Privacy Policy
Last updated: April 7, 2026
1. Introduction
Workweaver ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered automation services, including voice calls, messaging, and workflow automation.
Your Privacy Matters: We comply with GDPR, CCPA, and UAE Data Protection Law (Federal Decree-Law No. 45 of 2021). We collect only what's necessary to provide our services and never sell your personal data to third parties.
2. Data We Collect
2.1. Information You Provide
We collect the following information when you register and use our services:
- Account Information: Name, email address, phone number, company name
- Business Information: CRM data, customer lists, product/service details, pricing information
- Payment Information: Payment method details processed securely through third-party payment processors
- Configuration Data: Transfer numbers, business hours, AI voice preferences, routing rules
- Documents: UAE business documents (Emirates ID, Trade License) for regulatory compliance
2.2. Automatically Collected Information
We automatically collect certain information when you interact with our services:
- Usage Data: Call logs, message logs, interaction timestamps, feature usage
- Device Information: IP address, browser type, device type, operating system
- Call Metadata: Call duration, caller ID, call outcome, routing decisions
- Performance Data: Response times, error rates, service availability metrics
2.3. Third-Party Data
We may receive data from third-party services you connect, such as:
- CRM systems (customer contact information, interaction history)
- Twilio (call recordings, message logs)
- WhatsApp (message metadata, conversation logs)
- Google Workspace services (see Section 2.4 and Section 13 below)
- Zoho services (email, CRM, books, calendar when explicitly connected)
- Microsoft 365 services (Outlook, Calendar when explicitly connected)
2.4. Data from Connected Google Services
When you connect a Google account to Workweaver, we access specific user data through Google's OAuth 2.0 APIs. Workweaver requests only the minimum scopes necessary for each feature. The data we access depends entirely on which scopes you authorize:
| Google Scope | Data Accessed | How Workweaver Uses It |
|---|---|---|
openid, email, profile |
Your email address, display name, profile picture, Google account ID | Identify your connected account and display it in the Workweaver dashboard |
.../auth/calendar.events |
Calendar events you authorize the agent to read, create, modify, or delete | Create meetings on your behalf, check availability, schedule with contacts, generate Google Meet links via the conferenceData field |
.../auth/gmail.send |
Permission to send email as you (does NOT grant read access to your inbox) | Send outbound emails, reply drafts, and automated follow-ups composed by the AI agent with your explicit approval |
.../auth/drive.file |
Only files the Workweaver app created OR files you explicitly share with the app through Google's file picker. Workweaver CANNOT see or access any other Drive files. | Read, edit, and manage Docs, Sheets, Slides, and uploaded files scoped to your agent workspace |
What Workweaver does NOT do with Google user data:
- We do not train AI models on your Google user data. No generalized machine learning, fine-tuning, or foundation model training uses your data.
- We do not sell or transfer your Google user data to data brokers, advertisers, or third parties.
- We do not serve advertisements of any kind. Workweaver has no advertising business.
- We do not allow humans to read your Google user data except (a) with your explicit consent, (b) for security investigations where required by law, or (c) to comply with applicable law.
- We do not combine your Google user data with data from other Workweaver tenants.
Storage: OAuth access tokens and refresh tokens are encrypted at rest in AWS Secrets Manager + DynamoDB using AES-256 and transmitted over TLS 1.2+. No raw Google user data (emails, files, calendar events) is persisted to long-term Workweaver storage beyond the minimum required to complete the requested agent operation. Transient copies used during operation are deleted within 24 hours unless you explicitly ask Workweaver to store a summary or transcript.
Retention: Google user data is retained only while your Google connector is active. When you disconnect your Google account (via the Workweaver dashboard or by revoking access at myaccount.google.com/permissions), Workweaver purges the associated tokens and any transient cached data within 24 hours.
Deletion: You can delete all Google user data stored by Workweaver at any time by:
- Disconnecting the Google connector from your Workweaver dashboard (immediate effect)
- Revoking Workweaver's access at myaccount.google.com/permissions
- Emailing privacy@bitfoundry.ai with a data deletion request (completed within 30 days)
3. How We Use Your Data
We use your information for the following purposes:
| Data Category | Purpose |
|---|---|
| Account Information | Service delivery, account management, communication |
| Business Data | AI training, workflow automation, CRM integration |
| Call Data | Service delivery, quality assurance, analytics |
| Call Recordings | Quality monitoring, training, dispute resolution (with consent) |
| Usage Data | Service improvement, troubleshooting, analytics |
| Payment Data | Billing, payment processing, subscription management |
4. Call Recording and Transcription
Explicit Consent Required: We record calls and generate transcripts only when you explicitly enable this feature and obtain caller consent. Callers must opt-in before recording begins. You can disable recording at any time.
Recording and transcription details:
- Audio recordings are stored securely in encrypted form
- Transcripts are generated using AI speech-to-text
- Both recordings and transcripts are linked to consent records
- Recordings are retained according to your retention settings
- You can access, download, or delete recordings at any time
- Callers can request deletion of their recordings
5. Data Storage and Security
5.1. Data Storage
We store your data securely using:
- AWS S3: Primary storage for recordings, documents, and files
- AWS DynamoDB: Structured data storage for transactions and records
- AWS ElastiCache: Caching for performance optimization
- Encryption: All data encrypted at rest and in transit
- Region: Primary storage in us-east-1 (US East)
5.2. Security Measures
We implement industry-standard security practices:
- TLS/SSL encryption for all data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication for administrative access
- Regular security audits and penetration testing
- Strict access controls and principle of least privilege
- Incident response procedures for data breaches
6. Data Sharing and Disclosure
We do not sell your personal data. We may share data only in the following circumstances:
- Service Providers: Third-party services necessary for service delivery (AWS, Twilio, payment processors)
- Legal Requirements: When required by law, court order, or government request
- Business Transfers: In connection with mergers, acquisitions, or asset sales
- With Your Consent: When you explicitly authorize sharing
All third-party data processors are bound by strict confidentiality agreements and data protection obligations.
7. Your Privacy Rights
Under GDPR and applicable laws, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your personal data
- Right to Portability: Receive your data in a structured format
- Right to Restrict Processing: Limit how we use your data
- Right to Object: Object to certain data processing activities
- Right to Withdraw Consent: Revoke consent at any time
- Right to Complain: File a complaint with supervisory authorities
To exercise these rights, contact us at privacy@bitfoundry.ai.
8. Data Retention
We retain your data for different periods depending on its purpose:
- Account Data: Retained while your account is active, then deleted upon request
- Call Recordings: Retained according to your settings (default: 90 days)
- Call Logs: Retained for 12 months for analytics and troubleshooting
- Transcripts: Retained for 12 months when enabled
- Financial Records: Retained for 7 years as required by UAE tax law
- Consent Records: Retained indefinitely for audit purposes
You can request deletion of your data at any time, subject to legal and regulatory requirements.
9. International Data Transfers
Your data may be transferred and processed outside your country of residence:
- Primary storage is in US East (us-east-1 region)
- Backup storage is in US West (us-west-2 region)
- Third-party services may process data in other jurisdictions
- Appropriate safeguards are in place for international transfers
We ensure all international transfers comply with GDPR, UAE law, and other applicable regulations.
10. Children's Privacy
Workweaver services are not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we discover we have collected data from a child, we will promptly delete it.
13. Google API Services User Data Policy (Limited Use Disclosure)
Limited Use Disclosure: Workweaver's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
This means that when you connect a Google account to Workweaver, we handle the data accessed through Google APIs as follows:
- Approved use cases only: Workweaver uses Google user data exclusively to provide the agent features you explicitly request. We do not repurpose the data for other features, analytics, or partnerships.
- No secondary use: We do not use Google user data to improve or train generalized or non-personalized AI/ML models, even if such training would benefit you indirectly.
- No transfer: We do not transfer Google user data to third parties except (a) to provide or improve user-facing features that are prominent from the requesting application's user interface; (b) to comply with applicable law; or (c) as part of a merger, acquisition, or sale of assets with user notice.
- No human access: We do not allow humans to read Google user data except (a) with your explicit consent for specific content; (b) for security purposes such as investigating abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymized for internal operations in accordance with this policy.
- No advertising: We do not use Google user data to serve advertisements. Workweaver has no advertising business.
Workweaver requests the following Google API scopes, each with a specific and narrowly scoped purpose:
openid,.../auth/userinfo.email,.../auth/userinfo.profile— identify your Google account in the Workweaver dashboard after you click "Connect Google".../auth/calendar.events— read, create, modify, and delete calendar events you authorize the agent to manage, including creating Google Meet links via theconferenceData.createRequestfield.../auth/gmail.send— send outbound email on your behalf with your approval. This scope does NOT grant access to read your inbox..../auth/drive.file— access only files the Workweaver app itself created, OR files that you explicitly share with the app by clicking "Share" and entering the agent's email address, OR files opened via Google's file picker. Workweaver cannot see or access any other Drive files.
You can review and revoke Workweaver's access to your Google account at any time via Google's security dashboard: https://myaccount.google.com/permissions. Revoking access there, or disconnecting the Google connector within the Workweaver dashboard, will cause all tokens to be purged within 24 hours.
For questions specifically about how Workweaver handles data received through Google APIs, contact privacy@bitfoundry.ai with "Google API Data Request" in the subject line. We will respond within 30 days.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or services. We will notify you of significant changes by:
- Email notification (if you provided an email address)
- Posting updated policy on our website
- In-app notifications
Continued use of our services after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Privacy Email: privacy@bitfoundry.ai
- Support Email: contact@bitfoundry.ai
- Phone (UAE): +971 58 216 5031
- Website: www.bitfoundry.ai
We will respond to your privacy inquiries within 30 days of receipt.
This Privacy Policy was last updated on April 7, 2026. Changes in this version: added Section 2.4 and Section 13 covering Workweaver's handling of user data received through Google API Services, including the Limited Use disclosure required by the Google API Services User Data Policy. We may update the policy periodically to reflect changes in our services, legal requirements, or data practices. Your continued use of our services constitutes acceptance of the updated policy.