Privacy Policy
Effective Date: January 1, 2026
Last Updated: April 24, 2026
WorkPerfect Co ("WorkPerfect," "we," "us," or "our") provides a vendor management system ("VMS") for contingent workforce management. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our website at work-perfect.com (the "Website") and the WorkPerfect platform (the "Service").
1. Scope of This Policy
This Policy describes our practices with respect to personal information we collect as a controller, including:
- Information we collect from visitors to our Website.
- Information we collect from prospective customers and individuals who contact us about the Service.
- Account and profile information of individuals authorized by our customers to access the Service ("Authorized Users").
- Information we collect from individuals who communicate with us for support, sales, or other business purposes.
This Policy does not apply to personal information that we process on behalf of our customers as a processor. When a customer uses the Service to manage information about its workers, contractors, vendors, candidates, suppliers, and other individuals (collectively, "Customer Data"), the customer is the controller of that information and WorkPerfect acts as a processor. Our processing of Customer Data is governed by the customer's agreement with WorkPerfect (the "Master Subscription Agreement" or "MSA") and any associated Data Processing Addendum ("DPA"), not this Policy. Individuals whose information is included in Customer Data should contact the relevant WorkPerfect customer to exercise their rights.
2. Information We Collect
We collect personal information in the following categories.
Information You Provide
- Account and profile information. When an Authorized User account is created, we collect name, business email address, and (where provided) phone number, job title, company name, and similar contact details. Authorized Users may add profile details such as department or team.
- Billing and payment information. When a customer subscribes to a paid plan, we collect billing contact information and billing address. Payment card details are submitted directly to our payment processor and are not stored on WorkPerfect systems.
- Communications. When you contact us for support, sales, or other purposes, we collect the contents of your communication, your contact details, and any documentation you provide.
Information Collected Automatically
- Usage and log data. When you use the Service or visit our Website, our servers automatically log information including IP address, browser type and version, operating system, referring URL, pages viewed, actions taken in the Service, timestamps, and device identifiers.
- Authentication and security data. We collect information necessary to authenticate Authorized Users and protect accounts, including session identifiers, hashed credentials, multi-factor authentication factors (including WebAuthn/passkey public keys), session fingerprint signals (such as user agent, approximate location derived from IP, and similar attributes), and records of authentication events.
- Cookies and similar technologies. We use a limited set of cookies and browser storage as described in our Cookie Policy.
Information from Other Sources
- Authorized User provisioning. When a customer provisions Authorized User accounts, the customer provides us with the information described above.
Sensitive Information
We do not intentionally collect "special category" personal data under the EU/UK GDPR (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning sex life or sexual orientation) or "sensitive personal information" under the California Privacy Rights Act ("CPRA"), other than account credentials necessary to authenticate users.
WebAuthn/passkey public keys are used solely for authentication and are not used for identification or any other purpose.
Automated Decision-Making
We do not use personal information to make solely automated decisions that produce legal effects or similarly significant effects concerning individuals. Where the Service provides analytical or scoring features, those features support human decision-making by our customers; WorkPerfect does not make decisions about individuals.
3. How We Use Personal Information
We use personal information for the following purposes:
- To provide and operate the Service, including authenticating Authorized Users, maintaining accounts, processing transactions, and providing the features of the Service.
- To communicate with you about the Service, including service announcements, security notices, billing notices, password resets, and responses to your inquiries. These communications are part of the Service and you cannot opt out of them while you have an active account.
- To provide support in response to your requests.
- To improve the Service, including analyzing usage patterns and diagnosing technical issues.
- To protect the Service and our users, including detecting and preventing fraud, abuse, and security incidents.
- To comply with legal obligations, including tax, accounting, and regulatory requirements, and to respond to lawful requests from authorities.
- To enforce our agreements and protect our rights and the rights of others.
We do not send marketing or promotional emails. If we begin sending marketing communications in the future, we will obtain consent where required by applicable law and provide an unsubscribe mechanism.
Lawful Bases for Processing (EU / UK)
Where the EU GDPR or UK GDPR applies, we process personal information on the following lawful bases:
- Performance of a contract — to provide the Service to customers and Authorized Users and to administer accounts and billing.
- Legitimate interests — to operate, secure, and improve the Service, to communicate with you, and to protect against fraud and abuse, where those interests are not overridden by your rights.
- Compliance with a legal obligation — to meet our regulatory and legal duties.
- Consent — where we ask for it, such as for non-essential cookies or any future marketing communications.
You may contact us at privacy@work-perfect.com for further information on the legitimate interests we rely on.
AI and Model Training
WorkPerfect uses Amazon Bedrock for limited features such as translation and notification drafting. We do not use personal information or Customer Data to train foundation models. Amazon Bedrock does not use customer inputs or outputs to train its underlying models.
4. How We Share Personal Information
We share personal information only as follows:
- Within a customer's workspace. Authorized Users' profile and activity information is visible to other Authorized Users of the same customer workspace as needed for the customer to use the Service.
- Sub-processors. We engage a limited set of sub-processors to support delivery of the Service. Our current sub-processor list is published at work-perfect.com/sub-processors. Sub-processors are bound by written agreements requiring confidentiality and appropriate data protection terms.
- Professional advisors. We may share information with our legal, accounting, and other professional advisors under duties of confidentiality.
- Business transfers. If WorkPerfect is involved in a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, personal information may be transferred as part of that transaction. We will require the recipient to honor commitments made in this Policy or provide notice and choice where required by law.
- Legal requirements. We may disclose information when we reasonably believe it is necessary to comply with applicable law, legal process, or a lawful government request, or to protect the rights, property, or safety of WorkPerfect, our users, or others. Where we receive a request for Customer Data, we will redirect the requester to the relevant customer where lawful and reasonable.
- With your consent or at your direction.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CPRA. We have not sold or shared personal information in the preceding 12 months.
We may use and disclose aggregated or de-identified information that cannot reasonably be used to identify an individual for any lawful business purpose.
5. International Data Transfers
WorkPerfect is established in the United States and processes personal information in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States.
For transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on:
- The European Commission's Standard Contractual Clauses ("SCCs"), including the UK International Data Transfer Addendum for transfers from the United Kingdom and the equivalent Swiss provisions for transfers from Switzerland, which we incorporate into our customer agreements and sub-processor agreements; and
- Where applicable, supplementary technical and organizational measures, including encryption in transit and at rest.
We are preparing to self-certify under the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework. Until we publish our certification on dataprivacyframework.gov, we do not rely on those frameworks as a transfer mechanism, and SCCs (and the UK Addendum / Swiss provisions) remain our transfer mechanism.
For information about the transfer mechanism applicable to a specific transfer, contact privacy@work-perfect.com.
6. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy. Specific retention periods include:
- Account and profile information — for the duration of the customer's subscription, and for up to 90 days after termination, after which it is deleted or anonymized except where retention is required by law.
- Billing records — for 7 years following the end of the billing relationship, to comply with tax and accounting requirements.
- Application and access logs — for up to 13 months from the date of generation.
- Authentication and security event logs — for up to 13 months from the date of generation.
- Database backups — for up to 35 days from the date of the backup.
- Support communications — for 3 years from the date of the communication.
We may retain information for longer where required by law, where necessary to establish, exercise, or defend legal claims, or where retention is necessary to investigate or prevent fraud, abuse, or security incidents. When retention is no longer necessary, we delete or anonymize the information.
Customer Data retention is governed by the customer's agreement with WorkPerfect.
7. Security
We use technical and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, and loss. These measures include:
- Encryption of personal information in transit using TLS.
- Encryption of personal information at rest using AWS Key Management Service.
- Multi-factor authentication for administrative access.
- Role-based access controls and the principle of least privilege.
- Tenant isolation enforced through PostgreSQL row-level security.
- Logging and monitoring of access to production systems.
- Regular review of access rights.
- A Web Application Firewall and bot-control protection on the Service's public endpoints.
WorkPerfect maintains SOC 2 attestation; current attestations and reports are published in the Trust Center.
No system is perfectly secure. If you suspect that your account has been compromised or that personal information has been exposed, contact us immediately at security@work-perfect.com.
8. Data Breach Notification
If we experience a personal data breach that creates a risk to the rights and freedoms of individuals, we will:
- Notify the affected customer (where the breach involves Customer Data) without undue delay, consistent with our DPA;
- Notify affected individuals where we are the controller and the breach is likely to result in a high risk to their rights and freedoms, in accordance with applicable law (including UK GDPR and EU GDPR Article 34); and
- Notify the relevant supervisory authority within 72 hours of becoming aware of a notifiable breach, in accordance with UK GDPR and EU GDPR Article 33 and other applicable law.
Notifications will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take to address the breach.
9. Sub-processors
We use a limited set of sub-processors to operate the Service. The current list is available at work-perfect.com/sub-processors.
We will provide customers with at least 30 days' notice of any addition of, or change to, our sub-processors. Customers may subscribe to sub-processor change notifications by emailing privacy@work-perfect.com. If a customer has a reasonable, documented objection to a new sub-processor on data protection grounds, the customer may exercise the objection rights set out in the DPA.
10. Your Rights
Depending on where you live, you may have the following rights with respect to personal information that we hold about you as a controller:
- Access — to request a copy of personal information we hold about you.
- Correction — to request correction of inaccurate or incomplete information.
- Deletion / erasure — to request deletion of your information, subject to legal retention requirements and applicable exceptions.
- Portability — to receive your information in a portable, machine-readable format, where applicable.
- Restriction — to request that we limit our processing in certain circumstances.
- Objection — to object to certain processing, including processing based on legitimate interests and any direct marketing.
- Withdrawal of consent — where processing is based on your consent.
- Opt out of sale or sharing — under US state privacy laws (we do not sell or share, but you have the right to confirm this).
- Limit use of sensitive personal information — under CPRA (we do not use sensitive personal information for purposes beyond those permitted).
- Appeal — to appeal our refusal to act on a rights request, where applicable law provides this right (including under Virginia, Colorado, Connecticut, Texas, Oregon, and Montana state privacy laws).
- Complaint — to lodge a complaint with your supervisory authority (see Section 13).
- Non-discrimination — we will not discriminate against you for exercising your rights.
To exercise these rights, contact privacy@work-perfect.com. We will respond within the time required by applicable law (generally 30 days under EU/UK GDPR, with one extension of up to 60 additional days where permitted; 45 days under CPRA, extendable by 45 days where permitted).
To verify your identity, we will request information that allows us to reasonably confirm you are the person about whom we hold information. Where you have an account, we will typically verify by reference to information associated with that account; in some cases we may require government-issued identification.
Authorized agents. California residents may submit requests through an authorized agent. The agent must provide a written, signed authorization, and we may contact you to verify your identity and that you have authorized the agent.
Customer Data. If your information is held by WorkPerfect as Customer Data on behalf of a customer, please direct your rights request to the relevant customer. We will assist that customer in responding to your request as required by our DPA.
11. US State Privacy Rights
This section provides additional disclosures for residents of US states with comprehensive privacy laws, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states whose laws apply to us.
California — Categories Collected and Disclosed
In the preceding 12 months, we have collected the following categories of personal information, as defined under the CPRA:
| Category | Examples | Sources | Business / Commercial Purpose | Disclosed for Business Purpose To |
|---|---|---|---|---|
| Identifiers | Name, business email, phone, IP address, device identifiers, account ID | You; your employer; automatic collection | Provide the Service; account administration; security | Sub-processors |
| Customer records (Cal. Civ. Code § 1798.80) | Name, business contact details, billing address | You; your employer | Account administration; billing | Sub-processors |
| Commercial information | Subscription history, transaction records | You; your employer | Account administration; billing | Sub-processors |
| Internet or other electronic network activity | Usage logs, pages viewed, feature interactions | Automatic collection | Provide and improve the Service; security | Sub-processors |
| Geolocation data | Approximate location derived from IP address | Automatic collection | Security; fraud prevention | Sub-processors |
| Professional or employment information | Job title, company, department | You; your employer | Provide the Service | Sub-processors |
| Audio / electronic information | Recordings of support or sales calls (where consented to) | You | Support; sales; quality assurance | Sub-processors |
Categories sold or shared in the preceding 12 months: None.
Categories of sensitive personal information sold or shared: None.
Categories disclosed for a business purpose: All of the above categories, disclosed only to sub-processors as described in Section 4.
Opt-Out Preference Signals
We honor the Global Privacy Control ("GPC") signal as an opt-out request from California consumers and from residents of other states whose laws require this. Because we do not sell or share personal information, the GPC signal does not change our practices, but it confirms our position.
Retention
Retention periods are described in Section 6.
Right to Limit Use of Sensitive Personal Information
We do not use sensitive personal information for any purpose other than those permitted under CPRA without an opt-out right (such as performing the Service requested, security, and short-term transient use).
12. Children's Privacy
The Service is intended for business use and is not directed to children. We do not knowingly collect personal information from anyone under 16 years of age. If we learn that we have collected information from a person under 16, we will delete it. Contact privacy@work-perfect.com if you believe we may hold information about a child.
We do not sell or share personal information of consumers under 16 years of age.
13. Supervisory Authority
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority. Contact details for EEA authorities are available at edpb.europa.eu. The UK Information Commissioner's Office can be reached at ico.org.uk. The Swiss Federal Data Protection and Information Commissioner can be reached at edoeb.admin.ch.
We would appreciate the opportunity to address your concerns before you contact a supervisory authority. Please contact us first at privacy@work-perfect.com.
14. Privacy Contact
For questions about this Policy or about our handling of personal information, contact:
We have not appointed a Data Protection Officer because we are not currently required to do so under EU GDPR Article 37 or UK GDPR Article 37. The Privacy Contact above is responsible for privacy matters.
15. Accessibility
If you need this Policy in an alternative format, contact privacy@work-perfect.com and we will provide one within a reasonable time.
16. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date at the top reflects the most recent revision. If we make material changes, we will provide additional notice (such as by email to account contacts or a prominent notice in the Service) before the changes take effect. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Policy.