Privacy Policy | BizyClock

1. Introduction

Embedded Iron Inc. ("Company," "we," "us," or "our") operates the BizyClock time-tracking service ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service, website, and mobile application.

This Privacy Policy should be read together with our Terms of Service. By using the Service, you consent to the practices described in this policy.

2. Information We Collect

Information You Provide

Account information: Name, email address, and password when you create an account
Organization information: Company name, timezone, and business configuration settings
Employee information: Names, email addresses, phone numbers, hire dates, roles, departments, and pay rates (entered by account owners/administrators)
Time-tracking data: Clock-in/out timestamps, break durations, manual time entries, job assignments, and work codes
Payment information: Billing details processed through Stripe (we do not store credit card numbers directly)
Messages: Content sent through the internal messaging feature
Support communications: Feedback, bug reports, and feature requests you submit

Information Collected Automatically

Location data: GPS coordinates (latitude and longitude) at the time of clock-in and clock-out events, only when GPS tracking is enabled by your organization's account owner. Location data is not collected continuously or in the background.
Device information: Device type, operating system, and push notification tokens (for mobile app users)
Usage data: IP addresses, browser type, user agent, pages visited, and actions taken within the Service (logged for security and audit purposes)
Cookies and similar technologies: We use essential cookies for authentication and session management. See Section 8 (Cookies) for details.

Sensitive Information

The Service may process information considered sensitive, including:

Employee pay rates and payroll-related data
GPS/location data
Kiosk PINs (stored encrypted)
Badge identifiers

The collection and processing of this data is configured and controlled by your organization's account owner. We process this data solely to provide the Service.

3. How We Use Your Information

We use the information we collect to:

Provide, operate, and maintain the Service
Process payments and manage subscriptions
Send transactional communications (account verification, password resets, payment receipts, employee invitations)
Send service notifications and scheduled reports
Provide AI-powered analytics and insights (when you use AI features)
Maintain security, detect fraud, and prevent unauthorized access
Generate audit logs for accountability and compliance
Improve and develop the Service using aggregated, anonymized data
Respond to support requests and feedback
Comply with legal obligations

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

Service providers: With third-party providers who help us operate the Service, including Stripe (payment processing), Anthropic (AI features), cloud infrastructure providers (hosting and storage), and email delivery services. These providers are bound by confidentiality agreements and process data only as necessary to provide their services.
Within your organization: Data you enter into the Service is accessible to other users in your organization based on their role and permissions (e.g., administrators can view employee time entries, supervisors can view their direct reports' data).
Legal requirements: When required by law, legal process, or government request, or to protect our rights, safety, or property.
Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.
With your consent: In any other circumstances where you have given explicit consent.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specific retention periods include:

Account and time-tracking data: Retained while your account is active. Upon account termination, you may request a data export within 30 days. Data is deleted within 90 days post-termination unless legally required otherwise.
Messages: Automatically deleted 30 days after creation.
Audit logs: Retained for security and compliance purposes for the duration of your account.
Payment records: Retained as required by tax and financial reporting laws.
Backup data: Deleted in accordance with the same schedule as primary data.

6. Data Security

We implement industry-standard security measures to protect your information, including:

Encryption in transit (TLS 1.3+) and at rest (AES-256)
Password hashing using bcrypt
Row-level security (RLS) for tenant data isolation in our database
Rate limiting to prevent brute-force attacks
Comprehensive audit logging of all access and changes
Encrypted storage of kiosk PINs and device tokens

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security and are not liable for unauthorized access that occurs despite our security measures.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

All Users

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate or incomplete information
Deletion: Request deletion of your personal information (subject to legal retention requirements)
Data export: Export your data in standard formats (CSV, JSON) through the Service
Opt out of communications: Unsubscribe from non-essential emails and push notifications

Canadian Residents (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access, correct, and challenge the accuracy of your personal information. You may also withdraw consent for the collection, use, or disclosure of your information, subject to legal or contractual limitations. To exercise these rights, contact us at support@embeddediron.com.

EEA/UK Residents (GDPR)

Under the General Data Protection Regulation (GDPR), you have additional rights including the right to restrict processing, object to processing, and data portability. You also have the right to lodge a complaint with your local data protection supervisory authority. See Section 4a of our Terms of Service for full GDPR provisions.

California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have additional rights including the right to know what information we collect, the right to delete, and the right to opt out of the sale of personal information (we do not sell personal information). See Section 4b of our Terms of Service for full CCPA provisions.

To exercise any of these rights, contact us at support@embeddediron.com. We will respond to requests within 30 days (or as required by applicable law).

8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service. Our use of cookies is limited to the following:

Essential Cookies

These cookies are necessary for the Service to function and cannot be disabled. They include:

Authentication tokens: To keep you signed in and maintain your session
Security tokens: To prevent cross-site request forgery and protect your account

Analytics Cookies (Marketing Pages Only)

On our public marketing pages (including the homepage, blog, features pages, pricing, login, and registration), we use Google Analytics 4 ("GA4") to understand how visitors discover and interact with the site. GA4 sets cookies (e.g., _ga,_ga_*) that record information such as the pages you view, the referring site, your approximate location (city-level, derived from IP), browser type, and device type. IP addresses are anonymized by Google before storage.

Analytics cookies are loaded only after you accept the cookie consent banner shown on your first visit to a marketing page. If you decline, no analytics cookies are set and no data is sent to Google. Analytics cookies are not used inside the authenticated Service (employee, supervisor, owner, kiosk, and admin areas).

You can revoke consent at any time by clearing your browser's site data for BizyClock; the consent banner will reappear on your next visit. For more information about Google Analytics, see Google's Privacy Policy and How Google uses data when you use partner sites or apps.

Other Third-Party Cookies

We do not use third-party advertising cookies. Payment processing through Stripe may set its own cookies, which are subject to Stripe's Cookie Policy.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us at support@embeddediron.com.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including Canada and the United States, where our servers and service providers are located. These countries may have different data protection laws than your jurisdiction.

For transfers from the EEA/UK, we rely on applicable adequacy decisions and Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers from Canada, we comply with PIPEDA's requirements for cross-border data transfers, including ensuring comparable levels of protection through contractual safeguards.

11. Data Breach Notification

In the event of a data breach that poses a real risk of significant harm to individuals, we will:

Notify affected account owners as soon as practicable and in any event within 72 hours of becoming aware of the breach (as required by GDPR and PIPEDA)
Report the breach to relevant data protection authorities as required by law
Provide information about the nature of the breach, the data affected, and the measures taken to address it
Take immediate steps to contain and remediate the breach

12. Employer Responsibilities

If you are using the Service to manage employees or contractors, you are the data controller (or equivalent under applicable law) for the personal information of those individuals. As the data controller, you are responsible for:

Obtaining all necessary consents and providing required notices to employees before enabling tracking features (including GPS, time tracking, and kiosk monitoring)
Complying with all applicable employment, privacy, and data protection laws in your jurisdiction
Determining the lawful basis for processing employee data
Responding to data subject access requests from your employees (we will assist upon request)
Ensuring that your use of the Service complies with your own privacy policies and employment agreements

Embedded Iron Inc. acts as a data processor on your behalf. We process employee data only as necessary to provide the Service and in accordance with your instructions (as configured through the Service settings).

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and emailing account owners if the changes materially affect how we handle personal information.

Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

14. Contact Us

If you have any questions about this Privacy Policy, want to exercise your privacy rights, or need to report a data concern, please contact us at:

Embedded Iron Inc.
Email: support@embeddediron.com

For GDPR-related inquiries, you may also contact your local data protection supervisory authority.