workbayBack

Legal

Privacy & Security

Last updated: April 16, 2025

We take your privacy seriously. Your data and your clients' data will never be sold, shared, or pirated. Here is exactly what we collect, how we protect it, and what rights you have over it.

Data we collect

  • Account information you provide — name, email address, and password (stored as a bcrypt hash, never plaintext).
  • Work data you create — clients, projects, issues, comments, and attachments.
  • Usage metadata — timestamps, IP addresses for security logs, and browser type for compatibility.
  • We do not collect advertising identifiers, sell data to third parties, or use tracking pixels.

How we store it

  • All data is persisted in a PostgreSQL database with automated daily backups and point-in-time recovery.
  • Passwords are hashed with bcrypt before storage — we cannot recover your password, only reset it.
  • Uploaded files are stored server-side with access restricted to authenticated users within the correct tenant.
  • Database backups are encrypted at rest and retained for 30 days.

How we secure it

  • All traffic is encrypted over HTTPS. WebSocket connections use WSS exclusively in production.
  • Access tokens live in memory only — never localStorage or sessionStorage. Refresh tokens are httpOnly cookies invisible to JavaScript.
  • Every API endpoint validates your role from the JWT. Client-scoped data is always filtered server-side — never on the frontend alone.
  • Auth routes (login, token refresh) are rate-limited to defend against brute-force and credential-stuffing attacks.

Who can see your data

  • Only you and the team members you invite can access your account data.
  • Client users are strictly scoped — they can only view projects and issues linked to their own account.
  • Workbay staff do not access your data except when required to resolve a support request you have explicitly raised.
  • We never share your data or your clients' data with advertisers, data brokers, or any third party.

Data retention & deletion

  • Your data is retained for as long as your account is active.
  • You may request full account deletion at any time by contacting support. Deletion is permanent and completed within 30 days.
  • Backup copies are purged on a 30-day rolling window following deletion.
  • You can export your data (clients, projects, issues) at any time from your account settings.

Breach notification

  • In the unlikely event of a data breach, affected users will be notified by email within 72 hours of discovery.
  • Notifications will describe what data was accessed, what we have done to contain it, and what steps you should take.
  • We maintain an incident response plan and conduct regular security reviews.

Questions about your data? Contact us and we'll respond within one business day.