Last updated: 2026-02-18
1. Introduction
This Privacy Policy explains how Jeremy Kidder ("we," "us," or "our") collects, uses, stores, and protects information through the MyWork platform ("Platform"), including the admin dashboard (mwadmin.makeitnice.world), customer portal (login.mywork.makeitnice.world), and public website (mywork.makeitnice.world).
MyWork is a multi-tenant SaaS platform. This means we handle two categories of data:
- Platform Data: Information we collect directly from Subscribers (business operators) and their team members to provide the Service.
- Subscriber Data: Information that Subscribers enter into the Platform about their own customers, contacts, and business operations. We process this data on behalf of our Subscribers.
By using the Platform, you consent to the practices described in this Privacy Policy. If you are a customer of one of our Subscribers (e.g., you use the customer portal), you should also consult that Subscriber's own privacy policy regarding how they handle your information.
2. Information We Collect
2a. From Subscribers and Team Members (Platform Data)
| Data Type | Examples | Purpose |
|---|
| Account information | Name, email, username, password (hashed) | Authentication, account management |
| Business information | Business name, address, phone, industry | Onboarding, platform configuration |
| Billing information | Subscription plan, payment history | Subscription management |
| Payment details | Credit card (via Stripe — we never store card numbers) | Payment processing |
| Usage data | Feature usage, resource counts, login history | Plan enforcement, analytics |
| Support interactions | Support tickets, messages, satisfaction ratings | Customer support |
2b. From Subscriber's Customers (Subscriber Data)
Subscribers may enter and store information about their customers in the Platform, including:
- Names, email addresses, phone numbers, and physical addresses
- Project/job details, scheduling information, and service history
- Documents, images, and files shared through the customer portal
- Messages exchanged through the Platform's messaging system
- Invoices, estimates, and payment records
We process Subscriber Data solely on behalf of and under the instructions of the Subscriber. The Subscriber is the data controller for their customer data; we are the data processor. See our Data Processing Agreement for details.
2c. Automatically Collected Information
- Session data: IP address, browser type, device type, operating system, and session timestamps.
- Session fingerprint: A hash of your user agent string and IP address subnet, used to detect session hijacking. This is not used for tracking across sessions.
- Public website analytics: Pages visited, scroll depth, click interactions, page load times, and navigation patterns (collected via our own first-party analytics system — no third-party trackers).
- Approximate location: IP-based geolocation (city/region/country) via ip-api.com, used for analytics on the public website.
3. How We Use Information
Platform Data (Subscriber/Team Member Info)
- Provide, operate, and maintain the Service
- Authenticate users and manage account security
- Process billing and subscription changes
- Enforce plan limits and usage quotas
- Provide customer support
- Send transactional emails (account verification, password resets, billing notifications)
- Improve the Platform based on usage patterns
- Comply with legal obligations
Subscriber Data (Their Customers' Info)
- Store and display data as directed by the Subscriber
- Enable customer portal access and messaging
- Facilitate document sharing between Subscribers and their customers
- Generate reports and analytics for the Subscriber
We do not use Subscriber Data for our own marketing, analytics, or any purpose other than providing the Service to the Subscriber.
4. Cookies and Session Technologies
We use a minimal number of first-party cookies and browser storage. We do not use third-party advertising or tracking cookies. For full details, see our Cookie Notice.
| Name | Type | Purpose | Duration |
|---|
PHPSESSID | Session cookie | Maintains your login session | Browser session |
mw_rv | First-party cookie | Return visitor flag (public site only) | 365 days |
mw_sid | Session storage | Anonymous session ID for analytics (public site only) | Tab close |
5. Third-Party Services
We share data with the following third-party service providers, solely for the purposes described:
| Service | Purpose | Data Shared |
|---|
| Stripe | Payment processing | Billing details provided by Subscriber. We never store credit card numbers. Stripe Privacy |
| Resend | Transactional email delivery | Recipient email address and email content. Resend Privacy |
| ip-api.com | IP geolocation (public site analytics) | Visitor IP address. Results are cached. ip-api Terms |
We do not sell, rent, or trade personal information to third parties. We do not use Google Analytics, Facebook Pixel, or similar third-party analytics services.
6. Data Security
We implement multiple layers of security to protect your data:
- Encryption in transit: All connections use HTTPS/TLS encryption.
- Tenant isolation: Multi-tenant architecture with strict data separation. Every database query is scoped to the authenticated tenant.
- Session security: 30-minute idle timeout, session fingerprinting (user agent + IP subnet hash) to detect hijacking.
- HTTP security headers: Content Security Policy (CSP), HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy on all responses.
- Upload security: File uploads are validated by MIME type, checked for path traversal attacks, and scanned for malware using ClamAV antivirus.
- API rate limiting: Sliding-window rate limiting to prevent abuse.
- CSRF protection: Token-based CSRF protection with timing-safe comparison.
- Password security: All passwords are hashed using bcrypt. We never store plaintext passwords.
- Regular backups: Automated database and file backups.
No system is 100% secure. While we implement reasonable and appropriate safeguards, we cannot guarantee absolute security. We will notify affected users promptly in the event of a data breach, as described in our Data Processing Agreement.
7. Data Retention
- Active accounts: Data is retained for the duration of your subscription.
- Cancelled accounts: Data is retained for 90 days after cancellation to allow for reactivation, then permanently deleted.
- Terminated accounts: Data is retained for 90 days to allow for export requests, then permanently deleted.
- Public site analytics: Aggregated analytics data is retained indefinitely. Individual session records may be purged after 24 months.
- Support tickets: Retained for the life of the account plus 12 months for quality assurance.
- Billing records: Retained as required by applicable tax and financial regulations.
8. Data Isolation and Multi-Tenancy
MyWork is a multi-tenant platform. This means multiple Subscribers share the same infrastructure, but their data is strictly isolated:
- Every database query includes tenant-scoping to prevent cross-tenant data access.
- Subscriber A cannot view, search, or access Subscriber B's data under any circumstances.
- Team members and customer portal users are scoped to their Subscriber's tenant.
- File uploads are stored in tenant-specific paths.
9. Your Rights
All Users
You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Data portability: Request your data in a standard, machine-readable format.
- Opt-out: Unsubscribe from promotional communications at any time.
If You Are a Subscriber's Customer
If your data is stored in the Platform by one of our Subscribers (e.g., you are a customer who uses the portal), your primary point of contact for data rights requests is the Subscriber who entered your data. They are the data controller. If you cannot reach the Subscriber, you may contact us and we will make reasonable efforts to assist.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and the right to request deletion. We do not sell personal information.
European Residents (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with a supervisory authority. Our legal basis for processing Platform Data is contract performance (providing the Service) and legitimate interest (improving the Service and ensuring security). For Subscriber Data, we process on the basis of our contract with the Subscriber (as data processor).
10. Children's Privacy
The Platform is a business tool and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.
11. SMS/Text Message Policy
If you opt in to receive SMS/text messages from us or from a Subscriber using the Platform:
- Consent is required before any messages are sent.
- Message frequency varies. Message and data rates may apply.
- You can opt out at any time by replying STOP.
- Reply HELP for assistance.
- Phone numbers are never shared with third parties for marketing purposes.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will post the updated policy on this page with a new "Last updated" date.
- We will notify active Subscribers via email or in-platform notification.
- Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy, your data, or wish to exercise your rights, contact us: