Privacy Policy

Last updated: April 2, 2026

1. Introduction

Workly BV ("Workly", "we", "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, process, store, and protect personal information when you use our Platform.

We act in accordance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and all other applicable Belgian and European privacy legislation.

2. Data Controller

Workly BV
Stationsstraat 85 E, 2250 Olen, Belgium
VAT: [to be added]
Email: privacy@worklyhq.com

Workly is the data controller for personal data processed in connection with managing your account and delivering our Services (B2B Client data).

For personal data of End Customers (order data, contact details, etc.), the Client acts as data controller and Workly acts as processor within the meaning of Article 28 GDPR. The General Terms and Conditions contain the data processing agreement.

3. What Data We Collect

3.1 Data you provide directly

  • Account data: first name, last name, email address, password (hashed), phone number (optional).
  • Business data: company name, VAT number, address, logo, brand color.
  • Payment data: processed exclusively by Stripe, Inc. Workly does not store credit card or bank details.
  • Communications: messages sent via the contact form or by email.
  • Contractual registration data: when creating an account, we record the user's IP address, the timestamp of acceptance, the email address, and the version of the General Terms that was accepted. This data serves as legal proof of the formation of the agreement.

3.2 End Customer data (processed on behalf of the Client)

  • Name, email address, and phone number (subject to opt-in consent).
  • Order data, reservation data, gift voucher data.

3.3 Staff personal data (processed on behalf of the Client)

  • Identification: first name, last name, email address, phone number.
  • INSZ/NISS number: Social Security Identification Number, processed exclusively for submitting Dimona declarations to the RSZ/ONSS (see Article 13 of the General Terms and Conditions).
  • Employment data: contract type, position, pay scale, work schedules, shift data, availability.
  • Dimona data: declaration type, status, RSZ reference numbers, submission timestamps.

The Client acts as data controller for staff data. Workly processes this data exclusively as processor (Art. 28 GDPR).

3.4 Technical data

  • IP address (for authentication, security, and legal obligations when accepting terms).
  • Device and browser information (user agent) for optimal Platform operation.
  • Authentication cookies (see our Cookie Policy).

3.5 What we do NOT collect

Workly does not use tracking cookies, analytics cookies, advertising cookies, or tracking pixels. We do not share data with social networks or advertising platforms. We do not profile you for marketing purposes.

4. Legal Basis for Processing

  • Performance of contract (Art. 6(1)(b) GDPR): processing necessary to deliver our Services, manage your account, and process payments.
  • Legal obligation (Art. 6(1)(c) GDPR): retention of financial records (7 years, Belgian accounting law — Art. 60 CEL), tax compliance. Processing of INSZ/NISS numbers for Dimona declarations to the RSZ/ONSS (Act of 24 January 2003 reforming the INSZ, RSZ legislation, and the Royal Decree concerning Dimona declarations).
  • Consent (Art. 6(1)(a) GDPR): email campaigns and newsletters (explicit opt-in only, withdrawable at any time). Contact form consent.
  • Legitimate interest (Art. 6(1)(f) GDPR): Platform security, fraud prevention, service improvement. The recording of your IP address, timestamp, and version upon acceptance of the General Terms is based on our legitimate interest in being able to provide legal proof of the formation of the agreement. This IP address is stored solely for this purpose and is not used for tracking or profiling.

5. Retention Periods

  • Account data: duration of the Agreement + 30 days after termination (for data export).
  • Financial data (invoices, transactions): 7 years after the fiscal year (legal obligation).
  • End Customer data: maximum 24 months after last interaction, unless deleted earlier by the Client.
  • Staff data (including INSZ/NISS numbers): for the duration of the Agreement + 30 days after termination (for data export). Dimona logs are retained for 5 years after submission (social security record-keeping obligations).
  • Communications: 12 months after the last message.
  • Log and security data: 6 months (rotating logs).
  • Terms acceptance records (IP address, timestamp, version): duration of the Agreement + 10 years after termination (statutory limitation period for contractual claims under Belgian law — Art. 2262bis old Civil Code).

After the retention period, data is automatically and irreversibly deleted or anonymized.

6. Sharing with Third Parties

We share your personal data only with the following categories of recipients, and only to the extent necessary:

  • Stripe, Inc. (US) — Payment processing. Data transfers to the US based on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. Stripe Privacy Policy.
  • Supabase, Inc. (US) — Database hosting. Data stored in the EU (Frankfurt). Transfers under SCCs. Supabase Privacy Policy.
  • Vercel, Inc. (US) — Application hosting. Edge network with European nodes. Under SCCs. Vercel Privacy Policy.
  • Resend, Inc. (US) — Email delivery. Under SCCs. Resend Privacy Policy.
  • National Social Security Office (RSZ/ONSS) (Belgium) — Recipient of Dimona declarations submitted via the Platform on behalf of the Client. Transfer based on the Client's legal obligation as employer. www.rsz.be.

We never sell your personal data. We do not share data with advertisers or social networks.

7. International Transfers

Some of our sub-processors are based in the United States. For all transfers outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914).
  • Where applicable: the EU-US Data Privacy Framework (adequacy decision C(2023) 4745 of July 10, 2023).
  • Supplementary technical measures: encryption in transit (TLS 1.3) and at rest (AES-256), access controls, pseudonymization where feasible.

8. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): request a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate data.
  • Right to erasure (Art. 17): request deletion ("right to be forgotten"), unless a legal retention obligation applies.
  • Right to restriction (Art. 18): restrict processing in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON/CSV).
  • Right to object (Art. 21): object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time without affecting the lawfulness of prior processing.

How to exercise your rights

You can exercise your rights via the Privacy Settings in your account dashboard (Settings → Privacy), or by sending an email to privacy@worklyhq.com.

We respond to every request within 30 calendar days. If the request is complex or we receive multiple requests, this period may be extended once by 60 days, and we will inform you of the extension in advance.

9. Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Passwords hashed with bcrypt (cost factor ≥ 12)
  • Row-Level Security (RLS) at database level for per-organization data isolation
  • Two-factor authentication (2FA/TOTP) for administrator accounts
  • Automatic session expiration and secure cookies (HttpOnly, Secure, SameSite=Lax)
  • Regular security audits and vulnerability scans
  • Principle of least privilege for all system access

10. Children

The Platform is not directed at children. In accordance with the Belgian Act of 30 July 2018, the age for digital consent in Belgium is 16 years. We do not knowingly collect personal data from persons under 16. If we discover that we have inadvertently collected data from a child, we will delete it immediately.

11. Cookies

We only use strictly necessary cookies for authentication and proper functioning of the Platform. We do not use analytics, advertising, or tracking cookies.

For full details, please refer to our Cookie Policy.

12. Automated Decision-Making

Workly does not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).

13. Data Breach

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we will:

  • Notify the Belgian Data Protection Authority (GBA/APD) within 72 hours of discovery (Art. 33 GDPR).
  • Inform affected individuals without undue delay if the breach presents a high risk (Art. 34 GDPR).
  • Document all relevant information in an internal data breach register.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 30 days before the effective date. The most recent version is always available on the Platform.

15. Filing a Complaint

If you believe we are not processing your personal data correctly, you may file a complaint with the Belgian Data Protection Authority:

Belgian Data Protection Authority (GBA/APD)
Drukpersstraat 35, 1000 Brussels
Tel: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be

16. Contact

For any privacy-related questions or to exercise your rights:

Workly BV — Privacy Officer
Stationsstraat 85 E, 2250 Olen, Belgium
Email: privacy@worklyhq.com