1. Who we are
Workara is operated by NORD FERON OÜ, an Estonian private limited company registered at Narva mnt 5, 10117 Tallinn, Estonia (registry code 17438195). In this policy, "Workara", "we", "us", and "our" refer to NORD FERON OÜ.
For data protection law (the EU General Data Protection Regulation 2016/679, "GDPR"), NORD FERON OÜ is the data controller for personal data described in this policy.
2. Scope of this policy
This policy applies to personal data we collect through:
- The Workara website at workara.eu and related subdomains (e.g. app.workara.eu);
- Our customer-facing application that staffing agencies, contractors, clients and workers log into;
- Email, phone, and WhatsApp conversations you have with us.
When our customers (e.g. staffing agencies) use Workara to manage data about their own workers and clients, they are the controller of that data, and we are the processor. The terms of that processing are governed by our Data Processing Agreement, not this policy. If you are a worker or client managed in Workara by an agency, contact that agency directly for questions about the data they hold about you.
3. What data we collect
We collect personal data in several ways:
3.1 Data you provide directly
| Category | Examples |
|---|---|
| Account data | Name, email, password (hashed), preferred language, role. |
| Business data | Company name, VAT number, business address, contact details, banking details for invoicing. |
| Contact form data | Name, company, email, phone, message content, topic of enquiry. |
| Communications | Emails, WhatsApp messages, support tickets, in-app chat content. |
3.2 Data we collect automatically
| Category | Examples |
|---|---|
| Technical data | IP address, browser type and version, device type, operating system, time zone, pages visited, referring URL. |
| Usage data | Login times, features used, actions taken (e.g. invoice generated), error logs. |
| Cookie data | See our Cookie Policy for details. |
3.3 Data customers process through Workara
When our customers use Workara to manage their workforce, they upload personal data about their workers, sub-contractors and clients. This may include: passport numbers, work permits, residence permits (TRC), visas, tax/social-security numbers, banking details, timesheets, salary calculations, ratings, document scans, and chat messages. We process this data only as instructed by our customer, in their capacity as controller.
4. How and why we use it
We process personal data to:
- Provide the service — create accounts, authenticate logins, deliver features, generate PDFs, send transactional emails.
- Respond to enquiries — answer your messages, schedule demos, follow up.
- Operate our business — invoicing, accounting, fraud prevention, security monitoring.
- Comply with legal obligations — VAT verification (VIES), tax records retention, responding to lawful requests from authorities.
- Improve the service — analyse aggregated usage, fix bugs, develop new features.
- Marketing — only with your consent or as permitted by law, e.g. customer newsletters with opt-out.
5. Legal bases
We rely on the following GDPR lawful bases:
- Performance of a contract (Art. 6(1)(b)) — providing the Workara service to you as a customer.
- Legitimate interests (Art. 6(1)(f)) — operating, securing and improving our service; responding to enquiries; pursuing or defending legal claims. Our legitimate interests are balanced against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — tax records retention, responding to authorities.
- Consent (Art. 6(1)(a)) — cookies that aren't strictly necessary, marketing communications. You can withdraw consent at any time.
6. Who we share data with
We do not sell your personal data. We share it only with:
- Sub-processors who provide infrastructure or services on our behalf (see section 7).
- Professional advisors — accountants, lawyers, auditors — bound by confidentiality.
- Public authorities when legally required (e.g. tax authorities, courts).
- Acquirers if our business is sold or restructured — we will notify you and give you choices where required by law.
7. Sub-processors
We use a small number of carefully selected sub-processors to deliver Workara. Each is bound by a data processing agreement with appropriate safeguards.
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Cloud hosting, file storage (DO Spaces), backups | EU (Frankfurt region) |
| Brevo (Sendinblue SAS) | Transactional emails (signup, password reset, invoices, notifications) | EU (France) |
| Anthropic, PBC | Translation of chat messages between platform users (Claude API) | USA (with EU SCCs in place) |
We may add or replace sub-processors in the future (for example, Cloudflare for content delivery, or Stripe for payments). We will update this page when that happens. Material changes will be notified to customers in advance.
8. International transfers
Most data stays in the EU. Where data is transferred outside the EU/EEA (notably to Anthropic in the United States for chat translation), we rely on the European Commission's Standard Contractual Clauses and additional technical and organisational measures (encryption in transit and at rest, access controls, no long-term retention of translated content). You can request a copy of the SCCs by contacting us.
9. Retention
We keep personal data only as long as needed:
- Account data — for as long as your account is active, plus up to 12 months after closure for legal claims and accounting (longer where law requires).
- Tax and invoicing records — 7 years, as required by Estonian law.
- Contact form submissions — up to 24 months for customer-service purposes, then deleted.
- Marketing data — until you unsubscribe.
- Server logs — typically 90 days.
- Customer-uploaded data (processed on customers' behalf) — per the customer's instructions and Data Processing Agreement.
10. Your rights
Under GDPR, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase data ("right to be forgotten") subject to legal retention requirements;
- Restrict processing in certain circumstances;
- Portability — receive your data in a structured, machine-readable format;
- Object to processing based on legitimate interests, including direct marketing;
- Withdraw consent at any time where consent is our legal basis;
- Lodge a complaint with a supervisory authority. In Estonia, the supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon — aki.ee). You may also complain to the authority in your own country.
To exercise any of these rights, email us at info@workara.eu. We will respond within 30 days. If you are a worker or client managed inside Workara by an agency, please contact your agency first — they are the controller of your data.
11. Security
We take security seriously. Our measures include:
- Encryption in transit (HTTPS / TLS) across all services;
- Encryption at rest for stored documents and backups;
- Password hashing (bcrypt) for all accounts;
- Role-based access control;
- EU-hosted infrastructure in DigitalOcean's Frankfurt region;
- Regular backups and security updates;
- Limited staff access on a need-to-know basis.
No system is perfectly secure. If you become aware of a security issue, please contact info@workara.eu.
12. Cookies
We use cookies and similar technologies on workara.eu and in the Workara application. See our Cookie Policy for full details and how to manage your preferences.
13. Children
Workara is a B2B service and not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. Material changes will be notified to customers by email or through the application before they take effect.
15. Contact
Privacy questions or requests:
NORD FERON OÜ
Narva mnt 5, 10117 Tallinn, Estonia
Registry code: 17438195
Email: info@workara.eu
Phone: +370 666 54199