worql.app. Security reports: security@worql.app. Abuse reports: abuse@worql.app. General support: support@worql.app.