Privacy Policy

Last updated: April 16, 2026

This Privacy Policy describes how WorkFirst ("we", "us", "our") processes your personal data when you use our platform. We process data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Finnish Data Protection Act (Tietosuojalaki 1050/2018), as well as other applicable EU and Finnish law.

1. Data Controller

WorkFirst is the data controller for the personal data we collect through the Service. You can contact us via the Contact page.

2. Personal Data We Collect

We may collect:

• Account data: name, email address, phone number, password (hashed), account type (workforce/company).
• Company data (if applicable): company name, business ID.
• Usage data: log data, IP address, device information, and how you use the Service.
• Content you provide: task submissions, messages, profile information, and other content you upload or submit.
• Authentication data: if you sign in via Google or similar, we receive identifiers and basic profile data from the provider.

3. Legal Basis and Purposes (GDPR Art. 6)

We process your data on the following bases:

• Contract (Art. 6(1)(b)): to create and manage your account, provide the Service, and communicate with you about the Service.
• Legitimate interests (Art. 6(1)(f)): to improve the Service, ensure security, prevent fraud, and enforce our terms, where our interests are not overridden by your rights.
• Legal obligation (Art. 6(1)(c)): where we must retain or disclose data under EU or Finnish law.
• Consent (Art. 6(1)(a)): where we ask for your consent (e.g. optional marketing, non essential cookies). You may withdraw consent at any time.

4. How Long We Keep Your Data

We retain personal data only as long as necessary for the purposes above or as required by law. Account data is kept while your account is active and for a reasonable period after closure for legal and operational purposes. You may request erasure subject to our legal obligations.

5. Your Rights (GDPR)

Under the GDPR and Finnish Data Protection Act, you have the right to:

• Access (Art. 15): obtain a copy of your personal data.
• Rectification (Art. 16): have inaccurate data corrected.
• Erasure (Art. 17): request deletion where applicable.
• Restriction (Art. 18): request limited processing in certain cases.
• Data portability (Art. 20): receive your data in a structured, machine readable format.
• Object (Art. 21): object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: where processing is based on consent.

To exercise these rights, contact us via the Contact page. You also have the right to lodge a complaint with a supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (tietosuoja.fi).

6. Sharing and Recipients

We may share data with:

• Service providers (e.g. hosting, email) who act as processors under our instructions and under data processing agreements.
• Other users as necessary to provide the Service (e.g. companies viewing workforce submissions).
• Authorities when required by EU or Finnish law.

We do not sell your personal data. Where data is transferred outside the EEA, we ensure appropriate safeguards (e.g. adequacy decision or standard contractual clauses) in line with the GDPR.

7. Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or alteration, in line with GDPR Article 32.

8. Children

The Service is not directed at individuals under 16. We do not knowingly collect data from children under 16. If you believe we have collected such data, please contact us so we can delete it.

9. Changes

We may update this Privacy Policy from time to time. We will post the updated version on the Service and update the "Last updated" date. Where changes are material, we will notify you as required by applicable law.

10. Contact

For privacy related requests or questions, contact us via Contact Us.