Effective Date: March 30, 2026
This policy describes Company's external privacy principles and explains how personal data may be processed, protected, and handled in relation to website users, customers, partners, applicants, and other relevant data subjects.
This document is intended as an external-facing privacy policy. Internal governance, accountability, and control requirements are defined in the GDPR Compliance Policy.
Company shall process personal data lawfully, fairly, and transparently, and shall limit processing to specified and legitimate purposes. Personal data shall be adequate, relevant, and limited to what is necessary, kept accurate where required, retained only for as long as needed, and protected through appropriate technical and organizational measures. These principles reflect the core requirements of GDPR and related transparency guidance. (EUR-Lex)
Depending on the relationship with the individual and the services involved, Company may process the following categories of personal data:
Company does not intentionally collect more personal data than is reasonably necessary for the relevant purpose.
Company may collect personal data:
Where personal data is obtained from sources other than the individual, Company shall provide the information required by applicable law unless an exemption applies. (EUR-Lex)
Company may process personal data for the following purposes:
Where GDPR applies, Company shall process personal data only where there is an appropriate legal basis, including:
GDPR defines these legal bases and requires controllers to provide clear information about them in privacy notices. (EUR-Lex)
Company may disclose personal data on a need-to-know basis to:
Company shall require processors and service providers to process personal data only on documented instructions where required by law.
Personal data may be processed in countries outside the country in which it was collected. Where required by applicable law, Company shall implement appropriate safeguards for cross-border transfers, including contractual safeguards or other legally recognized transfer mechanisms.
Under EU rules, standard contractual clauses are a recognized transfer mechanism, and the Swiss FDPIC has recognized the EU standard contractual clauses as a basis for transfers under Swiss law when adapted as necessary. (EDÖB)
Company shall retain personal data only for as long as necessary for the relevant purpose, including to:
Retention periods may vary by data category, business process, and legal requirement. When personal data is no longer required, Company shall delete, anonymize, or securely archive it as appropriate.
Company shall implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access
Such measures may include access controls, encryption where appropriate, logging, monitoring, backup, secure development, supplier controls, and role-based restrictions. However, no transmission or storage system can be guaranteed to be completely secure.
Company websites may collect technical and usage information such as internet protocol address, browser type, operating system, referring pages, timestamps, and device information for security, performance, analytics, and service delivery purposes.
Company may use cookies and similar technologies to enable website functionality, security, preferences, analytics, and other legitimate website operations. Where required by law, Company shall provide appropriate notice and choice mechanisms regarding non-essential cookies.
Transparency guidance from the ICO states that privacy notices should clearly explain what information is collected, why it is used, with whom it is shared, and how rights can be exercised. (ICO)
Where applicable under GDPR and other data protection laws, individuals may have the right to:
GDPR requires controllers to provide information about these rights in a concise, transparent, intelligible, and easily accessible form. (EUR-Lex)
Where permitted by law, Company may send business-related updates, event invitations, newsletters, or other marketing communications. Individuals may opt out of marketing communications at any time using the unsubscribe method provided or by contacting Company through the designated privacy contact channel
Company websites, products, and services are not directed to children unless explicitly stated otherwise. Company does not knowingly collect personal data from children in situations where such collection is prohibited by law.
Company does not use personal data for solely automated decision-making producing legal effects or similarly significant effects unless such processing is lawful and appropriately disclosed.
Company shall manage personal data breaches in accordance with its incident response and breach reporting requirements. Where required by law, Company shall notify competent authorities and affected individuals without undue delay.
GDPR includes authority and individual notification duties for certain personal data breaches. (EUR-Lex)
Requests, questions, or concerns regarding this policy or the processing of personal data shall be directed to privacy@11dynamics.com or directly to the Data Protection Officer.
Daniel June | vDPO
daniel@workstreet.com
+1 7832 261 690
2261 Market Street,
STE 22218 San Francisco,
CA 94114 California,
For the purposes of the GDPR's One-Stop-Shop mechanism, the Company has identified the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) in Germany as its Lead Supervisory Authority.
Company may update this policy from time to time to reflect changes in legal requirements, business practices, services, or security measures. The current version shall be made available through the relevant Company channel.
