Information We Collect
We collect only the data needed to provide, secure, support, and improve Friday.
Account and profile data
Name, email address, organisation, role, job title, team, manager relationship, segments, language, timezone, notification preferences, profile picture where used, and account settings.
Employee check-in data
Well-being or work-week score, written feedback/comments, reflections, selected or active feedback privacy mode, timestamps, check-in history, AI-generated themes, recommendations, reports, and trend data.
Organisation data
Company name, employee lists, teams, segments, domains, check-in schedules, privacy settings, role permissions, administrator configuration, and implementation settings.
Website, sales, and support data
Demo requests, contact form submissions, email conversations, support messages, onboarding notes, customer communications, and billing or contract-related contact information.
Technical and security data
IP address, browser type, device information, log data, pages viewed, product usage events, error reports, performance data, authentication data, and security events.
Sources Of Personal Data
We receive personal data from users directly, customer organisations, authentication providers where enabled, service usage/logs, and communications with Friday.
This includes:
- Users directly, when they create an account, submit a check-in, write feedback, contact support, or communicate with Friday.
- Customer organisations, when they invite users, configure teams, roles, segments, schedules, permissions, and account settings.
- Authentication providers where enabled, such as Google Sign-In.
- Service usage, logs, devices, browsers, and security systems when people visit the website or use the product.
- Emails, demo requests, contracts, onboarding notes, and other communications with Friday.
How We Use Data
| Purpose | Data used | Legal basis / role |
|---|---|---|
| Provide Friday product | Account/profile data, organisation data, check-in data, technical data. | Processor for customer workplace data under customer instructions; contract/legitimate interests for customer account administration. |
| Run check-ins and reminders | Account/profile data, schedule settings, email address, check-in history. | Processor under customer instructions. |
| Analyse feedback and generate insights | Scores, comments, themes, timestamps, teams/segments, historical trends. | Processor under customer instructions. |
| Generate employee and manager recommendations | Check-in data, themes, trends, and relevant organisation context. | Processor under customer instructions. |
| Manage demos, support, contracts, and billing | Contact details, messages, customer information. | Contract, steps prior to contract, legitimate interests, and legal obligations. |
| Secure, monitor, debug, and improve the service | Logs, device/browser data, security events, usage and error data. | Legitimate interests and, for customer workplace data, processor under customer instructions. |
| Comply with law and protect rights | Relevant account, contract, technical, and communication data. | Legal obligations and legitimate interests. |
Feedback Privacy Modes
Friday is built around employee feedback, so visibility must be clear before employees submit feedback. A customer organisation chooses the feedback visibility mode available for a check-in. Employees should be able to see the active mode before submitting feedback.
Aggregated
Individual employee feedback and personal data are not shown. Friday summarizes feedback for a relevant period.
Anonymized
Written feedback can be shown without employee names only when more than 3 people in the relevant team or segment have submitted feedback for that period. This mode hides employee names from customer-facing views, but it does not necessarily make the underlying data anonymous under GDPR.
Open
Feedback may be shown together with the employee’s name according to the customer’s configuration.
Even where feedback is displayed as aggregated or anonymized in the product, Friday may retain account-level backend records where needed to operate the service, enforce access controls, troubleshoot issues, maintain auditability, support security, and comply with customer agreements or law. Access to those records is restricted to authorised systems and personnel.
Sensitive Data
Friday does not ask employees to submit special-category personal data. Users should avoid submitting unnecessary sensitive personal data about themselves or others.
Written feedback is free text, so users may choose to include information about health, stress, relationships, workplace conflicts, or other sensitive matters. Customers should configure and use Friday in a way that is appropriate for their workplace and legal obligations.
Customers must not use Friday to intentionally collect special-category personal data unless they have identified a valid legal basis, an applicable Article 9 condition, appropriate safeguards, and have informed employees accordingly.
Friday processes submitted workplace data only according to the customer’s instructions, unless law requires otherwise.
AI Processing
Friday uses AI to help interpret written feedback, map comments to well-being drivers, identify themes, detect trends, and generate recommendations for employees, managers, and People & Culture teams.
Friday does not use customer workplace data or employee feedback to train public AI models or third-party foundation models. Customer-specific organisation context may be used as input for that customer’s recommendations and insights, but not to train public or third-party foundation models.
AI outputs are recommendations and decision-support only. They are not automated employment decisions.
Friday does not currently provide features that allow employers to use employee feedback for profiling, performance evaluation, promotion decisions, disciplinary decisions, dismissal decisions, compensation decisions, or other employment decisions with legal or similarly significant effect.
Friday is not designed, authorised, or intended for recruitment, selection, promotion, termination, compensation, disciplinary decisions, performance scoring, or automated monitoring/evaluation of individual employee performance.
Friday is not designed or intended to identify employees’ emotions through biometric, behavioural, or surveillance-based emotion recognition. Friday must not be used for employee monitoring, ranking, profiling, or employment decision-making.
Customers and managers remain responsible for how they interpret and act on insights. Friday outputs, scores, feedback, recommendations, reports, and insights must not be used as the sole, primary, or determinative basis for hiring, firing, promotion, compensation, discipline, performance evaluation, or other decisions that may significantly affect an employee.
If Friday introduces new employee profiling or materially different AI processing in the future, update this Privacy Policy and relevant customer documentation before that feature is released.
Service Providers/Subprocessors
Vercel Inc.
- Purpose
- Hosting, deployment, and Vercel Analytics where enabled.
- Used for customer workplace data?
- Yes, where required to host and provide the service.
- Data processed
- Website and product hosting data, logs, IP address, device/browser data, and product analytics events where enabled.
- Processing location / region
- Configured for EU/EEA processing where available; may involve access from outside the EEA.
- Transfer safeguard
- SCCs, adequacy decision, or other applicable safeguards where required.
MongoDB, Inc.
- Purpose
- Database and data storage.
- Used for customer workplace data?
- Yes, where required to provide the service.
- Data processed
- Account data, organisation data, check-in data, feedback, configuration, logs, and related product records.
- Processing location / region
- Configured for EU/EEA database region where available; may involve access from outside the EEA.
- Transfer safeguard
- SCCs, adequacy decision, or other applicable safeguards where required.
Sentry / Functional Software, Inc.
- Purpose
- Error and bug reporting.
- Used for customer workplace data?
- No, unless included in support or error context.
- Data processed
- Error reports, stack traces, device/browser data, IP address, performance data, and limited account or event context where needed to debug issues.
- Processing location / region
- Configured for EU/EEA processing where available; may involve access from outside the EEA.
- Transfer safeguard
- SCCs, adequacy decision, or other applicable safeguards where required.
Microsoft Ireland Operations Limited
- Purpose
- Data analysis and AI-related processing.
- Used for customer workplace data?
- Yes, where required for configured AI and analysis features.
- Data processed
- Feedback text, scores, themes, organisation context, prompts, outputs, recommendations, and usage metadata where configured.
- Processing location / region
- Configured for EU/EEA or data-zone processing where available; may involve access from outside the EEA.
- Transfer safeguard
- SCCs, adequacy decision, or other applicable safeguards where required.
Slack Technologies LLC
- Purpose
- Operational notifications.
- Used for customer workplace data?
- Limited, where configured for operational notifications.
- Data processed
- Operational activity notifications and metadata, which may include account, organisation, or service event information where configured.
- Processing location / region
- May involve processing in the United States and other provider locations.
- Transfer safeguard
- SCCs, adequacy decision, or other applicable safeguards where required.
Resend / Plus Five Five, Inc.
- Purpose
- Email delivery.
- Used for customer workplace data?
- Yes, where required for product emails and reminders.
- Data processed
- Names, email addresses, login links, notification content, reminder content, service emails, and delivery metadata.
- Processing location / region
- May involve processing in the United States and other provider locations.
- Transfer safeguard
- SCCs, adequacy decision, or other applicable safeguards where required.
Google Sign-In / Google Ireland Limited
- Purpose
- Authentication where enabled.
- Used for customer workplace data?
- No, authentication and account data only.
- Data processed
- Google account identifier, email address, name, authentication tokens, IP address, device/browser data, and login metadata.
- Processing location / region
- Google infrastructure locations; may involve access from outside the EEA.
- Transfer safeguard
- SCCs, adequacy decision, Google transfer safeguards, or other applicable safeguards where required.
Some providers are headquartered outside the EEA. Where customer workplace data is processed outside the EEA or accessed from outside the EEA, Friday uses appropriate transfer safeguards such as adequacy decisions, Standard Contractual Clauses, and supplementary technical and organisational measures where required. Processing locations and safeguards are described in our subprocessor list.
Friday may add or replace subprocessors when needed to provide, secure, or improve the service. Where required by a customer agreement or data processing agreement, Friday will give notice of material subprocessor changes and allow objections according to that agreement.
Customers may request information about subprocessors and material subprocessor changes by contacting Friday.
International Transfers
Friday is operated from Denmark. We aim to use EU/EEA hosting and processing locations for customer workplace data where available and agreed. Some providers are headquartered outside the EEA. Where customer workplace data is processed outside the EEA or accessed from outside the EEA, Friday uses appropriate transfer safeguards such as adequacy decisions, Standard Contractual Clauses, and supplementary technical and organisational measures where required. Processing locations and safeguards are described in our subprocessor list.
Retention
For customer workplace data processed on behalf of a customer, Friday keeps personal data for as long as the customer relationship exists, unless the customer agreement says otherwise. When the customer relationship ends, personal data is deleted or returned according to the customer’s instructions. Unless otherwise agreed or legally required, production personal data is deleted within 30 days after termination of the customer relationship, and backups are deleted automatically within a maximum of 90 days.
For website, sales, support, billing, and contract data where Friday is the controller, we keep data only for as long as needed for the purpose collected, including to manage the relationship, comply with legal obligations, resolve disputes, and maintain business records.
For data where Friday acts as controller, we generally apply the following retention periods unless a longer period is required by law, dispute resolution, security investigation, or customer agreement: demo, contact, and sales enquiries for up to 24 months after last interaction; support and customer communications for up to 36 months after last interaction; security logs and technical event data typically for 6 to 12 months unless needed for investigation; and billing, invoice, and accounting records as required under applicable bookkeeping and tax laws.
Individual employees should normally direct workplace data deletion/export/access requests to their employer or organisation, because that organisation is normally the data controller. Friday will assist the organisation as required.
Data Deletion Requests
Users and organisations can contact us at sofie@hifriday.app to request deletion of stored data. If the request concerns workplace data controlled by a customer organisation, we may need to refer the request to that organisation or coordinate with it before acting.
Your Rights
Depending on the context and applicable law, individuals may have the right to request access, correction, deletion, restriction, objection, portability, and information about processing. If processing is based on consent, individuals may withdraw consent at any time without affecting prior lawful processing.
If Friday processes data on behalf of an employer or organisation, Friday may refer the request to that organisation or assist it in responding.
Complaint Right
You may also complain to a data protection authority. In Denmark, the relevant authority is Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, dt@datatilsynet.dk, +45 33 19 32 00.
Security
We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These measures include access controls, role-based permissions, authentication, encryption in transit and at rest where appropriate, logging, monitoring, backup procedures, vulnerability management, and operational safeguards.
No internet service or electronic storage system can be guaranteed to be completely secure. If we become aware of a personal data breach, we will take appropriate steps in line with applicable law and customer agreements.
Children
Friday is intended for workplace use and is not directed at children. We do not knowingly collect personal data from children through the public website. If a child has provided personal data to Friday, contact us so we can review and delete it where appropriate.
Links
Friday websites or communications may link to external websites or services that we do not operate. We are not responsible for their privacy practices, content, or security.
Changes
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and may notify customers or users through the service, by email, or by another appropriate method.