Last Updated on April 28, 2023
Hey there! A big thanks from all of us at Workflow for choosing our products. We create them to help you achieve your best work. With many users relying on Workflow products daily, we need to set some Terms of Service to keep everything running smoothly.
In this document, when we mention "Company," "we," "our," or "us," we're referring to Workflow.
"Services" refers to our websites, including workflow.cm, and any products developed and maintained by Workflow.
When we say "You" or "your," we're talking about the people or organizations that own an account with one or more of our Services. We maintain specific ownership policies for our products, which you can find here.
We might update these Terms of Service ("Terms") in the future. Generally, we make updates to clarify terms by linking to related policies. When we introduce significant changes to our policies, we'll update the date at the top of this page and take other necessary steps to inform account holders.
By using our Services, now or later, you agree to the most recent Terms. There might be instances where we don't exercise or enforce a right or provision of the Terms; however, that doesn't mean we're waiving that right or provision. **Please note that these Terms include a limitation of our liability.**
If you breach any of the Terms, we may terminate your account. That's a broad statement, and it means you need to trust us a lot. We strive to earn that trust by being transparent about who we are, how we work, and maintaining an open line for your feedback.
We design our Services with care, based on our own experience and the experiences of customers who share their time and feedback. However, there is no such thing as a service that pleases everybody. We make no guarantees that our Services will meet your specific requirements or expectations.
We also test all of our features extensively before shipping them. As with any software, our Services inevitably have some bugs. We track the bugs reported to us and work through priority ones, especially any related to security or privacy. Not all reported bugs will get fixed and we don’t guarantee completely error-free Services.
We offer Application Program Interfaces (“API”s) for some of our Services (currently Workflow, and the Workflow Figma Plugin). Any use of the API, including through a third-party product that accesses the Services, is bound by these Terms plus the following specific terms:
Some third-party providers have created integrations between our Services and theirs. We are not liable or accountable for any of these third-party integrations.
We mention liability throughout these Terms but to put it all in one section:
You expressly understand and agree that Workflow shall not be liable, in law or in equity, to you or to any third party for any direct, indirect, incidental, lost profits, special, consequential, punitive or exemplary damages, including, but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses (even if Workflow has been advised of the possibility of such damages), resulting from: (i) the use or the inability to use the Services; (ii) the cost of procurement of substitute goods and services resulting from any goods, data, information or services purchased or obtained or messages received or transactions entered into through or from the Services; (iii) unauthorized access to or alteration of your transmissions or data; (iv) statements or conduct of any third party on the service; (v) or any other matter relating to these Terms or the Services, whether as a breach of contract, tort (including negligence whether active or passive), or any other theory of liability.
In other words: choosing to use our Services means you are making a bet on us. If the bet does not work out, that’s on you, not us. We do our darnedest to be as safe a bet as possible through careful management of the business; investments in security, infrastructure, and talent; and in general we care about providing a long-lasting, stable and honest business. If you choose to use our Services, thank you for betting on us.
If you have a question about any of these Terms, please contact our Support team.
Last Updated on May 2, 2023
Your data is yours, not ours! And privacy is a big deal to us. In this policy, we lay out: what data we collect and why; how your data is handled; and your rights with respect to your data. We promise we never sell your data: never have, never will.
Our guiding principle is to collect only what we need. Here’s what that means in practice:
When you sign up for a Workflow product, we ask for identifying information such as your name, email address, and maybe a company name. That’s so you can personalize your new account, and we can send you product updates and other essential information. We may also send you optional surveys from time to time to help us understand how you use our products and to make improvements. With your consent, we will send you our newsletter and other updates. We sometimes also give you the option to add a profile picture that displays in our products.
We’ll never sell your personal information to third parties, and we won’t use your name or company in marketing statements without your permission either.
If you sign up for a paid Workflow product, you will be asked to provide your payment information and billing address. Credit card information is submitted directly to our payment processor and doesn’t hit Workflow servers. We store a record of the payment transaction, including the last 4 digits of the credit card number, for purposes of account history, invoicing, and billing support. We store your billing address so we can charge you for service, calculate any sales tax due, send you invoices, and detect fraudulent credit card transactions. We occasionally use aggregate billing information to guide our marketing efforts.
We store on our servers the content that you upload or receive or maintain in your Workflow product accounts. This is so you can use our products as intended, for example, to create projects in Workflow. We keep this content as long as your account is active. If you delete your account, we’ll delete the content within 60 days.
For most of our products, we log the full IP address used to sign up a product account and retain that for use in mitigating future spammy signups. We also log all account access by full IP address for security and fraud prevention purposes, and we keep this login data for as long as your product account is active.
We collect information about your browsing activity for analytics and statistical purposes such as conversion rate testing and experimenting with new product designs. This includes, for example, your browser and operating system versions, your IP address, which web pages you visited and how long they took to load, and which website referred you to us. If you have an account and are signed in, these web analytics data are tied to your IP address and user account until your account is no longer active. The web analytics we use are described further in the Advertising and Cookies section.
We use CAPTCHA across our applications to mitigate brute force logins and as a means of spam protection. We have a legitimate interest in protecting our apps and the broader Internet community from credential stuffing attacks and spam. When you log into your Workflow accounts and when you fill in certain forms in HEY, the CAPTCHA service evaluates various information (e.g., IP address, how long the visitor has been on the app, mouse movements) to try to detect if the activity is from an automated program instead of a human. The CAPTCHA service then provides Workflow with the spam score results; we do not have access to the evaluated information.
Workflow runs contextual ads on various third-party platforms such as Google, Reddit, and LinkedIn. Users who click on one of our ads will be sent to the Workflow marketing site. Where permissible under law, we may load an ad-company script on their browsers that sets a third-party cookie and sends information to the ad network to enable evaluation of the effectiveness of our ads, e.g., which ad they clicked and which keyword triggered the ad, and whether they performed certain actions such as clicking a button or submitting a form.
We also use persistent first-party cookies and some third-party cookies to store certain preferences, make it easier for you to use our applications, and perform A/B testing as well as support some analytics.
A cookie is a piece of text stored by your browser. It may help remember login information and site preferences. It might also collect information such as your browser type, operating system, web pages visited, duration of visit, content viewed, and other click-stream data. You can adjust cookie retention settings and accept or block individual cookies in your browser settings, although our apps won’t work and other aspects of our service may not function properly if you turn cookies off.
When you email Workflow with a question or to ask for help, we keep that correspondence, including your email address, so that we have a history of past correspondence to reference if you reach out in the future.
We also store information you may volunteer, for example, written responses to surveys. If you agree to a customer interview, we may ask for your permission to record the conversation for future reference or use. We will only do so with your express consent.
We may offer optional desktop and mobile apps for some of our products. Because of how the platforms are designed, our apps typically must request your consent before accessing contacts, calendar, camera, and other privacy-sensitive features of your device. Consent is always optional and our apps will function without it, though some features may be unavailable. There are a few exceptions, for example:
To provide products or services you’ve requested. We use some third-party subprocessors to help run our applications and provide the Services to you. We establish GDPR-compliant data processing agreements with each subprocessor, extending GDPR safeguards everywhere personal data is processed.
The following is a list of personal data subprocessors we use. These subprocessors are all located in the United Kingdom or United States:
We may share your information at your direction if you integrate a third-party service into your use of our products. For example, we may allow you, at your option, to connect your Gmail account to your HEY account so that you can use HEY to receive and respond to your Gmail email. Email that you receive and respond to through HEY from your Gmail address will be stored by both HEY and Google and will be available to you from your Gmail account as well as your HEY account.
No Workflow human looks at your content except for limited purposes with your express permission, for example, if an error occurs that stops an automated process from working and requires manual intervention to fix. These are rare cases, and when they happen, we look for root cause solutions as much as possible to avoid them recurring. We may also access your data if required in order to respond to legal process (see “When required under applicable law” below).
To help you troubleshoot or squash a software bug, with your permission. If at any point we need to access your content to help you with a support case, we will ask for your consent before proceeding.
To investigate, prevent, or take action regarding restricted uses. Accessing a customer’s account when investigating potential abuse is a measure of last resort. We want to protect the privacy and safety of both our customers and the people reporting issues to us, and we do our best to balance those responsibilities throughout the process. If we discover you are using our products for a restricted purpose, we will take action as necessary, including notifying appropriate authorities where warranted.
Workflow is a U.K. company and all data infrastructure is located in the U.K.
Requests for user data. Our policy is to not respond to government requests for user data unless we are compelled by legal process or in limited circumstances in the event of an emergency request. However, if U.S. law enforcement authorities have the necessary warrant, criminal subpoena, or court order requiring us to share data, we must comply. Likewise, we will only respond to requests from government authorities outside the U.S. if compelled by the U.S. government through procedures outlined in a mutual legal assistance treaty or agreement. It is Workflow’s policy to notify affected users before we share data unless we are legally prohibited from doing so, and except in some emergency cases.
Preservation requests. Similarly, Workflow’s policy is to comply with requests to preserve data only if compelled by the U.S. Federal Stored Communications Act, 18 U.S.C. Section 2703(f), or by a properly served U.S. subpoena for civil matters. We do not share preserved data unless required by law or compelled by a court order that we choose not to appeal. Furthermore, unless we receive a proper warrant, court order, or subpoena before the required preservation period expires, we will destroy any preserved copies of customer data at the end of the preservation period.
If we are audited by a tax authority, we may be required to share billing-related information. If that happens, we will share only the minimum needed, such as billing addresses and tax exemption information.
Finally, if Workflow is acquired by or merges with another company — we don’t plan on that, but if it happens — we’ll notify you well before any of your personal information is transferred or becomes subject to a different privacy policy.
At Workflow, we strive to apply the same data rights to all customers, regardless of their location. Some of these rights include:
Right to Know. You have the right to know what personal information is collected, used, shared or sold. We outline both the categories and specific bits of data we collect, as well as how they are used, in this privacy policy.
Right of Access. This includes your right to access the personal information we gather about you, and your right to obtain information about the sharing, storage, security and processing of that information.
Right to Correction. You have the right to request correction of your personal information.
Right to Erasure / “To Be Forgotten”. This is your right to request, subject to certain limitations under applicable law, that your personal information be erased from our possession and, by extension, from all of our service providers. Fulfillment of some data deletion requests may prevent you from using Workflow services because our applications may then no longer work. In such cases, a data deletion request may result in closing your account.
Right to Complain. You have the right to make a complaint regarding our handling of your personal information with the appropriate supervisory authority.
Right to Restrict Processing. This is your right to request restriction of how and why your personal information is used or processed, including opting out of sale of personal information. (Again: we never have and never will sell your personal data.)
Right to Object. You have the right, in certain situations, to object to how or why your personal information is processed.
Right to Portability. You have the right to receive the personal information we have about you and the right to transmit it to another party. If you want to export data from your accounts, please contact us at hello@workflow.design.
Right to not Be Subject to Automated Decision-Making. You have the right to object to and prevent any decision that could have a legal or similarly significant effect on you from being made solely based on automated processes. This right is limited if the decision is necessary for performance of any contract between you and us, is allowed by applicable law, or is based on your explicit consent.
Right to Non-Discrimination. We do not and will not charge you a different amount to use our products, offer you different discounts, or give you a lower level of customer service because you have exercised your data privacy rights. However, the exercise of certain rights may, by virtue of your exercising those rights, prevent you from using our Services.
Many of these rights can be exercised by signing in and updating your account information.
If you have questions about exercising these rights or need assistance, please contact us at hello@workflow.design or at Workflow, 1J Riverview Heights, 27 Bermondsey Wall West, London SE16 4TN. If an authorized agent is corresponding on your behalf, we will need written consent with a signature from the account holder before proceeding.
If you are in the EU or UK, you can contact your data protection authority to file a complaint or learn more about local privacy laws.
All data is encrypted via SSL/TLS when transmitted from our servers to your browser. The database backups are also encrypted. In addition, we go to great lengths to secure your data at rest. For more information about how we keep your information secure, please review our security overview.
With regard to products, except for your uploaded content, most data are not encrypted while they live in our database (since they need to be ready to send to you when you need them). With your uploaded content, we go further by encrypting the database at-work. Each piece of content is encrypted with its own key. The disks storing the data keys are encrypted as well. Our servers decrypt the data to send it to you when you need it.
In many of our applications, we give you the option to delete content. Anything you delete in your product accounts while they are active will be removed immediately. The deleted content cannot be accessed via the application and we are not able to retrieve it for you. The deleted content may remain on our active servers for another 30 days, and copies of the content may be held in backups of our application databases for up to another 30 days after that. Altogether, any content deleted in your product accounts should be purged from all of our systems and logs within 90 days.
If you choose to cancel your account, your content will become immediately inaccessible and should be purged from our systems in full within 60 days. This applies both for cases when an account owner directly cancels and for auto-canceled accounts.
Our products and other web properties are operated in the United Kingdom. If you are located in the US, or elsewhere outside of the United Kingdom, **please be aware that any information you provide to us will be transferred to and stored in the United Kingdom**. By using our websites or Services and/or providing us with your personal information, you consent to this transfer.
We may update this policy as needed to comply with relevant regulations and reflect any new practices. Whenever we make a significant change to our policies, we will refresh the date at the top of this page and take any other appropriate steps to notify users.
Have any questions, comments, or concerns about this privacy policy, your data, or your rights with respect to your information? Please get in touch by emailing us at hello@workflow.design and we’ll be happy to try to answer them!
Last Updated on April 28, 2023
We want satisfied customers, not hostages. That’s why we make it easy for you to cancel your account directly in all of our apps — no phone calls required, no questions asked.
Account owners can follow these instructions to cancel in-app:
Our legal responsibility is to account owners, which means we cannot cancel an account at the request of anyone else. If for whatever reason you no longer know who the account owner is, contact us. We will gladly reach out to any current account owners at the email addresses we have on file.
You won’t be able to access your excess content (above the free tier's limits) once you cancel, so make sure you download everything you want to keep beforehand.
We’ll permanently delete excess content in your account (above the free tier's limits) from our servers 30 days after cancellation, and from our backups within 60 days. Retrieving content for a single account from a backup isn’t possible, so if you change your mind you’ll need to do it within the first 30 days after cancellation. Content can’t be recovered once it has been permanently deleted.
We won’t bill you again once you cancel. We don’t automatically prorate any unused time you may have left but if you haven’t used your account in months or just started a new billing cycle, contact us for a fair refund. We’ll treat you right.
We may cancel accounts if they have been inactive for an extended period:
For frozen accounts: 180 days after being frozen due to billing failures
For free accounts: after 60 days of inactivity. We will check with you multiple times via email before making any change.
We also retain the right to suspend or terminate accounts for any reason at any time, as outlined in our Terms of Service. In practice, this generally means we will cancel your account without notice if we have evidence that you are using our products to engage in abusive behavior.
Last Updated on May 2, 2023
Bad refund policies are infuriating. You feel like the company is just trying to rip you off. We never want our customers to feel that way, so our refund policy is simple: If you’re ever unhappy with our products* for any reason, just contact our support team and we'll take care of you.
At the end of the day, nearly everything on the edges comes down to a case-by-case basis. Send us a note, tell us what's up, and we'll work with you to make sure you’re happy.
*This policy applies to any product created and owned by Workflow. That includes Workflow, and the Workflow Figma Plugin.
Last Updated on May 2, 2023
Countless teams rely on Workflow products*, and we're thrilled to offer them a better way to work. We recognize that, despite good intentions, technology can amplify harmful actions. That's why we've set up this policy. We feel an ethical responsibility to counter such harm, addressing instances where Workflow is misused to further harm and asserting that our products are not safe havens for those with harmful intentions. If you have an account with any of our products, you cannot use them for any of the restricted purposes listed below. If we discover you are, we will take action.
Violence, or threats thereof: If an activity is considered a violent crime in the United States or your country, you may not use Workflow products to plan, commit, or threaten that activity.
Child exploitation, sexualization, or abuse: We don't tolerate activities that generate, distribute, or otherwise result in child abuse. Stay away and just stop.
Hate speech: You cannot use our products to advocate for the extermination, domination, or oppression of people.
Harassment: Targeting or intimidating people or groups through repeated communication, including racial slurs or dehumanizing language, is unwelcome at Workflow.
Doxing: If you're using Workflow products to share others' private personal information for harassment purposes, we want nothing to do with you.
Malware or spyware: Code for good, not evil. If you use our products to create or distribute malware or spyware, including remote user surveillance, leave now.
Phishing or attempting fraud: Misrepresenting your identity or affiliations to steal from, extort, or harm others is unacceptable.
Spamming: Unsolicited commercial emails are unwanted. We don't allow people (or their bots) to use Workflow products for spamming. If your emails don't comply with CAN-SPAM or other anti-spam laws, it's prohibited.
Cybersquatting: We dislike username extortionists. If you purchase a Workflow product account in someone else's name and try to sell it to them, you're cybersquatting. Cybersquatting accounts will be canceled immediately.
Infringing on intellectual property: You can't use Workflow products to create or share work that uses others' intellectual property beyond the scope of fair use.
While our use restrictions are comprehensive, they can't cover everything. It's possible that an offense could defy categorization, be a first-time occurrence, or raise a moral dilemma we hadn't considered. Nevertheless, the overall spirit is clear: Workflow is not to be used for harm, whether mental, physical, personal, or civic. Different perspectives—philosophical, religious, and political—are welcome, but ideologies like white nationalism or hate-fueled movements anchored in oppression, violence, abuse, extermination, or domination of one group over another will not be tolerated here.
For cases of suspected malware, spyware, phishing, spamming, and cybersquatting, please notify us at hello@workflow.design
For all other cases, please contact us by emailing hello@workflow.design
Last Updated on May 2, 2023
All data are written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.
Whenever your data are in transit between you and us, everything is encrypted, and sent using HTTPS. Within our firewalled private networks, data may be transferred unencrypted.
Any files which you upload to us are stored and are encrypted at rest. Our application databases are generally not encrypted at rest — the information you add to the applications is active in our databases and subject to the same protection and monitoring as the rest of our systems. Our database backups are encrypted using GPG.
Our servers — from power supplies to the internet connection to the air purifying systems — operate at full redundancy. Our systems are engineered to stay up even if multiple servers fail.
Our state-of-the-art servers are protected by biometric locks and round-the-clock interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. 24/7/365 onsite staff provides additional protection against unauthorized entry and security breaches.
Our software infrastructure is updated regularly with the latest security patches. Our products run on a dedicated network which is locked down with firewalls and carefully monitored. While perfect security is a moving target, we work with security researchers to keep up with the state-of-the-art in web security.
All credit card transactions are processed using secure encryption—the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely on a PCI-Compliant network.
We have a team dedicated to maintaining your account’s security on our systems and monitoring tools we’ve set up to alert us to any nefarious activity against our domains. To date, we’ve never had a data breach.
We also audit internal data access. If a Workflow employee wrongly accesses customer data, they will face penalties ranging from termination to prosecution. Again, to our knowledge, this hasn’t happened.
We have processes and defenses in place to keep our streak of 0 data breaches going. But in the unfortunate circumstances someone malicious does successfully mount an attack, we will immediately notify all affected customers.
Our team have been around the block and worked at a number of enterprise and Government organisations. Security isn’t just about technology, it’s about trust. Longevity and stability are core to our mission at Workflow.
Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Please contact us at hello@workflow.design
Last Updated on May 2, 2023
Making original work is hard! As described in our Use Restrictions policy, you can’t use Workflow products* to make or disseminate work that uses the intellectual property of others beyond the bounds of fair use.
Are you a copyright owner? Under the Digital Millennium Copyright Act (17 U.S.C. § 512), you have the right to notify us (Workflow Design Limited) if you believe that an account user of any product we built and maintain has infringed on your work(s) as copyright owner. To be effective, the notification of claimed infringement must be written. Please include the following information:
On the flip-side, if you believe your material has been removed in error, you can file a written counter-notification. Please include the following information:
You can notify us of either copyright infringement claims or DMCA counter-notifications through either of the following channels:
By email: hello@workflow.design
By mail: Workflow 1J Riverview Heights, Bermondsey Wall West London SE16 4TN, UK
*This policy and process applies to any product created and owned by Workflow Design Limited. That includes Workflow, and the Workflow Figma Plugin.
Last Updated on May 2, 2023
Internet services often vanish due to various reasons, making it risky to trust and store your data. We want better for our customers.
Our products are a result of dedication, representing our journey and future direction. We're proud and grateful for the support we've received over the years.
We promise to support our products indefinitely, countering the impermanence of many online services. Workflow is built to last, and we're committed to supporting our legacy products and customers.