Privacy Policy
Last updated: [DATE] · Version [VERSION]
This policy explains how Workshopmatic (the service) collects, uses, stores, and protects personal data when you use the hosted version of the service. It is written to align with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Who is responsible (controller)
For the hosted (SaaS) version of the service, the controller responsible for processing your personal data is:
- [OPERATOR LEGAL NAME]
- [STREET ADDRESS], [POSTCODE CITY], [COUNTRY]
- Email: [CONTACT EMAIL]
- Responsible person: [RESPONSIBLE PERSON NAME]
If you have appointed or are required to appoint a data protection officer, add their contact details here: [DPO NAME AND CONTACT, IF APPLICABLE].
2. Self-hosted deployments
If you run the service in your own cloud, you are the controller, not us.
The service can be self-hosted by a customer in their own infrastructure. In that case the hosting customer is the sole controller of all personal data processed by their deployment. [OPERATOR LEGAL NAME] does not receive, host, or process any personal data from a self-hosted deployment, and this policy does not govern that processing. The self-hosting customer is responsible for its own privacy notice, legal bases, sub-processor agreements, and data-subject requests.
3. What data we collect
| Category | What it includes | Where it comes from |
|---|---|---|
| Account data | Email address, display name, authentication identifiers, password hash or Google sign-in identifier | You, at sign-up |
| Workshop content | Agendas, methods, notes, board entries, participant inputs, and AI-generated summaries you create or upload | You and your participants, in use |
| Usage data | Feature usage, session counts, the AI-call counter, error logs, approximate technical metadata (browser, device type) | Automatically, while you use the service |
| Payment data | Subscription tier, billing status, and a customer reference. Card details are handled by Stripe and are never stored on our servers | You, via Stripe at checkout |
4. Why we process it and on what legal basis
We process personal data on the following legal bases under Article 6(1) GDPR:
- Performance of a contract (Art. 6(1)(b)): creating and managing your account, providing the service, running workshops, storing your content, and processing your subscription.
- Legitimate interests (Art. 6(1)(f)): securing the service, preventing abuse, basic product analytics, and operating the AI-call counter to enforce plan limits. We balance these against your rights and you may object (see section 9).
- Legal obligation (Art. 6(1)(c)): retaining invoices and tax records as required by law.
- Consent (Art. 6(1)(a)): any optional processing that requires it, such as non-essential communications. You may withdraw consent at any time.
5. AI processing
The AI co-facilitation features process the workshop content you submit to generate suggestions, summaries, and recommendations. This processing runs on Google Vertex AI (Gemini or Claude models served on Vertex) within an EU region. Your content is sent to Vertex AI only to produce the requested output. We do not send your data to any third-party AI API outside Google Cloud, and there is no data egress to external model providers.
6. Sub-processors
We use the following sub-processors to deliver the service. Each is bound by a data processing agreement and processes data only on our instructions.
| Sub-processor | Purpose | Region |
|---|---|---|
| Google Cloud / Firebase (Hosting, Firestore, Firebase Authentication) | Application hosting, database storage, user authentication | EU region |
| Google Vertex AI | AI co-facilitation (Gemini or Claude on Vertex) | EU region, in-region inference |
| Stripe | Payment processing and subscription billing | EU / global, GDPR safeguards in place |
Add or remove sub-processors here as your stack changes: [ADDITIONAL SUB-PROCESSORS, IF ANY].
7. International transfers
The service is hosted in the EU and we keep personal data inside the EU wherever the service permits it. Where a sub-processor (for example Stripe) may process limited data outside the EU or EEA, that transfer is covered by appropriate safeguards under Chapter V GDPR, such as the European Commission Standard Contractual Clauses. You can request details of these safeguards using the contact above.
8. How long we keep data
- Account and workshop data: for as long as your account is active. After you close your account, we delete or anonymise it within [RETENTION PERIOD, e.g. 30 days], except where law requires longer retention.
- Billing and invoice records: retained for the statutory period (in Germany, generally up to 10 years).
- Logs and usage data: retained for [LOG RETENTION PERIOD, e.g. 90 days], then deleted or aggregated.
9. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectification of inaccurate or incomplete data (Art. 16).
- Erasure of your data, the right to be forgotten (Art. 17).
- Restriction of processing in certain cases (Art. 18).
- Data portability, to receive your data in a structured, machine-readable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time, without affecting prior lawful processing.
To exercise any of these rights, contact [CONTACT EMAIL]. We respond within one month. You also have the right to lodge a complaint with a supervisory authority, in Germany your competent state data protection authority: [SUPERVISORY AUTHORITY NAME AND CONTACT].
10. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, and EU-region storage. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
11. Changes to this policy
We may update this policy as the service or the law changes. We will post the new version here with an updated date, and notify you of material changes by email or in-app where appropriate.
12. Contact
Questions about this policy or your data: [CONTACT EMAIL].