CCampaign Collaboration OS
Draft. This text is a working draft and is not a substitute for legal advice. Have it reviewed by counsel before any commercial use.

Privacy Policy

Last updated: [DD Mon YYYY]

1. Controller

The controller responsible for the processing of personal data on this platform is:

[Legal entity name] [Address, see Imprint] Email: [privacy@newworkation.com]

2. What data we process and why

Data category Purpose Legal basis Retention
Email address, full name Account identification, contact Contract, Art. 6 (1) (b) GDPR until account deletion
Hashed password Authentication Contract, Art. 6 (1) (b) as above
Login and audit events (IP, user agent, actions) Security, traceability Legitimate interest, Art. 6 (1) (f) 24 months (planned — see Stage 3 roadmap)
Campaigns, briefings, assets, reporting rows, comments Provision of the SaaS service Contract, Art. 6 (1) (b) until deleted by the customer
Error reports (Sentry) Stability, debugging Legitimate interest, Art. 6 (1) (f) 90 days. Email and full name are stripped before transit.
hCaptcha token + IP Bot detection on password reset Legitimate interest, Art. 6 (1) (f) transient only

3. Processors / sub-processors

We use the following processors. Each has, or will have, a data-processing agreement (DPA / AVV) under Art. 28 GDPR:

  • Supabase Inc. (database, auth, storage). Region: [EU (Frankfurt)]. DPA: [TBD]
  • Functional Software, Inc. dba Sentry (error tracking, optional). Region: [EU]. DPA: [TBD]
  • hCaptcha (IntuitionMachines, Inc.) (bot protection). Region: EU per SCCs. DPA: vendor standard.
  • Anthropic (AI Insights, from Stage 2.1 — opt-in per workspace). Region: USA. DPA: [TBD — to be concluded before activation].

4. International transfers

Where data is transferred to the United States (Anthropic; possibly Sentry depending on configuration), the transfer is based on the EU Standard Contractual Clauses (SCCs) and supplementary measures.

5. Your rights

You have the following rights regarding personal data concerning you:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing based on legitimate interest (Art. 21 GDPR)
  • Complaint to the competent supervisory authority (Art. 77 GDPR). The German [Berliner Beauftragte für Datenschutz und Informationsfreiheit] is among the authorities you may contact.

Direct requests to [privacy@newworkation.com]. We respond within the statutory one-month period.

6. Cookies and similar technologies

We only use strictly necessary cookies, in particular to maintain the login session. No consent is required for these under § 25 (2) TTDSG. We currently do not set tracking or marketing cookies.

7. No automated decision-making

There is no automated decision-making with legal effect concerning you within the meaning of Art. 22 GDPR. AI Insights (once enabled) are explicitly advisory; the numbers shown elsewhere in the UI are the authoritative basis for decisions.

8. Security

We implement appropriate technical and organisational measures within the meaning of Art. 32 GDPR. Details are available on request via security@newworkation.com. Vulnerabilities are handled per our disclosure policy (SECURITY.md).

9. Changes

We may update this notice to reflect changes in law or feature scope. We will notify users of material changes by email to the address on file.