What is Workerflow.ai?

Workerflow.ai is a no-code AI workflow and agent automation platform. It lets businesses build, test, and deploy intelligent automations for customer support, revenue recovery, and sales operations - with full execution logs on every run and human approval steps for sensitive actions.

What is the difference between Workflows and Agents in Workerflow?

Workflows follow a fixed sequence of steps you define - ideal for repeatable processes where the logic is known upfront, such as invoice processing, lead routing, or email triage. Agents receive a goal and decide their own steps using available tools like web search, Jira, Gmail, Google Sheets, and your Data Stores - best for tasks where the number of steps is not predictable.

How does Workerflow.ai handle data privacy?

All data is stored and processed in EU-based infrastructure in the Belgium region. No cross-border data transfers occur outside the EEA. Workflow content, execution logs, and conversation data are never used to train AI models - by Workerflow or by any of its model providers. Data deletion is processed within 30 days on request.

What triggers can start a workflow in Workerflow.ai?

There are multiple trigger types: REST API (HTTP request from any external system), Gmail (process incoming emails automatically), Stripe (react to payment events like failed charges, new subscriptions, or disputes), Telegram (receive messages via a Telegram bot), Shopify (react to order and customer events), Jira (react to issue events), and Web Chat (embeddable chat widget). All triggers are configured directly in the workflow editor with no code required.

What AI models does Workerflow.ai support?

Workerflow.ai supports multiple AI model providers including OpenAI (GPT-4 and variants), Anthropic (Claude), and Google (Gemini). The specific model powering each agent node is visible in the execution log so teams always know what processed their data.

Can we review and approve AI actions before they execute?

Yes. Human approval steps are built into the platform. You can configure workflows so that sensitive actions pause execution until a human reviews and signs off. This is commonly used for outbound communications, financial actions, and customer-facing responses.

How is Workerflow.ai different from Zapier or Make?

Unlike Zapier and Make, which execute fixed automation sequences, Workerflow.ai includes autonomous AI Agents that reason through goals and decide their own steps. Every run produces a full execution log with reasoning traces and tool call records. Workerflow also includes built-in semantic search Data Stores, human approval steps, and supports multiple AI model providers in the same platform.

Is there an audit log our compliance team can review?

Yes. Every workflow execution creates a detailed session record - timestamped, with full inputs, AI responses, condition evaluations, state changes, and outcomes. These logs are retained and can be exported. Nothing the AI does is hidden or unaccountable.

Privacy Policy

Name: Workerflow.ai
Author: Workerflow.ai

Last Updated: March 14, 2026

Effective Date: March 14, 2026

This Privacy Policy ("Policy") describes how Workerflow.ai ("Workerflow.ai", "we", "us", or "our") collects, uses, stores, shares, and protects information in connection with the Workerflow.ai platform, website, APIs, integrations, and all related services (collectively, the "Service" or "Platform"). This Policy applies to all users of the Service, including visitors, registered users, organization administrators, team members, and API consumers.

By accessing or using the Service, creating an account, or otherwise providing information to us, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you are acting on behalf of an organization, you confirm that you have the authority to bind that organization to this Policy.

If you do not agree to this Policy, you must not access or use the Service.

1. Definitions

"Account" means the user account you create to access and use the Service.

"AI Features" means the artificial intelligence and machine learning capabilities integrated into the Service, including but not limited to agent nodes, guardrails evaluation, spreadsheet generation, data structuring, and any other AI-powered processing.

"AI Sub-Processor" means any third-party artificial intelligence or machine learning service provider that processes data on behalf of Workerflow.ai to deliver AI Features, including but not limited to OpenAI.

"Content" means any data, text, files, information, workflows, configurations, instructions, inputs, outputs, or other materials that you submit, upload, transmit, or otherwise make available through the Service.

"Customer Data" means all data, content, and information that you or your authorized users submit to, store in, or transmit through the Service, including but not limited to workflow definitions, execution inputs, execution outputs, session data, conversation histories, state variables, uploaded files, and any data processed through your workflows.

"Organization" means a group account within the Service that may have multiple members with varying access levels.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws including the GDPR and CCPA/CPRA.

"Third-Party Services" means external applications, APIs, platforms, and services that you connect to or access through the Service, including but not limited to Google Gmail, Google Drive, and any other integrations.

"Workflow" means an automated process configured by you within the Service, consisting of interconnected nodes that process data according to your defined logic and instructions.

"Workflow Session" means a single execution instance of a Workflow, including all inputs, outputs, intermediate processing steps, logs, and state changes.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

Account Registration Information:

Full name
Email address
Password (stored only in hashed form using bcrypt)

Organization Information:

Organization name
Team member email addresses (including invited but not yet registered members)
Member roles and permissions

Payment and Billing Information:

Payment transactions are processed by Stripe, Inc. ("Stripe"), our third-party payment processor. We do not directly collect, store, or process your credit card numbers, debit card numbers, or bank account details. Stripe collects and processes your payment information in accordance with its own privacy policy available at https://stripe.com/privacy.
We receive and store from Stripe: payment intent identifiers, transaction amounts, credits purchased, price per credit, transaction status (pending, succeeded, failed, canceled), failure messages (if applicable), and transaction timestamps.

Workflow and Configuration Data:

Workflow definitions (node configurations, connections, logic)
Global instructions and agent prompts
Response schemas and state variable definitions
Trigger configurations

Communication Data:

Contact form submissions (name, email, company name, position, message)
Support requests and correspondence

Newsletter Subscription:

Email address provided for newsletter subscription

2.2 Information Collected Automatically

When you access or use the Service, we may automatically collect:

Usage and Log Data:

Workflow execution logs (structured log entries including trigger data, agent inputs/outputs, condition evaluations, state changes, errors, and output data)
Token usage metrics (input tokens, output tokens, AI model identifiers)
Session data (timestamps, state variables, conversation message histories)
API request logs

Device and Technical Data:

IP address
Browser type and version
Operating system
Device identifiers
Referring URLs
Pages visited and features used
Date and time of access

Cookies and Similar Technologies:

See Section 10 (Cookies and Tracking Technologies) for details.

2.3 Information from Third-Party Services

When you connect Third-Party Services to the Platform, we may receive information from those services as authorized by you:

Google Gmail Integration:

Gmail account email address
Email metadata (sender, subject line, thread identifiers)
Email content (message body) as processed through your configured workflows
Gmail history identifiers for change tracking
OAuth refresh tokens (encrypted at rest using AES-256-GCM)

Google Drive Integration:

Google account email address
Drive folder identifiers
File identifiers for files created or accessed by the Service
OAuth refresh tokens (encrypted at rest using AES-256-GCM)

Google reCAPTCHA:

We use Google reCAPTCHA v3 to protect against automated abuse. Google may collect hardware and software information, such as device and application data, and send it to Google for analysis. Your use of reCAPTCHA is subject to Google's Privacy Policy and Terms of Service.

2.4 Information from Other Sources

We may receive information about you from other sources, including:

Organization administrators who invite you to join their Organization
Public databases and data aggregators (for fraud prevention)
Third-party identity verification services

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Operations

To create and manage your Account
To authenticate your identity and authorize access
To execute Workflows as configured by you
To process data through AI Features as directed by your workflow configurations
To connect and interact with Third-Party Services on your behalf
To maintain Workflow Session histories and conversation logs
To manage Organization memberships, roles, and permissions

3.2 Payment Processing

To process credit purchases and top-ups
To calculate and deduct credits based on usage (AI token consumption, web search queries)
To maintain payment and billing history
To detect and prevent payment fraud

3.3 Communications

To send transactional emails (account verification, password reset, organization invitations)
To respond to contact form submissions and support requests
To send newsletter communications (only with your consent; you may unsubscribe at any time)

3.4 Security and Fraud Prevention

To verify user identity through reCAPTCHA and email verification
To detect, prevent, and investigate security incidents, fraud, and abuse
To enforce our Terms of Use and other policies
To protect the rights, property, and safety of Workerflow.ai, our users, and the public

3.5 Service Improvement and Analytics

To monitor and analyze usage trends and preferences
To diagnose technical issues and improve Service performance
To develop new features and functionality
To conduct internal research and analytics

3.6 Legal Compliance

To comply with applicable laws, regulations, and legal processes
To respond to lawful requests from public authorities
To establish, exercise, or defend legal claims

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your Personal Data based on the following legal bases under the General Data Protection Regulation (GDPR):

Purpose	Legal Basis
Account creation and Service delivery	Performance of a contract (Art. 6(1)(b))
Payment processing	Performance of a contract (Art. 6(1)(b))
Transactional communications	Performance of a contract (Art. 6(1)(b))
Security and fraud prevention	Legitimate interests (Art. 6(1)(f))
Service improvement and analytics	Legitimate interests (Art. 6(1)(f))
Newsletter communications	Consent (Art. 6(1)(a))
Legal compliance	Legal obligation (Art. 6(1)(c))
Workflow execution and AI processing	Performance of a contract (Art. 6(1)(b))
Google API integrations	Consent (Art. 6(1)(a))

Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You may contact us at any time to obtain further information about this balancing assessment.

5. AI Features and Third-Party AI Processing

5.1 How AI Features Work

The Service includes AI Features that process your Content through third-party AI models. When you configure and execute Workflows containing AI-powered nodes (Agent nodes, Guardrails nodes, Spreadsheet Write/Read nodes), the following data may be transmitted to our AI Sub-Processors:

Agent instructions and prompts (as configured by you)
Global workflow instructions
User inputs and messages
Conversation history (for multi-turn sessions)
State variable context
Response schemas for structured outputs
Content being evaluated by guardrails

5.2 AI Sub-Processors

We currently use the following AI Sub-Processors:

Provider	Purpose	Data Processed
OpenAI, Inc.	AI agent processing, guardrails evaluation, data structuring	Workflow inputs, prompts, instructions, conversation context

We may update our list of AI Sub-Processors from time to time. Material changes to AI Sub-Processors will be communicated through updates to this Policy.

5.3 No Training on Your Data

Workerflow.ai does not use your Content, Customer Data, or Workflow execution data to train, improve, or fine-tune any AI or machine learning models. Your data is processed solely for the purpose of delivering the Service as configured by you.

We contractually require our AI Sub-Processors to not use your data for training their models. However, you should review the privacy policies and terms of service of our AI Sub-Processors for their specific data handling practices. As of the effective date of this Policy, our use of the OpenAI API is subject to OpenAI's API data usage policies, which state that API inputs and outputs are not used to train OpenAI's models.

5.4 AI Output Disclaimer

AI-generated outputs, including text, structured data, evaluations, and decisions made by AI Features, are produced by third-party machine learning models and may be inaccurate, incomplete, or inappropriate. Workerflow.ai does not guarantee the accuracy, reliability, completeness, or suitability of any AI-generated output. You are solely responsible for reviewing, validating, and using AI outputs in accordance with applicable laws and your own judgment.

5.5 Token Tracking

We track the number of input and output tokens consumed by AI Features for each Workflow Session for the purposes of credit calculation and billing. Token counts are stored in association with your Workflow Session records.

6. Email and Third-Party Service Integration Data

6.1 Gmail Integration

When you connect your Gmail account to the Service for email-triggered Workflows:

Scope of Access: We request gmail.readonly access (read-only; we cannot send, modify, or delete your emails) and userinfo.email access (to identify your connected account).
Data Accessed: Email metadata (sender, subject, thread ID) and email content (message body) for emails that trigger your configured Workflows.
Data Processing: Email data is processed only as directed by your Workflow configuration. Email content flows through the nodes you have configured and may be processed by AI Features if your Workflow includes AI-powered nodes.
Token Storage: OAuth refresh tokens are encrypted at rest using AES-256-GCM encryption and stored in our database. These tokens are used solely to maintain your authorized connection to Gmail.
Google API Compliance: Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data to provide and improve user-facing features apparent to the user. We do not transfer Google user data to third parties except as necessary to provide the Service, as required by law, or with your explicit consent. We do not use Google user data for advertising. We do not use Google user data to train AI models.

6.2 Google Drive Integration

When you connect your Google Drive account to the Service:

Scope of Access: We request drive.file access, which limits our access to files that the Service creates or that you explicitly open with the Service. We cannot access your other Drive files.
Data Accessed: File identifiers, folder identifiers, and file content for spreadsheets created or read by the Service.
Token Storage: OAuth refresh tokens are encrypted at rest using AES-256-GCM encryption.

6.3 Web Search Integration

When your Workflows include web search nodes:

Search Provider: We use the Brave Search API to perform web searches.
Data Sent: Search queries (which may contain content derived from your workflow inputs).
Data Received: Search result titles, URLs, and descriptions.
Caching: Search results are cached for 15 minutes to reduce redundant API calls. Cached results do not incur additional credit charges.
Brave's Privacy Policy: Brave Search has its own privacy practices. Search queries sent to Brave are subject to Brave's Privacy Policy.

6.4 Responsibility for Third-Party Service Data

You are solely responsible for:

Ensuring that you have all necessary rights, permissions, and consents to connect Third-Party Services and process data from those services through your Workflows.
Complying with the terms of service and privacy policies of any Third-Party Services you connect.
Ensuring that your use of Third-Party Service data through the Platform complies with all applicable laws and regulations.

Workerflow.ai is not responsible for the privacy practices, data handling, security, or availability of Third-Party Services. The use of data received from Third-Party Services is governed by the policies of those services.

7. How We Share Your Information

We do not sell, rent, or trade your Personal Data. We share your information only in the following circumstances:

7.1 Service Providers and Sub-Processors

We share information with third-party service providers who perform services on our behalf, including:

Category	Provider(s)	Purpose	Data Shared
AI Processing	OpenAI, Inc.	Workflow AI features	Prompts, inputs, conversation context
Payment Processing	Stripe, Inc.	Credit purchases	Transaction details (Stripe handles card data directly)
Email Delivery	SMTP provider	Transactional emails	Recipient email, email content
Web Search	Brave Software	Workflow search functionality	Search queries
Bot Protection	Google (reCAPTCHA)	Abuse prevention	Device/browser signals, interaction data
Cloud Infrastructure	Cloud hosting provider	Service hosting and data storage	All Service data (encrypted at rest and in transit)
Domain and DNS	Domain/DNS provider	Service availability	N/A (infrastructure only)

All service providers are contractually obligated to process data only as instructed by us and to implement appropriate security measures.

7.2 Within Your Organization

If you are part of an Organization on the Platform:

Organization administrators can view your name, email, role, and membership status.
Organization members may have access to Workflows, Workflow Sessions, execution logs, and API keys created within the Organization, subject to their assigned role (Admin, Editor, or Viewer).
All linked Third-Party Services and Workflow data are accessible to Organization members based on their permissions.

7.3 Legal Requirements

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to:

Comply with a legal obligation, court order, subpoena, or other legal process
Protect and defend the rights, property, or safety of Workerflow.ai, our users, or the public
Detect, prevent, or address fraud, security issues, or technical problems
Enforce our Terms of Use and other agreements

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar transaction, your information may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or use of your Personal Data, as well as any choices you may have regarding your Personal Data.

7.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

8. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

Data Category	Retention Period	Basis
Account data (name, email, password hash)	Duration of active account + 30 days after deletion request	Contract performance; legal obligations
Organization data	Duration of active Organization + 30 days after deletion	Contract performance
Workflow definitions	Duration of active account; deleted with account or on user request	Contract performance
Workflow Sessions and message histories	Duration of active account; deleted with parent Workflow or on user request	Contract performance
Execution logs (flow logs)	Duration of active account; deleted with parent Workflow Session	Contract performance
Payment records and transaction history	7 years after transaction	Legal obligation (tax/accounting)
Gmail OAuth refresh tokens	Until disconnected by user or account deletion	Consent
Google Drive OAuth refresh tokens	Until disconnected by user or account deletion	Consent
API keys (hashed)	Until revoked by user or account deletion	Contract performance
Newsletter subscriber emails	Until unsubscription request	Consent
Contact form submissions	Not stored persistently in database; forwarded via email only	Legitimate interest
Email verification and password reset tokens	Automatically expire (verification: until used; password reset: 1 hour)	Contract performance
Organization invitation tokens	Until accepted, expired, or revoked	Contract performance
reCAPTCHA data	Not stored by us; processed by Google in real-time	Legitimate interest

8.2 Deletion

When you delete your Account:

Your Personal Data will be deleted or anonymized within 30 days, except where retention is required by law.
Workflow data, Sessions, and associated logs are deleted through cascading deletion.
Payment records may be retained for up to 7 years for tax and accounting compliance.
Backup copies may persist for up to 90 days after deletion from primary systems before being purged.

When a Workflow is deleted:

All associated Workflow Sessions, messages, and execution logs are automatically deleted through cascading deletion.

9. Data Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include but are not limited to:

9.1 Technical Measures

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
Encryption at Rest: Sensitive credentials (Gmail OAuth tokens, Google Drive OAuth tokens) are encrypted using AES-256-GCM before storage.
Password Hashing: User passwords are hashed using bcrypt with a cost factor of 10. Plaintext passwords are never stored or logged.
API Key Hashing: API keys are hashed using SHA-256 before storage. The full key is displayed only once at creation.
Token Security: Email verification tokens and password reset tokens are stored with select: false flags, preventing exposure through normal API queries. Password reset tokens expire after 1 hour.
Webhook Verification: Stripe payment webhooks are verified using cryptographic signatures to prevent tampering.

9.2 Organizational Measures

Access to user data is restricted to authorized personnel on a need-to-know basis.
Service providers and sub-processors are subject to contractual data protection obligations.
We conduct regular security reviews of our infrastructure and codebase.

9.3 Role-Based Access Control

Organization members are assigned roles (Admin, Editor, Viewer) that control their level of access to Organization resources.
API keys are scoped to individual Organizations and can be revoked at any time.

9.4 Limitations

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your Account credentials, API keys, and any access tokens associated with your connected Third-Party Services.

10. Cookies and Tracking Technologies

10.1 What We Use

We use cookies and similar technologies to operate the Service, maintain your session, remember your preferences, and analyze usage patterns.

Essential Cookies: Required for the Service to function properly, including authentication session tokens and security cookies. These cannot be disabled.

Analytics Cookies: Help us understand how users interact with the Service, which pages are most visited, and how we can improve the user experience.

Third-Party Cookies: Certain third-party services integrated into the Service (such as Google reCAPTCHA and Stripe) may set their own cookies. These cookies are governed by the respective third party's cookie and privacy policies.

10.2 Managing Cookies

Most web browsers allow you to control cookies through their settings. You may choose to block or delete cookies, but doing so may affect the functionality of the Service, including your ability to log in or use certain features.

10.3 Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. We currently do not respond to DNT signals, as there is no industry-wide standard for compliance. We will update this Policy if a standard is established.

11. International Data Transfers

11.1 Transfer Mechanisms

Your information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States, where our servers and service providers may be located.

If you are located in the EEA, UK, or Switzerland, we ensure that any transfer of your Personal Data to countries outside of these regions is protected by appropriate safeguards, including:

Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for data transfers to countries that have not received an adequacy decision from the European Commission.
Data Privacy Framework: Where applicable, we rely on service providers who have certified their compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework.
Adequacy Decisions: Where applicable, we transfer data to countries that have been deemed to provide an adequate level of data protection by the European Commission.

11.2 Sub-Processor Locations

Our sub-processors may process data in various jurisdictions. We ensure all sub-processors maintain appropriate data protection standards through contractual obligations and regular assessment.

12. Your Privacy Rights

12.1 Rights Under GDPR (EEA/UK Residents)

If you are located in the EEA or UK, you have the following rights under the GDPR:

Right of Access (Art. 15): You have the right to request a copy of the Personal Data we hold about you.
Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete Personal Data.
Right to Erasure (Art. 17): You have the right to request deletion of your Personal Data ("right to be forgotten"), subject to certain exceptions (e.g., legal obligations, defense of legal claims).
Right to Restrict Processing (Art. 18): You have the right to request that we restrict the processing of your Personal Data in certain circumstances.
Right to Data Portability (Art. 20): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Right to Object (Art. 21): You have the right to object to the processing of your Personal Data based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Art. 7(3)): Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your member state of habitual residence, place of work, or place of the alleged infringement.

12.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You have the right to request that we disclose:

The categories of Personal Data we have collected about you
The categories of sources from which we collected your Personal Data
The business or commercial purpose for collecting your Personal Data
The categories of third parties with whom we share your Personal Data
The specific pieces of Personal Data we have collected about you

Right to Delete: You have the right to request that we delete your Personal Data, subject to certain exceptions permitted by law.

Right to Correct: You have the right to request that we correct inaccurate Personal Data that we maintain about you.

Right to Opt-Out of Sale/Sharing: We do not sell your Personal Data. We do not share your Personal Data for cross-context behavioral advertising purposes.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights, including by:

Denying you the Service
Charging you different prices or rates
Providing you a different level or quality of Service
Suggesting you will receive a different price, rate, level, or quality of Service

Categories of Personal Information Collected (per CCPA categories):

CCPA Category	Examples	Collected
Identifiers	Name, email address, IP address, account ID	Yes
Commercial information	Payment history, credits purchased, subscription details	Yes
Internet or electronic network activity	Log data, usage data, pages visited, features used	Yes
Professional or employment-related information	Company name, position (contact form only)	Yes (optional)
Inferences	Usage patterns, preferences derived from activity	Yes
Sensitive Personal Information	Account login credentials (email + password hash)	Yes

We do not sell or share (as defined by the CCPA) your Personal Data.

12.3 Rights Under Other Jurisdictions

We respect privacy rights under applicable laws worldwide, including but not limited to:

Brazil (LGPD): Data subjects have rights of access, correction, deletion, portability, and information about data sharing.
Canada (PIPEDA): Individuals have the right to access, correct, and challenge compliance with privacy principles.
Australia (Privacy Act): Individuals have rights to access, correct, and complain about handling of personal information.

12.4 Exercising Your Rights

To exercise any of the rights described above, please contact us at:

Email: [email protected]

We will respond to verifiable requests within the timeframes required by applicable law (generally within 30 days for GDPR requests and 45 days for CCPA requests). We may request additional information to verify your identity before processing your request.

If you are an Organization member, certain requests related to Organization data may need to be directed to your Organization administrator, as they may be the data controller for that information.

13. Data Controller and Data Processor Roles

13.1 When Workerflow.ai is the Data Controller

Workerflow.ai acts as the data controller for:

Account registration and profile information
Payment and billing information
Contact form submissions
Newsletter subscriptions
Usage analytics and log data
Any information we collect directly from you to provide the Service

13.2 When Workerflow.ai is the Data Processor

Workerflow.ai acts as the data processor for:

Customer Data processed through your Workflows (including data from connected Third-Party Services such as Gmail and Google Drive)
Content submitted as workflow inputs and processed through AI Features
Data flowing between nodes in your workflow configurations

In these cases, you (or your Organization) are the data controller, and you determine the purposes and means of processing. You are responsible for ensuring that you have a lawful basis for processing any Personal Data that flows through your Workflows.

13.3 Data Processing Agreement

If you require a Data Processing Agreement (DPA) for compliance purposes, please contact us at [email protected].

14. Children's Privacy

The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect Personal Data from children under 16. If we become aware that we have collected Personal Data from a child under 16, we will take steps to promptly delete such information. If you believe that a child under 16 has provided us with Personal Data, please contact us at [email protected].

15. Third-Party Links and Services

The Service may contain links to third-party websites, services, or applications that are not operated by us. This Policy does not apply to third-party services. We are not responsible for the privacy practices, content, or security of any third-party services. We encourage you to review the privacy policies of any third-party services before providing them with your information or connecting them to the Platform.

The integration of Third-Party Services within Workflows is initiated and configured by you. Workerflow.ai acts solely as a conduit for data flowing between your configured integrations and is not responsible for how Third-Party Services collect, use, store, or disclose your data.

16. Automated Decision-Making

16.1 AI-Powered Processing

The Service includes AI Features that may produce automated outputs, evaluations, or decisions based on your configured Workflows. These include:

Agent Nodes: Generate text or structured data based on AI processing
Guardrails Nodes: Automatically evaluate content against criteria and route workflow execution based on pass/fail determination
Condition Nodes: Evaluate expressions to determine workflow branching

16.2 Human Oversight

Workerflow.ai is a tool that executes Workflows as configured by you. All AI-powered processing is initiated and directed by your workflow configurations. You maintain control over:

Which AI Features are used in your Workflows
What instructions and prompts are provided to AI nodes
How AI outputs are used downstream in your Workflows
Whether to act on AI-generated outputs

16.3 Your Rights Regarding Automated Processing

If you are located in the EEA or UK, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR). If you believe that an automated decision has had a significant effect on you, you may contact us to request human review of the decision.

17. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law (Art. 33 GDPR)
Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR)
Document all breaches, including the facts, effects, and remedial actions taken

We maintain incident response procedures designed to detect, assess, and respond to data breaches promptly.

18. Email Communications and Marketing

18.1 Transactional Emails

We send transactional emails that are necessary for the operation of the Service, including:

Email verification confirmations
Password reset links
Organization invitation notifications
Payment confirmations

These emails are essential for Service delivery and cannot be opted out of while maintaining an active Account.

18.2 Marketing Communications

If you subscribe to our newsletter, we will send you marketing communications about updates, features, and news related to the Service. You may unsubscribe from marketing communications at any time by:

Clicking the "unsubscribe" link in any marketing email
Contacting us at [email protected]

Unsubscribing from marketing communications will not affect transactional emails.

19. Credit System and Usage Tracking

19.1 What We Track

To operate the credit-based billing system, we track:

Token usage per Workflow Session (input tokens and output tokens consumed by AI Features)
The AI model used for each execution
Web search queries executed (for credit deduction; 1 credit per live search)
Credit balance changes (top-ups and deductions)

19.2 Purpose

Usage tracking is necessary to:

Calculate credit consumption accurately
Provide usage transparency through your dashboard
Prevent abuse and enforce usage limits (e.g., insufficient credit balance prevents workflow execution)
Generate billing records

20. API Access and Programmatic Use

20.1 API Key Security

When you create API keys for programmatic access to the Service:

The full API key is displayed only once at creation. We store only a SHA-256 hash of the key.
API keys are scoped to your Organization and inherit Organization-level permissions.
You are solely responsible for securing your API keys. Do not share API keys in public repositories, client-side code, or unsecured locations.

20.2 API Data Processing

Data submitted through the API is subject to the same processing, retention, and security practices described in this Policy. Workflow executions triggered via the API are logged and tracked identically to executions triggered through the web interface.

21. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

We will update the "Last Updated" date at the top of this Policy.
We will provide notice through the Service (such as a banner or notification) or by sending you an email to the address associated with your Account.
Material changes will become effective 30 days after notice, unless stated otherwise or unless applicable law requires a different notice period.

Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the updated terms. If you do not agree to the revised Policy, you must stop using the Service and may request deletion of your Account.

We encourage you to review this Policy periodically to stay informed about our data practices.

22. Governing Law

This Privacy Policy and any disputes arising out of or related to it shall be governed by and construed in accordance with the laws specified in our Terms of Use, without regard to conflict of law principles.

23. Severability

If any provision of this Policy is found to be unenforceable or invalid by a court of competent jurisdiction, that provision shall be limited or eliminated to the minimum extent necessary so that this Policy shall otherwise remain in full force and effect and enforceable.

24. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Workerflow.ai Privacy Team

Email: [email protected]

For data protection inquiries specific to GDPR, you may also contact our designated point of contact for data protection matters at the email address above.

25. Supplemental Notices

25.1 Notice to European Union and United Kingdom Residents

In addition to the rights described in Section 12.1, you may have additional rights under local implementing legislation of the GDPR. If there is a conflict between this Policy and applicable EU/UK data protection law, the applicable law shall prevail.

25.2 Notice to California Residents

This section supplements the information contained in this Policy and applies solely to California residents. In the preceding 12 months, we have collected the categories of Personal Information identified in Section 12.2. We collect Personal Information for the business and commercial purposes described in Section 3. We do not sell or share Personal Information as those terms are defined under the CCPA/CPRA.

25.3 Notice Regarding Google API Services

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

We only use Google user data to provide and improve user-facing features of the Service that are apparent to you.
We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, as required by law, or in aggregated and anonymized form.
We do not use or transfer Google user data for serving advertisements.
We do not allow humans to read Google user data unless (a) we have your affirmative agreement, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized for internal operations.