Privacy Policy

This Privacy Policy explains how Friday™ by Sordahl ApS ("Friday", "we", "us") collects, uses, stores, and protects personal data when people visit our website, contact us, book a demo, or use the Friday™ product.

Friday is primarily a data processor when we process employee check-in data on behalf of a customer organisation. The customer organisation is normally the data controller for workplace data. For website visitors, demo requests, customer contacts, billing contacts, and our own business administration, Friday is normally the data controller.

Information We Collect

We collect only the data needed to provide, secure, support, and improve Friday.

Account and profile data

Name, email address, organisation, role, job title, team, manager relationship, segments, language, timezone, notification preferences, profile picture where used, and account settings.

Employee check-in data

Well-being or work-week score, written feedback/comments, reflections, selected or active feedback privacy mode, timestamps, check-in history, AI-generated themes, recommendations, reports, and trend data.

Organisation data

Company name, employee lists, teams, segments, domains, check-in schedules, privacy settings, role permissions, administrator configuration, and implementation settings.

Website, sales, and support data

Demo requests, contact form submissions, email conversations, support messages, onboarding notes, customer communications, and billing or contract-related contact information.

Technical and security data

IP address, browser type, device information, log data, pages viewed, product usage events, error reports, performance data, authentication data, and security events.

Sources Of Personal Data

We receive personal data from users directly, customer organisations, authentication providers where enabled, service usage/logs, and communications with Friday.

This includes:

  • Users directly, when they create an account, submit a check-in, write feedback, contact support, or communicate with Friday.
  • Customer organisations, when they invite users, configure teams, roles, segments, schedules, permissions, and account settings.
  • Authentication providers where enabled, such as Google Sign-In.
  • Service usage, logs, devices, browsers, and security systems when people visit the website or use the product.
  • Emails, demo requests, contracts, onboarding notes, and other communications with Friday.

Cookies And Similar Technologies

Cookies, local storage, session storage, and similar technologies may be used for authentication, security, preferences, diagnostics, and product functionality. Non-essential analytics, tracking, or similar technologies must only run where legally permitted and, where required, after valid consent. The public website does not currently set non-essential analytics or tracking cookies.

Authentication and session storage

Provider
Friday
Purpose
Authenticate users, keep product sessions active, and protect account access.
Category
Necessary authentication/security
Duration
Cookie storage is set for up to 1 year; local/session storage remains until logout, expiry, or browser clearing.
Consent required?
No, necessary.

Local storage preferences

Provider
Friday
Purpose
Remember product preferences such as display theme and support core product functionality.
Category
Product functionality/preference
Duration
Until changed or cleared by the user.
Consent required?
No, product functionality.

Vercel Analytics

Provider
Vercel Inc.
Purpose
Understand product usage and performance in the authenticated app. Vercel Web Analytics does not use cookies.
Category
Analytics
Duration
No persistent analytics cookie set by Friday.
Consent required?
Yes, where required by law.

Google Sign-In where enabled

Provider
Google Ireland Limited
Purpose
Allow invited users to authenticate with a Google account.
Category
Necessary authentication
Duration
Set by Google according to the user’s Google account, browser settings, and Google policies.
Consent required?
No, necessary when used for authentication.

Sentry error reporting where enabled

Provider
Sentry / Functional Software, Inc.
Purpose
Detect and investigate technical errors, crashes, and performance issues.
Category
Diagnostics/error reporting
Duration
Retained according to the configured error-reporting settings and support needs.
Consent required?
Depends on configuration and data collected.

Public website analytics or marketing cookies

Provider
Not currently used
Purpose
Friday does not currently set non-essential analytics, tracking, or marketing cookies on the public website.
Category
Not currently used
Duration
Not applicable.
Consent required?
Not applicable.

You can withdraw or change non-essential consent through the controls shown where non-essential technologies are offered, or by clearing browser storage. Necessary session storage is required for the product to work and clearing it may sign you out.

How We Use Data

Provide Friday product

Data used
Account/profile data, organisation data, check-in data, technical data.
Legal basis / role
Processor for customer workplace data under customer instructions; contract/legitimate interests for customer account administration.

Run check-ins and reminders

Data used
Account/profile data, schedule settings, email address, check-in history.
Legal basis / role
Processor under customer instructions.

Analyse feedback and generate insights

Data used
Scores, comments, themes, timestamps, teams/segments, historical trends.
Legal basis / role
Processor under customer instructions.

Generate employee and manager recommendations

Data used
Check-in data, themes, trends, and relevant organisation context.
Legal basis / role
Processor under customer instructions.

Manage demos, support, contracts, and billing

Data used
Contact details, messages, customer information.
Legal basis / role
Contract, steps prior to contract, legitimate interests, and legal obligations.

Secure, monitor, debug, and improve the service

Data used
Logs, device/browser data, security events, usage and error data.
Legal basis / role
Legitimate interests and, for customer workplace data, processor under customer instructions.

Comply with law and protect rights

Data used
Relevant account, contract, technical, and communication data.
Legal basis / role
Legal obligations and legitimate interests.

Feedback Privacy Modes

Friday is built around employee feedback, so visibility must be clear before employees submit feedback. A customer organisation chooses the feedback visibility mode available for a check-in. Employees should be able to see the active mode before submitting feedback.

Aggregated

Individual employee feedback and personal data are not shown. Friday summarizes feedback for a relevant period.

Anonymized

Written feedback can be shown without employee names only when more than 3 people in the relevant team or segment have submitted feedback for that period. This mode hides employee names from customer-facing views, but it does not necessarily make the underlying data anonymous under GDPR.

Open

Feedback may be shown together with the employee’s name according to the customer’s configuration.

Even where feedback is displayed as aggregated or anonymized in the product, Friday may retain account-level backend records where needed to operate the service, enforce access controls, troubleshoot issues, maintain auditability, support security, and comply with customer agreements or law. Access to those records is restricted to authorised systems and personnel.

Sensitive Data

Friday does not ask employees to submit special-category personal data. Users should avoid submitting unnecessary sensitive personal data about themselves or others.

Written feedback is free text, so users may choose to include information about health, stress, relationships, workplace conflicts, or other sensitive matters. Customers should configure and use Friday in a way that is appropriate for their workplace and legal obligations.

Customers must not use Friday to intentionally collect special-category personal data unless they have identified a valid legal basis, an applicable Article 9 condition, appropriate safeguards, and have informed employees accordingly.

Friday processes submitted workplace data only according to the customer’s instructions, unless law requires otherwise.

AI Processing

Friday uses AI to help interpret written feedback, map comments to well-being drivers, identify themes, detect trends, and generate recommendations for employees, managers, and People & Culture teams.

Friday does not use customer workplace data or employee feedback to train public AI models or third-party foundation models. Customer-specific organisation context may be used as input for that customer’s recommendations and insights, but not to train public or third-party foundation models.

AI outputs are recommendations and decision-support only. They are not automated employment decisions.

Friday does not currently provide features that allow employers to use employee feedback for profiling, performance evaluation, promotion decisions, disciplinary decisions, dismissal decisions, compensation decisions, or other employment decisions with legal or similarly significant effect.

Friday is not designed, authorised, or intended for recruitment, selection, promotion, termination, compensation, disciplinary decisions, performance scoring, or automated monitoring/evaluation of individual employee performance.

Friday is not designed or intended to identify employees’ emotions through biometric, behavioural, or surveillance-based emotion recognition. Friday must not be used for employee monitoring, ranking, profiling, or employment decision-making.

Customers and managers remain responsible for how they interpret and act on insights. Friday outputs, scores, feedback, recommendations, reports, and insights must not be used as the sole, primary, or determinative basis for hiring, firing, promotion, compensation, discipline, performance evaluation, or other decisions that may significantly affect an employee.

If Friday introduces new employee profiling or materially different AI processing in the future, we will update this Privacy Policy and relevant customer documentation before that feature is released.

Sharing And Disclosure

We do not sell personal data.

We may share personal data only:

  • With the customer organisation, according to its role permissions, configuration, and selected feedback privacy mode.
  • With authorised service providers/subprocessors needed to host, store, secure, deliver, analyse, monitor, and support Friday.
  • With professional advisers, authorities, courts, or regulators where legally required or necessary to protect rights, safety, security, or legal interests.
  • In connection with a merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate safeguards.

Service Providers/Subprocessors

Vercel Inc.

Purpose
Hosting, deployment, and Vercel Analytics where enabled.
Used for customer workplace data?
Yes, where required to host and provide the service.
Data processed
Website and product hosting data, logs, IP address, device/browser data, and product analytics events where enabled.
Processing location / region
Configured for EU/EEA processing where available; may involve access from outside the EEA.
Transfer safeguard
SCCs, adequacy decision, or other applicable safeguards where required.

MongoDB, Inc.

Purpose
Database and data storage.
Used for customer workplace data?
Yes, where required to provide the service.
Data processed
Account data, organisation data, check-in data, feedback, configuration, logs, and related product records.
Processing location / region
Configured for EU/EEA database region where available; may involve access from outside the EEA.
Transfer safeguard
SCCs, adequacy decision, or other applicable safeguards where required.

Sentry / Functional Software, Inc.

Purpose
Error and bug reporting.
Used for customer workplace data?
No, unless included in support or error context.
Data processed
Error reports, stack traces, device/browser data, IP address, performance data, and limited account or event context where needed to debug issues.
Processing location / region
Configured for EU/EEA processing where available; may involve access from outside the EEA.
Transfer safeguard
SCCs, adequacy decision, or other applicable safeguards where required.

Microsoft Ireland Operations Limited

Purpose
Data analysis and AI-related processing.
Used for customer workplace data?
Yes, where required for configured AI and analysis features.
Data processed
Feedback text, scores, themes, organisation context, prompts, outputs, recommendations, and usage metadata where configured.
Processing location / region
Configured for EU/EEA or data-zone processing where available; may involve access from outside the EEA.
Transfer safeguard
SCCs, adequacy decision, or other applicable safeguards where required.

Slack Technologies LLC

Purpose
Operational notifications.
Used for customer workplace data?
Limited, where configured for operational notifications.
Data processed
Operational activity notifications and metadata, which may include account, organisation, or service event information where configured.
Processing location / region
May involve processing in the United States and other provider locations.
Transfer safeguard
SCCs, adequacy decision, or other applicable safeguards where required.

Resend / Plus Five Five, Inc.

Purpose
Email delivery.
Used for customer workplace data?
Yes, where required for product emails and reminders.
Data processed
Names, email addresses, login links, notification content, reminder content, service emails, and delivery metadata.
Processing location / region
May involve processing in the United States and other provider locations.
Transfer safeguard
SCCs, adequacy decision, or other applicable safeguards where required.

Google Sign-In / Google Ireland Limited

Purpose
Authentication where enabled.
Used for customer workplace data?
No, authentication and account data only.
Data processed
Google account identifier, email address, name, authentication tokens, IP address, device/browser data, and login metadata.
Processing location / region
Google infrastructure locations; may involve access from outside the EEA.
Transfer safeguard
SCCs, adequacy decision, Google transfer safeguards, or other applicable safeguards where required.

Some providers are headquartered outside the EEA. Where customer workplace data is processed outside the EEA or accessed from outside the EEA, Friday uses appropriate transfer safeguards such as adequacy decisions, Standard Contractual Clauses, and supplementary technical and organisational measures where required. Processing locations and safeguards are described in our subprocessor list.

Friday may add or replace subprocessors when needed to provide, secure, or improve the service. Where required by a customer agreement or data processing agreement, Friday will give notice of material subprocessor changes and allow objections according to that agreement.

Customers may request information about subprocessors and material subprocessor changes by contacting Friday.

International Transfers

Friday is operated from Denmark. We aim to use EU/EEA hosting and processing locations for customer workplace data where available and agreed. Some providers are headquartered outside the EEA. Where customer workplace data is processed outside the EEA or accessed from outside the EEA, Friday uses appropriate transfer safeguards such as adequacy decisions, Standard Contractual Clauses, and supplementary technical and organisational measures where required. Processing locations and safeguards are described in our subprocessor list.

Retention

For customer workplace data processed on behalf of a customer, Friday keeps personal data for as long as the customer relationship exists, unless the customer agreement says otherwise. When the customer relationship ends, personal data is deleted or returned according to the customer’s instructions. Unless otherwise agreed or legally required, production personal data is deleted within 30 days after termination of the customer relationship, and backups are deleted automatically within a maximum of 90 days.

For website, sales, support, billing, and contract data where Friday is the controller, we keep data only for as long as needed for the purpose collected, including to manage the relationship, comply with legal obligations, resolve disputes, and maintain business records.

For data where Friday acts as controller, we generally apply the following retention periods unless a longer period is required by law, dispute resolution, security investigation, or customer agreement: demo, contact, and sales enquiries for up to 24 months after last interaction; support and customer communications for up to 36 months after last interaction; security logs and technical event data typically for 6 to 12 months unless needed for investigation; and billing, invoice, and accounting records as required under applicable bookkeeping and tax laws.

Individual employees should normally direct workplace data deletion/export/access requests to their employer or organisation, because that organisation is normally the data controller. Friday will assist the organisation as required.

Data Deletion Requests

Users and organisations can contact us at sofie@hifriday.app to request deletion of stored data. If the request concerns workplace data controlled by a customer organisation, we may need to refer the request to that organisation or coordinate with it before acting.

Your Rights

Depending on the context and applicable law, individuals may have the right to request access, correction, deletion, restriction, objection, portability, and information about processing. If processing is based on consent, individuals may withdraw consent at any time without affecting prior lawful processing.

If Friday processes data on behalf of an employer or organisation, Friday may refer the request to that organisation or assist it in responding.

Complaint Right

You may also complain to a data protection authority. In Denmark, the relevant authority is Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, dt@datatilsynet.dk, +45 33 19 32 00.

Security

We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These measures include access controls, role-based permissions, authentication, encryption in transit and at rest where appropriate, logging, monitoring, backup procedures, vulnerability management, and operational safeguards.

No internet service or electronic storage system can be guaranteed to be completely secure. If we become aware of a personal data breach, we will take appropriate steps in line with applicable law and customer agreements.

Children

Friday is intended for workplace use and is not directed at children. We do not knowingly collect personal data from children through the public website. If a child has provided personal data to Friday, contact us so we can review and delete it where appropriate.

Changes

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and may notify customers or users through the service, by email, or by another appropriate method.

Contact

If you have questions about this Privacy Policy or want to make a privacy request, contact:
Friday™ by Sordahl ApS
Email: sofie@hifriday.app