WorkKits360 Privacy Policy
Last Updated: January 2025
What This Policy Is For (In Plain Language)
You deserve to understand how your information is used. This Privacy Policy explains our practices as clearly as possible, and we avoid unnecessary legal jargon. We explain what data we collect, why we collect it, how we protect it, and what choices you have.
The short version: We collect information to provide and improve WorkKits360. We don't sell your data. Your wellbeing content is private to you. Company content belongs to your company. You remain in control of your personal information.
Table of Contents
- Introduction
- Information We Collect
- How We Use Your Information
- How We Share Your Information
- Wellbeing Data Protection
- AI and Data Processing
- Data Security
- Your Rights and Choices
- Data Retention and Deletion
- Children's Privacy
- International Users
- You're in Control
- Changes to This Policy
- Contact Us
1. Introduction
WorkKits360 ("we," "our," or "us") is a multi-tenant software-as-a-service platform that helps companies manage workflows, training, and daily operations. This Privacy Policy describes how we collect, use, share, and protect information when you use our platform.
Our Commitment: We are committed to protecting your privacy and being transparent about our data practices. We believe you should understand what happens to your information, especially when it comes to sensitive content like wellbeing reflections.
2. Information We Collect
2.1 Information You Provide Directly
Account Information:
- Email address (required for authentication)
- Full name (optional, but helpful for personalization)
- Password (for admin/owner accounts; stored securely and never visible to us)
Company Information:
- Company name and details
- Business type and description
- Company values and communication preferences
- Location information (physical addresses, location names)
Content You Create:
- Kits (training, project, and wellbeing workflows)
- Playbooks (reference documentation and procedures)
- Tasks (personal and company-wide)
- Library items (product information, scanned labels)
- Training responses and progress
- Notes and reflections (including wellbeing content)
Product Scan Data:
- Images of product labels you upload
- Extracted product information (name, brand, ingredients, etc.)
- Confirmed product data (after your review)
- AI-generated interpretations (sales points, training notes, etc.)
2.2 Information Collected Automatically
Authentication Data:
- Login timestamps
- Session information
- Device and browser information
- IP address (for security and fraud prevention)
Usage Data:
- Features you access
- Actions you take within the platform
- Time spent on different sections
- AI usage metrics (request counts, token usage for cost tracking)
Technical Data:
- Browser type and version
- Operating system
- Screen resolution
- Referrer URLs
2.3 Information from Third-Party Services
Authentication Providers:
- If you use OAuth (Google, Microsoft, Apple), we receive basic profile information (email, name) from those providers
- We do not receive passwords or access tokens from OAuth providers
Payment Processing:
- Billing metadata (subscription status, plan type, payment dates)
- We do NOT store or process credit card numbers (handled by Stripe)
- We do NOT have access to full payment card information
Email Services:
- Email delivery status (via Resend)
- Email open/click tracking (if enabled)
3. How We Use Your Information
3.1 To Provide the Service
We use your information to:
- Authenticate you and maintain your account
- Store and organize your company's content (Kits, Playbooks, Tasks, Library items)
- Process product scans and generate interpretations
- Deliver training content and track progress
- Enable AI-assisted content generation
- Send you important service notifications
3.2 To Improve the Service
We use aggregated, anonymized data to:
- Understand how features are used
- Identify areas for improvement
- Monitor system performance and reliability
- Track AI usage and costs (for billing and optimization)
Important: We do NOT use your wellbeing content, personal reflections, or private notes for analytics or improvement. These remain private to you.
3.3 To Communicate with You
We use your email address to:
- Send magic link login emails
- Send important service updates
- Respond to support requests
- Send billing-related communications (if applicable)
You can opt out of marketing emails at any time (service emails cannot be opted out of).
3.4 To Ensure Security
We use technical data (IP addresses, device information) to:
- Detect and prevent fraud
- Protect against unauthorized access
- Monitor for security threats
- Comply with legal obligations
A limited number of our internal team members may access certain customer data strictly for debugging, security investigations, or resolving support requests. Access is logged and restricted to essential personnel.
4. How We Share Your Information
4.1 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information to third parties. This is a core commitment.
4.2 Within Your Company
Company-Owned Content:
- Kits, Playbooks, Tasks, and Library items are visible to authorized users within your company based on their roles
- Company owners and admins can see all company content
- Location admins can see content for their assigned locations
- Staff can see content assigned to them
Important: Wellbeing content is NOT shared with your company. See Section 5 for details.
4.3 Service Providers
We share information with trusted service providers who help us operate the platform:
Supabase (Database & Authentication):
- Stores your account information and content
- Handles authentication and session management
- Subject to Supabase's privacy policy and security standards
OpenAI (AI Processing):
- Processes product scan images and text for content generation
- Subject to OpenAI's data processing terms
- We do NOT use your data to train OpenAI's models (we use their API, not training services)
Resend (Email Delivery):
- Sends authentication and notification emails
- Subject to Resend's privacy policy
Stripe (Payment Processing):
- Processes subscription payments
- We do NOT have access to your payment card information
- Subject to Stripe's privacy policy
Vercel (Hosting):
- Hosts our application
- May have access to server logs and technical data
- Subject to Vercel's privacy policy
4.4 Legal Requirements
We may share information if required by law, such as:
- Responding to valid legal requests (subpoenas, court orders)
- Protecting our rights and safety
- Preventing fraud or security threats
- Complying with applicable laws and regulations
4.5 Business Transfers
If WorkKits360 is acquired or merged, your information may be transferred to the new entity. We will notify you of any such change.
5. Wellbeing Data Protection
This section is critical and describes how we protect your private wellbeing content.
5.1 What Is Wellbeing Content?
Wellbeing content includes:
- Reflections and notes you write in wellbeing Kits
- Personal responses to wellbeing prompts
- Private notes you save in wellbeing workflows
- Any content you explicitly mark as private or personal
5.2 Privacy Guarantees
Your wellbeing content is private to you. Period.
What Your Company Can See:
- That you were assigned a wellbeing Kit
- That you started the Kit
- That you completed the Kit (status only)
- Completion date (if applicable)
What Your Company CANNOT See:
- Your reflections or responses
- Your notes or personal thoughts
- Any content you write in wellbeing workflows
- Your progress through wellbeing content (beyond "started" or "completed")
What We Can See:
- We can see your wellbeing content for technical support purposes (if you request help)
- We do NOT use wellbeing content for analytics, AI training, or product improvement
- We do NOT share wellbeing content with your employer
5.3 AI Processing of Wellbeing Content
If you use AI features within wellbeing Kits:
- Your input is sent to OpenAI for processing (to generate responses or suggestions)
- OpenAI does NOT use this data to train their models (we use their API, not training services)
- We do NOT store your wellbeing AI interactions unless you explicitly save them
- Your employer has NO access to wellbeing AI interactions
5.4 Your Control
You can:
- Delete your wellbeing content at any time
- Choose not to use wellbeing features
- Export your wellbeing content (if you want a copy)
- Request that we delete all your wellbeing data
Where technically supported, wellbeing-related entries are encrypted at rest to strengthen user privacy.
6. AI and Data Processing
6.1 How We Use AI
WorkKits360 uses AI (OpenAI's GPT models) to:
- Extract information from product label images
- Generate interpretations and suggestions
- Assist with content creation (Kits, Playbooks)
- Classify user intents and suggest actions
6.2 Data Sent to AI Services
Product Scans:
- Images you upload are sent to OpenAI's GPT-4.1 Vision model
- Extracted data is processed by GPT-4o-mini for interpretation
- Images are NOT stored by OpenAI beyond the API call (they are not used for training)
Content Generation:
- Your prompts and existing content are sent to OpenAI for processing
- Generated content is returned to you and stored in your account
- OpenAI does NOT use your data to train their models (we use their API, not training services)
- Some AI requests may be routed through Vercel Edge Functions as part of our infrastructure. These functions do not retain your data and exist only to securely forward requests to our AI providers.
6.3 AI Data Retention
We retain:
- Product scan images (stored in Supabase Storage)
- Product images are stored using Supabase Storage. These files are protected by authenticated access controls and encrypted in transit using HTTPS. Depending on the region and configuration, images may not be encrypted at rest, but access is restricted to authorized users only.
- Extracted and confirmed product data (in our database)
- AI-generated interpretations (in our database)
We do NOT retain:
- Raw AI API request/response logs (beyond what's needed for billing)
- Training data derived from your content
- Wellbeing AI interactions (unless you save them)
6.4 AI Accuracy and Limitations
Important: AI-generated content may be imperfect at times. We encourage thoughtful human review to ensure accuracy, particularly for training, safety, or compliance-related materials. You are responsible for reviewing and validating AI-generated content before using it operationally.
See our Terms of Service for more details on AI limitations and your responsibilities.
7. Data Security
7.1 Security Measures
We implement industry-standard security measures to protect your information:
Technical Safeguards:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest (database encryption)
- Row-level security (RLS) for multi-tenant data isolation
- Regular security audits and updates
- Access controls and authentication requirements
Operational Safeguards:
- Limited access to user data (only authorized personnel)
- Regular security training for our team
- Incident response procedures
- Data backup and recovery systems
7.2 Your Responsibility
You are responsible for:
- Keeping your password secure (if you use password authentication)
- Not sharing your account credentials
- Using strong, unique passwords
- Logging out of shared devices
- Reporting security concerns to us immediately
7.3 Data Breaches
In the unlikely event of a data breach, we will:
- Notify affected users as soon as possible
- Provide details about what information was compromised
- Offer guidance on protective steps you can take
- Comply with applicable breach notification laws
8. Your Rights and Choices
8.1 Access and Portability
You have the right to:
- Access your personal information
- Request a copy of your data (in a machine-readable format)
- Correct inaccurate information
- Update your account information
How to Exercise: Contact us at privacy@workkits360.com or through your account settings.
8.2 Deletion
You have the right to:
- Delete your account
- Delete specific content you created
- Request deletion of your personal information
Important: Deleting your account will delete your personal information, but company-owned content (Kits, Playbooks, etc.) may remain accessible to your company's other users. Wellbeing content will be permanently deleted.
How to Exercise: Contact us at privacy@workkits360.com or use account deletion features in your settings.
8.3 Opt-Out Rights
You can:
- Opt out of marketing emails (service emails cannot be opted out of)
- Disable AI features (if your company allows)
- Choose not to use certain features
California Residents (CCPA): We do not sell your personal information. You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information (which we do not do).
8.4 GDPR Rights (European Users)
If you are in the European Economic Area (EEA), you have additional rights:
- Right to access your personal data
- Right to rectification (correction)
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent (where processing is based on consent)
Note: We are working toward full GDPR compliance. While we may not be fully compliant yet, we respect these rights and will work with you to honor them.
How to Exercise: Contact us at privacy@workkits360.com.
9. Data Retention and Deletion
9.1 How Long We Keep Your Data
Active Accounts:
- We retain your data as long as your account is active
- Company content is retained as long as the company account is active
Deleted Accounts:
- Personal information is deleted within 30 days of account deletion
- Wellbeing content is deleted immediately upon account deletion
- Company content may be retained if it belongs to an active company
Product Scans:
- Images and data are retained until you delete them or your account is deleted
- You can delete individual product scans at any time
Backups:
- Deleted data may remain in backups for up to 90 days
- Backups are securely stored and not accessible for normal operations
9.2 Legal Retention
We may retain certain information longer if required by law, such as:
- Billing records (for tax and accounting purposes)
- Security logs (for fraud prevention)
- Legal compliance requirements
Billing and transactional records may be retained for up to seven (7) years to meet tax and financial reporting requirements.
10. Children's Privacy
WorkKits360 is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
If you believe we have collected information from a child under 13, please contact us immediately at privacy@workkits360.com, and we will delete that information.
For users 13-17: If you are a minor, please get permission from a parent or guardian before using WorkKits360.
11. International Users
11.1 Data Transfers
WorkKits360 is operated from the United States. If you are located outside the United States, your information may be transferred to, stored in, and processed in the United States.
By using WorkKits360, you consent to the transfer of your information to the United States and processing in accordance with this Privacy Policy.
11.2 International Compliance
We are working toward compliance with:
- GDPR (European Union)
- CCPA (California)
- Other applicable privacy laws
While we may not be fully compliant with all international privacy laws yet, we respect your privacy rights and will work with you to honor them.
WorkKits360 is currently optimized for U.S.-based customers. Expanded GDPR support will be introduced over time.
12. You're in Control
You always remain in control of your data. We only collect the minimum information necessary to operate the service, and you can update or delete your account information at any time. We design our systems to give you agency, clarity, and confidence, not to overwhelm or pressure you.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will:
- Notify you via email (if you have an account)
- Post a notice on our website
- Update the "Last Updated" date at the top of this policy
Your continued use of WorkKits360 after changes are posted constitutes acceptance of the updated policy.
We encourage you to review this policy periodically to stay informed about how we protect your information.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:
Email: privacy@workkits360.com
Mailing Address: WorkKits360, 1301 Wright St, Reno, NV 89509, USA
Response Time: We aim to respond to privacy inquiries within 30 days.
Summary
What we collect: Account information, company content, product scans, usage data, and technical information.
Why we collect it: To provide and improve WorkKits360, ensure security, and comply with legal obligations.
How we protect it: Encryption, access controls, security audits, and strict data handling procedures.
Your rights: Access, correction, deletion, portability, and opt-out rights (these vary by jurisdiction).
Wellbeing privacy: Your wellbeing content is private to you. Your employer can only see status (assigned, started, completed), not content.
AI processing: We use OpenAI's API for content generation. OpenAI does not use your data for training. We retain AI-generated content but not raw API logs.
We do NOT sell your data. Ever.
Thank you for trusting WorkKits360 with your information. We are committed to protecting your privacy and being transparent about our practices.