Controller and Data Protection Officer
The controller within the meaning of Article 4(7) GDPR is Workheld GmbH, Rotensterngasse 5, 1020 Vienna, Austria, e-mail: hallo@workheld.com.
Data Protection Officer: Dipl.-Inf. Christine Geier, MBA, contactable via Workheld GmbH (postal address as above; e-mail hallo@workheld.com with the subject line “Data Protection”).
Last updated: 13 May 2026
This privacy policy covers the Workheld platform, including the web application, desktop application and mobile application. The privacy policy for the website workheld.com/en/ is published separately at workheld.com/en/imprint/.
Security and anonymity
The protection of personal data is a top priority for Workheld. Personal data collected when using the Workheld platform is processed in accordance with applicable data protection law. Workheld has implemented technical and organisational measures to comply with data protection rules and to safeguard the data entrusted to it.
General provisions and legal bases
Use of the Workheld platform requires registration, which is typically initiated by the customer’s company administrator. Processing of users’ personal data is mainly based on the following legal grounds:
- Art. 6(1)(b) GDPR – necessary for the performance of the contract between Workheld and the customer or for taking pre-contractual steps (e.g. provision of the platform, authentication, order handling).
- Art. 6(1)(f) GDPR – Workheld’s overriding legitimate interests, in particular in the stable, secure and user-friendly operation of the platform and in the detection and prevention of misuse.
- Art. 6(1)(c) GDPR – compliance with legal obligations to which Workheld is subject (e.g. commercial and tax retention obligations).
- Art. 6(1)(a) GDPR – consent, where this is expressly indicated (e.g. newsletter delivery). Consent given may be withdrawn at any time with effect for the future (Art. 7(3) GDPR); withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Where Workheld processes personal data of end users on behalf of a customer, this is done on the basis of a data processing agreement under Art. 28 GDPR; in those cases the customer is the controller within the meaning of the GDPR. This privacy policy describes the processing for which Workheld itself acts as controller.
Hosting in Microsoft Azure West Europe
The Workheld platform runs on the Microsoft Azure cloud platform in the West Europe region. The underlying data centres are located in the Netherlands. Further information: azure.microsoft.com; security information: microsoft.com/en-us/trust-center.
Collection, processing and use of personal data
The Workheld platform distinguishes between the following user groups:
- Registered users: employees and authorised representatives of customers and partner companies. Registration is typically performed by the company administrator.
- Website visitors: persons who visit the Workheld website without registering (see the website privacy policy at workheld.com/en/imprint/).
The following data is collected during registration: first name, last name, e-mail address, optional phone number, company affiliation as well as role or function within the company.
Processing purposes, legal bases and retention at a glance
| Processing | Data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Account creation and platform use | Master data (name, e-mail, phone, company, role), login data | Provision of the platform, authentication, permission management | Art. 6(1)(b) GDPR | For the duration of the contract; data is deleted on account closure unless statutory retention obligations require otherwise |
| Invoicing and accounting | Invoice and contract data | Compliance with tax and commercial law obligations | Art. 6(1)(c) GDPR in conjunction with Section 132 BAO, Section 212 UGB | 7 years from the end of the relevant financial year |
| Server logs and mobile-client logs | See table in section “Anonymous and pseudonymous usage profiles” | Stable operation, error analysis, security monitoring | Art. 6(1)(f) GDPR (overriding legitimate interest in stability and security) | Server logs typically max. 30 days; security-relevant logs up to 12 months |
| Crash and error reporting (Sentry) | Device and session data, error logs, pseudonyms; sendDefaultPii: false | Detection and resolution of technical errors | Art. 6(1)(f) GDPR | Up to 90 days |
| Product analytics (Mixpanel) | Pseudonymous usage data | Improvement of the platform, feature prioritisation | Art. 6(1)(f) GDPR | Up to 12 months |
| Newsletter and marketing communication (HubSpot) | Real name, e-mail address, interaction data | Sending of newsletters, product information, event invitations | Art. 6(1)(a) GDPR in conjunction with Section 174 TKG 2021 (consent) | Until consent is withdrawn |
| Abuse detection and blocking | Inputs, login behaviour, device identifiers | Prevention, detection and remediation of prohibited or unlawful activities | Art. 6(1)(f) GDPR | Until the matter is resolved, no longer than 12 months |
Anonymous and pseudonymous usage profiles
Workheld creates anonymous and pseudonymous usage profiles to improve the platform. The following data is captured in server logs and mobile-client logs:
| Data type | Server log | Mobile-client log |
|---|---|---|
| Date / time | Yes | Yes |
| IP address | Yes | No |
| URL / path | Yes | Yes |
| HTTP status code | Yes | No |
| Browser type | Yes | No |
| Operating system | Yes | Yes |
| Device type | No | Yes |
| App version | No | Yes |
| Referrer URL | Yes | No |
| User ID (pseudonymous) | Yes | Yes |
In addition, the Workheld platform (web application, mobile application and backend services) integrates the crash and error reporting service “Sentry” operated by Functional Software, Inc. (EU hosting), which stores additional diagnostic data on top of the items listed above.
The web application additionally uses the following features:
- Session Replay: anonymised recording of user interactions (DOM snapshots) for error analysis. Text inputs and personal content are automatically masked. Recording is sampled: 10% of sessions are recorded, plus 100% of sessions in which an error occurs.
- Performance Tracing: capture of load times and performance data for platform optimisation (sampled at 20% of sessions).
- Browser Profiling: capture of technical browser performance profiles to identify performance bottlenecks (sampled at 20% of sessions).
The mobile application additionally captures the following device-specific data: Device-Type, Device-Id, Device-Language, Device-Network and StoreRegion.
Transmission of personal data (PII) to Sentry is disabled (sendDefaultPii: false). All data is processed on EU servers (ingest.de.sentry.io) and is not combined with personal data. The data does not allow conclusions to be drawn about the identity of the user.
Purpose limitation
Personal data is collected, processed and used exclusively for the purposes set out in this privacy policy. Any further processing only takes place where a separate legal basis exists.
Disclosure of personal data to third parties
Workheld does not sell personal data to third parties. Personal data is not disclosed to third parties for advertising or marketing purposes.
By registering, the user authorises Workheld to grant the customer’s company administrator access to the data generated through use of the platform. The company administrator may inspect and manage that data within the scope of their authorisation.
Where Workheld engages third parties to process data on Workheld’s behalf, those parties are subject to the same data protection standards as Workheld itself (see section “Third-party providers and sub-processors”).
For sending newsletters, information e-mails and marketing communications, Workheld uses the CRM and marketing platform HubSpot operated by HubSpot, Inc. HubSpot processes the data exclusively for and on behalf of Workheld; it does not process the data for its own purposes. When a user registers on the Workheld platform or subscribes to the newsletter, the registration data (real name and e-mail address) is transmitted to HubSpot and stored there. HubSpot offers extensive analytics on how newsletters are opened and used. Further information: legal.hubspot.com/privacy-policy.
Third-party providers and sub-processors
To deliver the Workheld platform and related services, Workheld engages the following third-party providers as processors. Data processing agreements pursuant to Art. 28 GDPR or equivalent contractual safeguards are in place with all listed providers.
| Provider | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Ireland Operations Limited (Azure) | Cloud hosting of the platform | All platform data | EU (West Europe, Netherlands) | Art. 28 GDPR; for any access from third countries SCCs under Art. 46(2)(c) GDPR |
| Okta, Inc. (Auth0) | Authentication and user management | Login data, e-mail addresses, session data | EU hosting; US parent | EU-U.S. Data Privacy Framework (DPF); SCCs under Art. 46(2)(c) GDPR |
| Functional Software, Inc. (Sentry) | Crash and error reporting | Device data, pseudonymous user IDs, session information, error logs | EU hosting (ingest.de.sentry.io); US parent | EU-U.S. Data Privacy Framework (DPF); SCCs under Art. 46(2)(c) GDPR |
| Twilio Ireland Limited (SendGrid) | Transactional e-mails (e.g. notifications) | E-mail addresses, names | EU; US parent Twilio Inc. | EU-U.S. Data Privacy Framework (DPF); SCCs under Art. 46(2)(c) GDPR |
| HubSpot, Inc. | Newsletter and marketing communication | Real name, e-mail address, usage behaviour | EU hosting; US parent | EU-U.S. Data Privacy Framework (DPF); SCCs under Art. 46(2)(c) GDPR |
| Mixpanel, Inc. | Product analytics | Pseudonymous usage data | EU hosting; US parent | EU-U.S. Data Privacy Framework (DPF); SCCs under Art. 46(2)(c) GDPR |
| 84codes AB (CloudAMQP) | Message queue service | Technical message data between services | EU (Sweden) | Art. 28 GDPR |
| Microsoft Ireland Operations Limited (Azure OpenAI Service) | AI chatbot within the platform; model invocations without using transmitted data for training | User prompts in the chat context | EU; OpenAI models are hosted within Microsoft’s tenant in the same region; data is not passed on to OpenAI Inc. | Art. 28 GDPR; for any access from third countries SCCs under Art. 46(2)(c) GDPR |
| HiveMQ GmbH | MQTT broker for IIoT telemetry (Workheld Sense / Luna) | No personal data | EU (Microsoft Azure West Europe, self-hosted by the Processor) | Licensed software, self-hosted; HiveMQ GmbH has no access to the processed data |
| TigerData Inc. (TimescaleDB) | Storage of time-series data | No personal data | EU (Microsoft Azure West Europe, self-hosted by the Processor) | Licensed software, self-hosted; TigerData Inc. has no access to the processed data |
Note on classification: HiveMQ GmbH and TigerData Inc. are listed in the table above for transparency, although they do not legally constitute sub-processors within the meaning of Art. 28 GDPR. Both provide licensed software only, which the Processor operates exclusively within its own Microsoft Azure environment (West Europe); no data processing by these vendors takes place.
Notice pursuant to Art. 50(1) EU AI Act
When using the Workheld AI functionality — in particular the in-platform chatbot based on Microsoft Azure OpenAI Service — you are interacting with an AI system within the meaning of Regulation (EU) 2024/1689 (AI Act). AI-generated results may contain errors and do not replace expert review by authorised personnel. Inputs are not used to train the underlying language models. Processing takes place exclusively within Workheld’s Microsoft Azure tenant in the West Europe region.
Data flows in Workheld Sense
For the Workheld Sense component, machine and plant data from the customer’s OT network are transmitted via the edge component Luna to the Workheld cloud. The data flow is exclusively outbound from Luna, over a TLS-secured MQTT connection, to the HiveMQ MQTT broker operated within Microsoft Azure (West Europe). No inbound connection from Workheld to the customer network exists.
These machine and plant data are generally non-personal. To the extent operator identifiers, RFID authentications or shift assignments are processed, those components are subject to the data processing agreement (see workheld.com/en/dpa).
Central storage takes place in the Workheld cloud (Microsoft Azure West Europe). Luna stores only temporary buffers and configuration data locally; no persistent storage of personal data takes place on the edge hardware.
Where providers are established outside the EEA or have a US parent, Workheld bases the transfer on a European Commission adequacy decision (in particular the EU-U.S. Data Privacy Framework, Decision (EU) 2023/1795) or on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, supplemented by appropriate additional measures (Schrems II, CJEU C-311/18).
External development partners
Workheld engages external development partners for the further development and maintenance of the platform. They operate under strict instructions, non-disclosure agreements (NDAs) and the requirements of Workheld’s information security management system (ISMS). Access to personal data is limited to what is necessary and is subject to the same security standards that apply to Workheld’s own staff.
Use of cookies
Within the Workheld platform only strictly necessary cookies and comparable technologies (e.g. session cookies, localStorage for authentication tokens) are used. Consent under Section 165(3) TKG 2021 is not required, since the use is strictly necessary to provide the platform (Section 165(3) last sentence TKG 2021).
Your rights as a data subject
You have the following rights with regard to the processing of your personal data by Workheld:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on legitimate interests (Art. 21 GDPR)
- Right to withdraw a given consent at any time with effect for the future (Art. 7(3) GDPR)
- Right not to be subject to a decision based solely on automated processing (Art. 22 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise these rights, an informal e-mail to hallo@workheld.com or a letter to Workheld GmbH, attn. Data Protection Officer, Rotensterngasse 5, 1020 Vienna, Austria, is sufficient. Where Workheld has reasonable doubts about your identity, additional information may be requested for identification (Art. 12(6) GDPR). Workheld will, as a rule, respond to requests within one month; in complex cases this period may be extended by a further two months in accordance with Art. 12(3) GDPR.
Where Workheld processes personal data on behalf of a customer, please address your request directly to that customer as the controller; in this case Workheld supports the customer in handling data subject requests in accordance with Art. 28(3)(e) GDPR.
The competent supervisory authority in Austria is the Austrian Data Protection Authority (DSB), Barichgasse 40-42, 1030 Vienna, www.dsb.gv.at.
State of the art
Workheld implements technical and organisational security measures to protect personal data against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Security measures are continuously developed in line with the state of the art.
Updates to this privacy policy
Workheld will update this privacy policy when this is required by changes in processing activities, new service providers or legal requirements. The version published on this page applies. Workheld will inform users of material changes – in particular changes that affect existing consents or the structure of processing – in an appropriate manner (e.g. by e-mail or in-app notice) before they take effect.
Newsletter
If a user subscribes to the Workheld newsletter, the registration data (real name and e-mail address) is used to deliver the newsletter. Delivery is based exclusively on the user’s consent (Art. 6(1)(a) GDPR in conjunction with Section 174 TKG 2021). The user can unsubscribe at any time; an unsubscribe link is included in every newsletter. Alternatively, unsubscription can be requested by e-mail to hallo@workheld.com.
Data Processing Agreement (DPA)
Where Workheld processes personal data on behalf of a customer, this is done on the basis of a data processing agreement pursuant to Art. 28 GDPR. Our DPA template is publicly available at workheld.com/en/dpa and can also be downloaded there as a Word document. The legally binding German wording is published at workheld.com/auftragsverarbeitung.