— the legal stuff.

// // privacy notice

Privacy.

Plain-English summary of how Workhand handles your data and your customers' data. Full UK GDPR compliance terms are in the formal Data Processing Agreement at /legal/dpa.

Effective 1 May 2026

Draft · awaiting solicitor review before binding use

What we collect

From you (the Workhand customer): name, email, phone, business details, payment information (handled by Stripe — we never see card numbers), the OAuth credentials you grant us for your connected channels (Gmail, Calendar, GBP, Metricool), and the knowledge-base content you author for Workhand.

From your customers (people who interact with Workhand on your behalf): the content of their interactions — call recordings, email bodies, SMS messages, review text — plus the metadata Workhand needs to handle them (timestamps, contact identifier, booking details, payment receipts).

What we do with it

We use your data exclusively to operate the Workhand service for you. That means: routing inbound interactions through the AI prompts to draft replies, storing the audit log so you can see what happened, sending you summaries, billing you for the service. We don't use your data to train AI models. We don't sell or share data outside the named sub-processors.

How long we keep it

Active customer data: kept for as long as you're a customer. After cancellation: 30-day grace period to download your export, then permanent deletion. Call recordings: 90 days from the call, then deleted automatically. Audit log: 7 years (regulatory requirement). Payment records: 7 years (HMRC).

Your rights

Under UK GDPR you can request a copy of your data, ask us to correct anything wrong, or ask us to delete it. We respond within 30 days; the in-app form is the fastest path because the request lands in the audit log directly.

Sub-processors + transfers

We use a small set of named sub-processors (Anthropic, Twilio, Retell, Supabase, Vercel, Stripe, Resend, Metricool, Sentry, Axiom). The full list with country and purpose is at /legal/sub-processors. Some sub-processors are based outside the UK / EEA — those transfers run on Standard Contractual Clauses or equivalent adequacy basis. We notify you 30 days before adding any new sub-processor.

How to contact us

Workhand Ltd, Stone, Staffordshire (full registered office TBD). ICO registration: TBD. Email felix@workhand.co.uk for any privacy queries.

Questions on this page? Email felix@workhand.co.uk — Felix reads everything. For DSAR submissions specifically, use the in-app DSAR form so the request lands in the audit log directly.