A readable summary of what we collect, why we collect it, and what control you keep.
Last updated: March 1, 2026
Workunit is built for collaboration and context, not surveillance. This page explains the practical privacy rules behind the product: what data we collect, how we use it, which providers we work with, and how export and deletion work.
Our privacy stance
Your data stays yours
We do not sell, rent, or monetize your workunits, assets, or decisions.
No surveillance features
No keystroke logging, no productivity scoring, and no hidden activity monitoring.
Transparent processing
We are transparent about what data we collect, why we collect it, and where it is processed.
Security is part of the product
Encryption, deletion, access controls, and storage transparency are built into the product.
What data we collect
Account information
Email address, name, and organization name for authentication, account management, and communication.
Workunit data
Problem statements, assets, tasks, comments, and attachments. This is the content you create and manage in Workunit.
Usage analytics
We use Cloudflare Web Analytics, a privacy-first analytics service that does not use cookies, does not track individual users, and does not collect personal data. It provides aggregate metrics (page views, visits, performance) to help us improve the product. We do not build advertising profiles.
Technical and security data
IP addresses and browser information collected during signup, login, and authentication for abuse prevention, rate limiting, debugging, and performance monitoring. Security logs are retained for 90 days.
Optional API keys
If you use cloud execution or similar BYOK features, you may provide credentials for services such as Sprites.dev and OpenRouter. We store them encrypted, along with minimal metadata needed to identify the credential.
How we use data
Provide the service
Run your workspace, enable collaboration, and deliver the features you use.
Improve the product
Analyze aggregated usage data to make the product clearer and more reliable.
Security and compliance
Prevent abuse, secure infrastructure, and meet legal obligations.
Communication
Send support replies, service notices, billing updates, and security messages. Marketing emails are optional — you can opt out anytime.
AI features and privacy
Context stays private
AI features process your workunit data to help you, not to train public models on your content.
No cross-organization learning
One organization's data is never used to train or improve suggestions for another organization.
Opt-out is available
You can disable AI features while keeping all core project management features.
Review still matters
AI output can be wrong or incomplete. You are responsible for reviewing and acting on it.
Sharing and providers
We do not sell data
Never have, never will.
Service providers
We rely on providers for hosting, billing, email, storage, key management, and analytics. Examples include Coolify, Resend, Stripe, Scaleway Key Manager, Cloudflare R2, and Cloudflare Web Analytics.
Payment processing
Stripe processes payments directly. We do not store your full card number.
Legal requirements
We may disclose data where legally required, and will notify you unless prohibited by law.
Cloud execution providers
If you run execution features, required credentials are sent to the third-party services you configured, such as Sprites.dev and OpenRouter, only when you start an execution.
Scaleway key management
Scaleway Key Manager in Paris handles cryptographic operations for our envelope encryption system. It does not receive plaintext API keys.
Cloudflare R2 attachments
Attachments are stored in Cloudflare R2 and served through unique, private URLs.
Sub-processor list
For a complete list of our sub-processors, their purposes, and DPA status, see our sub-processor list page.
View sub-processorsRetention and deletion
Active accounts
We retain data while your account is active and for a reasonable period afterward for legal and business purposes.
Account deletion
You can delete your account from settings. Data is permanently deleted within 30 days.
Backups
Backup copies are automatically deleted within 90 days of account deletion.
API keys
Encrypted API keys are deleted when you remove them, or when you delete your account or organization.
Exports
Requested export archives are kept for 7 days and then automatically removed.
Security measures
Encryption
Data is encrypted in transit with TLS. Sensitive values such as API keys use envelope encryption with per-organization DEKs and a master key in Scaleway Key Manager in Paris.
Access controls
Role-based permissions and access controls limit who can access your data.
Security monitoring
We monitor for suspicious behavior and platform issues.
Security logging
Authentication-related logs may contain IP addresses and browser metadata for fraud prevention and network security. Legal basis: legitimate interest under GDPR Article 6(1)(f) and Recital 49.
Cookies and transfers
Session cookies
Used to keep you signed in and preserve application state.
Security cookies
Used for CSRF protection and session integrity.
Preference cookies
Used to remember your UI preferences.
No third-party tracking cookies
We do not use ad pixels, retargeting tags, or social tracking widgets. Our analytics (Cloudflare Web Analytics) are entirely cookie-free.
International transfers
Primary product data is stored on EU-based infrastructure. Attachments may be served through a global CDN, and cloud execution can involve US-based providers when you choose to use those features.
Additional policies
Children's privacy
Workunit is not intended for children under 16, and we do not knowingly collect personal information from children.
Policy updates
We may update this policy when practices or legal obligations change. Material changes are communicated by email or in-product notice.
Restriction of processing
To request restriction of processing under GDPR Article 18, contact us at [email protected]. We will assess your request and respond within 30 days.
No data sales
Export available
Delete from settings
BYOK credentials are encrypted
Attachments use Cloudflare R2
Access
Rectification
Deletion
Portability
Objection
Restriction
Complaint
Email [email protected] if you have a privacy concern, export problem, or question about how a feature handles your data.