Privacy Policy

WorkLearn Labs Inc.

Effective Date: September 3, 2025

Last Updated: September 3, 2025

1. Introduction

WorkLearn Labs Inc. ("WLL," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the WLL Platform, including our AI Enablement & Orchestration services.

Our Core Privacy Commitment: We do not use your data to train our AI models unless you explicitly opt in. Your strategic business information remains yours.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, company name, role, and authentication credentials
  • Customer Data: Any data you upload or input for processing by our AI Agents
  • Communication Data: Support requests, feedback, and correspondence with our team
  • Payment Information: Processed by our third-party payment providers (we do not store credit card details)

2.2 Automatically Collected Information

  • Usage Data: Features used, workflow patterns, and interaction metrics
  • Technical Data: IP address, browser type, device information, and access times
  • Performance Data: System performance metrics and error logs
  • AI Interaction Logs: Agent orchestration patterns and execution traces (without content details)
  • Analytics Data: Page views, click events, and feature engagement metrics (via PostHog and Google Analytics)

2.3 Information from Third-Party Integrations

When you connect external services (e.g., GitHub, Cursor, Supabase), we may receive:

  • Authentication tokens
  • Metadata about connected resources
  • Activity logs related to Platform operations

3. How We Use Your Information

3.1 Primary Purposes

  • Service Delivery: Operating the Platform and executing AI orchestration workflows
  • Account Management: Authentication, authorization, and user support
  • Performance Optimization: Improving Platform reliability and efficiency
  • Security: Detecting and preventing fraudulent or malicious activities

3.2 AI-Specific Uses

  • Multi-Agent Orchestration: Coordinating AI Agents to accomplish your requested tasks
  • Constitutional Framework Application: Ensuring quality and alignment of AI outputs
  • Workflow Optimization: Improving orchestration patterns (using anonymized metadata only)

3.3 Restricted Uses

We do NOT use your Customer Data for:

  • Training our AI models (unless you explicitly opt in)
  • Competitive intelligence or market analysis
  • Advertising or marketing to third parties
  • Any purpose beyond providing our Services

4. Data Processing in Multi-Agent Systems

4.1 Agent Communication

  • Inter-agent data flows are encrypted using TLS 1.3 at a minimum
  • Each agent operates under data minimization principles
  • Temporary processing data is automatically deleted after task completion

4.2 Data Segregation

  • Hierarchical access controls ensure agents only access necessary data
  • Multi-tenant isolation prevents cross-contamination between accounts
  • Automated conflict detection for users accessing multiple client accounts

4.3 Audit Trails

We maintain logs of:

  • Agent activation and task assignments
  • Data access patterns (metadata only)
  • System performance and errors
  • Security-relevant events

5. Legal Basis for Processing (GDPR)

We process personal data based on:

  • Contract Performance: To provide the Services you've requested
  • Legitimate Interests: For security, fraud prevention, and service improvement
  • Legal Compliance: When required by law or regulation
  • Consent: For optional features like AI model training or marketing

6. Data Sharing and Disclosure

6.1 Sub-Processors

We use the following sub-processors:

  • Supabase: Database and authentication services (Washington, USA)
  • Vercel: Hosting and edge functions
  • OpenRouter: AI model API services (with data processing agreements)
  • GitHub: Code repository and webhook services
  • Stripe: Payment processing
  • Langfuse: LLM observability and analytics
  • PostHog: Product analytics
  • Google Analytics: Website analytics
  • Sentry: Error tracking and performance monitoring

The current sub-processor list is available at: www.worklearnlabs.com/sub-processors

6.2 Business Transfers

In case of merger, acquisition, or asset sale, your information may be transferred with appropriate privacy protections.

6.3 Legal Disclosure

We may disclose information when required by:

  • Court orders or legal process
  • Government requests (with transparency when permitted)
  • Protection of rights, property, or safety

6.4 Aggregate Information

We may share anonymized, aggregate data that cannot identify individuals.

7. International Data Transfers

7.1 Transfer Mechanisms

We use the following for international transfers:

  • Standard Contractual Clauses (EU/UK approved)
  • Adequacy decisions where applicable
  • Your explicit consent for specific transfers

7.2 Data Residency Options

Enterprise customers may choose:

  • Cloud Deployment: Data processed in Canada (AWS ca-central-1, Montreal)
  • EU Deployment: GDPR-compliant EU data centers (coming soon)
  • On-Premise: Complete local control for sensitive data

8. Data Security

8.1 Technical Measures

  • AES-256 encryption at rest
  • TLS 1.3 for data in transit
  • Multi-factor authentication
  • Role-based access controls
  • Regular security audits and penetration testing

8.2 Organizational Measures

  • Employee privacy training
  • Access on a need-to-know basis
  • Incident response procedures
  • SOC 2 Type II certified practices

8.3 Breach Notification

We will notify affected users within 72 hours of discovering a data breach, as required by law.

9. Your Privacy Rights

9.1 Access and Portability

You can request a copy of your personal data in a machine-readable format.

9.2 Correction

You may update inaccurate or incomplete information through your account settings or by contacting us.

9.3 Deletion

You can request deletion of your personal data, subject to legal retention requirements.

9.4 Restriction and Objection

You may request that we limit processing or object to certain uses of your data.

9.5 Automated Decision-Making

You have the right to opt out of purely automated decision-making with legal effects.

9.6 Withdraw Consent

Where processing is based on consent, you may withdraw it at any time.

10. California Privacy Rights (CCPA)

California residents have additional rights:

  • Right to Know: Categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Of the "sale" of personal information (we do not sell personal information)
  • Non-Discrimination: For exercising privacy rights

11. AI-Specific Privacy Protections

11.1 Constitutional Framework Privacy

Our Constitutional Framework operates as server-side intelligence without exposing proprietary methodologies to users or competitors.

11.2 No Training Default

Customer Data is NEVER used for AI model training without explicit opt-in consent. This includes:

  • Your uploaded data
  • AI interaction patterns
  • Business logic and workflows
  • Strategic planning information

11.3 Opt-In Training Program

  • Clear consent required for each data type
  • Ability to withdraw at any time
  • Enhanced privacy protections and anonymization
  • Potential service credits or benefits

12. Data Retention

12.1 Retention Periods

  • Active Account Data: Duration of service + 30 days
  • Backup Data: 90 days in secure cold storage
  • Security Logs: 2 years
  • Legal/Compliance Records: 7 years
  • AI Interaction Logs: 90 days (unless flagged for safety)

12.2 Deletion Process

Upon account termination or deletion request:

  • Immediate removal from production systems
  • Backup deletion within 90 days
  • Retention only as legally required

13. Children's Privacy

The Platform is not intended for users under 18. We do not knowingly collect information from children. If we discover such collection, we will promptly delete the information.

14. Privacy by Design

14.1 Development Practices

  • Privacy impact assessments for new features
  • Data minimization in system design
  • Privacy-preserving analytics
  • Regular privacy audits

14.2 Future Technologies

We're exploring advanced privacy technologies including:

  • Zero-knowledge proofs for sensitive operations
  • Homomorphic encryption for AI inference
  • Federated learning for distributed model improvement

15. Third-Party Links

The Platform may contain links to third-party services. We are not responsible for their privacy practices. Please review their policies before providing information.

16. Changes to Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes:

  • Via email to registered users
  • Through Platform notifications
  • With 30 days' notice before the changes take effect

17. Jurisdiction-Specific Provisions

17.1 European Union (GDPR)

  • Data Controller: WorkLearn Labs Inc.
  • EU Representative: [To be appointed as we scale]
  • DPO Contact: privacy@worklearnlabs.com

17.2 Canada (PIPEDA)

We comply with PIPEDA principles including accountability, consent, and limiting collection.

17.3 United States

We comply with applicable state privacy laws including CCPA, Virginia CDPA, and Colorado CPA.

18. Contact Information

Privacy Officer
WorkLearn Labs Inc.
372 Bay St. Suite 200, Toronto, M5H 2W9, Ontario, Canada

Email: privacy@worklearnlabs.com

Data Subject Requests: dsr@worklearnlabs.com

Security Concerns: security@worklearnlabs.com

19. Data Protection Officer

For privacy-related inquiries, you may contact our Data Protection Officer at: dpo@worklearnlabs.com

20. Supervisory Authority

You have the right to lodge a complaint with your local data protection authority:

  • Canada: Office of the Privacy Commissioner of Canada
  • EU: Your local Data Protection Authority
  • California: California Privacy Protection Agency

Last Review Date: September 3, 2025

Version: 1.0