Privacy Policy

Scope & Roles

This Privacy Policy applies to the MBW web application, mobile experiences, and related services (the "Services"). When your company uses MBW, your company is typically the data controller for business data you add to the workspace. MBW acts as your data processor/service provider, processing that data under your instructions and our agreement. We also act as an independent controller for limited diagnostic, security, and service-improvement data about your users and their use of MBW.

Information We Collect

  • Account & Company Data. Admin/user names, emails, phone numbers, login identifiers, company profile details, plan and billing configuration.
  • Workspace Content (Customer/Operational Data). Information you store in MBW (customers/contacts, jobs/appointments, products/inventory, invoices/payments, documents & e-signatures, messages, notes, files).
  • Usage & Device Data. IP address, device/browser type, pages/actions, timestamps, performance diagnostics, and crash/error data.
  • Support & Feedback. Information you provide to support, including problem descriptions and attachments.
  • Integrations. If you connect third-party services (email/SMS, accounting, payments, etc.), MBW receives the data needed to enable those integrations according to permissions you grant.
  • Payment. Subscription payments are handled by a PCI-compliant processor; MBW does not store full card numbers.

How We Use Information

  • Provide, operate, and secure the Services (authentication, access control, fraud/abuse prevention).
  • Perform the features you enable-CRM, scheduling, billing, subscriptions, documents/e-sign, messaging, reporting, inventory, and POS.
  • Send admin/transactional communications (account notices, changes, security alerts).
  • Provide support and troubleshoot issues (including error logging).
  • Analyze aggregate usage to improve reliability, performance, and user experience.
  • Comply with law, enforce agreements, and protect MBW, our users, and the public.

Where required, we rely on appropriate legal bases (e.g., performance of a contract, legitimate interests in securing and improving the service, or your consent).

How We Share Information

  • Your Direction. We share data when you send emails/SMS, issue invoices, take payments, or connect integrations.
  • Service Providers. We use vetted vendors (e.g., Microsoft Azure hosting/storage; email/SMS; optional accounting/payment/communications providers you connect). They may only use data to deliver contracted services and must protect it appropriately.
  • Compliance & Safety. We may disclose information if required by law or to protect rights, safety, and security.
  • Business Transfers. In a merger, acquisition, or asset sale, data may transfer subject to this Policy or a policy with equivalent protections.

We do not sell personal information.

Connected Accounts (Gmail and Microsoft)

  • We can connect to your Gmail or Microsoft 365 account to send calendar invitations, quotes, invoices, and other customer communications that you initiate from within the application. When you connect an account, our application receives authorization tokens from Google or Microsoft. We store these tokens securely and limit access to authorized personnel and systems. We use these tokens only to perform the actions you request within the designed workflows of your company.
  • If you choose to use the integrated email feature, we store limited message metadata, including the recipient, sender, subject, and message ID. We do not store the contents of the email in our system. Email content is retrieved from Google or Microsoft in real time and access to that content is restricted to authorized users only.
  • We do not sell Google or Microsoft user data. We do not use user data for advertising. We do not allow third parties to access Google or Microsoft user data except as necessary to provide the service (for example, cloud hosting and logging providers under confidentiality and security obligations). We will never use connected Google accounts to send emails outside of the designed workflows initiated by your company.
  • We protect Google and Microsoft user data using industry-standard safeguards, including encryption in transit (TLS/HTTPS) and encryption at rest where supported by our hosting providers. Access to connected-account tokens and any related data is restricted by role-based access controls and least-privilege principles, and is limited to authorized systems and personnel who require access to operate and support the service. We maintain logging and monitoring to help detect abuse and security incidents, and we review and update security controls as needed.
  • We request only the OAuth scopes needed for the features you enable and use Google user data only to perform actions you initiate.
  • We retain connected-account tokens only while your account remains connected (or as needed for legitimate business and legal purposes), and you may disconnect your account to revoke access.
  • We only access, process, and store Google user data as needed to provide the features you enable (for example, generating and sending emails and calendar invitations you initiate).
  • We do not store the contents of your Gmail messages. We only use your connected account to send emails and calendar invitations that you initiate from within the application.
  • You can revoke We's access to your Google account at any time by disconnecting your Google account within and/or by removing access in your Google Account security settings.

Cookies & Similar Technologies

We use cookies and similar technologies for session management, authentication, security, preferences, analytics, and feature performance. You can control cookies in your browser; some features may not work if essential cookies are disabled.

Security

Data is hosted in secure Microsoft Azure environments. We apply encryption in transit, network and access controls, least-privilege practices, auditing, and backups. No method is 100% secure; we continuously improve safeguards. We recommend enabling MFA and role-based permissions.

Data Retention

We retain workspace content while your company maintains an account or as needed to provide the Services. Admins control most lifecycle actions. Limited logs/backups may be retained for a reasonable period for security, continuity, and legal obligations. After termination we follow scheduled deletion unless law or your instructions require otherwise.

Your Choices & Rights

  • Account Controls. Admins manage users, roles, features, and retention settings.
  • Access/Correction/Deletion. If your personal data is stored in MBW by a customer, direct requests to that customer (controller). We support our customers in fulfilling requests.
  • Marketing Opt-Out. Use the unsubscribe link to stop marketing emails; we may still send essential service notices.

Children's Privacy

MBW is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child's data is in MBW, contact us and we will act appropriately.

International Transfers

MBW may process/store information in the United States and other locations where we or our providers operate. Where required, we use appropriate transfer mechanisms and safeguards.

Changes to this Policy

We may update this Policy from time to time. Material changes will be posted in-app or sent to account contacts. Your continued use of MBW after an update signifies acceptance.

Last updated: October 4, 2025

Contact

My Business Workspace
Email: contact@mybusinessworkspace.com
Phone: 346-435-3128