FieldworkSign in

Data Processing

When you run research through Fieldwork, you are the data controller for your participants' data. Locallabs Pty Ltd acts as your data processor. This page explains how we handle that data, who we share it with, and what controls you have.

Your role and ours

You are the data controller. You decide what research to run, which participants to invite, and what questions to ask. You are responsible for obtaining participant consent and complying with the data protection laws that apply to your organisation and jurisdiction.

We are the data processor. We process participant data only to deliver the service you have configured. We do not use participant data for any purpose beyond operating your studies. We do not sell it, use it to train models independently of your session, or share it with third parties except as listed below.

What data we process on your behalf

When participants interact with a Fieldwork study, we process:

  • Responses to interview questions (text)
  • Session metadata (timestamps, completion status, study ID)
  • Any demographic or screening data you configure as part of your study

We do not independently collect participant contact details, IP addresses, or device identifiers unless you configure your study to capture them.

Sub-processors

We use the following sub-processors to deliver the platform. Each has contractual obligations to process data only as instructed.

| Sub-processor | Role | Location | Data passed | |---|---|---|---| | Supabase | Database, auth, file storage | US (AWS us-east-1) | All platform data including session content | | Vercel | Application hosting | US / global edge | Request data in transit | | Anthropic | AI interview facilitation and analysis | US | Interview messages during active sessions | | Upstash | Rate limiting | US | Request metadata only, no content | | Inngest | Background job processing | US | Job payloads including session identifiers |

Stripe, Resend, and Loops process your account and billing data only. They do not receive participant research data.

We will provide 30 days' notice before adding or changing sub-processors for customers on paid plans.

International data transfers

Fieldwork is operated from Australia. Our sub-processors are primarily based in the United States. Data transferred to the US is processed under standard contractual clauses or equivalent transfer mechanisms where required by GDPR or UK GDPR.

If your organisation has specific data residency requirements, contact joel@locallabs.dev before onboarding.

Retention defaults

These are the default retention settings applied to all workspaces. Growth and Scale plan customers can adjust these in workspace settings.

| Data type | Default action | Default period | |---|---|---| | Interview message content | Anonymised (content replaced, metadata retained) | 180 days | | Participant records | Deleted | 365 days | | Session metadata | Retained for workspace lifetime | Until account deletion | | Account data | Retained on free tier after cancellation | Until deletion request |

To request deletion of your workspace data, contact joel@locallabs.dev. We will action requests within 30 days.

Security measures

We apply the following technical and organisational measures to protect data we process on your behalf:

  • Encryption in transit via TLS for all data in motion
  • Encryption at rest for all data stored in Supabase (AES-256, managed by AWS)
  • Access controls: platform data is isolated per workspace using row-level security
  • Authentication via magic link (passwordless), reducing credential exposure risk
  • Rate limiting on all API endpoints to limit abuse
  • Background job isolation via Inngest to prevent cross-workspace data leakage

See our Security page for the full picture.

Your rights as data controller

As the data controller, you can:

  • Export research data from your workspace at any time
  • Delete individual participant records within your workspace
  • Configure retention periods (Growth and Scale plans)
  • Request full workspace deletion by contacting joel@locallabs.dev

If your participants exercise data subject rights (access, deletion, portability) under GDPR or equivalent law, you are responsible for responding to those requests. We will support you in fulfilling them within a reasonable timeframe on request.

Data Processing Agreement

Enterprise customers and teams with formal DPA requirements can request a signed Data Processing Agreement by contacting joel@locallabs.dev. This is available at no additional cost for Growth and Scale plan customers.

Contact

For data processing questions, GDPR inquiries, or DPA requests:

Locallabs Pty Ltd joel@locallabs.dev Queensland, Australia

Last updated: 2026-04-13