Privacy Policy
Effective Date: January 1, 2026
Last Updated: February 11, 2026
1. Introduction
This Privacy Policy describes how TDF Labs GmbH ("TDF Labs", "we", "us", or "our") collects, uses, stores, discloses, and otherwise processes personal data in connection with Workfold and related services (collectively, the "Services").
Workfold is a modular business operating system for professional services organizations.
2. Controller Information
Controller: TDF Labs GmbH
Address: Rosa-Bavarese-Str. 3, D-80639 Munich, Germany
Support Email: [email protected]
Privacy Contact: [email protected]
Phone: +49 160 1282559
3. Scope
This Privacy Policy applies to:
- Workfold web applications and product experiences
- Workfold integrations, including Google Workspace integrations
- Customer support and operational communications related to the Services
This Privacy Policy does not apply to third-party websites, services, or products that are not controlled by TDF Labs.
4. Categories of Personal Data
Depending on your use of the Services, we may process the following categories of personal data:
- Account data (name, email address, login/session metadata, role, workspace membership)
- Workspace and operational data (tasks, calendar entries, CRM records, audit events)
- Integration data from connected providers (for example, Google Calendar and Gmail data)
- Technical and device data (IP address, browser type, diagnostics, error events, timestamps)
- Support and communication data (support requests and related correspondence)
5. Google Workspace Integration Data
If you connect Google Workspace, we request and process scopes required for the configured integration, including:
openidhttps://www.googleapis.com/auth/userinfo.emailhttps://www.googleapis.com/auth/userinfo.profilehttps://www.googleapis.com/auth/calendar.readonlyhttps://www.googleapis.com/auth/gmail.readonly
For this MVP integration phase:
- Google Calendar access is read-only.
- Gmail access is read-only.
- We do not send email through Gmail APIs.
- We do not write to Google Calendar.
We use this data to:
- Sync communications context into user workspaces
- Link relevant records to CRM entities
- Enable user-triggered follow-up actions, such as tasks
- Operate, secure, and troubleshoot the integration
OAuth tokens are stored in encrypted form. We do not use Google Workspace data for advertising purposes.
6. Purposes of Processing and Legal Bases
Where applicable under the EU GDPR and related law, we process personal data on one or more of the following legal bases:
- Performance of a contract
- Legitimate interests
- Consent (where required)
- Compliance with legal obligations
7. Disclosures and Recipients
We do not sell personal data.
We may disclose personal data to:
- Infrastructure and hosting providers
- Storage and email delivery providers
- Integration providers enabled by the user (for example, Google)
- Professional advisors, auditors, and authorities where legally required
8. International Data Transfers
Where personal data is transferred outside the jurisdiction in which it was collected, we apply appropriate safeguards as required by applicable law, including contractual transfer mechanisms where necessary.
9. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer period is required by law.
| Data Category | Standard Retention |
|---|---|
| Account and workspace profile data | Retained while account is active; deleted or de-identified within 30 days after account/workspace deletion request, unless legal obligations require longer retention. |
| Google OAuth tokens | Retained while integration is active; revoked/deleted on disconnect where possible and purged within 30 days. |
| Synced Google Calendar and Gmail integration data | Retained while integration/account is active; deleted or de-identified within 30 days after valid deletion request, unless legal obligations apply. |
| Security, audit, and access logs | Up to 12 months, unless longer retention is required for incident response or legal obligations. |
| Support communications | Up to 24 months after case closure. |
| Backups and disaster recovery copies | Rolling backup retention of up to 90 days. |
| Financial and tax records | Retained as required by applicable law (which may extend up to 10 years). |
10. Security Measures
We implement technical and organizational measures designed to protect personal data, including encryption in transit, least privilege access controls, tenant-scoped data controls, and security monitoring.
11. User Rights
Subject to applicable law, individuals may have rights to access, correct, delete, restrict or object to processing, request data portability, and withdraw consent where processing is based on consent.
To exercise these rights, contact [email protected]. You may also have the right to lodge a complaint with your competent data protection supervisory authority.
12. Children's Data
The Services are intended for business use and are not directed to children.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect legal, technical, or business developments. We will update the "Last Updated" date and provide additional notice where required by law.
14. Google API Services User Data Policy
Workfold's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.