Privacy Policy

Effective Date: December 4, 2025

1. Introduction & Scope

This Privacy Policy describes how Autoworklet ("we," "our," or "us") collects, uses, shares, and protects your personal information when you use our website, applications, and services (collectively, the "Services"). By using our Services, you agree to the collection and use of information in accordance with this policy.

This policy applies to all users of Autoworklet's Services, including visitors to our website, registered users, and organizations using our automation platform.

Compliance Standards: Autoworklet is actively working toward SOC 2 Type II compliance and HIPAA compliance for healthcare customers. We comply with GDPR for EU/EEA residents. For more information about our compliance programs, see Section 7.1 (SOC 2 Compliance), Section 8.0 (GDPR Rights), and Section 11 (HIPAA Compliance and Protected Health Information).

2. Information We Collect

2.1 Information You Provide Directly

When you use our Services, you may provide us with:

  • Account Information: Name, email address, username, password, and profile information
  • Organization Information: Organization name, team member details, roles, and permissions
  • Content and Data: Workflows, automation scripts, files, data processed through automations, and any other content you create or upload
  • Communication Data: Messages sent through our contact forms, support requests, feedback, and other communications
  • Payment Information: If applicable, billing details and payment information (processed securely through third-party payment processors)

2.2 Information Collected Automatically

When you visit or use our Services, we automatically collect certain information:

  • Device Information: IP address, browser type and version, device type, operating system, and device identifiers
  • Usage Data: Pages visited, features used, time spent on pages, click patterns, and interaction with our Services
  • Log Data: Server logs, error reports, performance data, and system events
  • Location Data: General location information derived from IP address (not precise GPS location)
  • Cookies and Tracking Technologies: See Section 5 for details about cookies and similar technologies

2.3 Information from Third Parties

We may receive information about you from third-party services:

  • Authentication Providers: If you sign in using third-party authentication services
  • Analytics Services: Aggregated usage and performance data from analytics providers
  • Integration Partners: Data from services you connect to Autoworklet through our platform

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, operate, maintain, and improve our Services, including processing your automations and workflows
  • Account Management: To create and manage your account, authenticate users, and manage access permissions
  • Communication: To send you service-related notifications, respond to your inquiries, provide customer support, and send important updates about our Services
  • Analytics and Improvement: To understand how our Services are used, analyze trends, improve functionality, and develop new features
  • Personalization: To customize your experience, provide relevant content, and tailor our Services to your preferences
  • Security and Fraud Prevention: To detect, prevent, and address security issues, fraud, abuse, and other harmful activities
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforce our terms of service
  • Business Operations: To manage our business operations, conduct research, and for other legitimate business purposes

4. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information in the following circumstances:

4.1 Third-Party Service Providers

We work with trusted third-party service providers who help us operate our Services. These providers may have access to your information only to perform services on our behalf and are obligated not to disclose or use it for other purposes:

  • Cloud Infrastructure: Google Firebase (Firestore, Cloud Storage, Authentication, Cloud Functions) for hosting, database, and backend services. Google Privacy Policy
  • Analytics: Google Analytics and Microsoft Clarity for website analytics and usage insights. Google Privacy Policy | Microsoft Privacy Statement
  • AI Services: OpenAI, Anthropic (Claude), and Google (Gemini) for AI-powered features and automation capabilities. OpenAI Privacy Policy | Anthropic Privacy Policy | Google Privacy Policy
  • Email Services: Third-party email service providers for sending transactional and service-related emails
  • Customer Support: Support tools and platforms to assist with customer inquiries

4.2 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, including:

  • Responding to subpoenas, court orders, or legal processes
  • Complying with applicable laws and regulations
  • Protecting our rights, privacy, safety, or property, or that of our users or others
  • Investigating potential violations of our terms of service

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

4.4 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and use information about your interaction with our Services.

5.1 Types of Cookies We Use

  • Essential Cookies: Required for the Services to function properly (e.g., authentication, security)
  • Analytics Cookies: Help us understand how visitors interact with our website (Google Analytics, Microsoft Clarity)
  • Functional Cookies: Remember your preferences and settings to improve your experience
  • Performance Cookies: Collect information about how you use our Services to help us improve performance

5.2 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or alert you when cookies are being sent. However, disabling cookies may affect the functionality of our Services.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

6. Data Retention

We retain your personal information for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

6.1 Retention Periods

  • Account Data: Retained while your account is active and for a reasonable period after account closure to comply with legal obligations and resolve disputes
  • Content and Workflows: Retained according to your account settings and until you delete them or close your account
  • Usage and Analytics Data: Retained in aggregated and anonymized form for analytics purposes
  • Legal and Compliance: Some information may be retained longer if required by law, regulation, or for legitimate business purposes

6.2 Deletion

You can request deletion of your personal information at any time by contacting us at support@autoworklet.com. We will delete your information in accordance with applicable law, subject to our retention obligations. Note that some information may remain in backup systems for a limited time after deletion.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

  • Encryption: Data encryption in transit (using HTTPS/TLS) and at rest where applicable
  • Access Controls: Restricted access to personal information on a need-to-know basis, with authentication and authorization controls
  • Secure Infrastructure: Hosting on secure, industry-standard cloud infrastructure with regular security updates
  • Monitoring: Regular monitoring for security vulnerabilities and threats
  • Backup and Recovery: Regular backups and disaster recovery procedures
  • Employee Training: Security awareness training for employees who handle personal information
  • Security Audits: Regular security assessments, vulnerability scanning, and penetration testing
  • Incident Response: Established procedures for detecting, responding to, and recovering from security incidents
  • Change Management: Controlled processes for system changes to maintain security and integrity

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining reasonable safeguards.

7.1 SOC 2 Compliance

Autoworklet is actively working toward SOC 2 Type II compliance, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy of customer data. We have implemented security controls and processes aligned with SOC 2 standards and are in the process of completing our formal audit and certification.

SOC 2 Trust Service Criteria

We have implemented controls aligned with SOC 2 Trust Service Criteria:

  • Security: Our systems are protected against unauthorized access and security incidents through comprehensive controls including firewalls, intrusion detection, access controls, and encryption
  • Availability: We maintain system availability through redundant infrastructure, monitoring, and disaster recovery procedures to ensure our Services are accessible when needed
  • Processing Integrity: We ensure data processing is complete, valid, accurate, timely, and authorized through validation controls, error handling, and quality assurance processes
  • Confidentiality: Information designated as confidential is protected through encryption, access controls, and confidentiality agreements with personnel and third parties
  • Privacy: We collect, use, retain, disclose, and dispose of personal information in accordance with our privacy commitments and applicable privacy laws

SOC 2 Controls and Monitoring

Our SOC 2 compliance program includes:

  • Implementation of security controls aligned with SOC 2 requirements
  • Continuous monitoring of security controls and system operations
  • Risk assessments and management processes
  • Documented policies and procedures for security operations
  • Regular training and awareness programs for personnel
  • Vendor management and oversight of third-party service providers
  • Ongoing work with certified third-party auditors toward formal certification

We are committed to achieving SOC 2 Type II certification and will make our report available to customers upon completion under appropriate confidentiality agreements. For questions about our SOC 2 compliance progress, please contact us at support@autoworklet.com.

8. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information. These may include the rights described in the subsections below.

8.0 GDPR Rights (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to Access: You can request a copy of your personal data we hold
  • Right to Rectification: You can request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data under certain circumstances
  • Right to Restrict Processing: You can request that we limit how we use your data
  • Right to Data Portability: You can receive your data in a structured, commonly used format
  • Right to Object: You can object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Where processing relies on consent, you can withdraw it at any time
  • Right to Lodge a Complaint: You can file a complaint with your local data protection authority (e.g., your country's supervisory authority)

Legal Basis for Processing: We process your personal data based on: (1) your consent, (2) performance of a contract with you, (3) compliance with legal obligations, (4) protection of vital interests, (5) performance of a task in the public interest, or (6) legitimate interests pursued by us or third parties. You can contact us to learn the specific legal basis for any particular processing.

Data Protection Officer: For GDPR-related inquiries, you can contact us at support@autoworklet.com.

8.1 Access and Portability

You have the right to access the personal information we hold about you and to receive a copy of your data in a portable format.

8.2 Correction

You can update or correct your personal information through your account settings or by contacting us.

8.3 Deletion

You can request deletion of your personal information, subject to our legal and operational retention requirements.

8.4 Restriction and Objection

You may have the right to restrict or object to certain processing of your personal information.

8.5 Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time.

8.6 How to Exercise Your Rights

To exercise any of these rights, please contact us at support@autoworklet.com with:

  • Your name and email address associated with your account
  • A clear description of the right you wish to exercise
  • Any additional information that may help us verify your identity

We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. Our Services are hosted on Google Firebase infrastructure, which may store data in various locations, including the United States.

When we transfer your information internationally, we take steps to ensure appropriate safeguards are in place, including:

  • Using service providers that comply with applicable data protection laws
  • Implementing contractual safeguards where required
  • Relying on adequacy decisions or other legal mechanisms for international transfers

9.1 GDPR Transfers (EU/EEA Residents)

If you are located in the EU/EEA, your personal data may be transferred to countries outside the EU/EEA, including the United States. We ensure such transfers comply with GDPR requirements through:

  • Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses with our service providers
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission
  • Other Safeguards: Additional technical and organizational measures to protect your data

For EU/EEA residents, by using our Services, you acknowledge that your data may be transferred outside the EU/EEA with appropriate safeguards in place. You may contact us for more information about the specific safeguards applicable to your data.

10. Automated Decision-Making and AI

Our Services include AI-powered features and automated workflows that may process your data to provide automation capabilities, generate content, and perform automated tasks.

10.1 How We Use AI

We use artificial intelligence, including services provided by OpenAI, Anthropic (Claude), and Google (Gemini), to:

  • Power automation workflows and intelligent task execution
  • Provide code completion and suggestions
  • Generate content and assist with automation development
  • Analyze and process data within your automations

10.2 Your Rights Regarding Automated Processing

You have the right to:

  • Understand when automated processing is being used
  • Request human review of automated decisions that significantly affect you
  • Opt out of certain automated features where technically feasible
  • Control what data is processed through automated systems

If you have concerns about automated decision-making or wish to exercise these rights, please contact us at support@autoworklet.com.

11. HIPAA Compliance and Protected Health Information

If you are a healthcare provider, health plan, or healthcare clearinghouse (a "Covered Entity") using our Services to process Protected Health Information ("PHI") as defined by the Health Insurance Portability and Accountability Act ("HIPAA"), this section applies to you.

HIPAA Compliance Status: Autoworklet is actively working toward full HIPAA compliance. We have implemented HIPAA-aligned safeguards and controls and are in the process of completing our formal HIPAA compliance program. We can enter into Business Associate Agreements (BAAs) with Covered Entities, subject to our current compliance status and implementation timeline.

11.1 Business Associate Agreement

When Autoworklet processes PHI on behalf of a Covered Entity, we act as a Business Associate under HIPAA. We are prepared to enter into Business Associate Agreements ("BAAs") with Covered Entities that require us to:

  • Use and disclose PHI only as permitted by the BAA and HIPAA
  • Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report any breaches of unsecured PHI to Covered Entities
  • Ensure that subcontractors who receive PHI agree to the same restrictions and conditions
  • Make PHI available for access, amendment, and accounting of disclosures as required by HIPAA
  • Return or destroy PHI when the BAA terminates (if feasible)

If you are a Covered Entity and need a BAA, please contact us at support@autoworklet.com to discuss our BAA terms and HIPAA compliance timeline before using our Services to process PHI. We will work with you to ensure appropriate safeguards are in place.

11.2 HIPAA Safeguards

We have implemented administrative, physical, and technical safeguards aligned with HIPAA requirements to protect PHI:

Administrative Safeguards

  • Security management processes, including risk analysis and risk management
  • Assigned security responsibility with designated security officers
  • Workforce security through background checks and access authorization
  • Information access management with role-based access controls
  • Security awareness and training programs for all personnel
  • Contingency plans for data backup, disaster recovery, and emergency operations
  • Business Associate agreements with all third parties who access PHI

Physical Safeguards

  • Facility access controls to limit physical access to systems containing PHI
  • Workstation security controls and use restrictions
  • Device and media controls for disposal and reuse of hardware and electronic media
  • Secure data centers with 24/7 monitoring and access controls

Technical Safeguards

  • Access controls with unique user identification and authentication
  • Audit controls to record and examine activity in systems containing PHI
  • Integrity controls to ensure PHI is not improperly altered or destroyed
  • Transmission security through encryption and secure communication protocols
  • Encryption of PHI at rest and in transit

11.3 Minimum Necessary Standard

We follow the HIPAA "minimum necessary" standard, meaning we only use, access, and disclose the minimum amount of PHI necessary to accomplish the intended purpose. Our access controls and data handling procedures are designed to limit access to PHI to only those personnel who need it to perform their job functions.

11.4 Breach Notification

In the event of a breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay and in no case later than 60 days after discovery of the breach. Our breach notification will include:

  • A description of what happened, including the date of the breach and discovery
  • The types of PHI involved
  • Steps individuals should take to protect themselves from potential harm
  • What we are doing to investigate the breach, mitigate harm, and prevent future breaches
  • Contact information for questions

Covered Entities are responsible for notifying affected individuals and, if applicable, the Department of Health and Human Services and media, in accordance with HIPAA breach notification requirements.

11.5 Patient Rights

As a Business Associate, we support Covered Entities in fulfilling their obligations regarding patient rights under HIPAA, including:

  • Right to Access: Patients have the right to access their PHI. We will assist Covered Entities in providing access to PHI we maintain
  • Right to Amendment: Patients may request amendments to their PHI. We will work with Covered Entities to process amendment requests
  • Right to Accounting of Disclosures: We maintain logs of disclosures of PHI and will provide accounting information to Covered Entities upon request
  • Right to Request Restrictions: We will honor reasonable requests from Covered Entities to restrict uses or disclosures of PHI
  • Right to Confidential Communications: We support Covered Entities in providing confidential communications to patients

11.6 Use and Disclosure Limitations

We will not use or disclose PHI except:

  • As necessary to perform our services for Covered Entities as specified in the BAA
  • As required by law
  • For our own management and administration, or to fulfill our legal responsibilities, provided that any disclosures are required by law or we obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to us

11.7 Subcontractors

We may use subcontractors to provide services that involve access to PHI. All subcontractors that access PHI are required to sign Business Associate Agreements and comply with the same HIPAA requirements that apply to us. Our key subcontractors include cloud infrastructure providers (Google Firebase) and AI service providers, all of whom maintain appropriate security and compliance measures.

11.8 HIPAA Compliance Contact

For questions about our HIPAA compliance or to request a BAA, please contact our HIPAA Compliance Officer at support@autoworklet.com.

12. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will take steps to delete such information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page with a new "Effective Date."

We may also notify you via email or prominent notice on our website or within our Services for significant changes. We encourage you to review this Privacy Policy periodically. Your continued use of our Services after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We are committed to addressing your privacy concerns and will respond to your inquiries in a timely manner.