Privacy Policy

Version: 1.7
Effective Date: March 29, 2026
Last Updated: April 30, 2026

1. Introduction

This Privacy Policy describes how the OnboardReady/ClockReady platform ("Platform," "we," "us," "our") collects, uses, and protects information when you use our workforce management services.

This Policy applies to:

  • Tenant administrators and authorized users ("Admins")
  • Workers whose information is entered into the Platform by Tenants
  • Visitors to our public-facing pages

2. Our Role in Data Processing

2.1 Tenants as Data Controllers

For data entered by Tenants about their workforce:

  • The Tenant is the data controller and determines what personal data is collected and how it is used
  • We act as a data processor/service provider, processing data on behalf of Tenants according to their instructions

If you are a Worker with questions about how your personal data is handled, please contact your employer (the Tenant) directly.

2.2 Direct Relationships

For data we collect directly (such as Tenant Admin registration), we act as the data controller.

3. Information We Collect

3.1 Tenant Account Information

When Tenants register, we collect:

  • Business name and contact information
  • Admin names and email addresses
  • Billing and payment information
  • Account credentials

3.2 Worker Information (Collected by Tenants)

Tenants may enter information about Workers, including:

  • Names and contact information
  • Work schedules and time records
  • Job assignments and locations
  • Profile photos
  • Documents and files (including onboarding documents, certificates, invoices, offer letters, and signed agreements)
  • Communication history within the Platform
  • Kiosk PIN data for shared device clock-in/out (stored as cryptographic hashes, not plaintext)

3.3 Usage Information

We automatically collect:

  • Device information (type, operating system, browser)
  • IP addresses
  • Access times and usage patterns
  • Feature usage and interactions
  • Error logs and performance data
  • Permission and role change records (who changed what permissions, when, and the before/after states)
  • Document access records (who accessed or downloaded which documents, when, and from where)

3.4 Location Information

With appropriate permissions:

  • GPS location for time clock and geofencing features
  • Location data for job site management

4. How We Use Information

4.1 Providing Services

We use information to:

  • Operate and maintain the Platform
  • Process time and attendance records
  • Facilitate scheduling and communications
  • Generate reports and analytics for Tenants
  • Provide customer support

4.2 Improving the Platform

We use information to:

  • Analyze usage patterns and improve features
  • Identify and fix technical issues
  • Develop new capabilities

4.3 Security and Compliance

We use information to:

  • Protect against unauthorized access
  • Detect and prevent fraud
  • Comply with legal obligations

4.4 Communications

We use contact information to:

  • Send service-related notifications
  • Provide support responses
  • Communicate important updates

5. Information Sharing

5.1 Service Providers and Subprocessors

We share information with service providers who help us operate the Platform:

| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Database and storage | All Platform data |
| Amazon Web Services (AWS) | Encrypted backup storage (Canada) | Database backups, uploaded files and documents |
| Google Maps Platform | Location and mapping services | Addresses, coordinates |
| Stripe | Payment processing | Billing information |
| Twilio | SMS notifications | Phone numbers, messages |
| Resend | Email delivery | Email addresses, content |
| OpenAI | AI features | Content submitted to AI features |
| Firebase | Push notifications | Device tokens, notification content |

5.1.1 Tenant-Initiated Third-Party Integrations

Tenants may choose to connect external services through the Platform's Integrations settings. When a Tenant enables a third-party integration, data is shared with that service as necessary to fulfill the integration's purpose:

| Integration | Purpose | Data Shared |
|---|---|---|
| Intuit QuickBooks Online | Payroll and time tracking export | Worker names, approved timesheet hours, work dates, job descriptions |

When a Tenant connects QuickBooks Online:

  • We use Intuit's OAuth 2.0 authorization to establish a secure connection on the Tenant's behalf
  • Only approved timesheet data that the Tenant explicitly exports is sent to QuickBooks
  • Data is transmitted securely via Intuit's API using encrypted connections
  • The Tenant may disconnect the integration at any time, which stops all data sharing with QuickBooks
  • We store OAuth tokens securely and use them solely to facilitate the Tenant's requested exports
  • We do not access, read, or use any data from the Tenant's QuickBooks account beyond what is necessary to complete the export

Tenants are responsible for ensuring that their use of integrations complies with applicable laws, including obtaining any necessary consent from Workers whose data may be shared with third-party services.

5.2 Legal Requirements

We may disclose information when required by law, legal process, or government request.

5.3 Business Transfers

In the event of a merger, acquisition, or sale, information may be transferred to the acquiring entity.

5.4 With Tenant Consent

We may share information with Tenant permission for integrations or services requested by the Tenant.

6. Data Retention

6.1 Active Accounts

We retain data while Tenant accounts are active and as needed to provide services.

6.2 Specific Retention Periods

| Data Type | Retention Period |
|---|---|
| Active account data | Duration of subscription |
| Uploaded documents and files | Duration of subscription + 30 days post-termination |
| Document access audit logs | 90 days (automatically purged) |
| Permission and role change audit logs | Duration of subscription (immutable, not deletable) |
| Archived records (soft-deleted) | 7 days before permanent deletion |
| Timesheet and attendance records | Duration of subscription (exportable) |
| Communication messages | Duration of subscription |
| Session and device security logs | 90 days |
| Billing and payment records | As required by applicable tax and financial regulations |

6.3 After Termination

Following account termination, we retain data for a reasonable period (typically 30 days) to allow for data export. Upon written request, we will delete Tenant data within 30 days of termination, except where retention is required by applicable law. Upon completion of deletion, we will provide written confirmation of data destruction upon request. Data may be retained longer for:

  • Legal compliance requirements
  • Dispute resolution
  • Aggregated analytics (de-identified)

6.4 Backups

We maintain automated backups of all Platform data, including the database and all uploaded files and documents, for disaster recovery and business continuity purposes. Backups are:

  • Performed multiple times daily on an automated schedule
  • Stored in encrypted form (AES-256 encryption at rest) on Amazon Web Services (AWS) infrastructure located in Canada (Montreal, ca-central-1) to maintain compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Retained for 30 days, after which they are automatically and permanently deleted
  • Accessible only to authorized Platform personnel for disaster recovery purposes

Residual copies in encrypted backups will be overwritten in the normal course of backup rotation.

6.5 Data Processing Agreement

The data processing obligations, sub-processor disclosures, and audit rights applicable to our handling of Tenant data are set forth in Section 5.7 of our Terms of Service. Tenants requiring a separately executed Data Processing Agreement (DPA) may contact us to discuss their specific requirements.

7. Data Security

7.1 Security Measures

We implement reasonable security measures including:

  • Encryption in transit (TLS 1.2+) and at rest (including AES-256 encryption for all backup data)
  • Time-limited signed URLs for document access (maximum 15-minute expiry) to limit exposure
  • Comprehensive audit logging of all document access events, including who accessed what, when, and from where
  • Granular role-based access controls (RBAC) with per-permission enforcement on sensitive operations such as document downloads, timesheet exports, and file access
  • Immutable audit trail of all permission and role changes, recording the actor's identity, the specific permissions granted or revoked, and full before-and-after permission state snapshots
  • Tenant-level data isolation ensuring one tenant cannot access another tenant's data
  • Multi-factor authentication support for administrative accounts
  • Device fingerprinting and session tracking for security monitoring
  • Regular security assessments
  • Employee training and access restrictions

7.2 Limitations

No system is completely secure. While we take reasonable precautions, we cannot guarantee absolute security of information transmitted to or stored on the Platform.

7.3 Breach Notification

In the event of a security breach involving personal information, we will notify affected Tenants without undue delay. We will provide sufficient information regarding the nature, scope, and likely consequences of the breach to enable Tenants to fulfill their own notification obligations under applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent provincial privacy laws. We will cooperate with affected Tenants and take reasonable steps to contain and remediate the incident.

7.4 Your Responsibilities

Account security also depends on:

  • Maintaining confidential passwords
  • Using secure devices and networks
  • Reporting suspected security issues promptly

8. Your Rights and Choices

8.1 For Tenants

Tenants may:

  • Access and update account information
  • Export Platform data
  • Delete or modify Worker records
  • Close accounts

8.2 For Workers

Workers should contact their employer (the Tenant) to:

  • Access their personal information
  • Request corrections or deletions
  • Understand how their data is used

8.3 Communications

You may opt out of promotional communications but will continue to receive service-related notices.

8.4 Location Services

Mobile app users may control location permissions through device settings.

9. International Data Transfers

9.1 Processing Locations

Personal information may be processed or stored in Canada, the United States, and other jurisdictions where our service providers operate.

Personal information processed or stored outside Canada may be subject to the laws of those jurisdictions, including lawful access requests by courts, law enforcement, or national security authorities.

9.2 Safeguards

We remain responsible for personal information under our control, including information transferred to service providers for processing. We use contractual, technical, and organizational safeguards designed to provide a level of protection comparable to that required under Canadian privacy laws, including PIPEDA.

10. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.

11. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be indicated by updating the version number and effective date. Material changes will be communicated to Tenants through the Platform or email.

12. Contact Us

For privacy questions, data subject requests, or privacy-related complaints, please contact our Privacy Officer:

Email: privacy@onboardready.com

Address: Toronto, Ontario, Canada

For data subject requests related to Worker data, please contact your employer (the Tenant) directly.

13. Worker-facing consents (reference)

In addition to this Privacy Policy, Workers using the Worker app are presented with two specific consents that further describe how their personal information may be collected and used. The full text of each is published in the Terms of Service:

  • Worker Communication & Operational Consent — see Appendix A of the Terms of Service. Covers electronic signatures, and consent to receive operational communications by email, SMS, and push notification.
  • Worker Timeclock Consent — see Appendix B of the Terms of Service. Covers GPS location collection at clock-in / clock-out, optional background GPS route tracking during shifts, and timeclock-related push notifications.

Each consent is recorded with version, timestamp, IP address, timezone, device information, and (where the device permits) GPS coordinates at the moment of acceptance, and is downloadable as an audit PDF by the Customer's authorized administrators.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy.