Privacy and Security Policy

We are committed to safeguarding your privacy and ensuring the security of your personal information. This document details our practices regarding data collection, usage, and protection on our B2B platform.

1. Introduction

Your privacy and security are of utmost importance to us. This policy outlines how we collect, use, store, and protect your personal information when you use our B2B platform.

2. Information Collection

We collect personal and business information provided by users during account registration, service usage, customer support inquiries, and payment processing. We may collect metadata, device information, IP addresses, and cookies to enhance security and user experience.

3. Use of Information

To provide, maintain, and improve our services. To authenticate users and enable Two-Factor Authentication (2FA) for enhanced security. To communicate important updates, service changes, and promotional offers. To comply with legal and regulatory obligations.

4. SMS Communication and Phone Number Processing

Phone numbers are obtained through your direct contract with your service provider and are already present in our system as part of your service agreement. When you voluntarily enable SMS notifications through your account preferences, we activate SMS messaging services using the phone number from your existing service contract. We use this information solely to send account-related notifications including invoices, contracts, 2FA codes, and appointment reminders. Your phone number is not shared with third parties for marketing purposes. SMS opt-out requests are processed immediately and maintained indefinitely. We comply with TCPA regulations.

5. Location Data Collection (and mobile app)

BizCalify mobile app collects GPS location data to enable optional work verification and notification features. Location data collection is ONLY active when the app is open and in use (foreground only) - we do NOT collect your location in the background. All location features are completely optional and can be enabled or disabled at any time through the app's Settings screen. We collect precise location data for the following purposes: (1) Smart Arrival Notifications: Sends proximity alerts when you arrive near a work location to remind you to clock in/out, displays real-time distance calculations on your work map to help you plan your route. (2) Work Location Verification: Optionally records your GPS location when you clock in/out to create verified records of your work locations for your personal documentation and work history. Before collecting any location data, the app displays a prominent disclosure screen explaining what data is collected, why it's collected, and when it's collected. You must explicitly accept this disclosure before any location permissions are requested. Location data is encrypted in transit using HTTPS, never shared with third parties, and used exclusively for work verification and smart notifications that you've enabled. You can delete your account and all associated location data at any time through the app's Settings > Danger Zone section. We comply with Google Play Store data safety requirements, GDPR, CCPA, and all applicable mobile platform privacy policies.

6. Data Minimization and Purpose Limitation

We adhere to the principle of data minimization, collecting only the personal information that is strictly necessary to provide our services. For clients, we collect only essential contact and service-related information required to fulfill contractual obligations. For personnel, we collect employment-related information necessary for work assignments, scheduling, and payroll processing. For organization administrators, we collect business information required for account management and service delivery. We do not collect extraneous personal information, and all data collected serves a specific, legitimate business purpose that has been communicated to users. We regularly review our data collection practices to ensure compliance with data minimization principles.

7. Data Security Measures

We implement industry-standard encryption and security protocols to protect data from unauthorized access. We enforce Two-Factor Authentication (2FA) for added security in user accounts. We conduct regular security audits and vulnerability assessments. Access to sensitive data is restricted to authorized personnel only. All data transmissions are secured using TLS/SSL encryption protocols.

8. Encryption Standards for Sensitive Data

All sensitive personal information, including passwords, payment details, and authentication credentials, is encrypted using industry-standard one-way encryption algorithms (cryptographic hashing) that cannot be reversed or decrypted. This means that even our system administrators cannot access your passwords or sensitive credentials in plain text. Payment information is tokenized and processed through PCI-DSS compliant payment processors (Stripe Connect) and is never stored in plain text on our servers. Personal identification data and confidential business information are encrypted both in transit (using TLS 1.2 or higher) and at rest (using AES-256 encryption or equivalent). We employ salted hashing algorithms (such as bcrypt or Argon2) for password storage, making it computationally infeasible to reverse-engineer user credentials.

9. No Sale of Personal Information

We explicitly do not sell, rent, trade, or otherwise transfer your personal information to third parties for monetary or other valuable consideration. Your data is used exclusively to provide and improve our services to you and your organization. We do not engage in data brokering, advertising networks, or any form of personal data commercialization. Third-party service providers we work with (such as payment processors, hosting providers, and communication services) are bound by strict data processing agreements and are permitted to use your data only for the specific services they provide to us. We comply with CCPA, GDPR, and other privacy regulations that restrict the sale of personal information. If our business practices ever change regarding data sharing, we will notify all users and obtain explicit consent before implementing any such changes.

10. Data Retention

We retain user data only as long as necessary to fulfill service obligations, comply with legal requirements, and resolve disputes. Active account data is retained for the duration of your service agreement. Upon account closure or service termination, personal data is retained for a maximum of 90 days to allow for account reactivation, after which it is permanently deleted unless longer retention is required by law (e.g., financial records, tax compliance). Please note that certain information may need to be retained to comply with legal obligations (such as financial transaction records for tax purposes), resolve disputes, or enforce our agreements. In such cases, we will inform you of the specific data that must be retained and the legal basis for retention.

11. User Rights and Control

Users have full control over their personal information and privacy settings. You can access, update, or delete your personal information through your account settings (web or mobile app). Users can opt out of non-essential communications at any time. Users can enable or disable Two-Factor Authentication (2FA) for added account security. Mobile app users have complete control over location-based features: Smart Arrival Notifications and Work Location Verification can be enabled or disabled independently at any time through Settings without requiring approval from anyone. Before any location data is collected, you must explicitly accept the in-app data disclosure. You have the right to: (1) Request a copy of your personal data, (2) Request corrections to inaccurate information, (3) Request complete deletion of your account and associated data through Settings > Danger Zone (mobile app) or by contacting [email protected], (4) Disable location features at any time, (5) Revoke consent for data collection. Mobile app users receive a prominent disclosure before any permission requests, and all location features remain optional.

12. Third-Party Services and Compliance

We integrate third-party services such as Stripe Connect for payment processing, adhering to their security and compliance standards. We do not sell or share user data with third parties for marketing purposes. All third-party service providers are carefully vetted and bound by data processing agreements that ensure compliance with applicable privacy laws and our privacy standards.

13. Policy Updates

This policy may be updated periodically to reflect changes in regulatory requirements and security practices. Users will be notified of significant changes via email or platform notifications. Continued use of our services after such notifications constitutes acceptance of the updated policy.

14. Contact Information

If you have any questions or concerns about this policy or wish to exercise your data rights, please contact us at [email protected]. We are committed to responding to all privacy inquiries within 48 hours.

15. Account Deletion and Right to be Forgotten

You have the right to request complete deletion of your account and all associated personal information at any time. We provide two convenient methods for account deletion: (1) Mobile App Users: Navigate to Settings > Danger Zone > Delete Account in the BizCalify mobile app to submit a deletion request directly. The app will display a confirmation dialog explaining that this action is permanent and cannot be undone. All your data including time entries, work location records, assignments, and profile information will be permanently deleted. (2) Web/Email Users: Contact our support team at [email protected] with the subject line 'Account Deletion Request' to initiate the deletion process. Account deletion is processed asynchronously as a background operation to ensure all data is completely removed from our systems. You will remain logged in while your deletion request is being processed. You will receive notifications via email and in-app (for mobile users) when the deletion process is complete, typically within 30 days. Once the process begins, you cannot cancel the deletion request. Please note that certain information may need to be retained for a limited time to comply with legal obligations (such as financial transaction records required for tax reporting), resolve pending disputes, or enforce our agreements. In such cases, we will inform you of the specific data that must be temporarily retained and the legal basis for retention. All deletable personal data is permanently removed from active systems and backups within 90 days of deletion confirmation. This includes your profile information, location data, work history, time entries, and any other personal information not subject to legal retention requirements. After deletion, your data cannot be recovered.