Privacy Policy

Last updated: April 2026 (v2 — App data processing added)

1. Data Controller

Ulrich Diedrichsen
Kippingstraße 27
20144 Hamburg
Germany
Email: [email protected]
VAT ID: DE299425124

2. Scope of This Policy

This privacy policy applies to:

  • The website workbrief.app and its sub-pages (Sections 3–4)
  • The WorkBrief App for iOS, Android, and Web at app.workbrief.app (Sections 5–11)

WorkBrief is an AI-assisted tool for converting work documents into mobile, executable task packages. The app is a B2B product: workers are invited exclusively by their organization; standalone end-user sign-up is not possible.

3. Website Data Processing

We do not use tracking cookies, analytics software, or advertising trackers on the website. The only active data processing occurs in connection with the early access form.

Email Address (Early Access)
When you register for early access, we collect your email address. It is used exclusively to notify you about WorkBrief's availability. Storage location: Cloudflare KV (EU). Retention: until general availability, max 24 months.

IP Address
When you access the website, your IP address is transmitted to Cloudflare for technical reasons. It is not stored permanently.

Theme and Language Preferences
Your preferred language (German/English) and color scheme (light/dark) are stored locally in your browser (localStorage). This data does not leave your device.

4. Third-Party Services — Website

Cloudflare (Hosting + KV)
The website is hosted via Cloudflare Pages. Cloudflare processes your IP address to protect the website. A Data Processing Agreement (DPA) is in place.

5. Data Processing in the WorkBrief App

The app processes data exclusively for coordinating work within your organization. We follow our Trust Charter (available in the app and at workbrief.app): no tracking of workers, no scoring, no comparisons, no covert data collection.

5.1 Personal Identification Data

  • Name — for display in task assignments. Required.
  • Email address — as login identifier and for account recovery. Required.
  • User ID — internal identifier (Firebase Auth UID), used only for app function. Required.
  • Preferred language — for app localization. Optional.
  • Role and team membership — set by Org-Admin for permission control. Required.

5.2 Task-Related Data

  • Uploaded source documents (PDF, DOCX, text) — for creating AI-generated task drafts. Uploaded by supervisors, not by workers.
  • Photos — as triggers for quick-capture tasks or as completion evidence. Selected by the user via camera or photo library; explicit permission required.
  • Voice recordings / transcripts — in quick-capture tasks the supervisor can record voice that is transcribed to text. Microphone permission required. On mobile, transcription happens on-device (Apple Speech / Google SpeechRecognition); the web version uses native browser speech recognition.
  • Text contributions — captions, comments, answers to questions, safety confirmations. Entered by the user.
  • App interactions — when a task was opened, completed, or a checklist item ticked. Required for traceability of a task and for the audit log.

5.3 What We Explicitly Do NOT Collect

  • No location data (neither continuous nor point-in-time)
  • No motion or sensor data
  • No contacts, calendar, messages, or other on-device app data
  • No advertising IDs (IDFA / GAID)
  • No browsing history
  • No worker profiles or rankings
  • No time- or speed-based work measurement

6. Purpose of App Data Processing

Data is processed exclusively for the following purposes:

  • Providing app functions for your organization
  • Account management and authentication
  • AI-assisted conversion of source documents into structured task drafts (initiated by the supervisor)
  • Push notifications for assigned tasks or replies
  • Audit log for traceability of state changes (task approved, completed, etc.)
  • Error diagnostics in case of technical issues

Data is never used for advertising, profiling, automated scoring, or sale to third parties.

7. Storage Location and App Subprocessors

We use the following data processors. Data Processing Agreements (DPA / SCC) are in place with all of them.

Google Firebase / Google Cloud Platform — authentication, database, file storage, push notifications, cloud functions. Primary controller: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

  • Database (Cloud Firestore): region eur3 (Multi-Region Europe, primarily Frankfurt + Belgium)
  • File storage (Cloud Storage): region EU Multi-Region
  • Authentication (Firebase Auth): Google's global infrastructure, data stored in EU
  • Push notifications (FCM): Google's global infrastructure
  • AI inference (Vertex AI / Gemini): region us-central1 (USA, Iowa) — see Section 8 on data transfer

Apple iCloud / Apple Push Notification — on iOS devices for push delivery. Primary controller: Apple Distribution International Limited, Cork, Ireland.

Cloudflare — providing the web app domain (app.workbrief.app), DNS, DDoS protection. Data processed primarily in EU data centers.

Stripe (for paid tiers, from Q3/2026) — handling subscription payments by the Org-Admin. Stripe processes NO data from app end-users, only payment data of the Org-Admin. Primary controller: Stripe Payments Europe Limited, Dublin, Ireland.

8. International Data Transfer — Vertex AI

AI processing of source documents and quick-capture content happens via Google Vertex AI (model: Gemini 2.5 Flash) in region us-central1 (Iowa, USA). A transfer to the USA therefore takes place.

Safeguards:

  • EU-US Data Privacy Framework (DPF): Google is certified, valid adequacy decision in force.
  • Standard Contractual Clauses (SCC) of the EU Commission as additional safeguard.
  • Google Vertex AI does NOT use your data to train its own or any third-party models (contractually guaranteed via Google Cloud Customer Data Protection Addendum).
  • Data is processed only for the respective inference request and immediately discarded afterwards. There is no permanent storage of your content at Google Vertex AI.

9. Retention Period (App Data)

  • Active data (tasks, evidence photos, comments): for as long as your organization is a WorkBrief customer.
  • Audit log: 365 days (Starter), 730 days (Professional), individually negotiable (Enterprise).
  • Voice recording transcripts: persisted as text caption on the task. The original audio file is not stored.
  • At end of contract: full data export available at the click of a button; followed by deletion of all data within 30 days, including backups.
  • On individual worker account deactivation: personal data is anonymized; task-related data remains pseudonymized for traceability of org activity.

10. Legal Basis

Processing of your data is based on:

  • Art. 6(1)(b) GDPR (contract performance) — for providing app functions to your organization.
  • Art. 6(1)(f) GDPR (legitimate interests) — for security, audit log, error diagnostics.
  • Art. 6(1)(a) GDPR (consent) — for the website early access registration.
  • Art. 28 GDPR — when WorkBrief acts as a data processor for your employer (standard case for worker data within the org).

11. Your Rights

Under GDPR you have the following rights:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to withdraw consent (Art. 7(3)) — only where processing is consent-based

In the app: Profile screen → "Export my data". We prepare your export and send it via email within 24 hours.

By email: send requests to [email protected]. We respond within 30 days, usually within 5 business days.

Note for workers: if your data is processed as part of an org subscription, your employer is the data controller. We forward your request to your Org-Admin if required.

12. Security

  • Encryption in transit: TLS 1.2+ for all connections (HTTPS).
  • Encryption at rest: all database content and files are encrypted at Google Cloud.
  • Role and organization separation: Firestore Security Rules prevent cross-organization access.
  • Audit log for all important state changes.
  • Trust Charter contractually binding from org activation.

13. Right to Lodge a Complaint

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

The supervisory authority responsible for us is:
The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 7th floor
20459 Hamburg
Phone: +49 40 / 428 54 - 4040
Email: [email protected]

14. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to adapt it to changed legal situations or changes to the service. For material changes that restrict your rights, we will inform you at least 30 days in advance via email. The current version is always available on this page.

Version history: v1 (April 2026) — initial. v2 (April 2026) — App data processing added after first app release.