Data Access Policy
This Data Access Policy describes how Workalizer accesses, processes, and protects Google Workspace data when providing our analytics service. Workalizer is developed and operated by InfoHub Works Limited, a company registered in England and Wales (company number 11499103), with its registered office at 124 City Road, London, England, EC1V 2NX. This policy is intended to give your organization and technical teams a clear, accurate picture of our data practices so you can assess risk and meet your own compliance and governance obligations.
1. Our Role and Yours
Your organization is the data controller for the personal data in your Google Workspace. Workalizer acts as a data processor: we process that data only on your documented instructions and for the purposes of delivering the analytics service. We do not determine the purposes or means of processing beyond what is necessary to provide the service. This division of roles is consistent with the EU General Data Protection Regulation (GDPR) and other applicable data protection law.
2. How We Access Data (Technical)
We access Google Workspace data exclusively through official Google APIs (e.g. Admin SDK, Workspace APIs for Gmail, Drive, Meet, Chat). We do not scrape websites, intercept traffic, or use any mechanism other than the APIs and the OAuth or admin-delegated authorization your organization grants. The scopes we request are limited to what is needed to compute the analytics and insights we offer (e.g. read-only metadata and usage data). Your administrators control which APIs and scopes are enabled; you can revoke access at any time via your Google Workspace or Google Cloud project settings.
3. What We Do and Do Not Do With the Data
We do: Fetch data via the APIs (on a scheduled or on-demand basis), aggregate and derive metrics (e.g. counts, durations, trends), and generate dashboards, reports, and AI-generated insights for performance and productivity purposes. Processing is confined to what is necessary to deliver and operate the service.
We do not: Collect or retain raw activity logs; build our own logs of user actions; mine or analyze the content of emails, documents, or chats for purposes other than providing the agreed analytics; use your data for advertising or marketing to individuals; or sell, license, or share your data with third parties for their own purposes. We do not use your data to train AI models for use outside your organization's instance of the service.
4. Data Flow and Retention
Data is fetched from Google, processed (aggregated or otherwise derived) in our systems, and the results are presented in the service. We do not retain raw fetched data longer than necessary to produce the analytics and to operate the service (e.g. caching for performance). Retention of any stored metrics or derived data follows our contractual commitments and your instructions as controller. You can request deletion or return of data in line with your agreement with us and applicable law.
5. Security Measures
We implement technical and organizational measures designed to protect the data we process, including:
- Encryption: Data in transit is protected using TLS. Data at rest is encrypted using industry-standard methods.
- Access control: Access to systems that process your data is restricted to authorized personnel and is governed by role-based and need-to-know principles.
- Infrastructure and operations: We use infrastructure and operational practices that support security, availability, and integrity of the service.
- Development and change management: We follow secure development and change-management practices to reduce the risk of vulnerabilities and unauthorized changes.
We can provide further detail on request or as set out in a Data Processing Agreement or security appendix.
6. Subprocessors and International Transfers
We may use subprocessors (e.g. hosting providers, support tools) to provide the service. Any subprocessor that processes personal data on our behalf is bound by contract to protect that data in line with our commitments and applicable law. If we transfer personal data outside the European Economic Area (EEA) or the UK, we use appropriate safeguards such as standard contractual clauses or other mechanisms recognized under GDPR and UK data protection law. You may request a list of subprocessors and information about transfer safeguards via our Contact page or your agreement.
7. Compliance and Your Obligations
We process personal data in accordance with applicable data protection law and our contractual obligations. We assist you, as controller, in meeting your obligations under GDPR and similar laws, including by supporting responses to data subject requests (access, rectification, erasure, restriction, portability, objection), cooperating with supervisory authorities, and, where agreed, assisting with data protection impact assessments and audits. You remain responsible for establishing a lawful basis for the processing (e.g. legitimate interest, contract, or consent), informing data subjects, and ensuring that your use of the service complies with employment and other applicable law.
8. Changes and Contact
We may update this Data Access Policy from time to time. Material changes will be communicated as set out in your agreement or by notice on our website. For questions about data access, processing, or security, or to request a Data Processing Agreement or subprocessor list, please use the Contact page or write to InfoHub Works Limited, 124 City Road, London, England, EC1V 2NX.