Staff Track Limited

Privacy Policy

Last updated: May 2026

1. Who We Are

Staff Track Limited ("we", "our", "us") provides field-service management software for trades and contracting businesses — covering staff time, scheduling, mileage, jobs, quotes, invoicing and project management — via our website at staff-track.com and our mobile applications. We are based in Ireland and our service is designed to comply with the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

Two roles apply, depending on whose data we are handling:

  • Staff data — when an employer uses Staff Track to manage their workforce, the employer is the data controller for that staff data (names, time records, location, mileage and so on) and we act as their data processor.
  • Customer account data — when a business subscribes to Staff Track, we are the controller for the administrator's own account data (login email, billing details, support correspondence) and for aggregated, non-identifying analytics we use to operate and improve the service.

Our Data Processing Agreement, which governs our processor obligations, is available at /dpa.

2. Information We Collect

We collect the following categories of personal data:

  • Account information: company name, administrator name, email address and password.
  • Employee information: name, role, contact email, schedule, hourly/mileage rate and other employment details added by the account administrator.
  • Time records: clock-in / clock-out timestamps, shift duration, worksite, notes and answered shift questions.
  • Location data (mileage and live tracking): GPS coordinates of the device while a staff member is clocked in or inside the short envelope around a scheduled shift (see Section 4). Stored points include latitude, longitude, accuracy, speed and timestamp.
  • Device information: a device token used to bind a staff account to a specific device for security purposes, and OS-level push notification tokens.
  • Payment information: billing is handled by Stripe. We do not store card numbers on our servers.

3. Legal Basis (GDPR Article 6)

We rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the service to your employer and to bill our subscription.
  • Legitimate interests (Art. 6(1)(f)) — for the employer's interest in accurate timesheets, mileage reimbursement, live job dispatch and proof of attendance, balanced against the rights and freedoms of staff. Our Legitimate Interests Assessment for location tracking is available on request.
  • Legal obligation (Art. 6(1)(c)) — to meet tax, payroll and statutory record-keeping requirements (e.g. Irish Revenue six-year retention).
  • Consent (Art. 6(1)(a)) — for optional features such as marketing emails and integrations the user opts into.

We do not rely on consent as the sole basis for workplace location tracking, because the Irish Data Protection Commission considers that staff cannot freely consent to monitoring by their employer. Staff may, however, switch off live location sharing at any time in the app; the employer is responsible for any consequences this has for mileage reimbursement or attendance verification.

4. Location Data — How and When

Location tracking is one of the more sensitive parts of the service, and we want to be precise about what happens.

When tracking is active. Location is recorded only when both of the following are true:

  • The employer has enabled live tracking for their company (a master switch under their admin settings); and
  • The staff member is either currently clocked in, or the current time falls inside the company's configured envelope around a scheduled shift. The default envelope is one hour before the scheduled start until one hour after the scheduled end, set in the company's local timezone. Each company can adjust this from 0 to a maximum reasonable buffer in their mileage settings. Outside this window the app collects no location data.

What we record. Latitude, longitude, GPS accuracy, instantaneous speed and a timestamp. We record a point only when the device is moving at 15 km/h or above — walking pace, stationary periods and slow car-park manoeuvres are filtered out before storage. We do not store heading, behavioural scoring, or any audio or video.

How long. Raw GPS points (the second-by-second trail) are retained for 90 days, after which they are deleted. The aggregated trip record (start point, end point, distance, time) is retained for the duration of the employer's account plus the statutory tax retention period (currently six years in Ireland).

Who can see it. Only authorised users at the staff member's employer (typically managers, payroll and the company administrator). Other companies cannot see your data.

Personal-vehicle and out-of-hours use. Where staff use a personal vehicle for work, tracking still applies only inside the envelope above and only while moving. We do not track personal trips made outside the envelope. Staff may also turn the location switch off entirely; the employer must then accept manual mileage submissions or alternative attendance proof.

A full Data Protection Impact Assessment for this processing is maintained and available to employer admins on request.

5. How We Use Your Information

We use the information we collect to:

  • Provide, operate and maintain the Staff Track service for your employer;
  • Verify attendance at designated worksites;
  • Generate timesheets, mileage reports and payroll exports;
  • Show job position on the employer's map during a shift;
  • Process subscription payments and send service notifications;
  • Investigate security incidents and suspected misuse;
  • Improve our services in aggregated, non-identifying form;
  • Comply with legal and regulatory obligations.

We do not sell your personal data, do not use it for advertising, and do not use it to train external AI models.

6. Sub-processors and Data Sharing

We share data only with sub-processors that are contractually bound to GDPR-equivalent terms, and only to the extent necessary to run the service:

  • Supabase — database and authentication, hosted in the EU (Ireland region).
  • Vercel — application hosting and CDN.
  • Stripe — subscription billing.
  • Apple Push Notification Service / Firebase Cloud Messaging — push notifications.
  • Google Maps — map rendering and geocoding.
  • Optional integrations — Xero, Revolut and similar are activated only when an admin connects them; data flows to those providers under their own terms.
  • Legal disclosure — we may disclose information where required by law or to protect our or others' rights.

A current list of sub-processors is available at /dpa. We notify customers of material changes before they take effect.

7. Data Retention

We retain personal data only for as long as it is needed for the purposes set out above:

  • Account and employee profile data — for the life of the employer's account.
  • Time records and aggregated trip records — for the life of the account, plus the statutory tax retention period (six years in Ireland) where applicable.
  • Raw GPS trail points — 90 days, after which they are deleted automatically.
  • Application logs — 30 days.
  • Backups — up to 30 days.

If the employer cancels their account, all customer data is deleted within 30 days of cancellation, except where retention is required by law.

8. Data Security

All data is encrypted in transit using TLS 1.2 or higher, and at rest in our database. Access is gated by row-level security policies that isolate each company's data. Administrative access is restricted to a small number of named engineers and audit-logged.

9. Your Rights (GDPR)

If you are a staff member, your employer is the controller for most of your personal data and is your first point of contact for exercising these rights. We will support your employer in responding. You have the right to:

  • Access the personal data held about you (Art. 15);
  • Correct inaccurate data (Art. 16);
  • Request deletion (Art. 17), subject to legal retention obligations on your employer;
  • Restrict or object to processing (Arts. 18, 21), including objecting to processing based on legitimate interests;
  • Data portability (Art. 20);
  • Withdraw consent for any processing that relies on consent (Art. 7), without affecting prior processing;
  • Lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie) or your local supervisory authority.

You can also wipe your own raw location history at any time from inside the staff app (Settings → Live Location). To exercise any other right directly with us, contact admin@staff-track.com; we respond within 30 days.

10. International Transfers

Our primary data store is hosted in the EU (Ireland). Some sub-processors (e.g. Stripe, Apple, Google) may process data outside the EU. Where they do, transfers are protected by Standard Contractual Clauses or an adequacy decision under Art. 46 GDPR.

11. Cookies

Our website uses cookies to maintain your login session and remember your device for security purposes. We do not use cookies for advertising or cross-site tracking. You can disable cookies in your browser settings; the service may not function correctly without them.

12. Children's Privacy

Staff Track is intended for use by people aged 16 or over in an employment context. We do not knowingly collect personal data from anyone under 16.

13. Changes to This Policy

We may update this policy from time to time. We will post the updated version here with a new "last updated" date. Where changes are material, we will notify employer admins by email at least 30 days before they take effect.

14. Contact Us

For questions about this policy or how we handle your data:

Staff Track Limited
Email: admin@staff-track.com
Website: www.staff-track.com

© 2026 Staff Track Limited. All rights reserved.