1. Types of Information Collected.
To better provide you with our numerous services, we collect two (2) types of information about our users: Personal Information and Non-Personal Information (both defined below). Our primary goal in collecting information from you is to provide you with a smooth, efficient, and customized experience while using our Site and Services.
For purposes of this Policy, "Site" means the access-controlled, server-based platform made available to Users located on the Internet at www.startwoven.com or app.woven.team, as further defined in the Terms of Service.
(a) Personal Information. "Personal Information" refers to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identifiable individual. When you engage in certain activities through the Services, such as registering for the Services, creating or updating your user profile, submitting content, using messaging or communication features, filling out a survey, or sending us feedback, we may ask you to provide certain information by completing and submitting an online form. It is completely optional for you to engage in these activities. If you elect to engage in these activities, however, we may ask that you provide us Personal Information, such as your first and last name, mailing address (including zip code), email address, employer, job title and department, and telephone numbers. Depending upon the activity, some of the information we ask you to provide is identified as mandatory and some as voluntary. If you do not provide the mandatory data with respect to a particular activity, you will not be able to engage in that activity.
(b) Non-Personal Information. "Non-Personal Information" refers to information that does not by itself identify a specific individual. We gather certain information about you based upon how you use our Site and Services. This information is compiled and analyzed on both a personal and an aggregated basis. This information may include the Uniform Resource Locator ("URL") of any sites you visited prior to or after our Site, your browser type, and your Internet Protocol ("IP") address. An IP address is a numerical identifier assigned to your device by your internet service provider, which enables communication between devices on a network and allows web servers to identify your connection. Non-Personal Information may also include technical and behavioral data collected for security purposes, including but not limited to TLS fingerprint data, browser configuration details, mouse movement and interaction patterns, scroll behavior, keystroke cadence (timing only, not content), and other signals used to distinguish human users from automated access. Such data is collected and used solely for security and fraud prevention purposes as described in Section 2.
(c) Categories of Personal Information Collected. In accordance with applicable privacy laws, the following describes the categories of Personal Information Woven may collect:
Identifiers: Name, email address, phone number, mailing address, username, employee ID
Professional/Employment Information: Employer name, job title, department, work schedule, role, location assignment
Internet/Electronic Network Activity: IP address, browser type, device information, pages visited, access logs, session data
Geolocation Data: Approximate location derived from IP address; precise location only if enabled by User or Employer
Communications Data: Messages, posts, and other content transmitted through the Services
Inferences: Profiles or summaries generated from the above categories to support scheduling, operations, or platform functionality
AI Interaction Data: Prompts, queries, and outputs generated through AI Features of the Services
For details on how each category is used, see Section 2. For third-party sharing, see Section 3.
(d) Sensitive Personal Information. Woven may process the following categories of sensitive Personal Information in connection with the Services:
Precise Geolocation Data: Only if enabled by User or Employer for location-based features.
Account Credentials: Username and password used to access the Services.
Woven processes sensitive Personal Information only as necessary to provide the Services and does not use it for purposes beyond those disclosed in this Policy. Where applicable law requires opt-in consent for the processing of sensitive Personal Information, Woven will obtain such consent. You may limit the use of sensitive Personal Information to purposes necessary to provide the Services by contacting support@startwoven.com.
Woven does not collect or process the following categories of sensitive data through the Services: Social Security numbers, financial account numbers, biometric data, racial or ethnic origin, religious beliefs, health information, sexual orientation, or union membership — unless such data is voluntarily submitted by Users in free-text fields, in which case Woven disclaims responsibility for the sensitivity of User-provided content.
2. Collection Methods and Use of Information.
We may process certain information to enable age-gating, parental consent flows, safety features, and to operate AI-powered functionality; such processing will be limited to what is reasonably necessary for those purposes.
(a) Woven only collects the Personal Information that is necessary to provide the information or services requested by an individual or their Employer.
(b) We do not collect any Personal Information about you unless you voluntarily provide it to us or your Employer provides it on your behalf. You provide certain Personal Information to us when you: (a) register for or are provisioned access to the Services by your Employer; (b) create or update your user profile; (c) send messages, submit forms, or transmit other information through the Services; (d) contact us via email, phone, or other support channels; or (e) interact with AI Features within the Services. We may also collect information from you at other points on our Site or within the Services that state that such information is being collected.
(c) Payment processing for the Services is handled by Woven's agreement with your Employer. Woven uses third-party payment processors to process Employer payments. Woven neither collects nor stores payment card data (see Section 7 below).
(d) In addition, we may collect certain Non-Personal Information automatically when you use the Services. This includes device information, browser type, operating system, access times, pages viewed, and actions taken within the Services. We use this information to diagnose problems, administer the Services, and analyze usage patterns in aggregate. On our marketing website, third-party analytics and advertising services may collect similar information as described in Section 8.
(e) We will primarily use your Personal Information to provide our Services to you, as required by our agreements with you and your Employer. We will also use Personal Information to enhance the operation of our Site, improve our marketing and promotional efforts, statistically analyze Site use, improve our product and service offerings, and customize our Site's content, layout, and services. We may use Personal Information to deliver information to you and to contact you regarding administrative notices. We may also use Personal Information to resolve disputes, troubleshoot problems and enforce our agreements with you, including our Terms of Service, Order Forms, and this Privacy Policy.
(f) Woven uses the collected information to respond appropriately to requests. This may be to respond directly to you or to improve the Site and Services. Email or other information requests sent to Woven may be retained for future use by Woven.
(g) Woven understands that the nature of the User Content submitted to, exchanged with, reported from, and/or generated by Woven may be of a confidential, sensitive, and proprietary nature. Woven warrants and represents that it shall not share, utilize, review, access, or otherwise make use of any information submitted to, exchanged with, reported from, and/or generated by Woven except for the explicit purposes of operating Woven or as provided herein.
(h) Woven will not share, sell, or distribute User Content covered by this Policy with any third parties, including any of our affiliated companies, officers, directors, shareholders, subsidiaries, agents, or representatives except as otherwise provided herein.
(i) Notwithstanding the foregoing, we may share User Content with third parties in the following circumstances:
We may employ third-party service providers to perform functions on our behalf. They may have access to Personal Information needed to perform their functions, but may not use it for other purposes.
From time to time, we may be required to share Personal Information in response to a valid court order, subpoena, government investigation, or as otherwise required by law. We also reserve the right to report to law enforcement agencies any activities that we, in good faith, believe to be unlawful.
We may release User Content when we believe release is appropriate to comply with the law or any rule, regulation, government or court order; enforce or apply our Terms of Service and other agreements; or protect the rights, property, or safety of Woven, our affiliated companies, our users, or others. However, this does not include selling, sharing, or otherwise disclosing Personal Information from customers for commercial purposes in violation of the commitments set forth in this Policy.
(j) Security, Fraud, and Bot Detection.
Woven may collect and process Non-Personal Information and technical data — including but not limited to IP addresses, browser fingerprints, device characteristics, TLS handshake data, mouse movement and interaction patterns, access frequency, navigation behavior, and other behavioral and technical signals — for the purposes of:
(i) detecting and preventing unauthorized automated access, scraping, crawling, or other abusive access patterns;
(ii) identifying and blocking bots, headless browsers, browser automation tools, and other non-human access methods;
(iii) protecting the security, integrity, and availability of the Services;
(iv) enforcing the Terms of Service, including the prohibitions on automated access and reverse engineering; and
(v) investigating and responding to suspected violations of law or this Policy.
This processing is conducted on the basis of Woven's legitimate interest in protecting the Services and its Users. Woven may employ third-party bot detection and security services for these purposes, subject to the sub-processor obligations described in Section 4 of this Policy.
3. Release of Information.
We do not sell, trade, or rent your Personal Information to others. We may provide some of our services through contractual arrangements with affiliates, service providers, partners, and other third parties. We and our service partners use your Personal Information to operate our Site and to deliver their services. Use of your Personal Information by our service partners is governed by the privacy policies of those service partners and is not subject to our control.
Occasionally we may be required by law enforcement or judicial authorities to provide Personal Information to the appropriate governmental authorities. We will disclose Personal Information upon receipt of a court order, subpoena, or to cooperate with a law enforcement investigation. We fully cooperate with law enforcement agencies in identifying those who use our services for illegal activities. We reserve the right to report to law enforcement agencies any activities that we in good faith believe to be unlawful.
We may also provide Non-Personal Information about our customers' usage, traffic patterns, and related Site information to third-party service providers, but these statistics do not include any Personal Information.
4. Service Providers and Sub-Processors.
Woven engages third-party service providers ("sub-processors") to assist in delivering the Services, including cloud hosting, analytics, communication delivery, AI processing, and security and bot detection services. All sub-processors are contractually required to process Personal Information only as directed by Woven and to maintain data protection standards consistent with this Policy. A current list of sub-processors is available upon request by contacting support@startwoven.com. Woven will notify Employers of material changes to its sub-processor list in advance where required by applicable law or contract.
5. Updating and Correcting Information.
We encourage you to promptly update your Personal Information if it changes. You may ask to have the information on your account deleted or removed; however, because we keep track of past transactions, you cannot delete information associated with past transactions on this Site. In addition, it may be impossible to completely delete your information without some residual information because of backups.
6. Modifications.
We reserve the right to change this Policy at any time. Such changes, modifications, additions, or deletions will be effective immediately upon notice thereof, which may be given by means including, but not limited to, issuing an email to the email address listed by registered users or Employers, posting a notice on the Employer's invoice, or posting a notice in the Administrator's view of the Employer's account. You acknowledge and agree that it is your responsibility to maintain a valid email address as a registered user, review this Site and Policy periodically, and to be aware of any modifications. Your continued use of the Site after such modifications will constitute your (a) acknowledgment of the modified Policy; and (b) agreement to abide and be bound by the modified Policy.
Previous versions of this Policy will be archived and made available upon request by contacting support@startwoven.com. Material changes will be summarized at the top of the updated Policy with the revision date.
7. User Choices on Collection and Use of Information.
We may, from time to time, send you email regarding our Site or Services. In addition, if you indicated upon registration that you are interested in receiving offers or information from us and our partners, we may occasionally send you direct mail about products and services that we feel may be of interest to you. Only Woven (or agents working on behalf of Woven and under confidentiality agreements) will send you these direct mailings and only if you indicated that you do not object to these offers. If you do not want to receive such mailings, simply tell us when you give us your personal information. Or, at any time you can easily edit your account information to no longer receive such offers and mailings.
You also have choices with respect to cookies, as described below. By modifying your browser preferences, you have the choice to accept all cookies, to be notified when a cookie is set, or to reject all cookies. If you choose to reject all cookies, some parts of our Site may not work properly.
8. Do Not Sell or Share; Universal Opt-Out Signals.
Woven does not sell Personal Information as defined under applicable state privacy laws. To the extent that any data sharing constitutes a "sale" or "sharing" under the CCPA/CPRA or other applicable law, you may opt out by contacting support@startwoven.com. Woven honors Global Privacy Control ("GPC") and other legally recognized universal opt-out signals. When we detect a GPC signal from your browser, we will treat it as a valid opt-out request for the sale or sharing of Personal Information associated with that browser. For more information about GPC, visit https://globalprivacycontrol.org.
9. Security of Information.
At our Site you can be assured that your Personal Information and Non-Personal Information are secure, consistent with current industry standards. The importance of security for all Personal Information associated with our users is of utmost concern to us. We may encrypt your Personal Information and thereby prevent unauthorized parties from viewing such information when it is transmitted to us.
Payment processing for the Services is handled through established third-party banking and processing institutions engaged by Woven under its agreement with your Employer. Woven neither collects nor processes any payment card information (PCI). We may also use other third parties to assist with the performance of certain services or functions related to the Site and Services.
Unfortunately, no data transmission over the Internet or any wireless network can be guaranteed to be 100% secure. As a result, while we strive to protect your Personal Information and Non-Personal Information, you acknowledge that: (a) there are security and privacy limitations of the Internet which are beyond our control; (b) the security, integrity and privacy of any and all information and data exchanged between you and us through this Site cannot be guaranteed; and (c) any such information and data may be viewed or tampered with in transit by a third party.
Proactive Security Measures.
Woven may deploy technical security measures within the Services, including honeypot endpoints, canary tokens, data watermarking, and other monitoring techniques, to detect unauthorized access, scraping, automated data collection, or other violations of the Terms of Service. Information collected through these measures is used solely for security enforcement and may be shared with law enforcement as described in Section 3.
10. Data Breach Notification.
In the event of a security breach involving Personal Information, Woven will notify affected individuals and applicable regulatory authorities in accordance with applicable law. Where required, Woven will provide notification within the timeframes mandated by applicable federal, state, or international law (including, without limitation, within thirty (30) calendar days for California and New York residents, and within seventy-two (72) hours for individuals protected under the GDPR). Notification will include, to the extent known: the nature of the breach, the categories of data affected, and the measures taken or proposed to address the breach.
11. Cookies and Tracking Technologies.
Woven uses cookies and similar tracking technologies to facilitate your use of the Services. A cookie is a small data file stored on your device that helps us recognize you and customize your experience.
(a) Cookie Categories.
We use the following categories of cookies:
Essential Cookies: Required for the Services to function. These include authentication cookies, session cookies, and security cookies. These cannot be disabled.
Functional Cookies: Store your preferences (language, display settings) to personalize your experience.
Analytics Cookies: Help us understand how Users interact with the Services, measure performance, and improve functionality. These may include third-party analytics tools such as Google Analytics.
Advertising/Marketing Cookies: Used on our marketing website (www.startwoven.com) to measure the effectiveness of our marketing campaigns and deliver relevant content. These cookies are not placed within the Woven product platform (app.woven.team).
(b) Your Choices.
You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. If you are located in the EEA, UK, or a jurisdiction that requires prior consent for non-essential cookies, you will be presented with a cookie consent mechanism before non-essential cookies are placed. Rejecting non-essential cookies will not affect the core functionality of the Services.
(c) Do Not Track / GPC.
Woven honors Global Privacy Control (GPC) signals as described in Section 8. Some browsers offer a "Do Not Track" signal; we treat GPC as the legally recognized universal opt-out mechanism.
12. Privacy Policies of Third-Party Sites.
Except as otherwise stated in this Policy, this document only addresses the use and disclosure of information we collect from you. Other sites accessible through our Site have their own privacy policies and data collection, use and disclosure practices. Please consult each site's privacy policy. We are not responsible for the policies or practices of third parties. Additionally, other companies which may place advertising on our Site may collect information about you when you view or click on their advertising using cookies. We cannot control this collection of information. You should contact these advertisers directly if you have any questions about their use of the information that they collect. We do not sell your Personal Information to third parties.
13. Children and Teens; Parental Consent.
We do not knowingly collect Personal Information from children under thirteen (13) without prior verifiable parental consent. If we learn that a child under 13 has provided Personal Information without such consent, we will delete it. For teens aged thirteen (13) to under sixteen (16) in jurisdictions that require it, we will obtain an affirmative opt-in before any "sale" or "sharing" of Personal Information (as those terms are defined by applicable law). Parents/guardians may review, delete, or withdraw consent for their child's information by contacting us at support@startwoven.com. We may request reasonable information to verify the requester's identity and parental status.
AI Features do not override these protections. We do not use children's Personal Information to independently train third-party AI models.
14. Artificial Intelligence and Automated Data Processing.
(a) Woven may use automated systems, including artificial intelligence and machine learning technologies ("AI Systems"), to assist in providing, improving, personalizing, and securing the Services. These systems may process user inputs, operational data, usage data, and related content to generate insights, automate actions, or produce AI-generated output.
(b) Information processed by AI Systems may include pseudonymized or anonymized data, logs, and interaction metadata. Woven does not use AI Systems to make decisions that produce legal or similarly significant effects without human involvement.
(c) AI-generated output may occasionally be inaccurate or incomplete and is intended to assist users. Users are responsible for reviewing and validating any AI-generated output prior to use.
(d) Data used to operate or improve AI Systems will be handled in accordance with this Policy and applicable laws. Woven will not sell, lease, or transfer Personal Information to third parties for their independent AI training or model-building purposes.
(e) Woven implements administrative, technical, and organizational safeguards designed to protect personal data used within AI Systems and to maintain confidentiality, integrity, and availability.
(f) Woven may partner with or rely upon third-party service providers to host or operate AI Systems. Such providers are required to maintain data protection standards consistent with this Policy and applicable law. A current list of third-party AI service providers is available upon request by contacting support@startwoven.com.
(g) Woven does not use identifiable Personal Information, User Input, or AI Output to train, fine-tune, or build foundational AI or machine learning models. To the extent Woven uses aggregated, de-identified data to improve the performance or reliability of the Services, such use will be conducted in accordance with this Policy and applicable law. Woven does not sell, share, or make available Personal Information to third parties for the purpose of training large language models or other generative AI systems.
15. Data Retention.
Woven retains Personal Information for the following periods:
Account Data (name, email, credentials, profile): Duration of Employer's active account with Woven, plus thirty (30) days following account termination to facilitate data export.
Usage and Activity Data (access logs, session data, analytics): Up to twenty-four (24) months from the date of collection.
Communications Data (messages, posts): Duration of Employer's active account, subject to Employer's own retention settings where available.
AI Interaction Data (prompts, outputs): Duration of Employer's active account unless earlier deletion is requested.
Security and Bot Detection Data (browser fingerprints, behavioral signals, TLS data, honeypot logs): Up to twelve (12) months from the date of collection, or longer if required for active investigation or enforcement of the Terms of Service.
Billing and Transaction Records: As required by applicable tax, accounting, and legal obligations, typically up to seven (7) years.
Aggregated/De-Identified Data: May be retained indefinitely as it cannot be used to identify individuals.
After the applicable retention period, Woven will delete or de-identify Personal Information in accordance with its standard data disposal procedures, unless retention is required by law. You can initiate a request regarding your data by contacting support@startwoven.com.
16. California Residents.
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"):
(a) Right to Know. You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources from which we collected it, the business or commercial purposes for collecting or selling it, and the categories of third parties with whom we share it.
(b) Right to Delete. You have the right to request deletion of your Personal Information, subject to certain legal exceptions.
(c) Right to Correct. You have the right to request correction of inaccurate Personal Information.
(d) Right to Opt-Out. You have the right to opt out of the sale or sharing of your Personal Information. Woven does not sell Personal Information. To the extent that any data sharing constitutes a "sale" or "sharing" as defined by the CCPA/CPRA, you may opt out by contacting support@startwoven.com.
(e) Right to Limit Use of Sensitive Personal Information. You have the right to limit the use and disclosure of your sensitive Personal Information to purposes necessary to provide the Services.
(f) Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
(g) How to Exercise Your Rights. To submit a request, contact us at support@startwoven.com. We will respond to verifiable requests within forty-five (45) calendar days. You may designate an authorized agent to make a request on your behalf.
(h) Categories of Information. For details on the categories of Personal Information we collect, the purposes for which we use it, and the categories of third parties with whom we share it, see Sections 1 and 2 of this Policy.
17. Residents in the European Economic Area (EEA), United Kingdom, and Switzerland.
If you are located in the EEA, UK, or Switzerland, the following additional provisions apply:
(a) Data Controller. Woven Brands, LLC is the data controller for Personal Information processed through the Services. For privacy inquiries, contact support@startwoven.com.
(b) Lawful Bases for Processing. We process your Personal Information on the following legal bases:
Performance of a Contract: To provide the Services as agreed between Woven and your Employer.
Legitimate Interests: To operate, improve, and secure the Services, provided such interests are not overridden by your data protection rights. This includes the collection and processing of technical and behavioral data for security, fraud prevention, and bot detection purposes as described in Section 2(j).
Legal Obligation: To comply with applicable laws, regulations, or legal processes.
Consent: Where you have provided explicit consent for specific processing activities, such as optional AI Features. You may withdraw consent at any time by contacting support@startwoven.com.
(c) Your Rights Under GDPR. You have the right to:
Access your personal data and obtain a copy
Rectify inaccurate or incomplete personal data
Erase your personal data ("right to be forgotten"), subject to legal exceptions
Restrict processing in certain circumstances
Data portability — receive your data in a structured, commonly used, machine-readable format
Object to processing based on legitimate interests or for direct marketing
Not be subject to automated decision-making, including profiling, that produces legal or similarly significant effects
To exercise any of these rights, contact support@startwoven.com. We will respond within thirty (30) days.
(d) Supervisory Authority. If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority in your country of residence.
(e) International Transfers. Personal data transferred outside the EEA is protected using the mechanisms described in Section 20 (Cross-Border Data Transfers).
18. International Transfers.
Woven operates its technology infrastructure from servers located in the United States and processes all user data in the U.S. If you access the Services from outside the United States, your Personal Information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction. By using the Services, you consent to such transfer. For information on the legal mechanisms Woven uses to protect personal data during cross-border transfers, see Section 20 (Cross-Border Data Transfers).
19. Changes in Corporate Structure.
In the event that Woven is involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your information may be sold or transferred as part of that transaction. The commitments in this Privacy Policy will apply to your information as transferred to the successor entity. Woven will use commercially reasonable efforts to notify affected users of any such transfer that materially changes the processing of Personal Information described in this Policy.
20. Cross-Border Data Transfers.
When personal data is transferred outside the jurisdiction in which it was collected, Woven relies on applicable legal mechanisms to ensure adequate protection, including Standard Contractual Clauses (SCCs) approved by the European Commission, the EU-U.S. Data Privacy Framework (DPF), and any applicable adequacy decisions. Woven will process all transferred data in accordance with this Policy and applicable data protection laws. For questions regarding cross-border transfers, contact support@startwoven.com.
21. Your Rights.
You have rights to access, correct, delete, restrict, or object to processing of your personal data. Contact support@startwoven.com to exercise these rights.
22. Automated Decision-Making and Profiling.
Woven does not use automated decision-making systems that produce legal or similarly significant effects on individuals without human involvement. To the extent the Services use AI Features or automated processing to generate recommendations, insights, or suggestions, such outputs are intended to assist — not replace — human decision-makers. Where required by applicable law, you have the right to:
Opt out of profiling that produces legal or similarly significant effects
Request information about the logic involved in automated processing that affects you
Challenge the results of automated decisions and request human review
Understand what actions may lead to a different outcome
To exercise these rights, contact support@startwoven.com.
23. Right to Appeal.
If we deny your privacy request in whole or in part, you may appeal that decision by contacting support@startwoven.com with the subject line "Privacy Request Appeal." We will review your appeal and respond within the timeframe required by applicable law (typically sixty (60) days). If your appeal is denied, we will provide information on how to contact the relevant regulatory authority to file a complaint.
24. Withdrawing Your Consent.
Where processing relies on your consent, you may withdraw it at any time by contacting support@startwoven.com.
25. Addendum: Relationship to Terms of Service.
This Privacy Policy should be read in conjunction with the Woven Terms of Service. For details about AI-generated content, limitations, and disclaimers, see the "Artificial Intelligence and Machine Learning Features" section of the Terms of Service.
Woven reviews this Privacy Policy periodically to ensure ongoing compliance with applicable laws and industry best practices.




