Privacy Policy

Last updated: March 2026 • Weorc Limited

Weorc Limited ("WeorcOS", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our comprehensive business management platform, including invoicing, scope management, client risk assessment, payment reminders, and AI-powered features.

1. Data Controller

Weorc Limited is the data controller responsible for your personal data.

Registered Address: 86-90 Paul Street, London, EC2A 4NE
Company Number: 15924291
Data Protection Contact: privacy@weorc.co.uk

2. Information We Collect

We collect information from three categories of data subjects:

Class 1: Account Holders (You)

  • Name, email address, phone number
  • Company details, trading name, and billing information
  • Invoice data, scope documents, and client records you create
  • Payment reminder schedules and communication preferences
  • Accounting software connections (Xero, QuickBooks, FreeAgent)
  • Open Banking connections and bank account data (via GoCardless)
  • Usage data, platform interactions, and feature preferences

Class 2: Client Contacts

Contact details of your clients that you add to invoices, scopes, and payment reminders (names, emails, phone numbers, company names, payment history). These individuals can exercise their GDPR rights by contacting privacy@weorc.co.uk.

Class 3: CRA & PRI Subjects

When you run a Client Risk Assessment (CRA) or Payment Risk Indicator (PRI), we process publicly available data from Companies House, Payment Practices Reporting, and other public registries about the target company and its officers.

3. How We Use Your Information

We process your data under the following legal bases:

  • Contract Performance: To provide your subscription services including invoice management, scope creation, payment reminders, credit risk assessments, AI-powered insights, and accounting integrations
  • Legitimate Interest: To improve our platform, detect fraud, provide customer support, and send you service communications
  • Consent: For marketing communications and optional AI features (you can withdraw consent at any time)
  • Legal Obligation: To comply with UK laws, tax regulations, and financial services requirements

4. Automated Decision-Making (GDPR Art. 22)

Our Client Risk Assessment (CRA) and Payment Risk Indicator (PRI) features use automated profiling to calculate risk scores based on Companies House data, Payment Practices Reporting, public registry information, and your questionnaire responses.

AI-Powered Features: Our AI assistant processes your invoices and business data to provide insights, draft communications, and suggest improvements. All AI processing is clearly marked and you control what data is shared.

Your rights: You always have final control over any recommendations. Before applying automated terms (deposits, payment schedules, risk classifications), you will see a confirmation dialog explaining what's being applied. You can request human review of any automated decision by contacting privacy@weorc.co.uk.

5. Data Sharing & Transfers

We share your data with the following sub-processors, and disclose it to the regulatory recipient listed, in order to provide our services:

Recipient             Purpose                          Location
Google LLC            Authentication (Sign-In)         US (SCCs)
Supabase Inc.         Database & Authentication        EU (Frankfurt)
Vercel Inc.           Hosting & CDN                    EU
Stripe Inc.           Payment Processing               EU/US
Anthropic PBC         AI Processing                    US
Brevo (Sendinblue)    Email & SMS Communications       EU
GoCardless Ltd.       Open Banking / Direct Debit      UK
Xero Limited          Accounting Integration           EU/NZ
Intuit Inc.           QuickBooks Integration           US
FreeAgent             Accounting Integration           UK
HMRC                  Regulatory Recipient (CIS/MTD)   UK

All sub-processors have signed Data Processing Agreements (DPAs) compliant with UK GDPR Article 28. For US-based processors, we rely on Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework. HMRC is a regulatory recipient rather than a sub-processor: we disclose data to it to meet our legal obligations (CIS/MTD), and it determines its own processing of that data.

6. Data Retention

  • Account data: Retained while your account is active, and for 30 days after a deletion request
  • Invoice records: 7 years (UK Companies Act legal requirement)
  • CRA assessments: 3 years from creation
  • Marketing preferences: Until you opt out or delete your account

7. Your Rights (UK GDPR)

You have the right to:

  • Access: Request a copy of all your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your data
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a portable, machine-readable format
  • Object: Object to processing based on legitimate interest

Account holders: Exercise your rights in Settings → Security → Privacy.
Client contacts & CRA subjects: Email privacy@weorc.co.uk with your request.

8. Security

We implement appropriate technical and organisational measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Row-level security on all database tables
  • Webhook signature validation for all integrations
  • Regular security audits and penetration testing
  • Separate development, staging, and production environments

9. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights:

Email: privacy@weorc.co.uk
Address: Weorc Limited, 86-90 Paul Street, London, EC2A 4NE
ICO: If you're not satisfied with our response, you can complain to the Information Commissioner's Office at ico.org.uk

This policy is effective as of March 2026 and may be updated periodically.