Privacy policy

Effective date of this notice: April 2026. This page describes how the operator of Behind The Workflow (“we”, “us”) processes personal data when you use our web application, related APIs, or the optional Chrome extension “BTW Capture”. This text is a draft and is not a substitute for legal advice — have it reviewed by qualified counsel (and, where applicable, a data protection officer) before you rely on it as binding (in particular: controller identity, imprint, retention periods, and data processing agreements).

1. Controller

For the purposes of the EU General Data Protection Regulation (GDPR), the controller is the operator of Behind The Workflow. Contact: hello@behindtheworkflow.ai. If no separate legal notice (imprint) with a full postal address is published yet, we will provide controller details on request.

2. Hosting, infrastructure, and subprocessors

The platform is operated using vendors who may act as processors. We maintain an up-to-date list of subprocessors (roles, region, documentation) for customers and data processing schedules — available on request or as an annex to your agreements. Typical categories in production:

For marketing contact requests, a separate SMTP provider or webhook (e.g. Slack/Discord) may be configured — that provider’s terms apply in addition; message content may also be stored in our database (see below).

3. Purposes and categories of data — web app and APIs

We process personal data where necessary to provide Behind The Workflow, to take steps prior to or perform a contract, to secure our systems, and to meet legal obligations. This may include in particular:

4. Legal bases (orientation)

The applicable legal basis depends on the specific processing (confirm with counsel). Typically:

5. Retention and deletion

We keep personal data only as long as needed for the respective purposes or as required by statutory retention periods. Account data and content you create remain until you delete them or the account or organization is removed — internal deletion schedules should be documented and reflected here when finalized. Server and security logs may be rotated on shorter cycles.

6. Disclosure and international transfers

Sharing with third parties occurs primarily through the subprocessors listed above to run the platform. Where providers are located outside the European Economic Area or process data there, we rely — where required — on appropriate safeguards (e.g. EU Standard Contractual Clauses) under the respective agreements; confirm details with providers and legal counsel.

7. AI assistant (LLM processing)

Behind The Workflow ships with an optional AI assistant. It is labelled consistently as such in the dashboard (Sparkle icon, “AI assistant” wording) — you are always interacting with an AI system, never a human.

What we send to the model: your chat message, a compacted snapshot of the active project (asset IDs, names, prompt excerpts, connections), the current UI-context snippet (tab, active filters, selected IDs), and the arguments the model emits for tool calls. What we do not send: uploaded media files (storage), data from organizations other than yours, or account areas unrelated to the request.

Providers and contracting entity: depending on server configuration, Anthropic (Claude models) or Google (Gemini models). For users in the EEA, the United Kingdom and Switzerland, the contracting entity on Anthropic’s side is Anthropic Ireland, Limited (Dublin, Ireland) — an EU-based entity. Physical processing may still occur on servers outside the EEA; for such transfers, we or the provider rely on appropriate safeguards (EU Standard Contractual Clauses and a Data Processing Addendum).

No training on your data: Anthropic commits in Commercial Terms § B: “Anthropic may not train models on Customer Content from Services.” The DPA is incorporated by reference via Commercial Terms § C. Google makes an equivalent commitment in its Generative AI Service Terms that API data is not used for model training by default.

Provider retention: Anthropic retains API inputs and outputs for up to 30 days by default for abuse prevention, then deletes them automatically (configurable in the Anthropic Console under “Privacy Settings → Data Retention”). Google likewise does not use Gemini API data for model training and maintains its own retention windows (see Google's Generative AI Privacy Hub for specifics).

Legal basis: Art. 6(1)(b) GDPR (performance of the user relationship) or Art. 6(1)(f) GDPR (legitimate interest in a functional product). The provider actually in use follows from the server configuration and is recorded in the subprocessor list. If you do not want a particular piece of information sent to an AI provider, do not use the affected feature.

Usage and quota: each request counts against a per-account monthly quota shown in Account → AI assistant; it resets on the 1st of each calendar month (UTC). The audit log records every AI action taken in your project.

8. “BTW Capture” browser extension (Chrome)

The optional extension lets you send prompts and metadata from any web page into a Behind The Workflow project you select. Secret API keys are not embedded in the extension; sign-in uses the same domain as the web app or locally stored encrypted session data (OAuth/token handling as implemented in the current build).

9. Your rights

Subject to applicable law, you may have the right of access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object to processing based on legitimate interests (Art. 21). Where processing is based on consent, you may withdraw consent with effect for the future (Art. 7(3) GDPR).

To exercise these rights, contact us at hello@behindtheworkflow.ai. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

10. Changes

We may update this notice when the product, vendors, or legal requirements change. The current version is always available on this page; material changes should be communicated to users appropriately.