Privacy Policy
1. Who this applies to
This Policy applies to people who create an account with WorkForceFSM LLC ("WorkForceFSM", "we", "us", or "our"), a Delaware limited liability company ("Account Users"), and to end customers of those Account Users whose contact details are entered into the platform ("End Customers"). WorkForceFSM acts as a data processor for End Customer data on behalf of Account Users, who are the data controllers for that information.
2. Information we collect
From Account Users when you register: company name, your name, email address, password (stored as a one-way bcrypt hash), and role within your company.
From Account Users as you use the platform: data you choose to enter — including customer records, employee records, jobs, leads, quotes, bills, expenses, tools, and any notes or messages associated with them.
About End Customers (entered by Account Users): name, email address, phone number, postal address, job history, and billing information related to services provided to them.
Automatically when you use the service: IP address, browser type, device information, server logs of API requests, and approximate timestamps. We do not use third-party analytics trackers or advertising cookies.
For payment processing: We do not store full payment card numbers. Card data is collected and stored directly by Stripe, Inc. under their PCI-compliant systems. We receive only a Stripe customer ID and subscription metadata.
3. Categories of personal information (CCPA reference)
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Commercial information | Subscription plan, billing history | Yes |
| Internet / network activity | Server access logs, browser type | Yes |
| Professional / employment info | Job titles, employee records you enter | Yes (Account User-entered) |
| Financial information | Payment card details | No — handled directly by Stripe |
| Sensitive personal information | SSN, precise geolocation, biometrics | No |
| Inferences / profiles | Preferences, behavior profiles | No |
4. How we use the information
- To operate and provide the service to you;
- To bill you for paid subscriptions and process payments via Stripe;
- To send transactional emails (account confirmations, password resets, billing notices);
- To send invoices and notifications to End Customers on your behalf, when you explicitly trigger them;
- To monitor for abuse, troubleshoot issues, and prevent fraud;
- To improve the platform via aggregate, anonymized usage analytics;
- To comply with legal obligations.
We do not use personal information for cross-context behavioral advertising. We do not sell or share personal information with third parties for their own marketing purposes.
5. Who we share it with
| Recipient | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Subscription billing and payment processing | Email, billing amount, subscription metadata |
| Resend | Transactional email delivery (invoices, quotes, password resets) | Recipient email address and email content |
| Twilio | SMS notifications you trigger (when enabled) | Recipient phone number and message content |
| Railway | Cloud hosting for our application and database | All data stored in the service |
We do not sell personal information. We may disclose information when required by law, court order, or government request; when necessary to enforce our Terms of Service; or to protect the safety, rights, or property of our users or others.
6. Do not sell or share my personal information
7. Lawful basis (EU / UK users)
We process personal data under one or more of the following legal bases: performance of a contract with you; our legitimate interest in operating and improving the service; your consent (where applicable); and compliance with legal obligations. You may withdraw consent at any time where processing is consent-based, without affecting the lawfulness of prior processing.
8. International data transfers
Our service is hosted in the United States. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S. For transfers from the EU/UK, we rely on Standard Contractual Clauses or equivalent approved safeguards.
9. California residents — your CCPA / CPRA rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know — You may request that we disclose what personal information we collect, use, disclose, and sell about you, including the categories, specific pieces, sources, and business purposes.
- Right to delete — You may request that we delete personal information we have collected from you, subject to certain exceptions (e.g. information needed to complete a transaction or comply with a legal obligation).
- Right to correct — You may request that we correct inaccurate personal information we maintain about you.
- Right to opt-out of sale / sharing — We do not sell or share personal information, so there is nothing to opt out of. If this changes, we will update this Policy and provide an opt-out mechanism.
- Right to limit use of sensitive personal information — We do not collect sensitive personal information (as defined by the CPRA), so this right does not currently apply.
- Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA rights. We will not deny service, charge different prices, or provide a lower level of service because you exercised a privacy right.
How to submit a request: Email privacy@workforcefsm.com with the subject line "California Privacy Request" and describe what you are requesting. We will verify your identity before processing your request and respond within 45 days. We may extend the response period by an additional 45 days when reasonably necessary.
Authorized agents: A California resident may designate an authorized agent to make a request on their behalf. We will require written proof of authorization and may verify the consumer's identity directly.
Shine the Light (California Civil Code § 1798.83): California residents may request information once per calendar year about categories of personal information shared with third parties for their direct marketing purposes. We do not share personal information for third-party direct marketing.
10. How long we keep it
We keep account and usage data for as long as your account is active. After cancellation, we retain Your Data for 30 days during which you may request an export, then remove it from active systems. Backup copies may persist for an additional period before automatic purge. Some records (e.g. financial records required by tax or accounting law) may be retained longer where legally required.
11. Your rights (all users)
Regardless of where you live, you may:
- Access and export the data you have entered into the platform at any time while your account is active;
- Correct inaccurate account information by updating your profile;
- Request deletion of your account and associated data by emailing privacy@workforcefsm.com;
- Lodge a complaint with your local data protection authority if you believe we have processed your data unlawfully.
For End Customers whose data was entered by an Account User: please contact the company that holds your information first — they are the data controller for that data. We will assist them in honoring your request.
12. Security
We use industry-standard technical and organizational measures to protect personal information, including encryption in transit (TLS), bcrypt password hashing, tenant-isolated data access, parameterized database queries to prevent SQL injection, and role-based access controls. No system is perfectly secure. If we become aware of a security breach that affects your personal information, we will notify you in accordance with applicable law without undue delay.
13. Cookies & tracking
We use a small number of strictly necessary cookies and browser local-storage items for authentication (JWT tokens) and language preference. We do not use third-party advertising cookies or cross-site tracking technologies. We do not display a cookie consent banner because we do not set non-essential cookies.
14. Children
The service is intended for use by businesses and professionals aged 18 and over. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information through our service, please contact us immediately at privacy@workforcefsm.com and we will promptly delete it.
15. Changes to this policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes that affect your rights, we will provide at least 30 days' advance notice via email or in-app notification. Your continued use of the service after the effective date constitutes acceptance of the updated Policy.
16. Contact
Privacy questions or rights requests: privacy@workforcefsm.com
General support: support@workforcefsm.com