Privacy Policy

WorkWise Software Ltd ("WorkWise", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, process, disclose, and safeguard your information when you use our AI-powered career services platform and related services.

1. Legal Basis and Controller Information

WorkWise Software Ltd is the data controller for your personal information. We process your personal data under the following legal bases:

• Contract Performance: To provide our services, process payments, and manage your account
• Legitimate Interests: To improve our services, conduct analytics, and ensure platform security
• Consent: For marketing communications, cookies (where required), and certain AI processing features
• Legal Obligation: To comply with applicable laws, regulations, and legal processes

2. Information We Collect

2.1 Information You Provide Directly

We collect personal information that you voluntarily provide when you:

• Create and maintain your account (name, email address, password)
• Upload professional documents (CVs, resumes, cover letters)
• Use our AI-powered services (job descriptions, personal statements, career information)
• Process payments (billing information, payment method details)
• Contact our support team (correspondence, support requests)
• Participate in surveys or feedback (voluntary responses and opinions)

2.2 Automatically Collected Information

When you use our services, we automatically collect:

• Technical Data: IP address, browser type and version, operating system, device information
• Usage Data: Pages visited, features used, time spent, click-through rates, service interactions
• Authentication Data: Login sessions, security tokens, account access patterns
• Performance Data: System performance metrics, error logs, diagnostic information

2.3 Professional and Sensitive Information

Our services process professional and potentially sensitive personal information including:

• Employment history and career progression
• Educational qualifications and achievements
• Professional skills and competencies
• Salary expectations and compensation history
• Career objectives and personal statements

3. How We Use Your Information

3.1 Service Provision

• Provide and maintain our AI-powered career services
• Process and optimize your CVs, cover letters, and professional documents
• Generate personalized career advice and job application materials
• Manage your account, subscriptions, and service preferences
• Process payments and manage billing

3.2 AI Processing and Machine Learning

Important: Your personal documents and data are processed by AI systems to provide our services. We use OpenRouter AI services with Google Gemini models. Your data:

• Is processed solely to provide you with personalized services
• Is NOT used to train AI models or improve third-party systems
• Is processed with appropriate technical and organizational safeguards
• May be temporarily cached for performance optimization (deleted within 24 hours)

3.3 Communication and Support

• Send service-related notifications and account updates
• Provide customer support and respond to inquiries
• Send marketing communications (with your consent)
• Conduct user surveys and gather feedback

3.4 Legal and Security

• Comply with legal obligations and regulatory requirements
• Detect, prevent, and investigate fraud, abuse, and security incidents
• Enforce our terms of service and protect our rights
• Respond to legal processes and requests from authorities

4. Information Sharing and Third-Party Processors

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers and Processors

• Payment Processing: Stripe Inc. processes payment information under strict data protection agreements
• AI Services: OpenRouter AI processes document content for optimization and generation services
• Cloud Infrastructure: Hosting and storage providers for platform operations
• Email Services: Communication and transactional email providers
• Analytics: Service usage analytics (anonymized where possible)

4.2 Legal Requirements

We may disclose information when required to:

• Comply with applicable laws, regulations, or legal processes
• Respond to valid government requests or court orders
• Protect our rights, property, or safety, or that of our users
• Investigate and prevent fraud, security incidents, or illegal activities

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the business transaction, subject to the same privacy protections.

5. International Data Transfers

Your personal data may be processed in countries outside the UK/EEA, including the United States. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for countries with adequate data protection laws
• Binding Corporate Rules and certification schemes where applicable
• Additional safeguards for transfers to countries without adequate protections

6. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

• Account Data: Retained while your account is active, plus 3 years after closure
• Professional Documents: Retained while your account is active, deleted upon account deletion
• AI Processing Data: Temporary processing data deleted within 24 hours
• Payment Information: Retained for 7 years for tax and accounting purposes
• Marketing Data: Until you withdraw consent or 3 years of inactivity
• Legal Hold Data: Retained as required by law or legal proceedings

7. Data Security and Limitations

We implement comprehensive technical and organizational measures to protect your personal information:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access, multi-factor authentication, and principle of least privilege
• Infrastructure Security: Secure cloud hosting, regular security assessments, and vulnerability management
• Data Minimization: Collecting only necessary data and pseudonymization where possible
• Incident Response: Procedures for detecting, responding to, and reporting security incidents
• Staff Training: Regular privacy and security training for all personnel

7.1 Security Limitations and Disclaimers

Important Notice: While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. You acknowledge and accept that:

• Data transmission over the internet carries inherent security risks
• We cannot guarantee absolute security of your information
• You use our services at your own risk regarding data security
• We are not liable for security breaches caused by third parties, force majeure, or circumstances beyond our reasonable control
• You are responsible for maintaining the security of your account credentials

7.2 Monitoring and Compliance

To ensure security and compliance, we reserve the right to:

• Monitor and log user activities for security and compliance purposes
• Investigate suspicious account behavior or potential policy violations
• Preserve data necessary for legal proceedings or regulatory compliance
• Restrict access during security investigations
• Cooperate with law enforcement agencies when legally required

8. Your Rights and Choices

Under GDPR and UK data protection law, you have the following rights:

8.1 Access and Portability

• Right of Access: Obtain confirmation of processing and copies of your personal data
• Data Portability: Receive your data in a structured, machine-readable format

8.2 Correction and Deletion

• Rectification: Correct inaccurate or incomplete personal data
• Erasure ("Right to be Forgotten"): Request deletion of your personal data
• Restriction: Limit processing in certain circumstances

8.3 Consent and Objection

• Withdraw Consent: Withdraw consent for processing based on consent
• Object to Processing: Object to processing based on legitimate interests
• Object to Marketing: Opt-out of direct marketing communications

8.4 Exercising Your Rights

To exercise these rights, contact us at contact@workwise-ai.com with the subject line "PRIVACY REQUEST - [Your Request Type]". We will respond within one month and may request verification of your identity.

8.5 Limitations on Rights

Important: Your data protection rights are subject to certain limitations and exceptions under applicable law, including:

• Legal Obligations: We may be required to retain data to comply with legal, regulatory, or tax obligations
• Legitimate Interests: Processing may continue where our legitimate interests override your rights
• Contract Performance: Certain data is necessary to fulfill our contractual obligations to you
• Technical Limitations: Some requests may not be technically feasible or may compromise system security
• Third-Party Rights: Requests that would affect the rights of other individuals may be limited
• Frivolous Requests: We may charge reasonable fees for excessive, repetitive, or manifestly unfounded requests
• Time Limitations: Requests are subject to strict time limitations at our discretion

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. Our Cookie Policy provides detailed information about:

• Types of cookies we use (essential, analytics, marketing, functional)
• Purposes for each cookie category
• How to manage your cookie preferences
• Third-party cookies and their purposes

10. Children's Privacy

Our services are intended for individuals aged 16 and over. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will take steps to delete it promptly.

11. Marketing Communications

We may send you marketing communications about our services, features, and special offers. You can:

• Opt-out using the unsubscribe link in any marketing email
• Update your communication preferences in your account settings
• Contact us directly to modify your preferences

12. Data Breach Notification and Limitations

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Inform affected individuals without undue delay where required
• Provide clear information about the breach and remedial actions

12.1 Liability Limitations for Data Breaches

Important Notice: While we take data security seriously, you acknowledge and agree that:

• Data breaches can occur despite best efforts and industry-standard security measures
• Our liability for data breaches is limited to the maximum extent permitted by law
• We are not liable for breaches caused by third parties, force majeure, or circumstances beyond our reasonable control
• You assume the risk of using internet-based services and acknowledge the inherent security limitations
• Our maximum liability for any data breach shall not exceed £100
• We disclaim liability for indirect, consequential, or special damages arising from data breaches

13. Law Enforcement and Legal Compliance

13.1 Cooperation with Authorities

We may disclose your personal information to law enforcement, government agencies, or other third parties when:

• Required by law, court order, or legal process
• Requested by government agencies for national security or law enforcement purposes
• Necessary to investigate, prevent, or prosecute suspected illegal activities
• Required to protect our rights, property, or safety, or that of our users or the public
• Needed to enforce our Terms of Service or other legal agreements
• Requested by regulatory authorities for compliance monitoring

13.2 Data Retention for Legal Purposes

We may retain your information longer than our standard retention periods when:

• Required to comply with legal obligations or regulatory requirements
• Necessary for the establishment, exercise, or defense of legal claims
• Subject to litigation hold or investigation requirements
• Needed for tax, accounting, or audit purposes as required by law

14. Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated:

ICO: ico.org.uk | Tel: 0303 123 1113

15. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will:

• Post the updated policy on our website with a new "Last updated" date
• Notify you of material changes via email or prominent website notice
• Maintain previous versions for your reference

15.1 Continued Use Constitutes Acceptance

Important: Your continued use of our services after any changes to this Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you must discontinue use of our services and may request deletion of your account.

16. Contact Information

For privacy-related questions, requests, or concerns, please contact us:

Document Version: 2.0 | Effective Date: January 2025