1. Introduction
This Privacy Policy explains how Workraft Ltd. (together with its subsidiaries and affiliates, “Workraft”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data in connection with the Workraft website at workraft.ai (the “Website”) and the Workraft workforce management platform (the “Service”).
Workraft is incorporated in Israel. Our registered office is in Tel Aviv, Israel.
This policy applies to:
- Visitors to the Website, including people who fill out the contact form, request a demo, or subscribe to the blog
- Customers, including employees and administrators of organizations that use the Service
- End users whose data is uploaded by customers — such as field workers whose shifts, attendance, or documents are managed through the Service — in which case Workraft acts as a processor on behalf of the customer, not as a controller
We encourage you to read this policy in full. If you have any questions, contact us at legal@workraft.ai.
2. Our two roles: controller and processor
Key distinction
Workraft plays two different roles depending on whose data is involved. Understanding the distinction is how we stay compliant and how you know what your rights are.
When Workraft is the controller: We determine the purpose and means of processing. This covers personal data of Website visitors, marketing leads, trial signups, customer account administrators, and anyone who interacts with Workraft directly. The full set of rights described in this policy applies to you in this context.
When Workraft is the processor: Our customers upload personal data about their end users (workers, supervisors, patients in caregiving contexts, and so on) into their Workraft tenant. Workraft processes that data only on the documented instructions of the customer, under the terms of our Data Processing Agreement. If you are an end user and want to exercise rights over your data, you generally need to contact the customer who uploaded it. We will assist that customer in responding to your request.
Workraft is not a HIPAA-covered entity or Business Associate. The Service is not designed to store protected health information as defined by HIPAA, and customers must not upload PHI to Workraft without a separate written agreement.
3. Information we collect
3.1 Information you provide directly
- Account information: name, email address, phone number, company name, job title, and the credentials you use to sign in to the Service
- Contact form submissions: the content you send us via the contact form, along with the email address and phone number you provide
- Customer content: the data you upload to the Service on behalf of your organization, including worker profiles, shift schedules, attendance records, documents, photos, and other operational information
- Payment information (when the Service moves to paid tiers): billing address, tax identifiers, and payment method details, which are processed by our future payment processor and not stored directly by Workraft
- Support communications: messages you send to our support team and any information you voluntarily share to help us resolve an issue
3.2 Information we collect automatically
- Device and technical information: IP address, browser type and version, operating system, language preferences, and the referring URL
- Usage data: the pages you visit, features you interact with, session duration, and the time and date of your visits
- Cookies and similar technologies: see Section 4 below for the full list and information about how to manage them
- Location data from customer end users: when a customer enables GPS features of the Service, Workraft processes location events on behalf of that customer. The customer remains the controller for this data and must comply with applicable labor-law notice and consent obligations in their jurisdiction
3.3 Information from third parties
- Payment processors: when we introduce paid tiers, our payment processor will send us the information necessary to process your subscription
- Analytics providers: aggregated usage information from analytics services, subject to your consent
- Public sources: in limited cases, information from public business directories to improve our sales and support outreach
We do not purchase personal data from data brokers.
4. Cookies and similar technologies
Cookies are small text files that websites place on your device when you visit them. They are widely used to make websites work more efficiently, remember your preferences, and provide information to the site owner. This section explains which cookies Workraft uses, why, and how you can manage your choices.
Opt-in by default
Except for strictly necessary cookies, we do not load any cookies or similar tracking technologies until you have given your consent through our cookie banner. You can change your choices at any time by clicking “Cookie settings” in the footer of any page.
We respect the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we treat it as an opt-out of analytics and marketing cookies by default. We will ask for your consent again if we make a material change to the categories of cookies we use.
4.1 Strictly necessary (always on)
These cookies are required for the Website to function and cannot be switched off. They are only set in response to actions you take, such as setting your language preference or saving your accessibility preferences. The legal basis is that they are strictly necessary for the service you have requested.
| Name | Purpose | Duration | Provider |
|---|---|---|---|
workraft_lang | Remembers your language preference (EN or HE) across the main site and the Workraft app, and redirects you to the matching locale on return visits | 1 year | Workraft (first-party) |
workraft-consent | Stores your cookie consent choices so we do not have to ask again on every page | 1 year | Workraft (first-party) |
workraft-a11y | Stores your accessibility preferences (larger text, reduced motion, high contrast) so they persist across pages | 1 year | Workraft (first-party) |
4.2 Functional
These cookies would enable optional features that enhance the experience but are not strictly necessary. They are only loaded if you give consent. At the time of writing, Workraft does not use any functional cookies. This category is reserved for future use and will be documented here before any cookie is activated in it.
4.3 Analytics
These cookies help us understand how visitors interact with the Website. They are only loaded if you give consent.
| Name | Purpose | Duration | Provider |
|---|---|---|---|
| Vercel Analytics | Aggregated, privacy-friendly page-view and performance metrics. No IP address storage, no cross-site tracking, no shared profiles. | Session | Vercel Inc. (third-party) |
Vercel Analytics is designed with privacy in mind — it does not use cookies for identification, does not build cross-site profiles, and does not sell data to third parties. When you opt out, no analytics script is loaded at all.
4.4 Marketing
These cookies would allow us to measure the effectiveness of marketing campaigns and deliver more relevant advertising. They are only loaded if you give consent. At the time of writing, Workraft does not use any marketing or advertising cookies. This category is reserved for future use and will be documented here before any cookie is activated in it.
4.5 Managing your preferences
You can manage your cookie preferences in several ways:
- Workraft’s preference center: click “Cookie settings” in the footer of any page to reopen the consent modal
- Your browser: most browsers allow you to block or delete cookies through their settings. Note that blocking strictly necessary cookies may prevent parts of the Website from working correctly
- Global Privacy Control: enable GPC in your browser or install a browser extension that sends a GPC signal
A list of third parties that may process data through cookies is available in Annex B of the Data Processing Agreement.
5. How we use information
We use personal data for the following purposes, each with a corresponding legal basis as described in Section 5:
- Provide and operate the Service: create accounts, authenticate users, provision features, store data securely, and maintain the integrity of the Service
- Communicate with you: send operational notifications, security alerts, billing messages, and responses to your support requests
- Improve the Service: diagnose bugs, analyze aggregated usage patterns, and develop new features
- Marketing communications: with your opt-in consent, send product updates, newsletters, and occasional offers
- Security and abuse prevention: detect fraud, unauthorized access, and abuse of the Service
- Legal and regulatory compliance: comply with applicable law, court orders, and legitimate governmental requests
- AI features: operate our AI Shift Manager, AI Shift Analyzer, and AI View Builder features. Customer tenant data is processed strictly within the customer’s tenant boundary and is never mixed with other customers’ data or used to train shared models
6. Legal bases for processing (EU/UK/EEA)
Under the EU General Data Protection Regulation (GDPR) and the UK GDPR, we process personal data under the following legal bases:
- Performance of a contract (Art. 6(1)(b)): to provide the Service to you and fulfill our obligations under the Terms of Service
- Consent (Art. 6(1)(a)): for marketing communications, non-essential cookies, and any processing that is not necessary for the core Service. You may withdraw consent at any time
- Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud, improve product quality, and understand how the Service is used. We conduct balancing tests to ensure our interests do not override your rights
- Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, employment, and other applicable laws
- Vital interests (Art. 6(1)(d)): in rare emergency situations where processing is necessary to protect the life of a person
Where special category data is processed (for example, in caregiving use cases where a customer uploads health-adjacent information), we rely on the customer’s documented consent or other Art. 9 conditions, and we process such data only as a processor on the customer’s behalf.
7. Sharing and disclosure
We do not sell your personal data. We share personal data only in the following circumstances:
- Sub-processors: we engage trusted third-party service providers who process personal data on our behalf under written agreements that comply with Art. 28 GDPR. The current list is maintained in Annex B of our Data Processing Agreement
- Professional advisors: accountants, auditors, and lawyers, under confidentiality obligations
- Legal and regulatory disclosures: where we are legally required to disclose data, including in response to a valid court order, subpoena, or lawful request from a governmental authority
- Corporate transactions: in connection with a merger, acquisition, reorganization, or sale of assets, subject to standard privacy protections for any transferred data
- With your consent: where you have explicitly directed us to share data with a third party (for example, an integration partner)
8. International data transfers
Workraft operates globally, and your personal data may be transferred to and processed in countries outside the European Economic Area, the United Kingdom, and Israel. When we transfer personal data internationally, we rely on one of the following mechanisms:
- Adequacy decisions: the European Commission has recognized Israel as providing an adequate level of data protection. Transfers between the EEA and Israel rely on this decision
- Standard Contractual Clauses (SCCs): for transfers to jurisdictions without an adequacy decision (such as the United States), we use the European Commission’s SCCs, Module 2 (controller to processor) or Module 3 (processor to processor), as applicable
- Supplementary measures: encryption in transit and at rest, access controls, and contractual commitments to limit data-access requests from public authorities
The current list of where customer data is hosted is available in Annex B of the DPA.
9. Data retention
We retain personal data only for as long as necessary for the purposes described in this policy and to comply with applicable law. Our default retention schedule is:
- Active accounts: retained for the life of the account
- Cancelled accounts: retained for 90 days after cancellation to allow recovery, then permanently deleted (except for data we are legally required to keep longer)
- Billing and tax records: retained for 7 years, as required by Israeli and other applicable tax law
- Security logs: retained for 1 year
- Marketing consent records: retained until consent is withdrawn, then deleted promptly
- Contact form submissions: retained for up to 2 years for sales follow-up, then deleted
Customers can request earlier deletion by contacting legal@workraft.ai. End users should contact the customer who controls their data.
10. Your rights
10.1 Universal rights we honor
Regardless of where you live, we honor the following rights on request:
- Right of access: you can ask us to confirm whether we process your personal data and request a copy
- Right of rectification: you can ask us to correct inaccurate or incomplete data
- Right of erasure: you can ask us to delete your data, subject to legal retention requirements
- Right of portability: you can ask us to export your data in a structured, commonly used format
- Right of objection: you can object to processing that relies on legitimate interests
- Right to withdraw consent: where processing relies on consent, you can withdraw that consent at any time
To exercise any of these rights, contact legal@workraft.ai. We will respond within 30 days.
10.2 European Union, UK, and EEA residents (GDPR)
In addition to the universal rights above, you have the right to lodge a complaint with the supervisory authority in the member state of your habitual residence, place of work, or place of the alleged infringement, under Art. 77 GDPR.
Workraft does not currently have an EU representative appointed under Art. 27 GDPR. [TBD — pending appointment before public launch]
10.3 California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you specific rights with respect to your personal information. These include:
- Right to know the categories and specific pieces of personal information we have collected, the sources from which we collected it, the business purpose for collecting it, and the categories of third parties with whom we share it
- Right to delete personal information we have collected, subject to certain exceptions
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising
- Right to limit the use and disclosure of sensitive personal information
- Right to non-discrimination for exercising your privacy rights
No sale of personal information
Workraft does not sell or share personal information as those terms are defined under the CCPA and CPRA. We do not engage in cross-context behavioral advertising.
To exercise your California privacy rights, contact legal@workraft.ai with “California Privacy Request” in the subject line. We will verify your identity before responding. You may designate an authorized agent to make a request on your behalf in accordance with CCPA requirements.
10.4 Other US states
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, New Jersey, and Tennessee have substantially similar rights under their respective state privacy laws. We honor access, correction, deletion, portability, and opt-out-of-targeted-advertising requests from residents of these states. Contact legal@workraft.ai to exercise these rights.
10.5 Israeli residents
Under the Privacy Protection Law, 5741-1981, as amended by Amendment 13 (in force August 2025), Israeli residents have rights of access, correction, portability, and erasure of their personal data, as well as protections in relation to database management and data security.
You may contact our Data Protection Officer at legal@workraft.ai. If you believe we have processed your data unlawfully, you may lodge a complaint with the Israeli Privacy Protection Authority (PPA) (רשות להגנת הפרטיות).
11. Security
We implement technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit (TLS 1.2 or higher) and at rest
- Access controls based on the principle of least privilege
- Authentication and session management with secure password hashing and optional multi-factor authentication
- Network segmentation and firewall protections
- Regular security reviews of our code, dependencies, and infrastructure
- Incident response procedures for detecting, investigating, and reporting security events
- Staff training on data protection, confidentiality, and secure development practices
A full description of our technical and organizational measures is available in the appendix to our Data Processing Agreement.
Breach notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in line with GDPR Art. 33 and the equivalent provisions of Israeli Amendment 13. Where the breach is likely to result in a high risk, we will also notify affected individuals.
12. Children’s privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, contact us at legal@workraft.ai and we will delete the data.
13. Automated decision-making and AI features
The Service includes automated and AI-driven features, including the AI Shift Manager (which proposes or executes shift assignments), the AI Shift Analyzer (which surfaces patterns and risks), and the AI View Builder (which generates custom dashboards on request).
Under GDPR Art. 22, data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Where our AI features support a significant decision (for example, a shift assignment that affects a worker’s income), customers remain responsible for ensuring meaningful human oversight. Workraft provides tools to support that oversight but does not itself make binding decisions about any data subject.
Customer tenant data is processed strictly within the customer’s tenant boundary and is never mixed with other customers’ data or used to train shared AI models.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) or by prominent notice on the Website at least 30 days before the changes take effect, unless a shorter notice is required by law. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
The current version, effective date, and a link to the prior version (where available) appear at the top of this document.
15. Contact us
For any question, concern, or request relating to this Privacy Policy or your personal data, contact:
Workraft Ltd. Tel Aviv, Israel Email: legal@workraft.ai
EU representative: [TBD — pending appointment before public launch]