
Privacy Policy

Last updated: January 15, 2025

1. Introduction

StaffCo (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our time tracking and workforce management platform (the “Service”).

This policy applies to all users of our Service, including:

  • Account Owners and Administrators: Individuals who create and manage company accounts
  • Team Members: Employees whose time and activity are tracked through the Service
  • Website Visitors: Individuals who visit our website without creating an account

Our Commitment: We believe in transparency and giving you control over your data. We only collect data necessary to provide our services and will never sell your personal information to third parties.

2. Data Controller Information

For the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR), the data controller is:

StaffCo Inc.
Email: [email protected]
Data Protection Officer: [email protected]

When your employer uses StaffCo to track your work time, your employer acts as the data controller for your employment-related data, and StaffCo acts as the data processor.

3. Data We Collect

3.1 Information You Provide

| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password, company name | Account creation and authentication |
| Profile Information | Job title, department, profile photo, timezone | User identification and settings |
| Payment Information | Billing address, payment method details | Subscription billing (processed by payment providers) |
| Employment Information | Hourly rate, employment status, payroll data | Payroll calculations and reporting |

3.2 Data Collected Automatically

| Data Type | Examples | Purpose |
|---|---|---|
| Time Tracking Data | Start/stop times, duration, project assignments | Core service functionality |
| Activity Data | Active/idle status, keyboard/mouse activity levels | Productivity measurement |
| Application Usage | App names, window titles, time spent per app | Productivity categorization |
| Website Usage | Domain names visited, time spent per site | Productivity categorization |
| Screenshots | Periodic screen captures (optional feature) | Work verification (when enabled) |
| Device Information | OS, browser, device type, IP address | Service optimization and security |

3.3 Data from Third Parties

  • Google Sign-In: If you use Google authentication, we receive your Google profile information (name, email, profile picture)
  • Calendar Integrations: When connected, we access calendar event data to provide scheduling features
  • Payment Processors: Transaction confirmations and billing status

4. How We Use Your Data

We use the collected data for the following purposes:

4.1 Service Provision

  • Provide and maintain the time tracking service
  • Process and display tracked work hours
  • Generate productivity reports and analytics
  • Calculate payroll based on tracked time
  • Manage user accounts and permissions

4.2 Service Improvement

  • Analyze usage patterns to improve features
  • Develop new functionality based on user needs
  • Fix bugs and optimize performance
  • Conduct aggregated analytics (anonymized)

4.3 Communication

  • Send service-related notifications
  • Respond to support requests
  • Provide product updates and announcements
  • Send marketing communications (with consent)

4.4 Security and Legal

  • Detect and prevent fraud or abuse
  • Ensure platform security
  • Comply with legal obligations
  • Enforce our terms of service

5. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Providing the Service, account management, billing, customer support |
| Legitimate Interests | Service improvement, security, fraud prevention, analytics |
| Consent | Marketing communications, optional features like screenshots, cookies |
| Legal Obligation | Tax reporting, responding to legal requests, compliance |

6. Data Sharing and Disclosure

Important: We do not sell your personal data to third parties. We only share data as described below and with appropriate safeguards.

6.1 Within Your Organization

Your time tracking data and activity information are shared with authorized members of your organization based on their role permissions (Owners, Admins, Managers).

6.2 Service Providers

We engage trusted third-party service providers to help operate our Service:

  • Cloud Infrastructure: Data hosting and storage
  • Payment Processors: Subscription billing
  • Email Services: Transactional communications
  • Analytics: Usage analysis (anonymized)
  • Customer Support: Help desk tools

All service providers are bound by data processing agreements and process data only on our behalf.

6.3 Legal Requirements

We may disclose your data when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change.

7. Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy:

| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 30 days after deletion |
| Time Tracking Data | Duration of account (exportable at any time) |
| Screenshots | 1 year (default, configurable by admin) |
| Activity Logs | 2 years for audit purposes |
| Billing Records | 7 years (legal requirement) |
| Support Communications | 3 years after resolution |

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

8.1 Right to Access

You have the right to request a copy of the personal data we hold about you. You can export most of your data directly from your account settings.

8.2 Right to Rectification

You can update or correct your personal information through your account settings or by contacting us.

8.3 Right to Erasure (“Right to be Forgotten”)

You can request deletion of your personal data. Note that some data may be retained for legal or legitimate business purposes.

8.4 Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances.

8.5 Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format (JSON, CSV).

8.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time.

To exercise your rights: Email us at [email protected] or use the data export/deletion features in your account settings. We will respond within 30 days.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms
  • Adequacy Decisions: Transfers to countries with adequate protection
  • Data Processing Agreements: With all third-party processors

10. Google Calendar Integration

StaffCo offers an optional integration with Google Calendar. If a user chooses to connect their Google account, StaffCo accesses Google Calendar data only after the user explicitly grants permission through Google’s OAuth 2.0 consent screen.

This integration is designed solely to help users manage their schedules, synchronize events, and streamline time management within the StaffCo platform.

10.1 Google Calendar OAuth Scopes We Request

When connecting their Google account, users are asked to grant StaffCo the following Google Calendar OAuth scopes:

  • https://www.googleapis.com/auth/calendar
  • https://www.googleapis.com/auth/calendar.events

These scopes allow StaffCo to read, create, update, and delete calendar events strictly for scheduling and event-management functionality.
StaffCo does not request any additional Google scopes beyond those listed above.

10.2 Data We Access

Depending on the permissions the user approves, StaffCo may access:

  • Calendar lists
  • Calendar events
  • Event metadata such as titles, times, attendees, and descriptions
  • Permissions necessary to create, update, and delete calendar events

Data is accessed only after explicit user authorization through the OAuth consent screen.

10.3 How We Use Google Calendar Data

We use Google Calendar data solely to:

  • Display the user’s schedule inside StaffCo
  • Allow users to create and manage calendar events directly from StaffCo
  • Sync StaffCo-created events with the user’s Google Calendar
  • Reflect Google Calendar changes inside StaffCo
  • Help users avoid scheduling conflicts

StaffCo does not use Google Calendar data for analytics, advertising, or profiling.

10.4 Storage and Handling of OAuth Tokens

  • OAuth access and refresh tokens are encrypted at rest and stored securely.
  • Tokens are used exclusively to perform Google Calendar actions initiated by the authenticated user.
  • StaffCo does not permanently store Google Calendar event content except when temporarily required for synchronization.
  • When a user disconnects Google Calendar, all associated OAuth tokens are immediately deleted, and StaffCo no longer has access to any Google Calendar data.
  • Users may also revoke StaffCo’s access at any time via their Google Account Permissions page.

10.5 Data Retention

StaffCo does not permanently retain Google Calendar data.
Calendar data is processed in real time and cached only temporarily to support synchronization features.

Once the integration is disconnected:

  • All OAuth tokens are removed
  • Cached calendar data is deleted
  • StaffCo cannot access or process the user’s Google Calendar data

10.6 Data Sharing

StaffCo does not share, sell, rent, or transfer Google Calendar data or OAuth tokens to any third parties.
No Google Calendar data is used for external analytics, marketing, or advertising purposes.

10.7 User Control and Revocation

Users retain full control over their Google Calendar integration:

  • They may connect or disconnect Google Calendar at any time within StaffCo
  • They may revoke StaffCo’s access directly via their Google Account settings
  • Disconnecting the integration immediately removes StaffCo’s ability to view or modify Google Calendar data

10.8 Compliance

This integration complies with:

  • The Google API Services User Data Policy
  • The Google API Services: Limited Use Policy
  • Google OAuth 2.0 standards
  • Industry-standard privacy and security best practices

By connecting their calendar, the user consents to StaffCo accessing their Google Calendar data for the limited purposes described in this section.

11. Data Security

We implement comprehensive security measures to protect your data:

11.1 Technical Measures

  • TLS/SSL encryption for all data in transit
  • AES-256 encryption for data at rest
  • Regular security audits and penetration testing
  • Secure data centers with physical access controls
  • Automated backup and disaster recovery

11.2 Organizational Measures

  • Employee security training
  • Access controls based on role and need-to-know
  • Incident response procedures
  • Regular security reviews

11.3 Account Security Features

  • Two-factor authentication (2FA)
  • Session management and timeout
  • Login attempt monitoring
  • Password strength requirements

12. Cookies and Tracking Technologies

We use cookies and similar technologies for:

12.1 Essential Cookies

Required for the Service to function (authentication, security, preferences). These cannot be disabled.

12.2 Analytics Cookies

Help us understand how users interact with our Service. You can opt out of these.

12.3 Marketing Cookies

Used to deliver relevant advertisements. These require your consent.

You can manage cookie preferences through your browser settings or our cookie consent banner. For more details, see our Cookie Policy.

13. Employee Monitoring Data

For Employees: If you are being tracked by your employer through StaffCo, your employer is the data controller for your work-related data. Please contact your employer for questions about their monitoring practices.

13.1 What We Collect

When monitoring features are enabled by your employer, we may collect:

  • Time tracking data (work start/stop times)
  • Activity levels (active/idle time)
  • Application and website usage
  • Screenshots (if enabled, at 5-30 minute intervals)

13.2 User Notification

Before any monitoring begins, users receive a clear notification explaining what data is collected. For screenshots specifically:

  • One-time modal notification at first desktop app launch
  • Clear explanation: “StaffCo periodically captures screenshots (every 5-30 mins) to track productivity”
  • User must click “Accept” to proceed with tracking

13.3 Privacy Controls

  • Screenshots can be blurred for sensitive content
  • Admins can disable screenshots per user or team
  • Users may be allowed to delete their own screenshots (admin setting)
  • Site blocklists can exclude certain URLs from tracking

14. Children’s Privacy

Our Service is designed for business use and is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will delete that information promptly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Notify you by email at least 30 days before changes take effect
  • Display a prominent notice in our Service

Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Privacy Inquiries:
Email: [email protected]

Data Protection Officer:
Email: [email protected]

General Support:
Email: [email protected]
Website: www.staffco.com

Supervisory Authority

If you are located in the EEA and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection authority.

Thank you for trusting StaffCo with your data. We are committed to protecting your privacy and being transparent about our data practices.

© 2026 StaffCo. All rights reserved.