Privacy

Last updated: May 8, 2026

What we collect

Only what's needed to run your Workcard and keep it safe.

  • Account email. The email you sign in with.
  • Sign-in codes. The 6-digit code you enter expires after 5 minutes. The verification record persists per Better Auth's retention until your account is permanently deleted, or — for accounts that never complete email verification — until the unverified-account sweep runs (see Retention).
  • Profile fields. Whatever you enter in setup or edit later — name, services, areas, contact info, credentials, work history, photos.
  • Setup drafts. If you start setting up your Workcard but don't finish, we save what you've typed so you can pick up later. Stored alongside your account; deleted when you finish setup or when your account is deleted.
  • Photos. Stored in Cloudflare R2.
  • Contact-form submissions. Name, email, phone, and message from someone using your contact button. We also see the IP address and browser user-agent of the request, hashed into a fingerprint to limit spam.
  • Bot-verification data. When someone submits the contact form, we send their IP and a Turnstile challenge token to Cloudflare to verify they're not a bot.
  • Rate-limit state. A short-lived key in Cloudflare KV (profile + email + fingerprint) that prevents repeat submissions from the same source.
  • Sessions. A session row stores the token, expiry, and the IP and user-agent of the device that signed in.
  • Quality-curation signals. If someone submits a private signal about a Workcard, we record the target Workcard, the category (e.g. unreliable, unsafe work), a description, and optionally the submitter's email and phone.
  • Operator audit log. When we take an action (review a signal, change a profile, purge an account), we log the action, a note, and metadata. On permanent purge, identifiers pointing to the affected worker are removed from the log; the action description and metadata are kept. Operators can also prune the log directly to manage volume and clean up testing artifacts — the audit log is an operational tool, not a record we promise to retain.

Why

Email is for sign-in. Profile fields, photos, and contact submissions are the product. Fingerprints, Turnstile, and rate-limit state stop spam. Sessions keep you signed in. Signals and audit logs let us remove bad actors without exposing the system to public review pressure.

Retention

How long each piece of data lives:

  • While your account is active, data is retained.
  • If you start signing up but never confirm your email, your unverified account record is cleared after 7 days. After that, the email is released for fresh signup.
  • If you have an unfinished setup draft, it's retained as long as your account is. It's deleted automatically when you finish setup or when your account is permanently deleted.
  • If you deactivate, your Workcard and contact form go dark. Your data is retained, so reactivation is a flag flip — nothing has to be restored.
  • If you delete, a 30-day grace period starts. During grace, everything is retained and you can still come back.
  • After grace, permanent purge runs: profile, photos, contact submissions, and most child rows are deleted. Audit-log entries about your account are kept, but identifiers pointing to you are removed. The token your Workcard URL used is recorded as burned so it can't be reused.

Account lifecycle

  • Active. Your Workcard is published or in setup. Data is retained.
  • Deactivated. Your Workcard is hidden and the contact form is paused. Your data is retained. You can reactivate any time.
  • Delete-pending. A 30-day grace period before permanent purge. You can still cancel and return. Sessions are invalidated.

Subprocessors

Two service providers hold your data on our behalf:

  • Cloudflare — hosting, database (D1, where account and content rows live), photo storage (R2), rate-limit storage (KV), bot verification (Turnstile), and inbound mail routing for our privacy contact address. DPA and subprocessor list.
  • Resend — transactional email (sign-in codes, contact-form forwards). DPA, subprocessor list.

If we add another subprocessor, we'll update this list before the change takes effect.

What we don't do

  • No behavioral analytics, no cross-site tracking.
  • No advertising network of any kind.
  • No sale or rental of your data.
  • No marketing email — only transactional (sign-in codes, contact-form forwards, account-lifecycle notices).
  • No public reviews, ratings, or testimonials. Trust on a Workcard comes from the worker's own content, not aggregated public opinion.

Cookies

We set only what's needed to run the site: a sign-in session cookie and Cloudflare's standard infrastructure cookies. No tracking cookies, no consent banner — there's nothing to consent to.

Your rights

  • Access. Your dashboard shows your Workcard profile and the content you've put on it. For other records — contact submissions, sign-in history, audit log — email privacy@workcard.me.
  • Correction. Edit your profile any time from the dashboard.
  • Deletion. Use the deactivate-then-delete flow on the dashboard. After the 30-day grace period, the purge is complete and irreversible.
  • Other requests. Email privacy@workcard.me.

Contact

Privacy questions: privacy@workcard.me.

Changes

The Last updated date at the top of this page reflects the current version. Continued use after a material change means you accept the change.