Privacy Policy
Last updated: 11 May 2026 · v1.0
1. Introduction
This Privacy Policy explains how Web rješenja d.o.o. ("Workspace Sync", "we", "our", "us") collects, uses, and protects personal data when you or your organization uses our service.
Workspace Sync is a business service that synchronizes your organization's Google Workspace contact directory to your team members' mobile devices, so they always have an up-to-date company contact list.
We are committed to protecting your privacy and processing personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Croatian Personal Data Protection Act.
2. Who We Are (Data Controller)
The data controller responsible for your personal data is:
Web rješenja d.o.o.
Markuševečka cesta 115
10040 Zagreb
Croatia
Company registration number (OIB): 97669668809
For privacy-related questions or to exercise your rights under this policy, contact us at: hello@ws.agency
3. Who This Policy Applies To
This Privacy Policy applies to the following groups of people:
- Workspace Administrators — individuals who sign up for Workspace Sync on behalf of their organization and manage the service through the admin dashboard at admin.workspace-sync.com.
- Team Members — employees or members of an organization whose contact information is synchronized from Google Workspace into Workspace Sync, and who may install and use the Workspace Sync mobile app to view their organization's contact directory.
- Website Visitors — anyone who visits our public marketing website at workspace-sync.com without signing in.
A note on roles
For data that flows from Google Workspace into our service:
- Your organization (acting through its workspace administrator) is the data controller of your contact information. Your organization decides which data to share with us and for what purpose.
- Workspace Sync acts as a data processor, processing that data on behalf of your organization in line with our Data Processing Agreement.
If you are an employee or team member and have questions about how your personal data is processed within your organization's Workspace Sync instance, please contact your organization's administrator first.
4. Information We Collect
4.1 Information from Workspace Administrators
When you sign up for Workspace Sync as an administrator using Google Sign-In, we receive: your email address, full name, profile photo URL, and Google Workspace domain. We may also store additional profile information from your Google Workspace profile (job title, department).
When you sign in or take administrative actions, we automatically collect: sign-in events (timestamps), your IP address, and your browser/device user-agent.
When you become a paying customer, our payment processor (Stripe) handles your payment card information directly — we never receive or store full card details. We only store: a Stripe customer reference, your billing email, your country (for VAT), a masked card preview (e.g., "Visa ending 4242"), and your subscription status and history.
4.2 Information from Team Members (synced from Google Workspace)
When your organization connects Workspace Sync to its Google Workspace, we synchronize directory information about its members from the Google Workspace Directory API. This typically includes: full name, given name, family name, primary email address, profile photo, phone numbers (work, mobile, and other types as configured), postal addresses (where set in the Google Workspace profile), and organizational information (department, job title, manager).
The exact data set depends on what your organization has populated in Google Workspace and which fields the administrator enables.
For reliability, we may temporarily store the raw response returned by the Google Workspace Directory API. This raw response is kept only as long as needed to keep your directory in sync and is not displayed in the app beyond the fields listed above.
We also keep operational records: sync timestamps and status, and a security audit log recording which authenticated user viewed which contact record (with IP address and user-agent). This audit log helps us detect unauthorized access and is retained for 90 days.
4.3 Information from the Mobile App
Sign-in. You sign in to the mobile app using Google Sign-In. We receive your email, name, and profile photo from Google.
Push notification tokens. If you enable push notifications, the app generates a device-specific push token (via Apple Push Notification service on iOS or Google Firebase Cloud Messaging on Android) and sends it to our backend (via Expo Push) so we can deliver notifications. The token is stored alongside your user record. We delete it when you sign out, uninstall the app, or your organization's subscription ends.
Device information. The app may include basic device information (operating system, app version, language, time zone) with requests to our servers. This is used for technical support and to serve the right content for your platform.
App activity logs. Contact-access events are recorded in the same security audit log described in section 4.2 (retained for 90 days). We do not use third-party analytics products in the mobile app and we do not track which screens you view or how long you spend in the app.
Cached data on your device. The mobile app stores a local copy of your organization's contact directory on your device so it works offline. This local copy is cleared when you sign out or your organization's subscription ends.
4.4 Information from Website Visitors
When you visit workspace-sync.com, we automatically collect: your IP address, browser/user-agent, pages visited and time of visit, and referring website. This is collected by our hosting infrastructure as standard server logs and is used to operate and secure the website. Server logs are retained for 30 days.
We currently do not use third-party analytics tools (such as Google Analytics) and we do not place non-essential cookies. If this changes, we will update this Privacy Policy and request your consent where required.
Contact forms. If you submit a contact form, we collect the information you provide (name, email, company, message) and use it to respond. Contact form submissions are retained for up to 12 months.
4.5 Communications and Support
When you contact us by email or through other support channels, we collect your name, email address, the content of your message, and any attachments. Support communications are retained for up to 2 years.
5. How We Use the Information
- Providing and operating the service — syncing your directory, displaying contacts, delivering push notifications, keeping your data current.
- Managing your account — authenticating you, applying permissions, maintaining your profile.
- Billing and payments — processing subscriptions, calculating charges, sending payment-related notifications.
- Security and abuse prevention — detecting unauthorized access, auditing contact access, investigating incidents.
- Customer support — responding to inquiries, troubleshooting.
- Service notifications — sending transactional emails (sign-in confirmations, payment failures, renewals, important service changes). These cannot be opted out of while you remain a customer.
- Legal compliance — meeting our obligations under Croatian and EU law.
We do not use your personal data for advertising or to sell to third parties. We do not profile you for marketing.
6. Legal Basis for Processing
- Performance of a contract — to deliver the service you or your organization signed up for.
- Legitimate interests — to secure our service, prevent abuse, improve and maintain the product, and manage customer relationships. You can object to this basis at any time (see section 10).
- Legal obligation — to meet legal requirements (e.g., Croatian tax law).
- Consent — for any optional processing beyond what is needed for the service (currently none). You may withdraw consent at any time.
For data synchronized from your organization's Google Workspace, your organization is the data controller and determines the legal basis; we process it as data processor on its behalf.
7. Sharing Data and Subprocessors
We do not sell your personal data. We share it only with the third-party service providers ("subprocessors") that help us deliver Workspace Sync:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google LLC | Google Sign-In (SSO) and Google Workspace Directory API | United States; EU-US Data Privacy Framework certified |
| Supabase Inc. | Database, authentication, serverless functions | EU (Ireland) |
| Stripe, Inc. | Payment processing and subscription billing | United States; EU-US Data Privacy Framework certified |
| Apple Inc. | Push notifications on iOS | United States |
| Google LLC | Push notifications on Android (Firebase Cloud Messaging) | United States; EU-US Data Privacy Framework certified |
| Expo | Push notification delivery layer | United States |
| Nebion AG | Web hosting (marketing site, admin dashboard) | Switzerland (EU adequacy decision) |
Each subprocessor processes personal data on our instruction and is bound by contractual data protection terms. If we add, remove, or replace a subprocessor, we will update this list.
We may also disclose personal data when required by law, to protect our rights, property, or safety, or in connection with a corporate transaction.
8. International Data Transfers
Most personal data is stored and processed within the European Economic Area (EEA). Our primary database (Supabase) is in the EU (Ireland), and our web hosting (Nebion) is in Switzerland, covered by an EU adequacy decision.
Some subprocessors are based in the United States. Transfers to these providers are protected by either the EU-US Data Privacy Framework (where the provider is certified) or Standard Contractual Clauses approved by the European Commission. You can request a copy of the safeguards by contacting us at hello@ws.agency.
9. Data Retention
| Data | Retention period |
|---|---|
| Administrator account data | While account active + 90 days after cancellation |
| Synchronized contact directory | While subscription active; deleted within 90 days after cancellation or on request |
| Contact access audit logs | 90 days |
| Server logs | 30 days |
| Sync logs | 1 year |
| Push notification tokens | Until sign-out, app uninstall, or subscription end |
| Support communications | Up to 2 years from last interaction |
| Contact form submissions | Up to 12 months |
| Invoicing and billing records | 11 years (Croatian tax law) |
After the retention period, data is automatically deleted or anonymized. You can request earlier deletion (see section 10), subject to legal retention obligations.
10. Your Rights
Under the GDPR, you have:
- Right of access — request a copy of personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion (subject to legal obligations).
- Right to restriction of processing.
- Right to data portability — receive a machine-readable copy of data you provided.
- Right to object — to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent.
To exercise any of these rights, email hello@ws.agency. We respond within 30 days. We charge no fee unless a request is manifestly unfounded or excessive.
You may also lodge a complaint with the Croatian data protection authority:
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10000 Zagreb
Email: azop@azop.hr
Web: azop.hr
11. Security
- Encryption in transit — TLS (HTTPS) on all connections.
- Encryption at rest — data stored in our databases is encrypted at rest.
- Access controls — only authorized personnel with a business need can access customer data; access is logged.
- Audit logging — administrative actions and contact access are logged for security review.
- Regular security reviews.
No system is 100% secure. In the event of a personal data breach, we will notify you and the supervisory authority in line with GDPR requirements.
12. Cookies and Tracking
Workspace Sync uses a minimal set of cookies that are strictly necessary for the service to function:
- Authentication / session cookies — set by Supabase to keep you signed in. Deleted at sign-out or session expiry.
- CSRF protection tokens — to prevent cross-site request forgery.
These are essential cookies and do not require consent under GDPR/ePrivacy rules. We do not currently use analytics, advertising, or other non-essential cookies. We do not use third-party tracking pixels.
If we add non-essential cookies in the future, we will introduce a cookie consent banner and require opt-in.
13. Children's Privacy
Workspace Sync is a business service intended for use by organizations and their adult employees. It is not directed at children and we do not knowingly collect personal data from anyone under 16.
If your organization enables Workspace Sync access for someone under 16, that is the responsibility of your organization. If we become aware that we hold personal data of a child without a valid legal basis, we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We update the "Last updated" date at the top of this page.
For material changes that significantly affect how we handle your data, we will notify you in advance — by email and/or via a prominent notice in the admin dashboard or mobile app — at least 30 days before the changes take effect.
Your continued use of the service after changes take effect constitutes acceptance of the updated policy.
15. Contact
If you have questions or concerns about this Privacy Policy or our processing of your personal data, contact us at:
Web rješenja d.o.o.
Markuševečka cesta 115, 10040 Zagreb, Croatia
Email: hello@ws.agency