Data Processing Agreement

Effective date: 1 May 2026

1. Parties

This Data Processing Agreement ("DPA") is between Staff Track Limited ("Staff Track Limited", "we", "us") and the company or individual ("Customer", "you") who has agreed to the Staff Track Limited Terms of Service.

2. What data we process

In providing the Staff Track Limited platform, we process the following categories of Customer data:

  • Employee data — names, email addresses, roles, clock-in/clock-out records, GPS coordinates, photos
  • Business data — project details, contract values, invoice amounts, pricing, profit margins, labour rates
  • Communication data — messages sent through the in-app chat
  • Financial data — billing information, payment records (processed via Stripe; not stored by Staff Track Limited)
  • Usage data — feature usage, login times, device information

3. How we use your data

We process your data solely for the following purposes:

  • Delivering the Staff Track Limited service as described in the Terms of Service
  • Providing technical support when requested by you
  • Troubleshooting bugs or service incidents affecting your account
  • Complying with legal obligations

We will never use your business data — including pricing, profit margins, employee records, or customer information — for our own commercial purposes, marketing, benchmarking, or sale to third parties.

4. Data isolation

Each company's data is isolated at the database level using Row Level Security (RLS). No company can access another company's data through the application.

Staff Track Limited personnel access customer data only via our internal superadmin tools. Every access is logged and visible to you on the Data Privacy page of your dashboard.

5. Sub-processors

We use the following sub-processors to deliver the service. Each is bound by its own data processing terms:

Sub-processor                   | Purpose                    | Country
Supabase                        | Database & authentication  | EU (AWS eu-west-1, Ireland)
Vercel                          | Application hosting        | Global (primary: USA)
Stripe                          | Payment processing         | USA / Ireland
Google Maps                     | Address geocoding & maps   | USA
Apple Push Notification Service | Mobile push notifications  | USA
Firebase Cloud Messaging        | Android push notifications | USA

6. Data retention

We retain your data for the duration of your subscription plus a 30-day grace period. After cancellation and expiry of the grace period, all company data is permanently deleted from our systems, including backups, within 30 days.

You may request immediate deletion by contacting us at admin@staff-track.com. We will action deletion requests within 14 days.

7. Security measures

We implement the following security measures to protect your data:

  • All data encrypted in transit (TLS 1.2 and 1.3) and at rest (AES-256)
  • Row Level Security enforcing company-level data isolation
  • Staff Track Limited personnel access logs visible to you in real time
  • No customer passwords stored in plaintext — scrypt hashed (memory-hard algorithm)

8. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of all data we hold about your company
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your data (right to erasure)
  • Portability — request an export of your data in a machine-readable format
  • Restriction — request we limit processing to storage only
  • Objection — object to certain types of processing

To exercise any of these rights, contact admin@staff-track.com. We will respond within 30 days.

9. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, likely consequences, and steps taken to address it.

10. Governing law

Staff Track Limited is established in Ireland and complies with the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018. For customers located in the United Kingdom, we align our practices with the UK GDPR and the UK Data Protection Act 2018. For customers located in the United States, we align our practices with applicable US federal and state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the CPRA. For customers located in Australia, we align our practices with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles. We also align with applicable international privacy standards for customers in other jurisdictions. This DPA is governed by the laws of Ireland and the parties submit to the exclusive jurisdiction of the Irish courts.

11. Contact

For any data privacy questions, requests, or concerns:
Staff Track Limited
Email: admin@staff-track.com

Last updated: 1 May 2026