--- title: "Privacy Policy — SpiffWorks" description: "SpiffWorks — Open Source BPMN Workflow Orchestration" source_url: https://spiff.works/legal/privacy/ --- # Privacy Policy **Last Modified:** June 11th, 2026 **Effective Date:** May 30, 2025 Sartography LLC (d/b/a SpiffWorks), a Virginia limited liability company (referred to in this Agreement as "*SpiffWorks*", "*Sartography*", "*we*", "*us*", or "*our*") respects your privacy and we are committed to protecting it through compliance with this Privacy Policy. This Privacy Policy is part of the SpiffWorks Terms of Service Agreement, located at (the "*Terms of Service*"). Except as otherwise defined herein, all terms used in this Privacy Policy have the meanings set forth in the Terms of Service. **Please read this Privacy Policy and the Terms of Service carefully to understand our policies and practices regarding how we use your information.** ## 1. Introduction This Privacy Policy describes the types of information we may collect through your use of the SpiffWorks Service (as defined in the Terms of Service) and the SpiffWorks Websites located at and (collectively, together with any subdomains of spiff.works and spiffworkflow.org, the "*SpiffWorks Websites*") and our practices for collecting, using, maintaining, protecting, and sharing that information. This Privacy Policy does not apply to Personal Information we may obtain about you from third parties. ## 2. Updates to Privacy Policy We may update this Privacy Policy from time to time. Changes to this Privacy Policy will be made and will become effective as described in the Terms of Service. ## 3. Children Under Age 13 We are committed to protecting the privacy of children under the age of thirteen (13) years (each a "*Child*" and collectively, "*Children*"). Access to and use of the SpiffWorks Websites by anyone under the age of 18 years old is prohibited. The SpiffWorks Websites is not designed for or marketed to Children, and we do not knowingly collect Personal Information (as defined below) from Children. If we learn we have collected or received Personal Information from a Child, we will delete that information. If you believe we might have any information from or about a Child, please contact us at: [info@spiff.works](mailto:info@spiff.works). ## 4. Definitions As used in this Privacy Policy: - **4.1.** "*Location Information*" means global positioning system (GPS) coordinates, Global Navigation Satellite System (GLONASS), iBeacon, or other geolocation information that can be used to identify the precise location of a person or device, but excluding Internet Protocol (IP) addresses. - **4.2.** "*Non-Personal Information*" means information or content other than Personal Information, including, for example, aggregated, anonymized, or de-identified information about our users and other information that does not identify any individual, and Operational Metrics (as defined in the Terms of Service). - **4.3.** "*Personal* *Data Protection Laws*" means laws, regulations, rules, orders, and legal requirements relating to the acquisition, protection, access, use, processing, transfer, disclosure, storage, retention, disposal, deletion, or security of Personal Information or of any other data or information relating to individuals. Personal Data Protection Laws include, without limitation, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA) (as amended by the California Privacy Rights Act of 2020 (CPRA)), the Colorado Privacy Act, the Connecticut Data Privacy and Online Monitoring Act, the Delaware Personal Data Privacy Act, the Indiana Consumer Data Protection Act, the Iowa Consumer Data Protection Act, the Kentucky Consumer Data Protection Act, the Maryland Online Data Privacy Act, the Minnesota Consumer Data Privacy Act, the Montana Consumer Data Privacy Act, the Nebraska Data Privacy Act, New Hampshire Revised Statutes Chapter 507-H, New Jersey P.L. 2023 Chapter 266, the Oregon Consumer Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act, the Tennessee Information Protection Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and any other applicable state, federal, or foreign laws. - **4.4.** "*Personal Information*" (or "*Personal Data*") means any data or information that identifies, relates to, describes, could be used to identify, locate, or contact, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. As used in the previous sentence, "*household*" means a group, however identified, of individuals who cohabitate with one another at the same residential address. Personal Information includes, without limitation, any data or information that is subject to any applicable Personal Data Protection Laws or Data Broker Laws. ## 5. Types of Information Collected ### 5.1 Device and Activity Information We may automatically collect information about you when you use the SpiffWorks Websites, such as the pages, materials, and features you access and use, the amount of data transferred, the links and buttons you click/tap/select, the amount of time you spend interacting with the components of the SpiffWorks Websites, and other information about your interactions with the SpiffWorks Websites, as well as certain standard information that your browser or device sends to every website or Internet server that you visit, including your Internet Protocol (IP) address, operating environment (such as browser type and version, browser plugins installed, operating system version, regional and language settings, screen size and/or resolution, windows size, and page size), access dates and times, and referring websites. The SpiffWorks Websites may use cookies, flash cookies, web beacons, pixel gifs, HTML 5 local storage, and other technologies for a variety of purposes, such as saving and retrieving information about you, your visit, and your preferences and settings. We may use such technologies to share Non-Personal Information with third parties or to retrieve Non-Personal Information from third parties. At this time, the SpiffWorks Websites does not respond to "Do Not Track" signals sent to us by your browser. ### 5.2 Location Information We do not collect Location Information from you except to the extent that you provide us with your physical address or mailing address as part of your Account Information. ### 5.3 Analytics We use Plausible Analytics, a privacy-friendly web analytics service, to understand how visitors use the SpiffWorks Websites so that we can improve our content and the visitor experience. Plausible does not use cookies and does not collect or store any personal information or personally identifiable data. It does not track visitors across websites or devices, and it does not generate persistent identifiers. All measurement data is aggregated and cannot be used to identify any individual visitor. Plausible is operated in the European Union, and the data it processes on our behalf is hosted within the European Union. For more information, see the Plausible Data Policy (located at: ) and the Plausible Privacy Policy (located at: ). We do not use Google Analytics or any cross-site advertising or tracking analytics on the SpiffWorks Websites. ### 5.4 Information You Provide When you create and use a SpiffWorks Account (as defined in the Terms of Service), you may provide us with a variety of information, such as your name, e-mail address, billing address, payment information, and other types of information. We will store and use such information only in accordance with the Terms of Service and this Privacy Policy. ### 5.5 Third-Party Services Embedded on Our Websites Certain pages of the SpiffWorks Websites embed or load services that are operated by third parties. When the relevant page or feature loads, these providers may receive your IP address and standard connection information, and may set their own cookies: - **5.5.1. Scheduling (Calendly):** We use Calendly to let you schedule demos and meetings with us. When you open the Calendly scheduling widget, Calendly processes the information you provide (such as your name, e-mail address, and selected meeting time) in order to schedule the meeting, and may set cookies. Calendly's handling of your information is governed by the Calendly Privacy Notice (located at: ). ### 5.6 Session Recording For users of the Visual Design Studio, we may offer optional session recording to help us identify and fix usability issues. Recordings capture mouse movements, clicks, and scrolling; all text content and form inputs are fully masked and never transmitted. Recordings are retained for 30 days and then deleted. Session recording only activates after you explicitly consent via an in-app prompt, and you may decline at any time. ## 6. Use of Non-Personal Information We may use Non-Personal Information (including, for example, aggregated information about our users or information that does not identify any individual) for any purposes whatsoever (including without limitation, advertising, marketing, enhancing, designing, or developing products and/or services, and research), and we may share Non-Personal Information with others, including our partners, affiliates, and our service providers. ## 7. Cookie Policy We may use cookies and other similar technologies, such as HTML 5 local storage, to provide the SpiffWorks Service. ### 7.1 Cookies and Local Storage Cookies are small text files placed onto your device when you visit and interact with the SpiffWorks Websites. Local storage is a technology that allows a website or application to store information locally on your device. These technologies enable us to provide and enhance your experience using the SpiffWorks Service. ### 7.2 How We Use Cookies and Local Storage We use these technologies to provide the SpiffWorks Service to you and to analyze and improve the SpiffWorks Service. Our uses generally fall into one of the following categories: - **7.2.1. Essential Processes and Security:** To enable essential functions of the SpiffWorks Service, such as to facilitate logging you in to the SpiffWorks Websites, facilitating payments, protecting your security, and helping us fight spam, abuse, and violations of the Terms of Service. - **7.2.2. Preferences:** To remember information about your browser and your preferences. - **7.2.3. Performance, Analytics, and Research:** To help us understand and measure how you use the SpiffWorks Websites and to improve the SpiffWorks Service. ### 7.3 Blocking and Removing Cookies We are committed to protecting your privacy, as described in this Privacy Policy. Most browsers allow you to modify your settings to accept or deny all cookies or to request your permission each time a website attempts to place a cookie on your device, and most browsers allow you to delete cookies that have already been placed on your device. The public, unauthenticated pages of the SpiffWorks Websites use privacy-friendly, cookieless analytics and do not require cookies, so you can browse them with cookies disabled. However, certain features of the SpiffWorks Service — in particular logging in to your SpiffWorks Account and completing payments — rely on essential cookies and will not function properly if you prevent the SpiffWorks Websites from placing cookies on your device. ## 8. Use of Personal Information ### 8.1 How We Use Your Information We will only store and use your Personal Information as is reasonably necessary or appropriate in connection with your use of the SpiffWorks Service, including: - **8.1.1.** to contact you in connection with your use of the SpiffWorks Service, including to respond to your inquiries; - **8.1.2.** for authentication and identification purposes; - **8.1.3.** to enable us to process any orders you place through the SpiffWorks Service; - **8.1.4.** to provide you with notices about your SpiffWorks Account (including reminders about the expiration of any applicable SpiffWorks Subscriptions or Paid Services (as defined in the Terms of Service)); - **8.1.5.** to fulfill any other purpose for which you provide such information to us; - **8.1.6.** in any other way we may describe when you provide the information; - **8.1.7.** to carry out our obligations and enforce our rights; - **8.1.8.** to ensure your compliance with the Terms of Service and/or to investigate any potential breach of the Terms of Service; and - **8.1.9.** to protect third parties. ### 8.2 How We Share Your Information We are committed to protecting your privacy and we will not sell, lease, or disclose your Personal Information to any third party except as described in the Terms of Service and in this Privacy Policy. In addition to using and disclosing your Personal Information in the manner described above and elsewhere in this Privacy Policy, we may disclose your Personal Information: - **8.2.1.** to any person, entity, or organization which you consent for us to disclose your Personal Information to; - **8.2.2.** to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which Personal Information held by us about our users is among the assets transferred; - **8.2.3.** to any person, entity, or organization in order to facilitate the provision of the SpiffWorks Service, such as providing your name and payment information to our third party payment processor if you purchase a Paid Service (as defined in the Terms of Service) through the SpiffWorks Websites; - **8.2.4.** to any of the SpiffWorks Parties (as defined in the Terms of Service), our business partners, service providers, vendors, and agents who provide hosting services, technical support services, or other services, and as is necessary or appropriate in connection with the operation, maintenance, and support of the SpiffWorks Service; - **8.2.5.** to comply with any legal requirements, subpoenas, discovery requests, or court orders, to defend any legal or administrative proceedings, or as we believe in good faith is necessary to comply with any laws or legal requirements (including without limitation to comply with any Personal Data Protection Laws); - **8.2.6.** to any person as we believe is necessary or appropriate in an emergency situation, including without limitation, to prevent criminal activity, personal injury, or property damage; - **8.2.7.** to law enforcement, financial institutions, or other appropriate authorities in connection with any investigation of suspected criminal or fraudulent activity by any person or entity; and - **8.2.8.** if we believe it is necessary or appropriate to protect the rights, property, or safety of the SpiffWorks Parties (as defined in the Terms of Service) or other third parties (including, without limitation, to facilitate the enforcement of our rights under the Terms of Service or to facilitate compliance with any applicable Personal Data Protection Laws). ## 9. Opt-In Sharing Features We will not knowingly disclose any of your Personal Information that you submit to us through the SpiffWorks Websites to a third party if we know or have reason to believe that the third party will use your Personal Information for direct marketing purposes, unless you opt-in or otherwise expressly consent for such sharing. ## 10. Security We have implemented measures designed to secure your Personal Information from accidental loss and from unauthorized access, use, alteration, and disclosure, including the use of TLS to encrypt information you send through the SpiffWorks Websites. The safety and security of your information also depends on you. You are responsible for safeguarding your login credentials associated with your SpiffWorks Account and notifying us immediately if you suspect your login credentials for your SpiffWorks Account have been compromised. Unfortunately, the transmission of information via the internet is not completely secure. Despite our measures to protect your Personal Information, we cannot guarantee the security of your Personal Information transmitted to or through the SpiffWorks Websites. Any transmission of Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures of the SpiffWorks Websites or of our service providers, agents, or other third parties. ## 11. Payment Information For purchases of Paid Services through the SpiffWorks Websites, we currently use Stripe, Inc. ("*Stripe*"), a third party payment processor, to process payments. Your payment information collected through the SpiffWorks Websites is transmitted directly to Stripe and is not stored by us. You acknowledge and agree that payments processed using Stripe are subject to the Stripe Terms of Service () and the Stripe Privacy Policy (), as amended from time to time by Stripe, and that we are not responsible for any acts or omissions of Stripe. ## 12. Third Party Sites The SpiffWorks Websites may contain links to other websites that are operated by third parties. Once you have clicked on a link connecting you to such third party website, you will leave the SpiffWorks Websites and be taken to a website that we do not control. This Privacy Policy does not apply to any Personal Information (or other information) collected on a third party site. You should read the privacy policy of the third party site before providing any Personal Information on such third party site. We are not responsible for any use by any person or entity of any information that you may provide while accessing or using any websites or services provided by a third party. ## 13. Access to and Change of Personal Information You may contact us at any time to: (a) request the removal of the Personal Information you provided to us from our databases; or (b) update your Personal Information that you provided to us. However, certain information associated with your use of the SpiffWorks Websites may be retained permanently for legal, tax, and business reasons. In addition, because certain Personal Information may be necessary to provide the SpiffWorks Service to you, you understand that the removal of that Personal Information may require us to delete your SpiffWorks Account. When your Personal Information is updated or deleted, copies of such information may remain in our backups. ## 14. Contacting Us You may contact us with questions relating to this Privacy Policy by sending an e-mail to [info@spiff.works](mailto:info@spiff.works). ## 15. Additional Information for Residents of the European Economic Area, the United Kingdom, and Switzerland If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the following additional information applies to our processing of your Personal Data, which is governed by the EU and UK General Data Protection Regulation (GDPR) and equivalent Swiss law. In the event of a conflict between this Section 15 and the rest of this Privacy Policy, this Section 15 controls with respect to such individuals. ### 15.1 Data Controller Sartography LLC (d/b/a SpiffWorks) is the controller responsible for your Personal Data. You can reach us at [info@spiff.works](mailto:info@spiff.works) or at the address set forth in the Terms of Service. ### 15.2 Legal Bases for Processing We process your Personal Data only where we have a valid legal basis to do so. Depending on the circumstances, those bases are: - **15.2.1. Performance of a contract:** to create and administer your SpiffWorks Account, provide the SpiffWorks Service, process payments, and respond to your requests (Article 6(1)(b) GDPR). - **15.2.2. Consent:** where you have given us consent, such as when you opt in to receive marketing or product communications or when you consent to session recording in the Visual Design Studio (as described in Section 5.6). You may withdraw your consent at any time as described in Section 15.4 (Article 6(1)(a) GDPR). - **15.2.3. Legitimate interests:** to operate, secure, and improve the SpiffWorks Websites and the SpiffWorks Service, to measure how our websites are used through privacy-friendly analytics, to communicate with you about your account, and to prevent fraud and abuse, except where such interests are overridden by your rights and freedoms (Article 6(1)(f) GDPR). - **15.2.4. Legal obligation:** to comply with applicable legal, tax, accounting, and regulatory obligations (Article 6(1)(c) GDPR). ### 15.3 International Data Transfers We are based in the United States, and we and certain of our service providers process Personal Data in the United States and in other countries that may not provide the same level of data protection as your home jurisdiction. Where we transfer Personal Data out of the EEA, the UK, or Switzerland, we rely on an appropriate safeguard, such as the European Commission's Standard Contractual Clauses (together with the UK International Data Transfer Addendum or the Swiss equivalent, where applicable) or an adequacy decision. You may contact us at [info@spiff.works](mailto:info@spiff.works) to request more information about these safeguards. ### 15.4 Your Rights Subject to applicable law, you have the right to: (a) request access to the Personal Data we hold about you; (b) request correction of inaccurate or incomplete Personal Data; (c) request erasure of your Personal Data; (d) request restriction of, or object to, our processing of your Personal Data; (e) request data portability (to receive certain Personal Data in a structured, commonly used, machine-readable format); and (f) where we rely on your consent, withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal. To exercise any of these rights, contact us at [info@spiff.works](mailto:info@spiff.works), and we will respond as required by applicable law. You can opt out of marketing communications at any time by using the unsubscribe link in any marketing e-mail or by contacting us. ### 15.5 Right to Lodge a Complaint If you believe our processing of your Personal Data infringes applicable data protection law, you have the right to lodge a complaint with your local supervisory authority. We would, however, welcome the chance to address your concerns directly before you do so — please contact us at [info@spiff.works](mailto:info@spiff.works). ### 15.6 Data Retention We retain your Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, including to provide the SpiffWorks Service to you, to comply with our legal, tax, and accounting obligations, to resolve disputes, and to enforce our agreements. When Personal Data is no longer needed, we delete or anonymize it, except where retention is required by law. When your Personal Data is updated or deleted, copies may remain in our backups for a limited period until those backups are overwritten in the ordinary course. ### 15.7 EU and UK Representative [To be completed: where required by Article 27 GDPR, SpiffWorks will designate a representative in the European Union and/or the United Kingdom. The name and contact details of any such representative will be listed here.]