eddy.docs
Active | Owner: Dan | Updated: 11 Jun 2026

Privacy Policy

Eddy Works Privacy Policy — NZPA + GDPR + UK GDPR + Swiss DPA. Dual controller/processor framing. Counter-draft for review.

COUNTER-DRAFT — Eddy Works, 11 June 2026. Published here for review — not yet approved by counsel and not yet in force.

What this means

The plain-English summaries in each section ("What this means") are for ease of reading only. They are not legally binding. The full clauses above each summary govern.

1. Introduction

1.1

Eddy Works Limited (Eddy Works, we, us, our) complies with the New Zealand Privacy Act 2020 (NZPA), the General Data Protection Regulation 2016/679 (GDPR), the Swiss Federal Act on Data Protection (Swiss DPA), the UK Data Protection Act 2018 and UK GDPR (together, UK Data Protection Laws, and together with the GDPR and the Swiss DPA, the EU/UK Data Protection Laws), and other applicable privacy and data protection laws (applicable privacy laws).

1.2

Personal information is information about an identifiable individual. Under the EU/UK Data Protection Laws, personal information is called personal data. We use these terms interchangeably in this Policy.

1.3

This Policy sets out how we collect, use, disclose, and protect your personal information when you access or use the Eddy platform (the Service). It also applies when you otherwise deal with us directly.

1.4

If you wish to seek further information on the applicable privacy laws:

1.5

Questions and correction requests should be sent to legal@eddy.works.

1.6

This Policy does not limit or exclude any of your rights under applicable privacy laws.

What this means

This policy tells you how Eddy Works handles personal information about you. We operate under New Zealand, EU (GDPR), UK, and Swiss privacy laws. This policy applies to your account and your use of the platform — not to data that a customer organisation collects through their own processes (for that data, the customer is responsible).

2. What this policy covers — and does not cover

2.1

This Policy describes how we collect, use, disclose, and protect your personal information in connection with your use of the Service.

2.2

What it does not cover: the collection and use of personal information by Customers through their Maps, Sessions, and Tables. When a Customer uses the Service to collect and process personal information through their own processes, the Customer is the data controller under applicable privacy laws, and we are a data processor.

2.3

We only process Customer-controlled data as authorised in our agreements with that Customer. We will forward any request or question about Customer-controlled data to the relevant Customer, subject to our obligations under applicable law.

2.4

The remainder of this Policy does not apply to personal information that Customers collect, store, and process through their Maps and Sessions.

What this means

This policy covers what Eddy Works does with your account data and how you use the platform. It does not cover data collected by a customer organisation through their Maps — if you are filling out a process someone else has built, direct privacy questions about that process to the organisation that set it up, not to Eddy Works.

3. Our dual role

Eddy Works acts in two distinct capacities depending on the data involved:

As a data processor — when we store and process personal information that Customers (and their invited participants) submit through Maps, Sessions, and Tables, the Customer is the controller. We process that data only as directed.

As a data controller — when we collect and process your account information, usage telemetry, and aggregated analytical data for the purposes of providing, securing, and improving the Service, we are the controller and this Policy applies in full.

What this means

Eddy Works wears two hats. When you submit data into someone else's process (a Map), the organisation that built the process is legally responsible for it — we just store and move it on their behalf. When it comes to your account information and how you use the product, we are responsible, and this policy applies in full.

4. Changes to this policy

4.1

We may update this Policy from time to time. We will notify you of material changes by posting the revised Policy on the Service and, where required by law, by notifying you directly. Continued use of the Service after the change takes effect constitutes acceptance of the revised Policy.

4.2

This Policy was last updated on 11 June 2026.

What this means

If we materially change this policy, we will notify you and post the update. Continuing to use the Service after the change takes effect means you accept the new version.

5. Age

5.1

The Service is not intended for children under 13. If you have reason to believe we have collected personal information from or about a child under 13, please contact us at legal@eddy.works.

5.2

For users between 13 and 18, we require verifiable guardian or school consent before account creation. Access for minors without appropriate consent is prohibited under the Terms of Use.

What this means

The Service is for users aged 13 and over. Users under 18 need verifiable parental or school consent. If you think we have inadvertently collected data from a child under 13, please contact us.

6. What personal information we collect

6.1

Directly. When you register an Eddy account, we collect your name, email address, and phone number. We may also collect your profile photo, job title, and organisation name if you provide them.

If you contact us for support, dispute resolution, or any other reason, we collect the information you provide in that communication.

If you subscribe to a paid plan, billing information is collected and processed by our payment processor (Stripe) on our behalf. We receive limited payment identifiers (e.g. a payment method token) but do not store full card details.

Some personal information is required to provide the Service; some is optional. We will indicate which at the point of collection.

6.2

Indirectly. When you are invited into an Organisation by a Customer, the Customer or their administrator may provide us with your name and email address to create your invitation or account.

When another user contacts us about a matter involving you (for example, a dispute), we collect information they provide in that context.

6.3

Automatically. When you use the Service, we collect:

  • information about your device and usage, including your IP address, browser type, pages visited, and time spent in the Service
  • product analytics events via PostHog (EU-hosted) — see Subprocessors for detail
  • audit logs and access records for security and support purposes

Some of this data is collected through cookies and similar technologies. See clause 14.

We also capture process execution data when you participate in a Session — including your stage responses, timestamps, and participation history. As noted above, this data is controlled by the Customer who owns the Session, not by Eddy Works.

6.4

From third parties. We may receive information about you from authentication providers (currently Auth0) when you sign in. We may also receive limited information from public sources to the extent reasonably necessary to verify identity or comply with legal obligations.

What this means

We collect your name and email when you sign up, and device and usage data automatically while you use the product. If you are invited to an organisation, the administrator may supply your details. We do not store full card numbers — Stripe handles payment processing. Analytics are collected via PostHog on EU infrastructure. Data you submit inside someone else's process is controlled by that organisation, not us.

7. Data categories, purposes, and lawful bases

We collect and process the following categories of personal data for the purposes described below.

| Category | Fields collected | Purpose | Lawful basis | Retention |
| --- | --- | --- | --- | --- |
| Account information | Email address, display name, profile photo | To create and operate your Eddy account, send service notifications, and enable you to participate in Sessions. | Contract (Art 6(1)(b)) | Until account deletion. On deletion, name and email are anonymised; Auth0 account is hard-deleted. |
| Organisation and workspace membership | Organisation name, workspace name, role within organisation | To place you within an Organisation's workspace, assign roles, and control access to Maps, Sessions, and Tables. | Contract (Art 6(1)(b)) | Membership rows deleted on removal. On account deletion, workspace memberships are deleted. |
| Process participation data | Session assignments and stage tokens, map role assignments, session initiator records | To assign you to stages in a Session, enforce per-stage access control, and record your participation in the process record. | Contract (Art 6(1)(b)) | Session assignment tokens persist after membership removal. On account deletion, tokens are orphaned to the anonymised user record and retained for process integrity. |
| Customer Content | Form responses (cell data), file uploads, comments, votes and decisions | To run the process the Organisation has designed and produce a structured record (Table Row) for the Organisation. | Contract (Art 6(1)(b)) | Cell data retained after account deletion, orphaned to anonymised user. No automated retention schedule in place. |
| Map Configuration | Map designs (stages, blocks, transitions, roles), template definitions | To store and execute the process design the Organisation has built. | Contract (Art 6(1)(b)) | Retained for as long as the Organisation's subscription is active. No automated expiry. |
| Process Metadata | Stage completion timestamps, handoff durations, path taken through a Map | To operate the platform, provide the Operator view, improve reliability, and produce anonymised analytics. Eddy Works is the controller for this category. | Legitimate interests (Art 6(1)(f)) | Retained for as long as the Session exists. No automated expiry. |
| Usage Telemetry | Pages visited, feature interaction events, session duration, IP address and browser type | To understand how the product is used and improve the Service. Collected via PostHog (EU-hosted). Eddy Works is the controller. | Consent (Art 6(1)(a)) | Retained in PostHog per PostHog's data retention settings. |
| Audit and error data | Audit log events, error stack traces, request metadata | To diagnose errors, investigate incidents, and provide support. Error data collected via Sentry. | Legitimate interests (Art 6(1)(f)) | Retained for the duration of the audit log. Error data retained per Sentry's retention settings. |
| Authentication data | Login events, authentication tokens (managed by Auth0) | To verify your identity on login and protect your account. Managed by Auth0 (Okta), hosted in Australia. | Contract (Art 6(1)(b)) | Auth0 account is hard-deleted when your Eddy account is deleted. |

7.1

No automated retention schedule is currently implemented. Data is retained indefinitely unless a deletion request is processed manually. Implementing a retention schedule is on the product roadmap.

What this means

This table shows exactly what data we collect, why, the legal basis (required under GDPR), and how long we keep it. Most account and membership data is held on the basis of our contract with you. Analytics use consent. Note: automated retention schedules are not yet implemented — data is retained manually until that ships.

8. How we use your personal information

8.1

We use personal information that we control for the following purposes:

  • Account management: to create, maintain, and manage your Eddy account
  • Service delivery: to provide the Service to you, to Organisations you are a member of, and to external participants in Sessions you initiate
  • Communication: to send you service-related notices, updates to this Policy or the Terms of Use, and responses to your support requests
  • Security and integrity: to detect fraud, prevent abuse, protect the Service, and enforce our Terms of Use
  • Legal compliance: to comply with applicable laws, respond to lawful government requests, and fulfil our obligations under applicable privacy laws
  • Disputes: to investigate and assist in resolving disputes between users
  • Analytics and improvement: to understand how the Service is used and to improve it, using aggregated and de-identified data
  • Marketing: to contact you about products and services that may interest you (you can unsubscribe from marketing emails at any time by following the unsubscribe link)
  • Billing: to process payments and manage your subscription

8.2

We will not use Customer Content (personal information collected through your Maps and Sessions) for our own product development, marketing, or AI training purposes without your consent.

8.3

Use of data for AI development: Eddy Works is not training AI models today and does not claim a right to train on your data. If we introduce an AI training programme in the future, it will use anonymised data only, and you will have an opt-out option. See AI Transparency for our full AI stance.

8.4

We may transfer personal information in connection with a sale, merger, or reorganisation of our business. We will notify you of any such transfer where required by applicable law.

8.5

You may stop receiving marketing emails by following the unsubscribe instructions in those emails or by contacting us at legal@eddy.works.

What this means

We use your information to run your account, deliver the Service, keep the platform secure, and improve the product using aggregated data. We will not use data you submit into someone else's process for our own marketing or AI training. You can unsubscribe from marketing at any time. We do not currently train AI models on your data.

9. Disclosing your personal information

9.1

We may disclose your personal information to:

  • Other users, in the ordinary course of the Service (for example, your name is visible to members of Organisations you belong to and to other participants in shared Sessions you take part in)
  • The Organisation's administrators, where you use the Service as a member of or participant in a Customer's Organisation
  • Service providers and subprocessors — third-party companies we use to operate the Service. A list of our current subprocessors is published at Subprocessors. We require subprocessors to protect personal information to an equivalent standard
  • AI service providers — only in the limited circumstance that an AI feature is active and you have not opted out, and only using anonymised data
  • Dispute parties — where relevant to a dispute between users, we may share contact and context information with parties to that dispute
  • Professional advisers — accountants, lawyers, auditors, and insurers as needed
  • Regulatory and law enforcement authorities — where required by applicable law or in response to a lawful request
  • Acquirers — in connection with a sale, merger, or reorganisation of our business

9.2

We do not sell your personal information to third parties.

What this means

Your name is visible to others in the Service in the normal course of use (for example, to other members of organisations you belong to). We share data with the third-party services we use to operate the platform (listed on the Subprocessors page). We do not sell your information.

10. Third-party service providers (subprocessors)

The following third-party companies help us operate the platform.

| Service | Purpose | Privacy policy |
| --- | --- | --- |
| Auth0 (Okta) | Identity, authentication, and session management | View |
| UploadThing (AWS S3) | Participant and Customer file uploads | View |
| Inngest | Background job processing, scheduled Session starts, and notification dispatch | View |
| PostHog | Product usage analytics and server-side event capture | View |
| Ably | Real-time Session updates, presence indicators, and live collaboration | View |
| DigitalOcean (PostgreSQL) | Primary application database | View |
| Mailgun | Transactional email and notification delivery | View |
| Sentry | Error monitoring and diagnostics | View |
| Vercel | Application hosting and serverless function execution | View |

Full detail on purpose, data touched, and regions is on the Subprocessors page.

11. International transfers of personal information

11.1

The Service is operated from New Zealand, with infrastructure primarily located in the EU (Frankfurt) via our hosting provider (Vercel) and database provider (DigitalOcean). Some subprocessors operate in other regions:

  • Auth0 (Okta): identity and authentication — hosted in Australia. Australia is recognised as providing adequate protection by the European Commission.
  • Sentry: error monitoring — currently hosted in the US (Iowa).
  • Inngest: background job processing — hosted in the US. Event payloads contain primarily opaque identifiers (UUIDs); personally identifiable information is resolved within EU-hosted serverless functions.

11.2

New Zealand is recognised by the European Commission, the relevant Swiss authorities, and UK authorities as providing adequate protection for personal data.

11.3

Where we transfer personal information outside the EEA, Switzerland, or the UK in the absence of an adequacy decision, we put in place appropriate safeguards (such as Standard Contractual Clauses). Contact us at legal@eddy.works for further information on the safeguards applicable to any specific transfer.

What this means

Most of your data is stored in the EU (Frankfurt). New Zealand is recognised as providing adequate protection under EU, Swiss, and UK law. A small number of subprocessors operate in the US or Australia; where no adequacy decision applies, we use Standard Contractual Clauses.

12. Protecting your personal information

We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse. We implement technical and organisational measures appropriate to the risks of processing personal information. A description of our security measures is published at Security.

What this means

We use appropriate technical and organisational controls to protect your data. The Security page describes those measures in detail.

13. Accessing and correcting your personal information

13.1

Subject to applicable law, you have the right to access the personal information we hold about you and to request a correction. Before responding, we will need to verify your identity.

13.2

If you request a correction and we consider it reasonable, we will make it. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.

13.3

To exercise these rights, email legal@eddy.works with evidence of your identity and the details of your request.

13.4

We may charge our reasonable costs of providing copies of personal information, unless prohibited by applicable law.

What this means

You can ask to see or correct the personal information we hold about you. Email us with proof of identity and we will respond. We may charge a reasonable fee for providing copies.

14. Account deletion

14.1

You may request deletion of your Eddy account by contacting legal@eddy.works. We will process your request within 30 days in accordance with applicable law.

14.2

Our approach: on deletion we anonymise your account record (replacing your name and email with anonymous placeholders) and delete your authentication credentials. Workspace memberships are removed. Responses you submitted as part of other users' Sessions may be retained in anonymised form — the Session record is co-owned by all participants, and removing your data unilaterally would affect other parties' records. We will respond to any GDPR erasure requests within 30 days and explain the basis for any data we retain.

14.3

An in-product account deletion flow is planned but not yet available. Until it ships, requests must be made by email.

What this means

You can ask us to delete your account by emailing us. We will anonymise your account record and remove your credentials within 30 days. Responses you submitted as part of shared processes may be retained in anonymised form — the session record belongs to all parties who participated. An in-product deletion flow is on the roadmap.

15. Data retention

15.1

We retain personal information for as long as necessary to provide the Service and fulfil the purposes described in this Policy, or as required by applicable law.

Specifically:

  • Account data — retained while your account is active; anonymised on account deletion
  • Session participation data — retained as part of the co-owned Session record; subject to mutual-consent deletion (a planned feature — the legal position can be settled now)
  • Audit and security logs — retained for 12 months
  • Aggregated and de-identified analytics — retained indefinitely; cannot be linked back to you personally

15.2

No automated retention schedule is currently implemented. Data is retained indefinitely unless a deletion request is processed manually. Implementing a retention schedule is on the product roadmap.

What this means

We keep your data for as long as needed to provide the Service or as required by law. Account data is anonymised when you delete your account. Aggregated analytics cannot be linked back to you. We do not yet have automated data expiry — that is on the product roadmap.

16. Data export

You may request a copy of your personal data. Today we can provide Map JSON exports and table CSV exports. A full user-level data bundle (account information + your session participation history + your submitted responses) is planned but not yet available.

What this means

You can request a copy of your data. We can currently provide Map and Table exports. A full personal data bundle is on the roadmap — until it ships, contact us and we will provide what we can.

17. Cookies

17.1

We use cookies and similar technologies to operate the Service, to remember your preferences, and to collect analytics data about how the Service is used.

17.2

Analytics: we use PostHog, hosted on EU infrastructure, for product analytics. In the EEA, we will request your consent before loading PostHog or any other non-essential analytics scripts.

17.3

You may disable cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service.

What this means

We use cookies to operate the Service and collect anonymised analytics (via PostHog on EU servers). In the EEA, we will ask for your consent before loading analytics. You can disable cookies in your browser, though this may affect some features.

18. Internet use

18.1

While we take reasonable steps to maintain secure connections, if you provide personal information to us online, the provision of that information is at your own risk. You are responsible for ensuring the security of your own transmission and taking measures to protect your personal information against the security risks inherent in sharing information online.

18.2

If you follow a link in the Service to a third-party website (including our payment processor), that website will have its own privacy policy. We suggest reviewing it before providing personal information.

What this means

Sending information over the internet always carries some risk. We secure our end, but you are responsible for your own connection. Third-party sites linked from the Service have their own privacy policies.

19. Contact

If you have questions about this Policy or our privacy practices, or to exercise your privacy rights, contact us at:

Eddy Works Limited

26 Egmont Street, Wellington, New Zealand

legal@eddy.works

20. EU, UK and Switzerland: additional terms

20.1

These additional terms apply if you are located in the EEA, Switzerland, or the UK and access or use the Service.

20.2

Our dual role under EU/UK law. As described in clause 3, Eddy Works acts as:

  • Data processor when we store and process personal data that Customers collect through their Maps and Sessions. The Customer is the data controller for that data. Eddy Works processes it only as directed under the applicable Data Processing Agreement.
  • Data sub-processor when a Customer is itself a processor for its own clients' data, and uses Eddy to store and process that data.
  • Data controller when we process your account information, usage telemetry, and aggregated analytical data for the purposes of providing, securing, and improving the Service.

The remainder of this section applies only to data for which we are the data controller.

20.3

Lawful bases for processing. Our lawful bases for processing your personal data depend on the context:

  • Contract performance — we process your account data and usage information to perform the contract for provision of the Service.
  • Legitimate interests — we process data for security, fraud prevention, service improvement, and analytics where this does not override your fundamental rights. We conduct balancing tests before relying on this basis.
  • Legal obligation — we process data where required by applicable law.
  • Consent — we process data for marketing communications and for non-essential cookies where we have obtained your consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Contact legal@eddy.works if you have questions about the legal basis for any specific processing.

20.4

Your data protection rights. Under EU/UK Data Protection Laws, you have the following rights (subject to applicable conditions and exemptions):

  • Right of access — to confirmation of whether we process your personal data and to a copy of it.
  • Right to rectification — to have inaccurate or incomplete personal data corrected or completed.
  • Right to erasure — to have your personal data deleted where it is no longer necessary for the purpose it was collected, or where you withdraw consent (where processing is based on consent). See clause 14 for how we handle erasure requests.
  • Right to restrict processing — to request restriction of processing in certain circumstances (for example, while contesting accuracy).
  • Right to object — to object to processing based on legitimate interests, including profiling for that purpose; and to object to processing for direct marketing (including profiling for that purpose).
  • Rights related to automated decision-making — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently undertake automated individual decision-making.
  • Right to data portability — to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller where technically feasible. (See clause 16 for current capabilities.)
  • Right to lodge a complaint — to lodge a complaint with your local supervisory authority if you believe your rights have not been respected.

To exercise any of these rights, contact legal@eddy.works. Where you are the data controller for personal data we process as a processor, we will notify you of any data subject request relating to that data and defer to your instructions.

20.5

Transfers outside the EEA / UK / Switzerland. See clause 11. Where we rely on Standard Contractual Clauses, copies are available on request from legal@eddy.works.

20.6

Representative. Eddy Works is incorporated in New Zealand. New Zealand is recognised by the European Commission, the relevant Swiss authorities, and the UK Information Commissioner's Office as providing adequate protection for personal data. By virtue of this adequacy determination, Eddy Works is not required to appoint an EU representative under Article 27 GDPR. Eddy Works has personnel based in an EU member state who may be contacted at legal@eddy.works.

What this means

If you are in the EEA, UK, or Switzerland, GDPR and equivalent laws give you specific rights over your data: to access it, correct it, delete it, restrict its use, or move it to another service. You can also object to certain types of processing and lodge a complaint with your local regulator. We operate under contract and legitimate-interests bases primarily; consent is used for marketing and non-essential cookies. Contact us to exercise any of these rights.
