Thank you for using Workd. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our websites, products, and services (collectively, the “Service”).
If you are a customer using the Service as an organization, this Privacy Policy should be read together with your agreement with us and our Data Processing Addendum (“DPA”). If there is a conflict, the DPA or your agreement controls with respect to Customer Data (defined below).
1) Who we are and scope
Workd, Inc. (“Workd”, “we”, “us”) provides CRM/ERP software to business customers. This policy applies to personal information we process as a controller (e.g., our website visitors, prospects, and users of our Service accounts) and to the extent applicable describes our role as a processor/service provider when we process Customer Data on behalf of customers.
Customer Data: Content and data a customer or its users submit to the Service (e.g., contacts, notes, order and payment history records, visit logs) that we process on the customer’s behalf per our agreement and DPA. The customer is the controller of Customer Data; Workd is a processor/service provider.
Personal information / personal data: Information that identifies or can be linked to an individual. This includes business contact details when linked to a person.
Sensitive Personal Information (SPI) / sensitive data / special categories: Certain categories of data defined by law (e.g., precise geolocation; account log-in credentials; government IDs; genetic/biometric; health; race/ethnicity; religion; union membership; sex life/sexual orientation; contents of communications where we are not the intended recipient).
3) What we collect
We collect personal information in ways that are aligned with our privacy objectives and applicable law:
Data minimization — We collect only the personal information that is reasonably necessary to provide, operate, and secure the Service and to meet legal requirements.
Fair and lawful collection — We obtain personal information by fair and lawful means. Before we introduce new collection methods (for example, a new telemetry event or a new cookie), we review them to confirm the collection is appropriate, our notices are accurate, and any required consents are in place.
Reliable sources — When we receive personal information from sources other than the individual (for example, an integration partner or a customer’s system of record), we take reasonable steps to confirm those sources collect and share information fairly and lawfully (including through contractual commitments).
Notice when additional information is acquired — If we develop or obtain additional information about you for our use (for example, enrichment from a reliable source), we provide notice at or before that use, or as soon as practical thereafter, and we honor your choices.
We collect the categories of personal information below, the purposes for which we use them, and our retention approach. We do not sell personal information. On our marketing websites (not inside the Service), we may share personal information for targeted advertising; see Do Not Sell or Share in Your privacy choices and rights below.
Retention: We retain personal information for as long as needed to provide the Service and fulfill the purposes described, which generally aligns with (a) the duration of an account or contract, (b) legal/financial recordkeeping and compliance periods, and (c) security and fraud-prevention needs. We apply deletion or de-identification when no longer needed. Customers may instruct us to delete Customer Data at any time in accordance with the DPA and the Service’s capabilities.
Category
Examples
Purpose(s)
Typical sources
Retention approach
Sold/Shared
Identifiers
Name, business email, business phone, postal address, user ID, IP address, device IDs
Create/manage accounts; provide the Service; communicate; security and fraud prevention; support; compliance
You; your organization; device/browser; integration partners
For life of account/contract plus backup & audit periods
No
Commercial information
Subscription details; purchase and order history; payment status (non-card tokens and limited billing metadata)
Provide and improve Service; billing; accounting; compliance
You; your organization; payment and accounting providers
Legal/accounting retention periods
No
Internet / electronic activity
Log and usage data, app events, pages viewed, referrers
Operate and secure the Service; analytics and product improvement
Your browser/device; our Service
For operational needs and security; then aggregated/de-identified
Shared (marketing websites only; not in product) — opt out via Global Privacy Control (GPC) or email info@workd.com
Precise geolocation (SPI)
GPS-level location when a user enables visit tracking in the mobile/web app
Provide requested features (e.g., visit tracking, routing, check-ins); security and fraud prevention; support
Your device (with permission)
Up to 24 months (2 years) by default; subject to customer deletion requests
No
Professional information
Employer, job title/role, team
Provide/administer the Service; role-based access; support
While the account is active; rotation/reset logs per security policy
No
Payment information: Workd uses third-party, PCI-compliant payment processors for ACH/credit card transactions. We do not collect, store, or have access to full payment card numbers, bank account numbers with security codes/passwords, or other sensitive payment data. We receive only limited billing metadata (e.g., last-4, token, status) for recordkeeping.
4) How we use information
Provide, operate, maintain, and secure the Service
Authenticate users and manage accounts
Process transactions and administer billing (via our payment processors)
Provide customer support and respond to inquiries
Analyze, improve, and develop the Service (including safety/security analytics)
Comply with law, enforce terms, and protect rights, safety, and property
Customer Data and AI/ML: We do not use Customer Data to train machine-learning or AI models unrelated to providing and improving the Service.
Advertising: We do not sell personal information. On our marketing websites (not inside the product), we may share personal information for targeted advertising; see Do Not Sell or Share in Your privacy choices and rights for opt-out methods.
5) Sensitive Personal Information & special-category data
We process limited SPI as necessary to provide the Service—specifically account log-in credentials (passwords stored using industry-standard hashing) and, where a user enables the feature, precise geolocation for visit tracking. We do not use SPI for secondary purposes that would require offering a separate “Right to Limit” under California law.
Geolocation controls: We collect precise location only when a user or customer enables location features and the device/OS permission is granted. Users can disable collection at the OS level. We do not use precise geolocation to infer home addresses or for general monitoring beyond the enabled feature. Visit-tracking location logs are retained for up to 2 years by default unless a customer requests earlier deletion. Visit-tracking records are visible to the user and to the customer organization’s authorized leadership (e.g., sales managers/administrators) per customer configuration. Workd personnel access is limited to support/security purposes, role-based, and logged.
Customer-entered content: Customers control the free-text content, notes, attachments, and other Customer Data they or their users choose to input. Such content may incidentally include SPI/special-category data (e.g., health information, racial/ethnic origin, religion, union membership, contents of communications). Where present, Workd processes that material solely as a processor/service provider under customer instructions and our DPA. We do not sell or share SPI and we instruct users not to include sensitive data in free-text fields unless necessary and authorized.
U.S. state consent: In jurisdictions that require opt-in consent for processing sensitive data (e.g., precise geolocation), we obtain that consent and provide an easy way to withdraw it.
6) Cookies and similar technologies
We use cookies and similar technologies to operate and secure the Service and to understand usage. Where required by law (e.g., EU/UK), non-essential cookies are used only with consent. Users can manage preferences through browser settings and our cookie controls (where provided). We honor Global Privacy Control (GPC) and similar universal opt-out signals for relevant state-law purposes.
7) Sharing and disclosure
Service providers/sub-processors that host our infrastructure, provide analytics, customer support tooling, email delivery, logging/security, payments, and other operational services—bound by contract to use data only to provide services to us.
Professional advisors (lawyers, accountants) and authorities where required by law.
Business transfers: In connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.
Sub-processors: We maintain a current list of sub-processors in our Data Processing Addendum and notify customers of material changes per our agreement.
8) International transfers
Customer Data is primarily hosted in the United States. We may transfer personal information to countries other than where it was collected. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) and implement supplementary measures as needed.
9) Security
We implement technical and organizational measures designed to protect personal information, including encryption in transit and at rest, role-based access controls, network and application security, vulnerability management, and employee security training. Passwords are stored using industry-standard hashing and never in plaintext. No method of transmission or storage is 100% secure; we maintain incident response processes and will notify affected parties as required by law.
10) Your privacy choices and rights
Your choices include:
Account & profile: Access, edit, or delete certain information in your account settings. Customers may manage user accounts directly in the admin console.
Location & device permissions: Enable/disable OS-level permissions (e.g., precise location) at any time.
Cookies: Adjust browser settings and our cookie controls (where provided).
U.S. state rights: Depending on where you live, you may have rights to access, correct, delete, obtain a portable copy, and opt out of certain processing (e.g., sale/sharing, targeted advertising, or profiling in furtherance of decisions producing legal or similarly significant effects). Where required, you may also opt in (and later withdraw consent) for processing sensitive data (e.g., precise geolocation). We honor Global Privacy Control (GPC) signals as opt-outs of sale/sharing and targeted advertising where applicable.
Do Not Sell or Share: We do not sell personal information. On our marketing websites (not inside the Service), we may share personal information for targeted advertising. To opt out: (i) use a browser that sends Global Privacy Control (GPC), which we honor, and/or (ii) email info@workd.com with “Do Not Sell/Share” in the subject. You may also mail a request to Workd Inc, 37000 Grand River Ave Ste 300, Farmington Hills, MI 48335.
How to exercise rights / appeals: Submit a request to info@workd.com with “Privacy Request” in the subject or by mail at the address above. We will verify your request and respond within the timeframe required by law. If we deny your request, you may appeal by replying with “Appeal” in the subject; we will respond with our decision and rationale. You may use an authorized agent where permitted; we may require proof of authorization and identity verification.
How we handle deletion requests: When we receive a verified deletion request, we log and track the request, identify and flag associated records for destruction or de-identification, and complete deletion in a manner designed to prevent unauthorized access or reconstruction. Where data must be retained for legal or security reasons, we restrict it to those purposes and place it beyond use until it is automatically purged.
EEA/UK rights: If applicable, you also have the right to lodge a complaint with a supervisory authority. Contact info@workd.com for the appropriate authority details for your location.
11) Children
The Service is not directed to children. We do not knowingly collect personal information from children under the age required by law. If you believe a child has provided personal information, contact info@workd.com and we will take appropriate action.
12) Data retention
We retain personal information consistent with the purposes described in this policy and our agreements, taking into account the amount, nature, and sensitivity of the data; potential risk of harm; legal, tax, accounting, and regulatory requirements; and customer instructions. We apply deletion or de-identification when retention is no longer necessary. Visit-tracking geolocation logs are retained for up to 2 years by default unless a customer requests earlier deletion.
Secure disposal: We delete or de-identify personal information using controls appropriate to the data and storage medium (for example, cryptographic erasure for encrypted systems, logical deletion with suppression, and backup expiry/rotation). Deletions applied to active systems propagate to backups in the ordinary course of our backup lifecycle.
13) Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version with its effective date and, if changes are material, we will provide additional notice (e.g., in-app or by email).
14) How to contact us
For questions or requests concerning this Privacy Policy or our privacy practices, contact info@workd.com.
Controller / Service Provider Roles Summary
Controller: We control and are responsible for personal information we collect about website visitors, prospects, and account administrators.
Processor/Service Provider: We process Customer Data solely to provide the Service, under customer instructions and our DPA. We do not sell or share Customer Data for cross-context behavioral advertising.
Change Log
We publish a brief summary of notable updates. Most edits are organizational (formatting, clearer wording) and do not change how we collect, use, or share information.
Added explicit details on precise geolocation for visit tracking and noted the default 2-year retention.
Confirmed no sale of personal information; clarified that any targeted-ads “sharing” applies to marketing websites only (not in-product) and that we honor Global Privacy Control (GPC).
Noted that payments are handled by PCI-compliant processors and that we do not store full card/ACH credentials.
Unified privacy contact to info@workd.com and added a postal method for requests.
These updates improve clarity and do not materially change our privacy practices.
— Structure & transparency refresh
Reorganized the policy for readability; added clearer headings and definitions.
Expanded cookie/consent information and state-privacy rights summaries.
Outlined security measures and our breach-notification approach.
Provided more detail on retention and disposal practices.
Added monitoring/enforcement and version-history language.
