We’re a security company.
We treat your data accordingly.
Last updated: May 14, 2026. This policy covers NecessityWorks.com.
- If you fill out the waitlist form, we get the email and details you typed. They go to a Google Sheet RJ Friedman (founder) reads.
- If you accept analytics cookies, we get aggregate usage data via PostHog. If you decline, we don’t.
- We don’t sell your data.
- Email [email protected] to see, correct, or delete your data. We reply within 5 business days.
Who we are
NecessityWorks is a software company building an AI-native security and governance platform. The site at necessityworks.com is operated by NecessityWorks. We are based in the United States.
What we collect (and exactly when)
| Trigger | What we collect |
|---|---|
| You fill out the waitlist form | Email, name, company, role, and any free-text you type. Plus the source page (which CTA), Cloudflare Turnstile token (proves you’re not a bot), and approximate IP-derived location (kept by Google as part of Apps Script logs). |
| You accept the analytics cookie banner | Anonymized page views, button clicks, scroll depth, browser, OS, country. Captured by PostHog. No keystrokes, no form contents, no session replay (explicitly disabled). |
| You decline the cookie banner | Nothing. PostHog doesn’t initialize. No analytics calls fire. |
| You just visit and don’t consent | Standard server-side request logs at the CDN edge: IP address, user-agent, timestamp, requested URL. Used for site delivery, abuse detection, and security investigation. |
What we don’t do
The security industry has spent twenty years training buyers to expect surveillance. We refuse the model. We do not:
- Sell your data to anyone, ever.
- Run session replay, keystroke capture, or rage-click recording. PostHog has those features; we have them explicitly turned off in code.
- Use dark patterns to extract consent. The cookie banner has equally weighted Accept and Decline buttons. Decline works.
- Email you outside the topic you signed up for. Waitlist signups get launch-readiness updates. SAST early-access signups get SAST progress. No cross-promotion.
- Share data with advisors, investors, or any party not directly required to operate the site.
Who actually touches your data
These are the third parties that necessarily process some of your data because of how the site is built. Each is pinned for a specific function. We do not authorize them to use it for anything else. The authoritative list lives at /legal/subprocessors.
| Subprocessor | Purpose | Region | Contract |
|---|---|---|---|
| Cloudflare | Hosts the static site, runs Pages Functions for the waitlist API, provides WAF/CDN protection, and performs Turnstile bot checks. | Global edge | Cloudflare DPA |
| Google (Apps Script + Sheets + Workspace email) | Receives waitlist form submissions and stores them in a private Google Sheet. Provides the @necessityworks.com inbox. | Multi-region (Google chooses) | Google Workspace DPA |
| PostHog | Anonymous product analytics. Only loads if you accept the cookie banner. | United States (us.posthog.com) | PostHog DPA |
| Squarespace | Domain registrar and authoritative DNS for necessityworks.com. | United States | Squarespace registrar agreement |
Your rights
Wherever you are in the world, you can ask us to:
- Show you what we have on you (a copy of your row in the waitlist sheet, plus any analytics keyed to your email if you identified yourself).
- Correct anything that’s wrong.
- Delete the whole record. We’ll do it within 5 business days and confirm by email.
- Object or withdraw consent at any time.
Email [email protected] from the address that’s on file (so we know it’s you). Use the subject line that fits: “Show me my data”, “Correct my data”, “Delete my data”. We respond from the same address.
EEA / UK residents: you have GDPR rights including data portability and the right to lodge a complaint with your local supervisory authority. California residents: you have CCPA/CPRA rights. The above process honors both.
Security of the site itself
Things we did that you can verify yourself:
- TLS 1.2 minimum, HSTS enabled with a 2-year max-age and preload.
- Strict Content-Security-Policy that allows only the hosts named in the “Who actually touches your data” section above.
- Cloudflare WAF, host allowlisting, rate limiting, and Turnstile verification in front of the waitlist API.
- No user accounts, no session cookies, no payment forms, and no client-side secret values in the production bundle.
- Coordinated disclosure contact at /.well-known/security.txt per RFC 9116.
Changes to this policy
If we make a material change, we’ll email anyone on the waitlist before it takes effect. Cosmetic edits get a quiet update with a new “Last updated” date. Past versions are kept in our git history forever.
Contact
Privacy questions: [email protected]
Security disclosures: [email protected]
Everything else: [email protected]