Privacy Policy
Anastasis Operators, Inc. ("Anastasis," "we," "us") provides a remote workforce platform connecting companies with vetted operators. This policy explains what personal data we collect, why, and your rights under GDPR, CCPA, and other applicable privacy laws.
1. Data Controller
Anastasis Operators, Inc.
Contact: privacy@anapro.co
For EU/UK data subjects: You may also lodge a complaint with your local
supervisory authority.
2. What We Collect
2.1 Account Data
When you register (via Clerk), we process: name, email address, and authentication credentials. Clerk, our identity provider, handles password storage and multi-factor authentication. We never see your password.
2.2 Profile Data
Contractors: skills, assessments (DISC, language, internet speed, PC specs), work history, government ID (for compliance), payout account details (handled by Stripe). Clients: company name, role specifications, team member accounts.
2.3 Work Activity Data
Timesheets, screen captures (domain-level only — never full URLs), application URLs visited, approval decisions, and audit logs. Screen captures are stored as short-lived signed URLs with 15-minute expiry.
2.4 Payment Data
Card numbers, CVV, and full bank details never touch our servers. Payments are processed by Stripe (PCI DSS Level 1). We store only payment status, charge IDs, and payout references.
2.5 Communications
Messages sent through the platform, support tickets, and booking call requests. We do not record calls without explicit consent.
3. Legal Basis for Processing (GDPR)
- Contractual necessity: Account creation, payment processing, platform functionality.
- Legitimate interest: Platform security, fraud prevention, service improvement, aggregated analytics.
- Consent: Assessment tests, screen activity capture during clocked-in sessions, marketing communications (opt-in only).
- Legal obligation: Tax records, compliance with labor laws, law enforcement requests.
4. Third-Party Data Processors
We use the following processors who may access personal data to provide services:
| Processor | Purpose | Privacy Policy |
|---|---|---|
| Clerk, Inc. | Authentication, user management | clerk.com/privacy |
| Stripe, Inc. | Payment processing, payouts | stripe.com/privacy |
| Vercel, Inc. | Hosting, CDN, serverless functions | vercel.com/legal/privacy-policy |
5. Data Retention
- Account data: Retained while account is active. Deleted 90 days after account closure, unless required by law.
- Work activity data: Screen captures expire after 15 minutes. Timesheets and URLs retained for the duration of the client engagement plus 12 months.
- Payment records: Retained 7 years for tax compliance.
- Audit logs: Retained indefinitely for security and compliance, with PII redacted from purge logs.
6. Data Storage & Transfers
Data is stored in the United States on infrastructure provided by Vercel and Stripe. For EU/UK users: data is transferred under Standard Contractual Clauses (SCCs). We apply encryption at rest and in transit for all personal data.
7. Your Rights
7.1 GDPR Rights (EU/UK Residents)
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion ("right to be forgotten"), subject to legal retention requirements.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Restriction: Limit processing while a dispute is resolved.
7.2 CCPA Rights (California Residents)
- Know: Request categories and specific pieces of personal data collected.
- Delete: Request deletion of personal data.
- Opt-out: We do not sell personal data. No opt-out is needed.
- Non-discrimination: Exercising your rights will not affect service quality.
7.3 How to Submit a Request
To exercise any of the above rights, email privacy@anapro.co with:
- Your full name and the email address associated with your account.
- A description of the right you wish to exercise (access, deletion, correction, or portability).
- For access requests: we will provide your data within 30 days in a portable, machine-readable format.
- For deletion requests: we will confirm completion within 30 days, subject to legal retention obligations.
You may also designate an authorized agent to submit a request on your behalf by providing written authorization signed by you. We do not charge fees for reasonable requests. We do not discriminate against users who exercise their privacy rights.
8. Children's Privacy
Our platform is not intended for users under 18. We do not knowingly collect data from children under 13 (COPPA) or 16 (GDPR). If you believe a minor has provided personal data, contact us immediately for deletion.
9. Cookies & Analytics
We use essential cookies for authentication (Clerk) and session management. We do not use advertising or cross-site tracking cookies. Our marketing pages use self-hosted, cookieless analytics (Umami) that we run on our own infrastructure: it records aggregated page views and clicks without cookies, without persistent identifiers, and without sharing data with any third party. No cookie consent banner is required for essential-only cookies under current ePrivacy guidance, however we disclose this use transparently.
10. Security & Breach Notification
We apply encryption at rest (database) and in transit (TLS 1.3). In the event of a personal data breach, we will notify affected users and relevant authorities within 72 hours of discovery, as required by GDPR Art. 33-34.
11. Changes to This Policy
We will post updates on this page and notify active users of material changes via email. Continued use after changes constitutes acceptance unless consent is legally required.
12. Contact
Anastasis Operators, Inc.
Email: privacy@anapro.co
Response time: Within 30 days for data subject requests, 72 hours for breach
notifications.