Privacy Policy

Effective January 1, 2026

This page is maintained by the operator of ShiftPost. It is a template and not legal advice. Have qualified counsel in your jurisdiction review and adapt it before relying on it in production.

This Privacy Policy explains how CA AND MO GROUP LLC ("ShiftPost", "we") collects, uses, discloses, and safeguards personal data when you use the ShiftPost workforce attendance service (the "Service"). It applies to workers, managers, and administrators of a ShiftPost workspace, and to visitors to our marketing site.

1. Roles

When your employer uses ShiftPost to record your attendance, your employer is the data controller and ShiftPost is the data processor. Contact your employer to exercise rights over attendance data collected in your workspace. For our marketing site and account-level data, ShiftPost is the controller.

2. Data we collect

  • Account data: name, email, password hash, role, workspace, language.
  • Location data: GPS coordinates and accuracy at the moment of check-in and check-out, and periodically during an active shift for geofence enforcement and auto-checkout.
  • Selfie images: a still photo captured at check-in and check-out, stored in a private bucket.
  • Device identifiers: a per-device fingerprint used to bind one account to one phone and detect buddy-punching.
  • Attendance records: shift start/end, worksite, breaks, manual adjustments, notifications, and audit logs.
  • Communications: messages sent through the in-app chat, support requests.
  • Diagnostics: crash reports, error logs, and basic analytics for reliability and abuse prevention.

3. Why we process it and legal basis (EEA/UK)

  • Delivering the Service to your employer — Art. 6(1)(b) contract / Art. 6(1)(f) legitimate interests of the employer.
  • Verifying identity and preventing time-theft with selfies and device binding — Art. 6(1)(f), with employer notice and, where required, worker consent.
  • Security, fraud prevention, and audit — Art. 6(1)(f).
  • Legal compliance (labor records, tax, response to lawful requests) — Art. 6(1)(c).

Selfies are biometric-adjacent images. We do not run facial recognition and do not derive biometric templates. Where local law treats such images as sensitive data (e.g. Illinois BIPA, Quebec Law 25, EU Art. 9), the employer is responsible for obtaining any required additional consent from workers before enabling the Service.

4. Retention

  • Selfies: retained for the retention window configured by the employer (default 90 days), then deleted from storage.
  • Attendance records and audit logs: retained for as long as the workspace is active and for the period required by applicable labor and tax law.
  • Account data: retained while the account is active. Deleted or anonymized within 30 days of workspace deletion, subject to legal retention obligations.

5. Sharing

We share personal data with:

  • Your employer's administrators and managers within the same workspace.
  • Infrastructure sub-processors used to host the Service (database, storage, email, error monitoring, AI features). A current list is available in our Data Processing Addendum.
  • Authorities when required by law or to protect rights, property, or safety.

We do not sell personal data and do not share it for cross-context behavioral advertising.

6. International transfers

Personal data may be processed in countries other than your own. Where we transfer EEA/UK/Swiss data outside those regions, we rely on the European Commission's Standard Contractual Clauses or another lawful transfer mechanism.

7. Your rights

Depending on where you live (EU/EEA/UK, California, Canada, Brazil, and others), you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. For attendance data, please contact your employer first, as they control that data. For account-level data, contact us at moisebibalou@camogroupllc.com. You may also lodge a complaint with your local data protection authority.

California (CPRA) notice

In the last 12 months we have collected the categories above. We do not sell personal information and do not share it for cross-context behavioral advertising. California residents may exercise the right to know, delete, correct, and limit use of sensitive personal information by emailing moisebibalou@camogroupllc.com.

8. Security

We use TLS in transit, encryption at rest for the database and storage buckets, row-level security policies scoped per workspace, hashed passwords with an optional leaked-password check, and audit logging for administrative actions. No system is perfectly secure; workers and administrators must also protect their credentials and devices.

9. Children

The Service is not directed at children under 16 and we do not knowingly collect personal data from them.

10. Changes

We may update this Policy. Material changes will be announced in the Service or by email. The "Effective" date at the top reflects the latest revision.

11. Contact

CA AND MO GROUP LLC, 10150 Westwind Dr, Shreveport, LA 71106, USA. Privacy contact: moisebibalou@camogroupllc.com.