Privacy Policy
Last updated: February 28, 2026
Effective: February 28, 2026
Key Points
Here's the short version of what matters most:
- Your community administrator is the data controller for member data. We process it on their behalf.
- We never sell your personal information. We don't share it for cross-context behavioral advertising.
- Payment card data goes directly to Stripe—we never see or store your full card number.
- We use only the cookies needed to run the service. No third-party tracking or ad cookies.
- You can request access to, correction of, or deletion of your data at any time.
- We honor Global Privacy Control (GPC) signals from your browser.
- If we make material changes to this policy, we'll give you at least 30 days' notice.
1. Introduction
WorkersLab LLC ("we," "our," or "us") operates Somiti, a community management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at somiti.net, community subdomains (*.somiti.net), custom domains pointed to our platform, and any related services (collectively, the "Service").
This policy applies to all users of the Service, including community administrators ("Admins") who create and manage communities, and community members ("Members") who join those communities.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.
2. Data Controller vs. Data Processor
Understanding who controls your data depends on your relationship with Somiti:
2.1 When We Are the Data Controller
We act as the data controller for information we collect directly from you to operate the Service, including:
- Admin account registration and billing information
- Data collected through our marketing website (somiti.net)
- Usage analytics and log data we collect for our own operational purposes
2.2 When We Are the Data Processor
When community administrators use Somiti to manage their members, the administrator is the data controller and we are the data processor. This means:
- The administrator decides what member data to collect, how to use it, and how long to keep it
- We process member data only on the administrator's instructions and to provide the Service
- For questions about how a specific community uses your data, contact that community's administrator
Community administrators who need a formal Data Processing Agreement (DPA) can contact us at the address listed in Section 17.
3. Information We Collect
3.1 Information You Provide
When you register for an account or use our services, we collect:
| Category | Examples | Who Provides It |
|---|---|---|
| Account Information | Name, email address, password, profile photo | Admins & Members |
| Community Information | Community name, description, subdomain, custom domain settings | Admins |
| Member Profile Data | Phone number, address, emergency contacts, custom profile fields | Members |
| Payment Information | Billing address, payment method details (processed by Stripe) | Admins & Members |
| Event Information | Event registrations, attendance records, event-related communications | Members |
| Documents | Files uploaded to the document library | Admins & Members |
| Communications | Messages sent through announcements and notifications | Admins |
3.2 Information Collected Automatically
When you access our Service, we automatically collect:
- Log Data: IP address, browser type, operating system, referring URLs, and pages visited
- Device Information: Device type, unique device identifiers, and mobile network information
- Usage Data: Features used, actions taken, time spent on pages, and interaction patterns
- Cookies: Session cookies and authentication tokens (see Section 14 and our Cookie Policy)
3.3 Information from Third Parties
We may receive information about you from third-party sources:
- Stripe: Payment confirmation, billing details, and fraud-prevention signals related to your transactions
- Community Administrators: Admins may import member lists or provide additional member information when setting up their community
4. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Examples | Legal Basis (GDPR) |
|---|---|---|
| Service Delivery | Provide, maintain, and improve the platform | Contract performance |
| Payment Processing | Process transactions, send invoices and confirmations | Contract performance |
| Communications | Send technical notices, updates, security alerts, support messages | Contract performance / Legitimate interest |
| Customer Support | Respond to your questions and requests | Contract performance |
| Internal Analytics | Monitor trends, usage, and activities; generate reports for admins | Legitimate interest |
| Website Analytics | Aggregate audience measurement: page views, referrers, device type, and country (derived from IP). No cookies, no user profiles, no cross-site tracking. IP hashed immediately, never stored. You can opt out via the footer link. | Legitimate interest |
| Security | Detect, investigate, and prevent fraud and abuse | Legitimate interest |
| Legal Compliance | Comply with applicable laws, regulations, and legal processes | Legal obligation |
5. Information Sharing and Disclosure
We may share your information in the following circumstances:
5.1 With Community Administrators
Community administrators can access member information within their community, including profile data, membership status, event attendance, and payment history. Administrators are responsible for how they use this information within their community.
5.2 With Other Members
Depending on your privacy settings and community configurations, certain profile information may be visible to other community members through the member directory.
5.3 With Service Providers
We share information with third-party service providers who perform services on our behalf, such as payment processing, email delivery, file storage, and error monitoring. These providers are detailed in Section 6.
5.4 For Legal Reasons
We may disclose information if we believe it is necessary to comply with applicable laws, regulations, or legal processes; protect the rights, property, and safety of Somiti, our users, or others; or enforce our terms of service.
5.5 Business Transfers
If WorkersLab LLC is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your information becomes subject to a different privacy policy.
5.6 With Your Consent
We may share your information with third parties when you give us explicit consent to do so, such as when an administrator enables optional integrations (Slack, Mailchimp) for their community.
6. Third-Party Services
We integrate with the following third-party services to operate the platform:
Stripe
Required: Payment processing for memberships, event tickets, and Somiti platform subscriptions
Data shared: Payment card data (sent directly to Stripe; we never see or store full card numbers), billing address, and transaction details. This applies to both member payments within communities and admin subscription payments to Somiti.
Cloudflare R2
Required: Cloud storage for uploaded documents and files
Data shared: Files and documents uploaded through the Service are stored in Cloudflare R2.
Amazon SES
Required: Transactional email delivery (account confirmations, password resets, notifications)
Data shared: Email addresses and message content for transactional emails.
Sentry
Required: Error monitoring and application performance tracking
Data shared: Error data and community/subdomain context for debugging. Personal information (PII) is not sent to Sentry.
Slack
Optional: Community administrators may enable Slack integration for notifications
Data shared: Announcement content and event data are sent to configured Slack webhook channels.
Mailchimp
Optional: Community administrators may enable Mailchimp integration for email marketing
Data shared: Member names, email addresses, and tags are synced to configured Mailchimp audience lists.
Umami Analytics (Self-Hosted)
Optional: Cookieless, privacy-focused website analytics hosted on our own EU infrastructure
Data processed: Page URL, referrer URL, browser type, operating system, device type, country (derived from IP address, then immediately hashed). No cookies are set. No personal data is stored. IP addresses are hashed with a monthly rotating salt and never saved in plain text.
No third-party access: All data stays on our own servers in the EU. No data is shared with or accessible by any third party.
Opt out: Use the “Opt out” link in the website footer, or set localStorage.setItem('umami.disabled', '1') in your browser console.
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you services. When data is no longer needed, we delete or anonymize it according to the following schedule:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion + 30 days | Grace period for accidental deletion |
| Payment records | 7 years after transaction | Tax and legal compliance |
| Event attendance | Lifetime of the community | Historical records for community administrators |
| Uploaded documents | Until removed by user or account deletion | User-controlled content |
| Log data | 90 days | Security monitoring and debugging |
| Error reports (Sentry) | 90 days | Application stability monitoring |
8. Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing using bcrypt
- Role-based access controls and authentication requirements
- Regular security assessments and dependency updates
For detailed information about our security practices, please see our Security page.
9. International Data Transfers
Somiti is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where our servers and central database are located.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses where required for transfers of personal data to the United States
- Data Processing Agreements: Our third-party service providers maintain their own transfer mechanisms (Stripe, AWS, and Cloudflare each maintain SCCs and/or approved certifications)
By using the Service, you acknowledge that your information may be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
10. Your Privacy Rights
10.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request that we correct inaccurate or incomplete information
- Deletion: Request that we delete your personal information
- Portability: Request a copy of your data in a structured, machine-readable format
To exercise these rights, contact us using the information in Section 17. We will respond within 30 days.
10.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You can request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes for collection, and the categories of third parties with whom we share it
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions
- Right to Correct: You can request correction of inaccurate personal information
- Right to Opt Out: You can opt out of the "sale" or "sharing" of personal information (see Section 11)
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
The following table describes the categories of personal information we collect under the CCPA:
| CCPA Category | Examples | Sold or Shared? |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | No |
| Commercial information | Payment history, membership records | No |
| Internet activity | Log data, usage data, pages visited | No |
| Professional information | Community membership, organizational role | No |
10.3 EU/UK Residents (GDPR)
If you are in the European Economic Area or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):
- Restriction: Request that we restrict the processing of your information in certain circumstances
- Objection: Object to our processing of your personal information based on legitimate interests
- Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing
- Lodge a Complaint: File a complaint with your local data protection authority (see Section 16)
The legal bases for our processing are described in the table in Section 4.
11. Do Not Sell or Share
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. This has been our practice since our founding and is not contingent on receiving opt-out requests.
As defined by the CCPA/CPRA, we do not "sell" or "share" personal information and have not done so in the preceding 12 months.
12. Global Privacy Control
We honor Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal, we treat it as a valid opt-out request under applicable privacy laws, including the CCPA/CPRA.
You can learn more about GPC and enable it in your browser at globalprivacycontrol.org.
13. Children's Privacy
Somiti is not intended for children. We do not knowingly collect personal information from children under 13 years of age (under COPPA) or under 16 years of age (under GDPR, where applicable).
If you are a parent or guardian and believe your child has provided us with personal information, please contact us using the information in Section 17 so we can promptly delete such information.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will post the revised policy on this page and update the "Last updated" date at the top.
For material changes—such as new categories of data collection, new sharing practices, or reduced privacy rights—we will provide at least 30 days' advance notice via email or a prominent notice on the Service before the changes take effect. Your continued use of Somiti after the effective date of any changes indicates your acceptance of the updated policy.
16. Dispute Resolution
This Privacy Policy is governed by the laws of the State of Wyoming, United States, without regard to its conflict of law provisions.
If you have a concern about our privacy practices that we have not resolved to your satisfaction, you may:
- Contact us first using the information in Section 17—we commit to responding within 30 days
- File a complaint with the appropriate regulatory authority in your jurisdiction
For EU/UK residents: You have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu. For the UK, contact the Information Commissioner's Office (ICO).
For California residents: You may contact the California Attorney General's office at oag.ca.gov/privacy.
17. Contact Us
If you have any questions about this Privacy Policy, want to exercise your privacy rights, or have a complaint about our data practices, please contact us:
WorkersLab LLC
30 N Gould ST STE R
Sheridan, WY 82801
Website: workerslab.com
We will acknowledge your request within 10 business days and provide a substantive response within 30 days. If we need more time, we will let you know why and provide an updated timeline.