Last updated: 17 April 2026
This Privacy Policy explains how WhoWorked (“we”, “us”, the “Service”) collects, uses and shares information when you visit whoworked.com, use the WhoWorked web app, browser extension, or MCP server, or otherwise interact with us.
We aim to comply with the EU General Data Protection Regulation (GDPR) and Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“Info Act”).
The data controller responsible for your personal data is:
We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR. The owner listed above is the point of contact for all privacy matters.
WhoWorked is a time-tracking platform for human teams and AI agents. It records work sessions, project budgets, agent contributions, and produces billing-ready reports. The Service includes:
When you create an account we collect your email address, display name, and, where you sign in via an identity provider, a provider-issued user ID and (optionally) your profile photo. We use this to authenticate you, operate your workspace, and communicate service notices.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
When you use the Service you create content that may include project and client names, task descriptions, time entries, budgets, invoices, uploaded logos, and notes. This content is stored on your behalf and under the direction of the workspace owner.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR); where you are a member of a workspace operated by a third party, that third party acts as the controller of your time-tracking data and we act as processor for them.
The WhoWorked browser extension runs locally in your browser and, when authenticated, syncs time entries with your workspace. Specifically, the extension:
The extension does not take screenshots, record keystrokes, read page content, or transmit the URLs of tabs you visit.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
If you purchase a paid plan, payment is processed by Stripe. We receive a Stripe customer ID, the subscription status, invoice metadata, and billing address; we do not receive or store your full card number. Invoices we issue include your legally required billing identifiers.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) for the purchase; legal obligation (Art. 6(1)(c) GDPR) for invoicing and accounting records under Hungarian Act C of 2000 on Accounting.
We use PostHog (hosted in the EU) for product analytics and server-side error tracking. PostHog receives an anonymous distinct ID stored in a first-party cookie, a description of the event (page viewed, button clicked, error thrown), technical metadata (browser, device, approximate location derived from IP), and—once you sign in—a link between the distinct ID and your account.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in measuring, securing and improving the Service. You can opt out at any time using the controls described in section 7.
We use Resend to send transactional email (verification, invitations, receipts, password resets, service notices). If you sign up for the waitlist, your email may be added to a Resend audience so we can notify you about launch.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) for service email; consent (Art. 6(1)(a) GDPR) for waitlist notifications, which you can withdraw using the unsubscribe link in any message.
When you generate a client report, we may send a small amount of aggregate metadata (project names, hours consumed, budgets, utilisation percentages) to Anthropic (US) to produce a plain-English summary. We do not send email addresses, time-entry descriptions, or identifying user data to Anthropic. This feature can be disabled by the workspace owner.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in providing helpful reporting.
We use Logo.dev to fetch a client’s logo from its domain when you request branding for a client record or report. We send the client name or domain you entered.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in providing a usable workspace UI.
Our hosting providers (Vercel, Neon) generate short-lived operational logs that include IP addresses, user-agent strings, and request paths. We use these to detect abuse, diagnose outages, and defend the Service.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in keeping the Service secure and available.
We rely on the following sub-processors. Each is bound by a data processing agreement with appropriate safeguards for any international transfer.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Web hosting, CDN, PDF blob storage | EU & US (global edge) |
| Neon Inc. (AWS Frankfurt) | Primary database | EU (eu-central-1) |
| PostHog Inc. | Product analytics, error tracking | EU |
| Stripe, Inc. | Payment processing | US / EU |
| Resend (Plusten, Inc.) | Transactional email | EU (AWS Ireland) |
| Anthropic, PBC | AI summaries (if enabled) | US |
| Logo.dev | Client logo lookup | US |
Transfers to US-based processors are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses (2021/914/EU), as applicable.
The Service uses a small number of first-party cookies:
- Cookies prefixed `whoworked-`, set by our authentication layer to keep you signed in. Strictly necessary.
- `last_workspace` and your theme choice. Strictly necessary for a functional UI.
- Cookies prefixed `ph_`, set by PostHog to attach an anonymous distinct ID to your events. You can opt out in the cookie banner or by enabling your browser’s “Do Not Track”/Global Privacy Control signal.

We do not use advertising cookies or third-party tracking pixels (no Meta, Google Ads, LinkedIn, TikTok, or X pixel).
Under the GDPR and the Info Act you have the right to:
To exercise any of these rights, email privacy@whoworked.com. We respond within one month and may ask for proof of identity where reasonably necessary.
To opt out of analytics, you can either (a) decline analytics in the cookie banner, (b) turn on Global Privacy Control or “Do Not Track” in your browser, or (c) email us to have your distinct ID suppressed.
We do not use your personal data to make decisions about you that produce legal effects or similarly significant effects through automated processing alone.
We use industry-standard measures to protect your data, including TLS in transit, encryption at rest provided by our hosting sub-processors, scoped OAuth tokens, and workspace-level access controls. No system is perfectly secure; if we become aware of a personal data breach that poses a risk to your rights, we will notify you and the NAIH in accordance with Articles 33–34 GDPR.
The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
We may update this policy to reflect changes in the Service or the law. We will update the “Last updated” date at the top and, for material changes, notify account holders by email at least 14 days before the change takes effect.
Questions, concerns, or requests regarding this policy: privacy@whoworked.com.