Privacy Policy

Last updated: 17 April 2026

This Privacy Policy explains how WhoWorked (“we”, “us”, the “Service”) collects, uses and shares information when you visit whoworked.com, use the WhoWorked web app, browser extension, or MCP server, or otherwise interact with us.

We aim to comply with the EU General Data Protection Regulation (GDPR) and Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“Info Act”).

1. Data controller

The data controller responsible for your personal data is:

  • Bodrácska Márk e.v. (Hungarian sole proprietor)
  • Registered seat: 1148 Budapest, Adria sétány 10. H. ép. 3. em. 5. ajtó, Hungary
  • Tax number (adószám): 49163744-2-42
  • Registration number (nyilvántartási szám): 58933394
  • General contact: hello@whoworked.com
  • Privacy requests: privacy@whoworked.com

We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR. The owner listed above is the point of contact for all privacy matters.

2. What the Service is

WhoWorked is a time-tracking platform for human teams and AI agents. It records work sessions, project budgets, agent contributions, and produces billing-ready reports. The Service includes:

  • The marketing site at whoworked.com.
  • The web app at whoworked.com/app.
  • The WhoWorked browser extension for capturing time entries.
  • An MCP (Model Context Protocol) server that lets authorised AI assistants read and write your WhoWorked data on your behalf.

3. What we collect and why

3.1 Account data

When you create an account we collect your email address, display name, and, where you sign in via an identity provider, a provider-issued user ID and (optionally) your profile photo. We use this to authenticate you, operate your workspace, and communicate service notices.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

3.2 Workspace and time-tracking data

When you use the Service you create content that may include project and client names, task descriptions, time entries, budgets, invoices, uploaded logos, and notes. This content is stored on your behalf and under the direction of the workspace owner.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR); where you are a member of a workspace operated by a third party, that third party acts as the controller of your time-tracking data and we act as processor for them.

3.3 Browser extension data

The WhoWorked browser extension runs locally in your browser and, when authenticated, syncs time entries with your workspace. Specifically, the extension:

  • Stores your access and refresh tokens, workspace ID, and local preferences in browser extension storage.
  • Uses the browser’s idle-state API to detect periods of inactivity (approximately every 60 seconds) so it can pause running timers and prompt you to resume.
  • Lets you right-click selected text to start a timer using that text as the description (you explicitly trigger this).

The extension does not take screenshots, record keystrokes, read page content, or transmit the URLs of tabs you visit.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

3.4 Billing data

If you purchase a paid plan, payment is processed by Stripe. We receive a Stripe customer ID, the subscription status, invoice metadata, and billing address; we do not receive or store your full card number. Invoices we issue include your legally required billing identifiers.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR) for the purchase; legal obligation (Art. 6(1)(c) GDPR) for invoicing and accounting records under Hungarian Act C of 2000 on Accounting.

3.5 Product analytics and error tracking

We use PostHog (hosted in the EU) for product analytics and server-side error tracking. PostHog receives an anonymous distinct ID stored in a first-party cookie, a description of the event (page viewed, button clicked, error thrown), technical metadata (browser, device, approximate location derived from IP), and, once you sign in, a link between the distinct ID and your account.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in measuring, securing and improving the Service. You can opt out at any time using the controls described in section 7.

3.6 Transactional email

We use Resend to send transactional email (verification, invitations, receipts, password resets, service notices). If you sign up for the waitlist, your email may be added to a Resend audience so we can notify you about launch.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR) for service email; consent (Art. 6(1)(a) GDPR) for waitlist notifications, which you can withdraw using the unsubscribe link in any message.

3.7 AI-generated report summaries

When you generate a client report, we may send a small amount of aggregate metadata (project names, hours consumed, budgets, utilisation percentages) to Anthropic (US) to produce a plain-English summary. We do not send email addresses, time-entry descriptions, or identifying user data to Anthropic. This feature can be disabled by the workspace owner.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in providing helpful reporting.

3.8 Branding lookup

We use Logo.dev to fetch a client’s logo from its domain when you request branding for a client record or report. We send the client name or domain you entered.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in providing a usable workspace UI.

3.9 Server logs and security

Our hosting providers (Vercel, Neon) generate short-lived operational logs that include IP addresses, user-agent strings, and request paths. We use these to detect abuse, diagnose outages, and defend the Service.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in keeping the Service secure and available.

4. Sub-processors

We rely on the following sub-processors. Each is bound by a data processing agreement with appropriate safeguards for any international transfer.

  Sub-processor              | Purpose                             | Region
  ---------------------------|-------------------------------------|----------------------
  Vercel Inc.                | Web hosting, CDN, PDF blob storage  | EU & US (global edge)
  Neon Inc. (AWS Frankfurt)  | Primary database                    | EU (eu-central-1)
  PostHog Inc.               | Product analytics, error tracking   | EU
  Stripe, Inc.               | Payment processing                  | US / EU
  Resend (Plusten, Inc.)     | Transactional email                 | EU (AWS Ireland)
  Anthropic, PBC             | AI summaries (if enabled)           | US
  Logo.dev                   | Client logo lookup                  | US

Transfers to US-based processors are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses (2021/914/EU), as applicable.

5. Cookies and similar technologies

The Service uses a small number of first-party cookies:

  • Session cookies (prefixed whoworked-) set by our authentication layer to keep you signed in. Strictly necessary.
  • Preference cookies such as last_workspace and your theme choice. Strictly necessary for a functional UI.
  • Analytics cookies (prefixed ph_) set by PostHog to attach an anonymous distinct ID to your events. You can opt out in the cookie banner or by enabling your browser’s “Do Not Track”/Global Privacy Control signal.

We do not use advertising cookies or third-party tracking pixels (no Meta, Google Ads, LinkedIn, TikTok, or X pixel).

6. How long we keep your data

  • Account and workspace data: for as long as your account is active, then deleted within 30 days of account closure, unless a longer period is required below.
  • Invoices and accounting records: 8 years from issuance, as required by Hungarian Act C of 2000 on Accounting.
  • Analytics events: up to 7 years in PostHog (default retention), linked to an anonymous distinct ID.
  • Server logs: up to 30 days.
  • Support email: up to 2 years from the last correspondence.

7. Your rights

Under the GDPR and the Info Act you have the right to:

  • access your personal data;
  • request correction of inaccurate or incomplete data;
  • request erasure (“right to be forgotten”) where applicable;
  • restrict or object to processing;
  • request portability of the data you provided to us, in a machine-readable format;
  • withdraw consent at any time where processing relies on consent;
  • lodge a complaint with the Hungarian supervisory authority:
    Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
    H-1055 Budapest, Falk Miksa utca 9-11. · naih.hu

To exercise any of these rights, email privacy@whoworked.com. We respond within one month and may ask for proof of identity where reasonably necessary.

To opt out of analytics, you can either (a) decline analytics in the cookie banner, (b) turn on Global Privacy Control or “Do Not Track” in your browser, or (c) email us to have your distinct ID suppressed.

8. Automated decision-making

We do not use your personal data to make decisions about you that produce legal effects or similarly significant effects through automated processing alone.

9. Security

We use industry-standard measures to protect your data, including TLS in transit, encryption at rest provided by our hosting sub-processors, scoped OAuth tokens, and workspace-level access controls. No system is perfectly secure; if we become aware of a personal data breach that poses a risk to your rights, we will notify you and the NAIH in accordance with Articles 33–34 GDPR.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

We may update this policy to reflect changes in the Service or the law. We will update the “Last updated” date at the top and, for material changes, notify account holders by email at least 14 days before the change takes effect.

12. Contact

Questions, concerns, or requests regarding this policy: privacy@whoworked.com.