Privacy Policy

1.1 From our Customers

• Account information: name, business name, email, billing details.
• Integration credentials: OAuth tokens and API keys for third-party services the Customer authorizes us to access (Jobber, Quo/OpenPhone, Twilio, Anthropic, etc.). Credentials are encrypted at rest.
• Configuration data: the Customer's business rules, pricing matrices, scripts, persona settings, and other content used to train the AI agent.

1.2 From end-users of our Customers

When you interact with a Workhiiv-powered agent (e.g. by texting our Customer's business number), we may collect:

• Your phone number, and any name, email, or address you provide.
• The content of your SMS messages and call metadata.
• Customer profile data the Customer captures (service preferences, address, scheduling history).
• Records of bookings, quotes, invoices, and other transactions you have with the Customer.

1.3 From the website

When you visit workhiiv.com we collect standard web logs (IP, user agent, referrer, pages viewed). We do not use third-party analytics or advertising trackers on the marketing site at the time of writing.

• To provide the Services to our Customers, including powering their AI agent's conversations and writing to their connected CRMs.
• To detect, prevent, and respond to fraud, abuse, security incidents, and policy violations.
• To improve the Services through aggregated, de-identified usage data.
• To bill Customers and manage their accounts.
• To communicate with Customers about their accounts, security, and product changes.

We do not sell personal information. We do not use end-user conversations to train third-party AI models. AI inference calls to providers such as Anthropic are subject to those providers' commercial data-use terms, which generally prohibit training on submitted content.

• With our Customer. If you are an end-user, your interactions are visible to the Customer whose agent you spoke with. They are the data controller; we are a service provider acting on their behalf.
• With service providers we use. Hosting (Railway), database, AI inference (Anthropic), telephony (OpenPhone/Quo, Twilio), CRM integrations (Jobber). Each receives only the data they need to perform their function.
• For legal reasons. If required by law, subpoena, or to protect rights, safety, or property.
• In a business transfer. If we are acquired or merge, your information may be transferred subject to the new owner honoring this Policy.

We retain Customer data for as long as the Customer maintains an account, plus a reasonable backup window. SMS and call logs are typically retained for 90 days unless a longer period is required by the Customer's configuration or by law.

When a Customer disconnects their integration or terminates their account, mirrored CRM data tied to that integration is deleted from our systems automatically. Customers may request export or deletion at any time by emailing shane@workhiiv.com.

• Credentials and tokens are encrypted at rest.
• All HTTP traffic is served over HTTPS with TLS.
• Webhook receivers verify HMAC signatures from third parties.
• Production database access is restricted to authorized personnel.

No system is completely secure. If we become aware of a security incident affecting your information, we will notify the affected Customer without undue delay.

If you are an end-user of one of our Customers: direct privacy requests (access, correction, deletion, opt-out) to the Customer whose agent you interacted with. They are the data controller. We will assist them in fulfilling valid requests.

If you are a Customer: you can export, edit, or delete your data from the dashboard or by emailing us. You may close your account at any time.

SMS opt-out. Reply STOP to any SMS from a Workhiiv-powered number to opt out of further messages from that sender. Standard message and data rates may apply.

Workhiiv is operated from Canada. Our infrastructure providers may process data in the United States and other regions. By using the Services you consent to the transfer of your information to those regions.

Depending on where you live, you may have additional rights under laws such as the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and similar regimes. Where we act as a service provider for a Customer, please direct rights requests to that Customer first. Where we act as a data controller, exercise rights by contacting us at shane@workhiiv.com.

The Services are not directed to children under 16. If you believe we have collected information from a child, contact us and we will delete it.

We may update this Policy from time to time. Material changes will be communicated by email to Customers. The "Last updated" date at the top reflects the most recent revision.

1001039001 Ontario Inc. (operating as Workhiiv)
Ontario, Canada
shane@workhiiv.com