Last updated: March 2026
Delegate (“we,” “our,” or “us”) operates the Delegate workspace platform accessible at delegate.ws and its associated mobile applications (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.
We are committed to protecting your privacy and handling your data with transparency and respect. By accessing or using Delegate, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please discontinue use of the Service immediately.
This policy applies to all users of Delegate, including individuals on our cloud-hosted platform, self-hosted deployments where our software is used to process data, and visitors to our marketing website. It should be read alongside our Terms of Service.
For the purposes of applicable data protection legislation, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), Delegate acts as the data controller for personal information collected directly through the Service, and as a data processor for information you store within your workspace on our behalf.
When you create an account, configure your workspace, or contact us, we collect information you provide, including:
When you interact with the Service, we automatically collect certain technical and usage information:
When you connect third-party services to Delegate, we receive data from those services on your behalf and subject to your authorization:
The scope of data received from each provider is limited to the permissions you explicitly grant during the OAuth authorization flow. You may revoke these permissions at any time from your Integrations settings or directly through the third-party provider.
When you use AI-powered features (email triage, meeting summarization, task generation, and similar), the relevant content is processed by AI model providers as described in Section 4. We store the outputs of these analyses (summaries, extracted action items, importance scores) in your workspace data, associated with your account.
We use the information we collect for the following purposes, each grounded in a lawful basis under applicable data protection law:
We process your data to provide, operate, and maintain the Service. This includes authenticating your identity, rendering your workspace content, executing integrations with connected services, processing AI analysis requests on your behalf, sending transactional emails (verification, password reset, billing receipts), and ensuring the Service functions as intended. The lawful basis for this processing is performance of our contract with you.
We use aggregated and anonymized usage data to understand how users interact with the Service, identify performance bottlenecks, prioritize feature development, and improve reliability. We do not use the content of your workspace (emails, tasks, meeting notes) for training AI models. The lawful basis for this processing is our legitimate interest in maintaining and improving a high-quality service.
We may contact you for the following reasons:
We may process your data to detect, investigate, and prevent fraud, abuse, or other harmful activity; to enforce our Terms of Service; to comply with applicable laws and legal processes; and to protect the rights, property, and safety of Delegate, our users, and the public. The lawful bases for this processing are our legitimate interests and compliance with legal obligations.
We use your account information and Stripe customer identifiers to manage your subscription plan, process payments, issue invoices, handle refunds, and enforce plan-level usage limits.
We do not sell your personal information. We do not share your data with third parties for their own marketing purposes. We share data only as described below and solely to the extent necessary.
Delegate's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Data obtained via Google APIs is used only to provide and improve features that are directly visible to and used by the user within Delegate. We do not use Google user data to serve advertising, transfer it to third parties except as necessary to provide the Service, or allow humans to read it except with your explicit consent, for security purposes, or as required by law.
To deliver AI-powered features, content you submit for analysis (email text, meeting transcripts, task descriptions) is transmitted to our AI model providers for inference. Our current providers include:
Users on self-hosted deployments may configure their own AI providers, and in those cases Delegate transmits data only to the providers you configure and control.
Billing and subscription management is handled by Stripe, Inc. When you provide payment information, it is submitted directly to Stripe and governed by Stripe's Privacy Policy. We receive a Stripe customer identifier and subscription status in return, but we never store raw payment card data on our infrastructure.
Our cloud-hosted Service runs on infrastructure provided by reputable cloud providers operating data centers in the United States and the European Union (depending on your region). All sub-processors are bound by data processing agreements consistent with applicable law.
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights or safety of Delegate, our users, or the public. We will notify affected users of such requests to the extent permitted by law.
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service of any such change in ownership or use of your personal information, and will outline choices you may have with respect to your information.
Your workspace data is stored in a PostgreSQL 16 database. We use Prisma ORM for all database interactions to enforce query parameterization and prevent SQL injection. Production databases are provisioned with automated daily backups, point-in-time recovery, and replicas for high availability.
All data transmitted between your device and Delegate is encrypted in transit using TLS 1.2 or higher. Data at rest in our database and storage systems is encrypted using AES-256. OAuth tokens and other credentials stored in the database are subject to encryption at the infrastructure layer.
Note: We are currently working to implement application-layer encryption for OAuth tokens stored in the database. Users with elevated security requirements are encouraged to use self-hosted deployments where they control key management.
Access to production data is restricted to authorized personnel on a strict need-to-know basis. All employee access to production systems requires multi-factor authentication. We conduct periodic access reviews to revoke unnecessary privileges. Database credentials are rotated regularly and managed via secrets management systems.
We conduct regular dependency audits and apply security patches promptly. Our application layer is built on Next.js with NextAuth for authentication, employing JWT sessions with server-side validation, CSRF protections, and HTTP security headers. Webhook endpoints validate cryptographic signatures before processing payloads.
We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion, we delete or anonymize your personal data within 30 days, except where we are required to retain it for longer periods to comply with legal obligations, resolve disputes, or enforce agreements. Workspace content (tasks, meetings, emails cached for AI analysis) is deleted immediately upon your request or account closure.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach, to the extent required by applicable law, and will provide guidance on protective steps you can take.
Depending on your jurisdiction, you have certain rights with respect to your personal information. We are committed to honoring these rights without requiring you to justify your request. To exercise any of the rights below, contact us at privacy@delegate.ws.
You have the right to request a copy of the personal information we hold about you, including the categories of data, the purposes for which it is processed, and the third parties with whom it is shared.
You have the right to request that we correct inaccurate or incomplete personal information about you. You can update most profile information directly within your account settings.
You have the right to request deletion of your personal information. You may delete your account at any time from your account settings, and we will delete your data within 30 days.
You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit that data to another controller.
In certain circumstances, you have the right to request that we restrict the processing of your personal information, for example while a correction request is being resolved.
You have the right to object to processing of your personal information where we rely on legitimate interests as the lawful basis, including for direct marketing purposes.
Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
We will not discriminate against you for exercising any of your privacy rights, including by denying you the Service or charging different prices.
We will respond to all rights requests within 30 days. In complex cases we may extend this by a further 60 days, in which case we will notify you. We may need to verify your identity before processing your request. California residents may additionally designate an authorized agent to make requests on their behalf.
If you are located in the European Economic Area and believe your rights have not been respected, you have the right to lodge a complaint with your local data protection supervisory authority.
The Delegate Service is not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or under 16 in the European Economic Area). Our Service is intended for use by adults and business users only.
If you are a parent or guardian and you believe that your child has provided personal information to us without your consent, please contact us immediately at privacy@delegate.ws. If we become aware that we have collected personal information from a child under the applicable age of consent without verified parental consent, we will take steps to delete that information from our systems within 72 hours.
Organizations that use Delegate for educational purposes involving minors are responsible for ensuring appropriate consent and compliance with applicable laws such as COPPA (Children's Online Privacy Protection Act) and FERPA in the United States.
Delegate is operated primarily in the United States. If you are accessing the Service from outside the United States — including from the European Economic Area (EEA), United Kingdom, or Switzerland — your personal information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate.
The United States and certain other countries may not provide the same level of data protection as the laws of your home country. Where we transfer personal data from the EEA, UK, or Switzerland to third countries that have not been deemed adequate by the relevant supervisory authority, we rely on appropriate safeguards, including:
You may request a copy of the safeguards we have put in place for international transfers by contacting us at privacy@delegate.ws. Self-hosted deployments allow you to keep your data entirely within your own infrastructure and jurisdiction.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the “Last updated” date at the top of this page.
For material changes — those that significantly affect your rights or the way we use your data — we will provide a more prominent notice, including:
For non-material changes (such as clarifications, corrections, or updates to reflect new features that do not change how existing data is used), we will update the policy without separate notification. We encourage you to review this policy periodically to stay informed about how we protect your information.
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must discontinue your use of the Service and may request deletion of your account and data.
If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact us:
For data rights requests, questions about this policy, or concerns about our data practices.
For account issues, technical questions, and general product support.
For responsible disclosure of security vulnerabilities or suspected data breaches.
Delegate
Privacy requests submitted by post should include your name, email address, and a clear description of your request. We aim to respond within 30 days.
We take all privacy inquiries seriously and will respond to your request within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the relevant data protection supervisory authority in your jurisdiction.
This Privacy Policy was last reviewed and approved in March 2026. Previous versions are available upon request.