What we hold, what we don't, what we share.

The vocabulary of the file.

• Personal Data. Any information relating to an identified or identifiable natural person. Where a regional regime uses a different formulation ("personal information," "individually identifiable information"), the broader formulation governs.
• Processor (also service provider, sub-processor). A third party that processes Personal Data on our behalf, on documented instructions, under a contract that mirrors our obligations to you.
• Controller. The party that determines the purposes and means of processing. Workin is the controller for account, billing, and operational telemetry. Where you supply Personal Data about third parties to a correspondent, you are the controller and we are your Processor with respect to that data.
• Founder Profile. The structured summary of you and your business derived from your onboarding interview.
• Wire. The append-only event log of correspondent activity.
• Telemetry. Operational data we collect about how the Service runs (token counts, latencies, error codes, screenshots of correspondent desktops, IP-derived country) — not the content of your conversations or deliverables.
• De-identified. Stripped of direct identifiers and aggregated such that re-identification is not reasonably possible by us with the resources we have.

Seven categories, no more.

If you supply Personal Data about a third party (a co-founder's name, a customer's e-mail, a candidate's resume), we process it as your Processor and treat it with the same security as your own data. You remain the controller and are responsible for having a lawful basis to share it with us.

The deliberate blanks.

We do not collect, even where it would be technically possible:

• Your contacts list, calendar, or other phone-resident data.
• Your location beyond country (no city, no GPS, no IP-to-address mapping retained).
• Your browsing history outside Workin.
• Your data from any other service you use, unless you explicitly hand it to a correspondent as input.
• Biometric identifiers (we do not voiceprint your onboarding call; the audio is processed for transcription and then deleted per §09).
• Special-category data under GDPR (race, religion, political opinion, health, sexual orientation, trade-union membership) — unless you volunteer it as input, in which case we process it only as necessary to perform the service and we delete it on request.
• Children's data (see §16).

From you, almost entirely.

The overwhelming majority of Personal Data we hold is supplied directly by you, voluntarily, in the course of subscribing and using the Service. Specifically: phone number (you, at sign-up), voice (you, on the interview call), profile (you, derived from the interview), inputs and outputs (you and the correspondents acting on your instructions), telemetry (automatic, on your sessions).

We do not buy, license, or scrape Personal Data from data brokers, social networks, public records, or marketing lists. We do not enrich your profile with third-party signals. The Founder Profile contains exactly what you told the editor-in-chief and nothing else.

To run the press, full stop.

Each datum exists to make the Service work, and to no other end. We do not use your data for advertising, ad targeting, behavioural profiling beyond the Service itself, model training, list rental, or marketing of unrelated products.

Contract, consent, legitimate interest.

For subscribers in jurisdictions where a stated legal basis is required (notably the EU/UK under GDPR), our bases are:

• Performance of a contract (GDPR 6(1)(b)) — for everything necessary to provide the Service: authentication, profile, correspondent operation, deliverable storage, billing, support.
• Legal obligation (GDPR 6(1)(c)) — for tax record retention, response to lawful government requests, and breach notification.
• Legitimate interests (GDPR 6(1)(f)) — for security telemetry, abuse detection, and product analytics on de-identified data. Balanced against your rights and freedoms; you may object under §12.
• Consent (GDPR 6(1)(a)) — for the recording of the onboarding voice call (obtained in-call, in your language, before recording starts) and for any optional feature that requires it. Withdrawable at any time without affecting the lawfulness of prior processing.

For special-category data you may volunteer (e.g. you mention a health condition during the interview), we process under GDPR 9(2)(a) explicit consent, and you may withdraw the consent without losing access to the rest of the Service.

A short list of processors.

We do not sell Personal Data, ever, in any sense — neither the GDPR sense (no transfer for unrelated commercial benefit) nor the CCPA sense (no exchange for monetary or other valuable consideration). We do not share Personal Data with advertisers, data brokers, marketing networks, analytics resellers, or social platforms. We do not use cross-context behavioural advertising.

The current list is canonical at workin.press/privacy/processors and is updated within seven (7) days of any change. Material additions (a new Processor in a new category, a new Processor in a new region) trigger an in-product notice in the wire.

The data leaves and returns.

Workin is a U.S. company; primary storage and primary processing are in the United States. If you are in the EU/UK, Korea, Japan, Canada, or another jurisdiction with cross-border restrictions, your Personal Data is transferred to the U.S. for processing. We rely on:

• EU/UK → U.S. Standard Contractual Clauses (2021 Commission decision; UK IDTA addendum where applicable). For Processors certified under the EU-U.S. Data Privacy Framework (Stripe, Cloudflare, others as added), we additionally rely on the framework as a transfer mechanism.
• Korea (PIPA) → U.S. Cross-border transfer consent obtained at sign-up, with the categories and recipient list disclosed in this policy.
• Japan (APPI) → U.S. Equivalent-protection assurance and contractual obligations.
• Other jurisdictions. Reliance on the lawful basis available locally; consent where required.

You may request a copy of the transfer-mechanism documentation by writing to privacy@workin.press.

Until you tell us to stop.

San Francisco, at rest.

Primary storage is in U.S. data centres operated by our hosting Processors (Fly.io, Railway, Cloudflare R2 for object storage of deliverables). The correspondent virtual machines are likewise U.S.-resident. Foundation-model Processors operate globally; data in transit may briefly route through their infrastructure outside the U.S.

All transit is over TLS 1.2 or higher with modern cipher suites (TLS 1.3 preferred). Data at rest is encrypted with AES-256-GCM. Database backups are encrypted, retained 30 days, and stored in a separate region from the primary.

Defence in depth, honestly described.

• Authentication. Phone-OTP via Vonage; no password reuse risk. Session tokens are HTTP-only-cookie or bearer with rotation on privilege change.
• Authorisation. Per-account row-level isolation in the database; per-correspondent VM isolation at the runtime layer.
• Network. TLS-only ingress; egress restricted to the named Processor allow-list per environment; no inbound SSH except via short-lived bastion sessions.
• Secrets. Stored in a managed vault (Fly Secrets / Railway Secrets); never committed to source; rotated quarterly and on personnel change.
• Code. Mandatory peer review on every change; SAST scanning in CI; dependency vulnerabilities tracked and patched on a SLA tied to severity.
• People. Background checks where lawful; least-privilege access to production; SSO with hardware-key 2FA for engineers; quarterly access review.
• Incident response. 24×7 on-call; incident-commander rotation; post-incident reviews published publicly within 7 days.

No system is impregnable. We have no encryption at rest in foundation-model providers' temporary memory during inference, and we cannot guarantee the absence of bugs in our or our Processors' software. If we discover a breach affecting your Personal Data, we will follow §18.

Access, export, delete, and more.

Subject to your jurisdiction's law, you may at any time:

• Access. Receive a copy of all Personal Data we hold on you, in a portable format (JSON archive of profile, transcripts, deliverables; CSV of telemetry). Email privacy@workin.press; we respond within 30 calendar days (extensible by 60 days for complex requests, with notice).
• Correct. Have inaccurate Personal Data corrected. Most fields are editable in the dashboard; for the rest, write to us.
• Delete. Erase your account and all associated data. Self-service in the dashboard; confirmation by phone-OTP. Deletion is irreversible after the 14-day soft-hold described in the Terms.
• Portability. Receive Personal Data you supplied to us in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
• Restrict. Restrict processing to storage only, while a dispute or request is pending.
• Object. Object to processing based on legitimate interests (telemetry, abuse detection, product analytics). We will stop unless we demonstrate compelling overriding grounds or the processing is required for legal claims.
• Withdraw consent. For processing based on consent (notably the onboarding recording), withdraw at any time. Withdrawal does not affect the lawfulness of prior processing.
• Not be subject to solely-automated decisions with legal or similarly significant effect — see §15.
• Lodge a complaint with your data protection authority. We hope you'll write to us first; the relevant authority for most U.S. subscribers is the California Attorney General, for EU subscribers the supervisory authority of your member state, for Korean subscribers the PIPC, for UK subscribers the ICO.

We do not charge a fee for the first request in a calendar year; for repeated or manifestly excessive requests we may charge a reasonable administrative fee or refuse, with reasons.

The same rights, local accent.

California (CCPA / CPRA). Categories of Personal Information collected are listed in §02; categories disclosed for a business purpose are listed in §07; we do not sell or share Personal Information for cross-context behavioural advertising; we do not knowingly collect Personal Information of consumers under 16. You have the right to know, delete, correct, opt out of sale/sharing (not applicable since we do neither), limit use of sensitive Personal Information, and non-discrimination. Authorised agents may submit requests with written authorisation. Submit at privacy@workin.press.

EU / UK (GDPR / UK GDPR). Workin is the controller for processing described in §05. For requests, contact privacy@workin.press. We have not appointed an EU representative under Article 27 because we do not have an establishment in the EU and our processing is occasional with respect to EU subscribers; we will appoint one if and when scale or law requires. UK subscribers may contact the ICO; EU subscribers their national DPA.

Korea (PIPA). The personal information manager is privacy@workin.press. Cross-border transfer to the U.S. is consented to at sign-up. Categories, purpose, retention, and rights are as set out in §02–§09 and §12. Requests may be submitted in Korean; we will respond in Korean within statutory windows.

Canada (PIPEDA). Workin is accountable for Personal Information under our control; the privacy officer is reachable at privacy@workin.press. Complaints may be brought to the OPC after we have had a reasonable opportunity to respond.

Japan (APPI), Brazil (LGPD), and other regimes. Equivalent rights apply per local law; the same e-mail address is the contact point.

One session token, no third parties.

The dashboard stores a single authentication token in your browser's localStorage (key: workin_token), plus a small JSON blob with your phone-of-record and account id (key: workin_user). We do not set tracking cookies, do not run analytics scripts (no Google Analytics, no Mixpanel, no Segment, no Hotjar, no Heap, no LinkedIn Insight, no Meta Pixel, no TikTok pixel), and do not embed third-party advertising or social pixels.

Server-side, we log request metadata: timestamp, anonymised IP (last octet zeroed within 24 hours), user-agent, path, status code, latency. Raw access logs are retained for 24 hours; aggregated counts are retained for capacity planning.

The "Do Not Track" header is observed where set; "Global Privacy Control" is observed and treated as an opt-out of any sale/share that we do not engage in anyway.

The correspondents decide; you ratify.

The correspondents make automated decisions in the course of work — what to draft, which option to recommend, which task to schedule next. These decisions are not, by themselves, decisions with legal or similarly significant effect on you within the meaning of GDPR Article 22. The legally significant decision is yours, made when you adopt or reject the correspondent's output.

One narrow exception: account-level abuse detection can result in automated suspension under §16 of the Terms. Where an automated suspension materially affects your access, you have the right to an explanation, to express your view, to contest the decision, and to obtain human review by writing to appeals@workin.press.

Not for minors.

Workin is not directed at, and not intended for, persons under the age of legal majority in their jurisdiction (16 in the EU under Article 8 GDPR unless a member state has set a lower age within 13–16; 13 in the U.S. under COPPA; 14 in Korea under PIPA; etc.). We do not knowingly collect Personal Data from children. If you believe a child has signed up, please write to privacy@workin.press and we will delete the account and associated data without delay.

Lawful, narrow, logged.

We disclose Personal Data to a government authority only where compelled by valid legal process applicable to us, where necessary to protect life, or where you have specifically authorised the disclosure. We require subpoenas, court orders, and search warrants to be valid on their face, narrowly tailored, and served on our designated process agent. We push back, in court where necessary, on requests we believe are unlawful, overbroad, or fishing.

Where lawfully permitted, we notify you of a government request before producing data, so that you have an opportunity to challenge it. Where notification is prohibited (gag order, national-security letter), we maintain a "warrant canary" practice in our annual transparency report.

We publish an annual transparency report disclosing aggregate counts of requests received, by jurisdiction and by type, and the rate at which we produced data versus pushed back.

Within 72 hours, where required.

If we become aware of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law (e.g. GDPR Article 33), and notify you without undue delay where the breach is likely to result in a high risk to you (Article 34, equivalent provisions in CCPA, PIPA, etc.). Notification will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or propose to take.

For low-risk incidents that do not trigger statutory notification, we will still post a summary in the wire and on our public status page.

Notified, not buried.

Material changes to this policy — anything affecting categories collected, Processors, retention, rights, or legal basis — will be communicated to the e-mail and phone on your account at least thirty (30) days before they take effect, with a redline accessible at workin.press/privacy/changes. Non-material changes (clarifications, formatting, adding a new Processor in an existing category) take effect on posting, and the prior version is preserved at the same archive URL.

Write to a human.

Privacy questions, data-subject requests, or complaints: privacy@workin.press. We aim to acknowledge within three (3) business days and substantively reply within the statutory window applicable to your jurisdiction (30 days under GDPR; 45 days under CCPA, extensible to 90; 30 days under PIPEDA; etc.). For everything else: hello@workin.press. For security vulnerabilities: security@workin.press.

Postal: Self-Driving Companies, Inc., Attn: Privacy Officer, San Francisco, California, U.S.A. (full street address available on request).

What changed, and when.

• v1.0 — Spring 2026. Initial publication. Seven categories, ten Processors, 7-year billing retention, GDPR / CCPA / PIPA / PIPEDA / APPI / LGPD coverage, no model training on subscriber data.

Future revisions will be appended here with a one-line summary and a link to the redline.