Privacy Policy
Last updated: July 7, 2026
Better Workspaces ("we", "us", or "our") operates the Better Workspaces collaboration platform, including our website, API, and desktop application (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and share information when you use the Service.
By creating an account or using the Service, you agree to this Privacy Policy.
1. Who we are
Service name: Better Workspaces
Contact: [email protected]
Legal entity: Better Workspaces (India)
If you have questions about this policy or your data, contact us at the email above.
2. Information we collect
We collect information in the following categories:
2.1 Account and identity information
When you register, we collect:
- Name and email address
- Password (stored in hashed form; we never store plain-text passwords)
- Email verification status
- Optional profile image
We use Better Auth for authentication. Sign-up is currently email and password only (OAuth providers may be added later).
2.2 Session and security information
When you sign in, we create a session and may store:
- Session token in an HttpOnly cookie named
bw.session_token(or similar, prefixed withbw) - IP address and browser user agent associated with your session
- Session data in our primary database and in Cloudflare KV for performance
We may also record audit logs of certain workspace actions (for example, invitations and administrative changes).
2.3 User-generated content and workspace data
When you use the Service, we store content you and your teammates create, including:
- Messages in channels, direct messages (DMs), and threads
- Reactions, mentions, and replies
- Files you upload (metadata in our database; file contents in Cloudflare R2)
- Canvases (collaborative drawings) and boards (task/kanban data)
- Workspace, team, space, and channel membership and settings
- Notifications and your notification preferences
- Invite and join-request activity
Workspace administrators may access and moderate content within workspaces they manage, subject to their role and permissions.
2.4 Device, push notification, and local data
Web push notifications: If you opt in, we use Firebase Cloud Messaging (FCM) to deliver push notifications. We store a device push token, platform type, and last-used timestamp. The Firebase JavaScript SDK is used only for token registration — not for authentication or analytics.
Local persistence (web): To improve performance and offline resilience, the web app may store workspace data in your browser's IndexedDB and limited keys in localStorage / sessionStorage (for example, theme preference, last workspace, and push token references).
Desktop app: Our Tauri desktop application stores a local encrypted copy of workspace data on your device using your operating system's keychain for encryption keys.
Navigation state: We store per-user navigation preferences (last workspace, space, and channel) in Cloudflare D1 so your place in the app can be restored across sessions. This state may persist across sign-out and sign-in by design.
2.5 Realtime and presence data
When you are active in a workspace, we process ephemeral realtime data via Cloudflare Durable Objects, including:
- WebSocket connections for live message delivery
- Typing indicators
- Online, away, or offline presence within a space
This data is transient and used to power live collaboration features.
2.6 Cookies and similar technologies
We use cookies and similar technologies for:
| Cookie / storage | Purpose |
|---|---|
bw.session_token (HttpOnly) |
Keeps you signed in securely |
sidebar_state |
Remembers UI sidebar open/closed preference (7-day max-age) |
Theme and bw:-prefixed keys |
UI preferences and client-side state |
We do not use third-party advertising cookies. When observability is enabled in a deployment, we use Cloudflare Web Analytics for aggregate page views and performance on our web app, and Cloudflare Analytics Engine (via our own API) for privacy-conscious product events such as sign-in and workspace creation. Client and server errors are logged through our API and Cloudflare Workers observability — not sent to external error vendors like Sentry. Neither pipeline receives your message content. Product analytics correlates signed-in users using a one-way hash of an internal id — not your email or display name. When these features are not configured, we do not deploy third-party analytics or measurement tools (such as Google Analytics) in our application.
2.7 Information we do not intentionally collect
We do not knowingly collect sensitive categories of personal data (such as health, biometric, or financial information) unless you voluntarily include them in user-generated content.
3. How we use your information
We use collected information to:
- Provide, operate, and maintain the Service
- Authenticate you and manage your account and sessions
- Deliver messages, files, notifications, and realtime updates
- Send transactional emails (verification, password reset, invitations, and notification digests) via Cloudflare Email
- Enforce our Terms of Service, acceptable use rules, and workspace policies
- Protect the security and integrity of the Service
- Comply with legal obligations
- Improve reliability and fix bugs (using operational logs, not third-party analytics)
We do not sell your personal information.
4. Legal basis for processing (EEA/UK users)
If you are in the European Economic Area or United Kingdom, we process your data on the following bases:
| Purpose | Legal basis |
|---|---|
| Providing the Service you signed up for | Performance of a contract |
| Security, fraud prevention, and abuse enforcement | Legitimate interests |
| Transactional communications | Performance of a contract / legitimate interests |
| Optional push notifications | Consent (you can disable them in your browser or device settings) |
| Legal compliance | Legal obligation |
You may withdraw consent for optional processing (such as push notifications) without affecting the lawfulness of prior processing.
5. How we share information
We share information only as described below:
5.1 With your workspace
Content you post in a workspace is visible to members according to channel visibility, space permissions, and workspace roles. Direct messages are visible to participants only. Private channels are visible to invited members.
5.2 Service providers (processors)
We use trusted providers to run the Service:
| Provider | Role |
|---|---|
| Cloudflare | Hosting (Workers, Pages), object storage (R2), edge databases (D1), session cache (KV), Durable Objects, email delivery, and optional Access protection for internal admin tools |
| Neon (or equivalent Postgres host) | Primary application database |
| Google Firebase | Push notification delivery (FCM) only |
These providers process data on our behalf under contractual safeguards.
5.3 Legal requirements
We may disclose information if required by law, court order, or governmental request, or when we believe disclosure is necessary to protect rights, safety, or the integrity of the Service.
5.4 Business transfers
If we are involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
6. Data retention
We retain information for as long as needed to provide the Service and fulfill the purposes in this policy:
- Account data is kept while your account is active
- User-generated content is retained according to workspace settings and soft-delete policies; deleted content may be purged after a reasonable period
- Sessions expire automatically and inactive sessions are removed
- Push tokens are removed when you sign out, disable notifications, or when they become invalid
- Audit logs are retained for security and compliance for a limited period
- D1 navigation state may persist until overwritten or deleted
When you delete your account (where available), we will delete or anonymize personal data within a reasonable timeframe, except where retention is required by law or for legitimate security purposes.
7. Your rights and choices
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate information (via profile and account settings)
- Delete your account and associated data (contact us or use account settings where available)
- Export your data (contact us for assistance)
- Object to or restrict certain processing
- Withdraw consent for optional features like push notifications
To exercise these rights, email [email protected]. We may need to verify your identity before responding.
EEA/UK residents may also lodge a complaint with your local data protection authority.
California residents: We do not sell personal information. You may have rights under the CCPA/CPRA, including access and deletion requests.
8. Security
We implement technical and organizational measures designed to protect your information, including:
- Hashed passwords and HttpOnly session cookies
- Encryption in transit (HTTPS/TLS)
- Encrypted local storage in the desktop app
- Role-based access controls within workspaces
- Infrastructure security provided by our cloud providers
No method of transmission or storage is 100% secure. You are responsible for keeping your password confidential.
9. Children's privacy
The Service is not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will delete it.
10. International data transfers
We and our service providers may process data in countries other than where you live, including the United States and other regions where Cloudflare and our database providers operate. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. For material changes, we may notify you by email or in-app notice. Continued use after changes take effect constitutes acceptance.
12. Contact us
Better Workspaces
Email: [email protected]
For terms-of-use questions, see our Terms of Service.