Privacy Policy

Effective date: 11 March 2026  ·  Last updated: 11 March 2026

WorkAid Solutions ("we", "us", "our") operates WorkAid Dunning. This Privacy Policy explains how we handle personal data in connection with the Service. We are committed to protecting your privacy and complying with applicable data protection laws, including the UK GDPR and Data Protection Act 2018.

1. Who This Policy Applies To

This policy covers two groups of people:

• Account holders ("you"): businesses and individuals who register and use WorkAid Dunning directly.
• End customers: your customers whose payment events are processed through the Service on your behalf.

For end customers, you (the account holder) are the data controller and we act as your data processor. This policy describes our processor obligations.

2. Data We Collect About You (Account Holders)

• Account information: email address, company name, and billing details collected at registration.
• Stripe account data: your Stripe account ID and OAuth connection metadata obtained when you connect your Stripe account.
• Usage data: logs of your interactions with the dashboard, API calls, and configuration changes.
• Payment data: billing information for your WorkAid Dunning subscription is handled by Stripe — we do not store card numbers.

3. Data We Process on Your Behalf (End Customers)

To deliver the dunning service, we process the following data about your customers:

• Stripe customer IDs and subscription IDs
• Email addresses (fetched from Stripe at the time of sending, not stored long-term)
• Payment event metadata: amount, currency, status, and timestamps
• Email delivery and open events (for analytics purposes)

We do not process card numbers, bank account details, or any other sensitive payment instrument data.

4. How We Use Your Data

We use account holder data to:

• Provide, operate, and improve the Service
• Process your subscription payment
• Send you service notifications, updates, and support responses
• Comply with legal obligations

We process end customer data exclusively to send dunning emails on your behalf and to provide you with recovery analytics. We do not use end customer data for our own marketing or share it with third parties for their own purposes.

5. Legal Basis for Processing

• Contract: processing your account data is necessary to fulfil our contract with you.
• Legitimate interests: service improvement, fraud prevention, and security.
• Legal obligation: compliance with applicable laws.
• Your instructions: end customer data is processed on the basis of your documented instructions as controller.

6. Data Retention

• Account data is retained for the duration of your subscription plus 90 days after termination, then deleted unless legal obligations require longer retention.
• Payment event logs are retained for 12 months for analytics purposes, then deleted.
• Raw Stripe event payloads (stored temporarily for debugging) are automatically deleted after 24 hours.
• Email delivery records are retained for 6 months.

7. Data Sharing

We do not sell your data or your customers' data. We share data only with:

• Stripe: to create billing portal sessions and retrieve customer information. Governed by Stripe's privacy policy.
• Postmark (ActiveCampaign): our email delivery provider. Email addresses are transmitted to send dunning emails. Postmark does not use this data for their own purposes.
• Cloudflare: our infrastructure provider. All data transits and is stored on Cloudflare's network.
• Legal authorities: where required by law or to protect our rights.

8. International Transfers

Data may be processed in the United States and European Union via Cloudflare and Postmark infrastructure. Both providers participate in appropriate data transfer mechanisms (Standard Contractual Clauses) ensuring adequate protection.

9. Security

We implement industry-standard security measures including:

• TLS encryption for all data in transit
• Stripe webhook signature verification to prevent spoofed events
• Session-based authentication with secure token storage
• Access controls limiting data access to authorised personnel only

10. Your Rights

As a UK/EU data subject, you have the right to:

• Access the personal data we hold about you
• Rectification of inaccurate data
• Erasure of your data ("right to be forgotten")
• Restriction of processing in certain circumstances
• Data portability in a machine-readable format
• Object to processing based on legitimate interests

To exercise any of these rights, email info@workaidsolutions.com. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

11. Cookies

We use only essential session cookies required for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

12. Children

The Service is not directed at individuals under 18. We do not knowingly collect data from children.

13. Changes to This Policy

We will notify you of material changes by email and via your dashboard at least 14 days before they take effect.

14. Contact & Data Controller Details

WorkAid Solutions is the data controller for account holder data.
Email: info@workaidsolutions.com
Contact: workaid.solutions/contact