SturdyShift

Legal · Last updated Jul 5, 2026

Privacy Policy

Effective Jul 16 2026
Before you read this

This document is a good-faith, source-mapped draft aligned to PIPEDA, the CCPA/CPRA, and Apple/Google store requirements. It is not legal advice — have counsel review it before you rely on it for a dispute.

1. Who we are

SturdyShift ("SturdyShift", "we", "us", or "our") is a workforce scheduling, time-tracking, and payroll-assistance mobile application operated by DeAndrey O'Connor. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have over it.

This policy applies to the SturdyShift mobile app and related services (the "Service"). It does not apply to third-party services we integrate with, which have their own privacy policies.

2. The two kinds of people who use SturdyShift

SturdyShift is a workplace tool with two roles, and the privacy relationship differs for each:

  • Managers / Employers — the business (or individual employer) that creates an account, sets up jobs, schedules shifts, and manages workers.
  • Workers — individuals invited by a Manager to clock in/out, view their schedule, and track their pay.

For much of the work-related data (shifts, clock times, pay records), your employer is the party that decides how that data is used in the employment relationship, and SturdyShift processes it on their behalf to provide the Service. For your account and identity data, and for your individual rights (access, correction, deletion, export), you deal with us directly through the in-app Privacy & Data screen and the contact below.

3. Information we collect

We collect only what the Service needs to function. The table below maps each category to how it is actually used in the app.

3.1 Account and profile information

  • Name (first and last), and a display name
  • Contact information you provide (e.g., email or phone)
  • Preferred language, country, and province/state
  • Authentication credentials (email and password) — passwords are handled by our authentication provider and are stored hashed; we never see your plaintext password
  • For kiosk/shared-device workers: a numeric PIN used to clock in without a personal login

3.2 Work and time data

  • Jobs/worksites you are assigned to
  • Scheduled shifts (dates, times, assignments)
  • Clock-in and clock-out times, break start/stop times, and accumulated break minutes
  • Shift status, amendments, no-show/absence records, and attendance history

3.3 Pay and payroll-assistance data

  • Hourly rates, scheduled vs. actual payable amounts, overtime and minimum-wage calculations
  • Extra-time approvals, short-shift adjustments, and pay discrepancies/disputes
  • Payment logs and confirmations recorded by managers and workers

SturdyShift is not a payment processor and does not move money. Pay data is recorded to help you and your employer track and reconcile wages. Your employer remains responsible for actually paying you.

3.4 Communications and user-generated content

  • Messages, shift comments, and announcements you send or receive within the app

3.5 Device and technical information

  • Push notification tokens (device identifiers issued by the operating system / Expo) so we can deliver notifications you've enabled
  • Basic diagnostic and update information needed to deliver over-the-air (OTA) app updates and keep the app working

3.6 Location information (optional — only if your employer turns it on)

Location collection is off by default. A Manager may enable location verification for a job. When, and only when, a Manager has enabled it:

  • At the moment you tap Clock In or Clock Out, the app may read your device's location once to confirm you are at the worksite (geofence verification).
  • Where a Manager has enabled it, that clock-in/clock-out location may also be retained for geo-analytical purposes (for example, verifying attendance patterns across worksites).

We do not track your location continuously, we do not collect location in the background, and we do not read your location when you are not clocking in or out. If location is not enabled by your employer, no location data is collected. You will be asked for the operating-system location permission before any location is read, and you can decline or revoke it in your device settings — see Section 7.

See Section 6 for the full location disclosure.

3.7 Consent records

  • The date, time, and version of the Terms and this Privacy Policy you accepted, so we can honor your consent and show you what you agreed to.

3.8 Information we do not collect

  • We do not collect your contacts, camera, microphone, photos, or advertising identifiers.
  • We do not use third-party advertising or tracking SDKs.
  • We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined under the CCPA/CPRA).

4. How we use your information

We use personal information to:

  • Create and manage your account and authenticate you
  • Provide scheduling, clock-in/out, break, and attendance features
  • Calculate and display pay, overtime, and minimum-wage-compliant figures
  • Deliver notifications you have enabled
  • Enable workplace communication (messages, comments, announcements)
  • Verify attendance at a worksite when your employer has enabled location (Section 6)
  • Maintain security, prevent fraud and abuse, and debug and improve the Service
  • Comply with legal obligations, including labor and payroll record-keeping

We identify the purpose of collection at or before the time we collect it, consistent with PIPEDA's purpose-identification and consent principles.

5. How we share information

We share personal information only as described here:

  • With your employer / your workers. SturdyShift is a shared workplace tool. Managers can see the work-related data of the workers they manage (shifts, clock times, attendance, pay records). Workers can see their own data and limited crew information relevant to shared shifts.
  • Service providers (processors) who operate the Service on our behalf:
    • Supabase — database hosting, authentication, and realtime infrastructure. Data may be stored and processed in ca-central-1 (Canada).
    • Expo — push-notification delivery and over-the-air app updates. These providers are permitted to process data only to provide services to us and are bound by their own privacy and security commitments.
  • Legal and safety. We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of SturdyShift, our users, or the public.
  • Business transfers. If we are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to this policy.

We do not sell your personal information.

6. Location data — full disclosure

Because location is sensitive, we describe it separately and in full:

  • Default off. Location is disabled unless a Manager explicitly enables location verification for a job.
  • Foreground and event-based only. Location is read only in the foreground, only at the instant you tap Clock In or Clock Out, and only as a one-time reading. There is no continuous or background tracking.
  • Purpose. (1) Geofence verification — confirming you are at the assigned worksite when clocking in/out; (2) where enabled, geo-analytics — helping your employer understand attendance across worksites.
  • Permission. The operating system will prompt you for location permission before any reading. You may decline. If you decline, clock-in may fall back to non-location behavior where your employer allows it, or your employer may require in-person/kiosk clock-in instead.
  • Control. You can revoke location permission at any time in your device settings. Revoking it stops all location reads by the app.
  • Retention. Location readings tied to a clock event are retained with that work record for the retention period in Section 8, unless your employer configures a shorter period.

If we ever change how location is used, we will update this policy, update our store privacy labels and Data Safety disclosures, and provide an in-app disclosure before the change takes effect.

7. Your privacy rights and choices

You have rights over your personal information. Many can be exercised directly in the app under Profile → Privacy & Data:

  • Access / export. Export a copy of your data (profile, shifts, and pay logs) from the Privacy & Data screen. To request a complete right-to-access package, contact us (Section 12).
  • Correction / rectification. Update your personal information from the Privacy & Data screen or by contacting us.
  • Deactivation. Deactivate your account: your identifying information is removed while legally required wage and time records are retained (see Section 8).
  • Erasure. Permanently erase your account and personal data beyond what we must retain by law. This is irreversible.
  • Withdraw consent. You may withdraw consent to optional processing (for example, by revoking location permission), subject to legal or contractual limits.

Destructive account actions (deactivate, erase) require you to re-enter your password to confirm your identity.

Depending on where you live, you may have additional rights (see Sections 10 and 11). We will not discriminate against you for exercising your privacy rights.

8. Data retention

  • We keep personal information for as long as your account is active and as needed to provide the Service.
  • Wage, hour, clock, and payroll records are retained for the period required by applicable employment and tax law, even after you deactivate your account. In Canada and the United States this is commonly at least three (3) years; the exact period depends on your jurisdiction.
  • When you deactivate, we remove or anonymize identifying details but keep the legally required records in anonymized form.
  • When you erase, we purge personal information that is not subject to a legal retention obligation; device tokens are deleted, messages are removed/redacted, and comment content is removed.
  • After the legal retention period expires, remaining retained records are permanently purged.

9. How we protect your information

We use technical and organizational safeguards appropriate to the sensitivity of the data, including:

  • Encryption in transit (HTTPS/TLS)
  • Hashed password storage handled by our authentication provider
  • Row-level access controls so users can only reach the data they are authorized to see
  • Server-side validation of sensitive actions
  • Append-only wage and clock records that cannot be silently altered

No system is perfectly secure, but we work to protect your information and to limit collection, use, and retention to what is necessary.

10. Canada — PIPEDA

If you are in Canada, we handle your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. This includes accountability, identifying purposes, consent, limiting collection/use/retention, accuracy, safeguards, openness, individual access, and the ability to challenge compliance. You may direct questions or complaints to our privacy contact (Section 12), and you have the right to complain to the Office of the Privacy Commissioner of Canada.

11. United States — California (CCPA/CPRA) and other states

If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it, to request access and deletion, to correct inaccurate information, and to not be discriminated against for exercising these rights. We do not sell or "share" personal information for cross-context behavioral advertising. To exercise these rights, use the in-app Privacy & Data tools or contact us (Section 12). Residents of other US states with comparable laws may have similar rights, which we honor where applicable.

12. How to contact us

For privacy questions, requests, or complaints:

Privacy contact: privacy@sturdyshift.com Operator: DeAndrey O'Connor

We will respond to verifiable requests within the timeframes required by applicable law.

13. Children's privacy

SturdyShift is a workplace tool intended for use by people who are legally able to work. It is not directed to children, and we do not knowingly collect personal information from anyone under the minimum working age in their jurisdiction (and in no case under 16). If you believe a minor has provided us information improperly, contact us and we will address it.

14. International data transfers

Your information may be stored and processed in ca-central-1 (Canada) and other locations where our service providers operate. Where required, we take steps to ensure your information receives an adequate level of protection when transferred across borders.

15. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date, and where required we will notify you in-app and ask you to re-accept. Your continued use of the Service after an update means you accept the revised policy.

One more thing

This draft is provided for implementation purposes and is not legal advice. Have qualified counsel review it before publication.