Privacy Policy

Last updated: March 15, 2026

Workflow Scheduling ("Workflow", "we", "us", or "our") operates the scheduling platform at schedule.workflow.co.ke and the associated WhatsApp messaging service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information. We are committed to protecting your privacy in compliance with applicable data protection laws, including the Kenya Data Protection Act, 2019 and the California Consumer Privacy Act (CCPA).

1. Information We Collect

We collect the following categories of personal information when your employer registers you on the platform:

• Identity information: Full name, email address, employee role, and position
• Contact information: Phone number (including WhatsApp number)
• Employment information: Hire date, work schedule, shift assignments, availability, and time-off requests
• Authentication data: A PIN used to access the web portal (stored securely)
• Usage data: Messages sent to our WhatsApp bot, timestamps, interaction logs, and activity audit logs

We do not collect sensitive personal information such as Social Security numbers, financial account information, biometric data, or precise geolocation data.

2. How We Use Your Information

We use your personal information to:

• Provide and manage employee scheduling services
• Send shift notifications, schedule updates, and announcements via WhatsApp
• Process time-off requests and shift swap requests
• Authenticate your access to the web portal
• Maintain audit logs of scheduling actions for accountability and dispute resolution
• Improve and maintain our platform

We do not sell your personal information. We do not use your personal information for advertising or marketing purposes unrelated to the scheduling service.

3. Legal Basis for Processing

We process your data based on:

• Contractual necessity: To provide scheduling services as agreed with your employer
• Legitimate interest: To operate, maintain, and improve our platform
• Consent: When you opt in to WhatsApp messaging by confirming activation

4. Data Sharing

We do not sell your personal data to third parties. We may share your information with:

• Your employer: Managers and administrators within your company can view scheduling data, time-off requests, availability, and activity logs related to their organization
• Service providers: We use Supabase (database hosting), Netlify (web hosting), Meta/WhatsApp (messaging), and Anthropic (AI-powered responses) to operate our platform. These providers process data on our behalf under strict contractual obligations
• Legal requirements: We may disclose information if required by law, regulation, or legal process in any applicable jurisdiction

5. AI-Powered Features

Our WhatsApp assistant uses artificial intelligence (provided by Anthropic) to process and respond to your messages. When you send a message to our WhatsApp bot:

• Your message content and scheduling data are sent to Anthropic's API for processing
• Anthropic does not use your data to train their models
• AI-generated responses may occasionally contain errors — always verify critical scheduling information through the web dashboard
• We do not store conversation history beyond the current interaction

6. Data Storage and Security

Your data is stored on secure cloud servers provided by Supabase, with infrastructure located in the United States. We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted data transmission (HTTPS/TLS)
• Secure authentication mechanisms
• Role-based access controls
• Audit logging of administrative actions
• Regular security reviews

7. Data Retention

We retain your personal data for as long as your employer maintains an active account with us, or as required by law. When your employer's account is terminated or your employment record is removed:

• Your personal data will be deleted within 90 days
• Audit log entries may be retained in anonymized form for up to 12 months
• Data required by law may be retained for the legally mandated period

8. Your Rights

For all users: You have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data, subject to legal obligations
• Objection: Object to the processing of your personal data
• Portability: Request transfer of your data in a structured, machine-readable format
• Opt-out of WhatsApp: Stop interacting with the bot at any time; contact your employer to remove your phone number

For Kenya residents: These rights are provided under the Kenya Data Protection Act, 2019. To lodge a complaint, contact the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.

For California residents: Under the CCPA, you have additional rights including the right to know what personal information is collected, the right to delete, and the right to non-discrimination for exercising your rights. We do not sell personal information. In the preceding 12 months, we have collected the categories of information described in Section 1 for the business purposes described in Section 2.

For all US residents: Depending on your state of residence, you may have additional privacy rights under state law (including but not limited to Virginia VCDPA, Colorado CPA, Connecticut CTDPA). Contact us to exercise any applicable rights.

To exercise any of these rights, contact us at privacy@workflow.co.ke. We will respond within 30 days.

9. WhatsApp Messaging and Consent

When your employer adds you to the platform, you will receive a one-time activation message via WhatsApp. You must confirm your participation before receiving scheduling messages. By confirming:

• You consent to receiving work-related WhatsApp messages (schedule notifications, shift updates, announcements)
• You can stop receiving messages at any time by contacting your manager
• We do not use your WhatsApp data for marketing purposes
• Message frequency depends on your employer's scheduling activity

10. Cookies and Tracking

Our web portal uses minimal local storage for session management. We do not use third-party tracking cookies, advertising cookies, or analytics services that track individual users.

11. Children's Privacy

Our service is intended for use by employed adults. We do not knowingly collect personal data from individuals under the age of 16 (or 18 in Kenya). If we learn we have collected data from a minor, we will delete it promptly.

12. International Data Transfers

Your data may be processed on servers located outside your country of residence (including the United States and European Union) through our cloud service providers. For transfers from Kenya, we ensure appropriate safeguards are in place in accordance with the Data Protection Act. For transfers involving US data, our service providers maintain appropriate security standards.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach, as required by Section 43 of the Kenya Data Protection Act, 2019.
• Notify affected data subjects without unreasonable delay where the breach is likely to result in a high risk to their rights and freedoms.
• Document all breaches, including the facts, effects, and remedial actions taken.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes to how we process your data, we will notify you by email or through a prominent notice on the Service and obtain fresh consent where required under the Kenya Data Protection Act. Minor changes will be reflected by updating the "Last updated" date above.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Workflow Scheduling
Email: privacy@workflow.co.ke
Nairobi, Kenya