Privacy Policy
Effective: May 17, 2026
This Privacy Policy explains how Workzi (“we”) processes personal data when you use Workzi Forge. We comply with the GDPR (EU/EEA, UK), the California Consumer Privacy Act, and applicable laws in our launch markets (Türkiye KVKK, Russian Federal Law 152-FZ, Uzbekistan Law on Personal Data, Kazakhstan Personal Data Law).
1. Data we collect
- Account: email, name, hashed password or OAuth identifier, locale.
- Workspace & project data: the projects, prompts, knowledge sources, and outputs you create.
- Usage: AI calls, tokens, latency, cost, error events, IP address, user agent.
- Billing: plan entitlement, quota state, and invoices when beta paid access is explicitly enabled. Live checkout is disabled during controlled beta.
2. How we use it
To provide the Service, enforce quotas and security, send transactional emails, generate invoices, detect abuse, and improve the product. We do not sell personal data. We do not use Customer Content to train foundation models.
3. Legal bases (GDPR)
- Performance of contract — to deliver the Service.
- Legitimate interests — security, fraud prevention, product analytics.
- Consent — optional marketing emails (revocable at any time).
- Legal obligation — tax records and lawful requests.
4. Sub-processors
- Cloudflare — hosting and edge runtime (global).
- Supabase — managed Postgres, auth, and object storage (EU/US regions).
- OpenAI & Google Gemini — AI model inference (zero-retention API tier).
- Email provider — transactional email delivery when configured for Forge.
- Payment provider — payment processing only after beta paid access is approved.
An up-to-date list is maintained at forge.workzi.org/legal/dpa.
5. International transfers
Where data leaves your jurisdiction, we rely on Standard Contractual Clauses (EU), the UK Addendum, and equivalent safeguards. EU customers can request EU-only data residency on Team plans.
6. Retention
- Account data: until you delete the account, then 30 days for recovery.
- AI usage logs: 90 days (raw), aggregated indefinitely.
- Error events: 30 days.
- Backups: 35 days, encrypted.
- Invoices: 7 years (tax compliance).
7. Your rights
You can access, export, rectify, restrict, or delete your personal data, and object to processing, from your account settings or by emailing forge@workzi.org. We respond within 30 days.
8. Security
TLS everywhere, encryption at rest, least-privilege database access via Row-Level Security, SOC 2-aligned controls on sub-processors, prompt redaction before logging, and IP-based rate limiting on public endpoints.
9. Children
The Service is not directed to children under 16. We do not knowingly collect their data.
10. Contact & complaints
Data protection contact: forge@workzi.org. You may also complain to your local data protection authority.