WorqenBack to app

Privacy Policy

Effective: 2026-04-26Version: 1.0

This document is provided for general information. While drafted to comply with applicable EU, UK, Brazilian, Indian and Ukrainian law, it is not legal advice and does not replace independent counsel. Worqen OÜ recommends consulting a qualified lawyer before relying on this document for any purpose.

1. Introduction

This Privacy Policy explains how Worqen OÜ, a private limited company incorporated in Estonia (registry code [REGISTRATION NUMBER], registered address [REGISTERED ADDRESS], Tallinn, Estonia) ("Worqen", "we", "us"), collects, uses, shares and protects personal data when you use the Worqen marketplace, mobile applications, smart contracts and APIs (the "Service").

We are the data controller for personal data we process about Users. This Policy applies in addition to the EU General Data Protection Regulation (GDPR), the Ukrainian Law on Personal Data Protection, the Brazilian Lei Geral de Proteção de Dados (LGPD), the Indian Digital Personal Data Protection Act 2023 (DPDP), and other applicable local laws — see Section 13 for region-specific rights.

2. Data Protection Officer and Contact

Privacy queries, requests to exercise your rights, and complaints can be addressed to our Data Protection Officer at dpo@worqen.com or by post to Worqen OÜ — DPO, [REGISTERED ADDRESS], Tallinn, Estonia.

3. Personal Data We Collect

CategoryExamplesSource
IdentificationEmail, password (hashed), name, username, avatarYou, at registration
ProfileBio, professional title, hourly rate, availability, skills, education, employment history, certifications, languages, portfolio entries, video introduction, linked social accounts (LinkedIn / GitHub)You
KYC and identity verificationLegal name, date of birth, nationality, address, government-issued ID document image, proof of address, selfie / facial biometrics, verification statusYou, via our processor Sumsub
GeolocationCity, country, timezone; precise latitude/longitude when you opt in to job-radius matchingYou; your device (with permission)
CommunicationsChat messages, dispute messages, attachments, reactions, read receiptsYou
Transactions and walletsSolana wallet addresses, escrow records, transaction signatures, USD/SOL amounts, commission, Sparks balance and historyYou; the Solana blockchain
TechnicalIP address, approximate location derived from IP, browser, device, operating system, language, referrer, session identifiers, timestamps, error logsAutomatically
Cookies / similarSee our Cookie PolicyAutomatically, with your consent where required

Sensitive data: KYC processing involves biometric data (selfie matched to an ID document) and government-issued identifiers. We process this category of data only with your explicit consent and on the basis of compliance with our legal obligations under anti-money-laundering and counter-terrorist-financing law.

4. Purposes and Lawful Bases

PurposeLawful basis (GDPR Art. 6)
Creating and managing your accountPerformance of a contract
Identity verification, sanctions/PEP screening, fraud prevention and AML/CTF complianceLegal obligation; legitimate interest in fraud prevention
Matching Workers and Employers; powering search and discoveryPerformance of a contract; legitimate interest
Operating chat, notifications and dispute resolutionPerformance of a contract
Processing escrow deposits, releases and commissionPerformance of a contract
Geolocation for radius-based job matchingConsent (you can withdraw at any time)
Sending transactional emails (verification, password reset, escrow updates)Performance of a contract
Sending marketing communications (newsletters, feature announcements, promotions)Consent — opt-in; you can opt out at any time
Product analytics and A/B testing (when enabled)Consent (analytics cookies)
Securing the Service, detecting abuse, protecting UsersLegitimate interest; legal obligation
Defending legal claims, complying with court orders and lawful requestsLegal obligation; legitimate interest

5. Service Providers and Recipients

We share personal data only with the following categories of recipients, each under written data-processing terms where applicable:

  • Sumsub (Sum and Substance Ltd, UK) — KYC and identity verification. Receives ID documents, selfies, biometrics, name, DOB, address.
  • Mailgun (Sinch / Mailgun Technologies, USA) — transactional and marketing email delivery. Receives email address and email content.
  • Object storage provider (S3-compatible) — file storage for avatars, job photos, CVs and message attachments. Files are stored under URLs that can be guessed only with knowledge of the upload key.
  • Privy (Privy Technologies Inc., USA) — embedded wallet provisioning, when you choose this option. Receives email and wallet addresses.
  • Sentry (Functional Software, Inc., USA) — error monitoring. Receives stack traces, request metadata and a pseudonymous user identifier.
  • Solana RPC providers — used to broadcast and read on-chain transactions. Receives wallet addresses and transaction data (which is, by design, public on the blockchain).
  • Hosting and infrastructure providers — operate the servers that run the Service.
  • Professional advisers — lawyers, auditors, accountants, on a confidential basis as needed.
  • Authorities — courts, law-enforcement and regulators, where we are legally required to disclose data.
  • Buyers and successors — in the event of a merger, acquisition, reorganisation or insolvency, subject to appropriate confidentiality obligations.

Public profile. Information you choose to put on your public profile, listings or reviews is visible to other Users and, where listings are public, to anyone on the internet.

On-chain data. Transactions you sign with your Solana wallet — including wallet addresses, amounts, escrow program interactions and timestamps — are recorded on a public blockchain. We cannot delete or alter on-chain data. You should not transact on- chain with information you wish to remain private.

6. International Data Transfers

Worqen is established in the European Economic Area. Some of our service providers (such as Mailgun, Privy, Sentry) are established outside the EEA, primarily in the United States. To protect your data when it is transferred outside the EEA, the United Kingdom, Brazil or India, we rely on:

  • European Commission adequacy decisions where available;
  • EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum;
  • Supplementary measures, including encryption in transit and at rest where appropriate;
  • For Brazil, ANPD-approved contractual safeguards under LGPD; for India, the notifications issued under the DPDP Act in respect of cross-border transfer.

You can request a copy of the safeguards in place by contacting our DPO.

7. Retention

DataRetention period
Account data while account is activeUntil you delete the account
Account data after deletionAnonymised within 30 days, except as below
Chat messages2 years after the last activity in the chat
Dispute records7 years (tax, audit and limitation periods)
KYC: ID-document image, selfie, biometric template (held by Sumsub)30 days from verification decision, then deleted
KYC: verification result, applicant ID, decision metadata, sanctions screening outcome5 years from the end of the business relationship (AML)
Server logs (security, error monitoring)30 days
Escrow transaction recordsPermanent (also recorded on the public Solana blockchain)
Marketing-consent recordsUntil consent is withdrawn + 3 years (proof of consent)

8. Security

We use technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration or unauthorised access. These include TLS encryption in transit, encryption of sensitive credentials at rest (AES-256/Fernet), role-based access control, audit logging, multi-factor authentication for our staff, vendor due diligence, and a documented incident response plan.

No system is perfectly secure. You are responsible for keeping your account credentials and any self-custodial wallet keys safe. If you suspect your account or wallet has been compromised, contact us immediately at security@worqen.com.

9. Breach Notification

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required, and we will inform affected Users without undue delay where the breach is likely to result in a high risk to those Users.

10. Your Rights

Subject to local law, you have the right to:

  • access the personal data we hold about you and obtain a copy;
  • have inaccurate or incomplete data corrected;
  • have your data deleted, subject to retention required for AML, tax, audit, on-chain immutability and the establishment, exercise or defence of legal claims;
  • receive your data in a portable, machine-readable format and request transmission to another controller where technically feasible;
  • restrict or object to processing, including processing based on legitimate interest and direct marketing;
  • withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal;
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you (we do not currently engage in such automated decision-making);
  • lodge a complaint with a supervisory authority (see Section 13).

To exercise any of these rights, contact our DPO at dpo@worqen.com. We will respond within one month and without undue delay; the period may be extended by two further months where the request is complex or numerous.

11. Children

The Service is intended for users 18 years and older, or 16 and older with verifiable parental consent where local law permits. We do not knowingly collect personal data from younger children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Cookies and Similar Technologies

See our Cookie Policy for full details. You can manage cookie preferences at any time through the cookie banner or your browser settings.

13. Region-Specific Information

13.1 European Economic Area, United Kingdom and Switzerland

The lead supervisory authority for cross-border processing is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) aki.ee. You may also lodge a complaint with the supervisory authority of your habitual residence or place of alleged infringement. UK users may complain to the Information Commissioner's Office (ICO) ico.org.uk.

13.2 Ukraine

Processing complies with the Law of Ukraine "On Personal Data Protection". Complaints may be made to the Ukrainian Parliament Commissioner for Human Rights (Verkhovna Rada Commissioner) at ombudsman.gov.ua.

13.3 Brazil

Processing complies with the Lei Geral de Proteção de Dados (Law No. 13.709/2018). The national authority is the Autoridade Nacional de Proteção de Dados (ANPD) gov.br/anpd. Brazilian Users have the rights of confirmation, access, correction, anonymisation, blocking, deletion, portability, information about sharing, withdrawal of consent and review of automated decisions, in addition to the rights set out in Section 10.

13.4 India

Processing complies with the Digital Personal Data Protection Act 2023. Indian Data Principals have rights to access, correction, completion, updating, erasure of personal data, and grievance redressal. Grievances should first be raised with our DPO at dpo@worqen.com; you may then escalate to the Data Protection Board of India established under the DPDP Act.

14. Changes to this Policy

We may update this Policy from time to time. If changes are material, we will provide notice in the Service and, where appropriate, by email at least 14 days before the changes take effect.

15. How to Contact Us

Worqen OÜ — Tallinn, Estonia
Data Protection Officer: dpo@worqen.com
General privacy enquiries: privacy@worqen.com
Postal address: [REGISTERED ADDRESS], Tallinn, Estonia