1. Who we are
WorkOfficially Pte. Ltd. ("we", "our", or "WorkOfficially") is the data controller for personal information processed through the WorkOfficially marketplace. This policy explains what we collect, why we collect it, who we share it with, and the rights you have over it.
2. What we collect
Information you provide. Name, email, phone, profile fields (headline, bio, portfolio, skills, hourly rate, location, languages), uploaded files and attachments, messages you send through the platform, job posts and proposals, dispute evidence.
Identity verification. When you start KYC, our regulated partners (Sumsub, Veriff, or similar) collect government ID, selfie video, address proof. We receive only the pass/fail verdict and a few demographic fields needed to determine sanctions risk; the underlying documents are held by the partner.
Payment data. Card details are tokenised by Stripe or PayPal and never touch our servers. We retain the last 4 digits and brand for receipts.
On-chain wallet data. If you link a BSC wallet, we store the public address. We never receive or hold your private keys.
Usage data. IP address, browser user-agent, login times, request URLs, error logs. These are retained for security and abuse detection.
Cookies. See Section 5.
2b. Reputation Bridge data
If you submit a Reputation Bridge import (Upwork, Fiverr, Toptal, Freelancer.com, Guru, PeoplePerHour, etc.), we fetch the public contents of the source profile URL you provide. We extract: your displayed name on that platform, your composite star rating, the count of reviews, each review's text, each reviewer's first name + initial, and each review's posted date. We do not request, store, or use any private data from the source platform.
A WorkOfficially Reputation team member reviews the import by hand against your live source profile before approving it. The verified data is stored on your WorkOfficially profile. You can remove any imported source at any time; removed data is retained for 90 days for fraud investigation and then permanently deleted.
3. How we use it
- To operate the marketplace - match talent to jobs, enforce contracts, process payments and escrow, settle in WRK or fiat, run EOR payroll.
- To verify identities and screen for sanctions and fraud.
- To send transactional emails: signups, password resets, milestone events, disputes, reviews. You cannot opt out of essential transactional email while you have an active account.
- To improve the platform: aggregated, de-identified analytics.
- To respond to legal process and protect our users.
4. Sharing & disclosure
We share your data only with:
- Service providers - hosting (AWS), email (SMTP), payments (Stripe, PayPal), KYC (Sumsub or Veriff), EOR (Deel or Remote), analytics, error tracking. Each is bound by a data-processing agreement.
- Counterparties on the platform - your public profile is visible to other users. Inside an active contract, the other party sees your name, identity-verification status, and messages.
- Legal authorities - when required by valid legal process.
We do not sell personal data, ever.
4b. Current subprocessors
The following third parties process data on our behalf. Each is bound by a data-processing agreement and is named here so you know who can see what.
| Subprocessor | Purpose | Data | Region |
|---|---|---|---|
| Amazon Web Services | Hosting, file storage (S3) | All | Frankfurt (eu-central-1) |
| Stripe | Card payments | Payment metadata | US / EU |
| PayPal | PayPal payments + payouts | Payment metadata | US / EU |
| Sumsub or Veriff | KYC / identity verification | Government ID, selfie, address | EU |
| Deel or Remote | Embedded EOR & payroll | Name, address, tax info | Per local payroll jurisdiction |
| OpenAI / Anthropic | AI features (suggestions only) | Prompt text, no training | US |
| Vonage / OpenTok | Video calls (signalling only) | Call metadata | US / EU |
| PHPMailer / SMTP provider | Transactional email | Email, name, message content | EU |
We update this list when subprocessors change. Material additions are announced 14 days in advance via email and on this page.
5. Cookies & tracking
We use the following cookies:
- wrk_session - HttpOnly, Secure, SameSite=Lax. Required to keep you signed in.
- _csrf - double-submit token for form protection.
- Optional analytics cookies (only if you opt in). We do not use Google Analytics or Facebook Pixel.
6. Retention
We keep your account data while your account is active. After closure, we retain transaction records for 7 years to satisfy tax and AML obligations. Message attachments and uploaded files are retained for 3 years after the last related contract closes.
7. Security
We protect your data with:
- Argon2id password hashing with HMAC-SHA256 pepper.
- TLS in transit; AES-256 at rest for sensitive columns.
- Two-factor authentication, WebAuthn-ready, backup codes.
- Least-privilege database users.
- An on-chain treasury that is operated by an external signer - the PHP application never holds a plaintext private key.
- Independent security audits and a published responsible-disclosure policy.
8. Your rights
Subject to applicable law (GDPR, CCPA, PDPA, etc.) you can:
- Access your personal data - request a copy.
- Correct inaccurate data.
- Delete data we no longer need to retain.
- Port your data to another service in a structured format.
- Object to processing that is not required to run the marketplace.
- Withdraw consent at any time for processing that is consent-based.
Send requests to [email protected]. We respond within 30 days.
8b. Automated decisions
You have a right under GDPR Article 22 and similar laws not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. WorkOfficially does not make significant account decisions by automated processing alone. Sanctions screening, fraud signals, and AI suggestions may flag an account for review - a human on our team makes the final call before any restrictive action (suspension, KYC denial, dispute resolution, Reputation Bridge approval).
9. International transfers
WorkOfficially is operated from Singapore. Our servers are in the EU (Frankfurt). Some of our processors operate globally. When we transfer your data outside your jurisdiction, we rely on Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, the EU-US Data Privacy Framework where applicable, or an equivalent valid transfer mechanism.
9b. Data-breach notification
If we suffer a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, in line with GDPR Article 33. If the breach is likely to result in a high risk to you specifically, we will also notify you directly without undue delay, in line with GDPR Article 34. The notification will describe what happened, what data was affected, what we are doing about it, and what you can do.
10. Children
WorkOfficially is not intended for anyone under 18. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this policy. Material changes are announced by email and on this page at least 14 days before they take effect.
12. Contact
Privacy questions: [email protected]
Data Protection Officer: [email protected]
© WorkOfficially Pte. Ltd. · Effective May 30, 2026