Data categories and subjects
The distinct categories of data in Eddy, who controls each, the data subjects covered by the DPA, and sensitive data tiers.
COUNTER-DRAFT — Eddy Works, 11 June 2026. Published here for review — not yet approved by counsel and not yet in force.
1. Data categories
"Data" across the Eddy policies refers to the following distinct categories, each carrying different rights.
| Category | Description | Controller |
|---|---|---|
| Customer Content | Data typed, uploaded, or decided by users in Map stages | Customer |
| Map Configuration | Process designs — Maps, Stages, Blocks, Transitions, Roles | Customer (author org) |
| Process Execution State | Live state of a run — Session assignments, stage state, routing | Customer |
| Process Metadata | Operational trace — timestamps, durations, handoff timing, path taken | Generated by Eddy Works |
| Usage Telemetry | Product analytics events — page views, feature events, audit logs | Eddy Works |
| Analytical Data | De-identified / aggregated statistics and trends | Eddy Works |
| Template IP | Map blueprints in Private, Partner, or Public tier | Tier-dependent — see clause 11 |
| AI Inputs/Outputs | Prompts submitted to and results returned from AI features | Customer Content in nature |
The Controller column determines who can request, export, or delete each category — and who is legally responsible for it. Categories where the Customer is controller are processed by Eddy Works as Processor under the DPA. Categories where Eddy Works is controller are governed by the Privacy Policy.
2. Data subjects
The Data Processing Agreement covers the following categories of data subject.
| Category | Description |
|---|---|
| Organisation Owners, Admins, and Members | Employees or contractors of the Customer using the Service under the Customer's Organisation |
| Guests / External Participants | Individuals invited to participate in a Session via a link; hold independent Eddy accounts; co-own access to Session stages they participated in |
| Contacts | Individuals named in Customer Content (form responses, comments) who are not Eddy users; no foreign-key (FK) link to a user record; Customer is controller |
Eddy Works processes Personal Data to: provide the Service (Map execution, Session routing, Table storage); send transactional notifications; provide support; maintain platform security and integrity; and generate anonymised operational analytics. Processing is carried out for the duration of the Customer's subscription and as described in clause 12 of the DPA on termination.
3. Sensitive data
The following categories may be processed where the Customer (as controller) has confirmed an appropriate lawful basis under Article 9 GDPR:
- Health and safety incident data
- Equality and diversity data
- Educational records
- Employment-related performance and disciplinary data
Payment card data, biometric data for identification, HIPAA-regulated health data, and other Tier 1 categories (as defined in the AUP) may not be processed via Eddy without a separate written agreement.
