Privacy Policy
Last Updated: June 18, 2026At WorkMesh, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our field service management platform, including our mobile applications and web services.
By using WorkMesh, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, phone number, password, company/organization name, and role
- Profile Information: Profile photo, job title, department, and preferences
- Customer Data: Names, addresses, contact information, and service history of your customers
- Work Orders: Job details, service descriptions, schedules, and completion notes
- Visit Records: Service visit details, timestamps, and activity logs
- Photos and Files: Images and documents uploaded to document work completion
1.2 Information Collected Automatically
- Location Data: GPS coordinates when you use location-based features (see Section 3)
- Device Information: Device type, operating system, unique device identifiers, and IP address
- Push Notification Tokens: Device tokens required to send push notifications
- Usage Data: App interactions, feature usage, and error logs for crash reporting
- Log Data: API requests, authentication events, and system activities (retained for 7 years for compliance)
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain the WorkMesh service
- Authenticate users and secure accounts
- Enable field service operations (scheduling, routing, visit tracking)
- Send notifications about work assignments and updates
- Process and store photos and files uploaded during service visits
- Generate reports and analytics for business operations
- Detect and prevent fraud, abuse, and security incidents
- Debug and improve application performance
- Comply with legal obligations and industry regulations
3. Location Data
3.1 Foreground Location
WorkMesh uses your device's location when the app is open to:
- Navigate to scheduled service visits
- Display your current position relative to job sites
- Calculate travel distances and estimated arrival times
3.2 Background Location (iOS Only)
On iOS devices, WorkMesh may collect location data in the background to:
- Automatically record arrival times at visit locations
- Track visit completion for time-stamping purposes
- Enable automatic status updates when entering/exiting job sites
Important: Background location collection is disabled on Android. iOS users can disable background location at any time in their device settings, though this may affect automatic visit tracking features.
3.3 Location Storage
Location data is stored with your visit records and is accessible to authorized users within your organization. We do not share location data with third parties for advertising or marketing purposes.
4. Photos and Files
WorkMesh allows you to capture and upload photos and documents to:
- Document work completion and service quality
- Attach evidence to work orders and visit records
- Store customer signatures and approvals
Storage: Files are stored securely on Cloudflare R2 storage with encryption at rest. Access is limited to authorized users within your organization.
Retention: Photos and files associated with active work orders are retained indefinitely for operational and compliance purposes. Files are deleted 30 days after account deletion is finalized.
5. Push Notifications
We use push notifications to inform you about:
- New work assignments and schedule changes
- Visit reminders and deadline alerts
- Team member updates and messages
- System maintenance and important announcements
Push notification tokens are generated by your device's operating system (Apple APNS or Google FCM) and stored securely. You can disable push notifications in your device settings or app preferences at any time.
6. Data Retention
| Data Type | Retention Period | Notes |
|---|---|---|
| Account information | 60 days after deletion request | Grace period allows account recovery |
| Work orders & visit history | 7 years | Business and regulatory compliance |
| Activity/audit logs | 7 years | Compliance and security purposes |
| Photos and files | 30 days after account deletion | Then permanently deleted |
| Push tokens | Until account deletion | Deleted with account closure |
| API access logs | 90 days | Security monitoring |
7. Data Sharing and Third-Party Services
We do not sell your personal data. We share data only with trusted service providers (subprocessors) necessary to operate our platform:
| Service Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Railway | Application hosting, database | All application data | United States |
| Cloudflare | CDN, security, file storage (R2) | Files, photos, web traffic | Global edge network |
| Resend | Transactional email delivery | Email addresses, email content | United States |
| Expo | Push notifications, OTA updates | Push tokens, device info | United States |
| Bugsnag | Error monitoring, crash reporting | Error logs, device info, user context | United States |
| Twilio (optional) | SMS notifications | Phone numbers, message content | United States |
| Meta Cloud API (optional) | WhatsApp notifications | Phone numbers, message content | Global |
7.1 International Data Transfers
For customers in the European Union, United Kingdom, and Brazil, we rely on Standard Contractual Clauses (SCCs) to ensure adequate protection for international data transfers to the United States.
8. Security
We implement industry-standard security measures:
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
- Encryption at rest: Database and file storage use AES-256 encryption
- Access controls: Role-based permissions restrict data access to authorized users
- Authentication: Secure password hashing and optional multi-factor authentication
- Regular audits: Security assessments and penetration testing
- Incident response: Breach notification procedures in compliance with GDPR/LGPD
9. Your Rights
Depending on your location, you may have the following rights:
9.1 GDPR (European Union) and UK GDPR
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
9.2 LGPD (Brazil)
- Confirmation of data processing
- Access to your data
- Correction of incomplete or inaccurate data
- Anonymization, blocking, or deletion of unnecessary data
- Portability to another service
- Deletion of data processed with consent
- Information about third parties with whom data is shared
9.3 CCPA/CPRA (California)
- Right to know what personal information is collected
- Right to know if personal information is sold or shared
- Right to opt out of sale/sharing of personal information
- Right to non-discrimination for exercising privacy rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
To exercise your rights, contact us at support@getworkmesh.com. We will respond within 30 days.
10. Account Deletion
10.1 How to Delete Your Account
You can request account deletion directly from the WorkMesh mobile app:
- Open the WorkMesh app and navigate to Settings
- Select "Account" → "Delete My Account"
- Enter your password to confirm
- Tap "Delete My Account" to submit the request
10.2 What Happens When You Delete
- Immediate: Your account enters a 60-day grace period. Local app data is wiped from your device.
- During grace period: You can contact support to cancel deletion and restore your account.
- After 60 days: Your account and personal data are permanently deleted.
- Operational data: Work orders, visit records, and associated photos are retained for 7 years for your organization's compliance and audit requirements. This data is anonymized where possible.
10.3 Exceptions
We may retain certain data where required by law, including:
- Financial transaction records
- Audit logs required by industry regulations
- Data necessary to establish, exercise, or defend legal claims
11. Cookies and Tracking
WorkMesh uses minimal cookies and tracking technologies:
- Essential cookies: Required for authentication and session management
- Cloudflare Turnstile: Used for bot protection and security during login
- Analytics: We use Bugsnag for error tracking only - no behavioral analytics or advertising cookies
We do not use cookies for third-party advertising, cross-site tracking, or profiling for marketing purposes. For more details, see our Cookie Policy.
12. Children's Privacy
WorkMesh is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child under 16, please contact us immediately at support@getworkmesh.com and we will delete the information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the new policy on this page with an updated "Last Updated" date
- Sending an email notification to registered users
- Displaying an in-app notification
Continued use of WorkMesh after changes constitutes acceptance of the revised policy.
14. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@getworkmesh.com
Website: getworkmesh.com
For privacy-specific inquiries or to exercise your data protection rights, please include "Privacy Request" in the subject line.
15. Regional Privacy Contacts
European Union / GDPR
For GDPR-related inquiries, contact us at support@getworkmesh.com. While we do not currently have an EU establishment, we have appointed a representative for GDPR compliance.
Brazil / LGPD
For LGPD-related inquiries, contact us at support@getworkmesh.com.
California / CCPA
California residents can submit privacy requests to support@getworkmesh.com or call our support line.
16. Dispute Resolution
If you have a privacy-related complaint that we cannot resolve directly, you may have the right to lodge a complaint with your local data protection authority:
- EU: Your national Data Protection Authority
- UK: Information Commissioner's Office (ICO)
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD)
- California: California Attorney General's Office