Last Revised: July 7, 2023
This Policy describes:
The types of information we collect
from you or that you may provide when you use any product in the OnShift suite
of products, which includes, but is not limited to OnShift Schedule, OnShift
Engage, OnShift Wallet, OnShift Employ, OnShift Time, OnShift Insight and
OnShift’s Payroll-Based Journal reporting software (individually, the
“Product,” collectively, “the Products”).
· Our practices for collecting, using, maintaining, protecting, and disclosing that information.
Please read this Policy carefully to understand our practices regarding your information and how we will treat it. If you do not agree with our policies and practices, then please do not use our Products. By using our Products, you agree to the terms of this Policy. This Policy may change from time to time (see below, “Changes to this Policy”). Your continued use of our Products after we make changes is deemed to be acceptance of those changes, so please check the Policy periodically for updates.
What We Collect and How We Collect It
To ensure that we provide you with the best possible experience, we will store, use, and share information about you in accordance with this Policy.
Information You Provide to Us
Personal Information is any information that can be used to individually identify you from a larger group such as data including, but not limited to, your:
· First and last name
· Address number, city, state, zip code
· Date of birth
· Driver’s license
· Social security number
· Biometric identifiers
· Biometric information
· Geolocation information
· Telephone number (home and mobile)
· Email address
· Username/login name
· Photo of your image or likeness
In some cases, the nature of your assigned duties may require that you provide Personal Information relating to individuals other than yourself (such as other employees). Before providing any Personal Information to us, it is your responsibility to obtain the appropriate consent and authorization, to include compliance with any employer policies.
In using the Products, you may provide us Personal Information when you:
The information that you provide in each case will vary. For example, the Products may utilize a device’s global positioning system services to identify your current geographical location. In some instances, you may be able to disable this feature through the services function of your device.
In some cases, we may assign to you a username (“UID”) and ask that you create a password that should only be known to you.
Important Notice About Health Information. OnShift is not a healthcare provider, payer or clearinghouse. OnShift is a business that provides commercial business-to-business software as a service (“SaaS”) applications and proactive services to solve workforce challenges in healthcare. Unless otherwise established in an agreement between OnShift and a regulated Covered Entity (i.e., a doctor, pharmacy, or insurer) as defined by the Health Insurance Portability and Accountability Act (“HIPAA”), OnShift does not collect “Protected Health Information” as defined under HIPAA.
Important Notice About Consumer Information. OnShift may collect Personal Information, with your consent, to be used by OnShift’s trusted third-party partners to complete background checks as ordered by OnShift customers. OnShift is not a “consumer reporting agency” or “reseller” as those terms are defined under the Fair Credit Reporting Act (“FCRA”). OnShift does not process, assemble, or merge any Personal Information to create or modify any consumer report. Furthermore, OnShift plays no role in any eligibility determination based on the Personal Information processed as part of the background check process ordered by OnShift customers. Accordingly, the FCRA does not apply to OnShift’s processing of Personal Information as described in this Policy. Regardless, your Personal Information will be processed by OnShift in accordance with this Policy unless otherwise agreed in writing.
Through various technology features, including but not limited to, our OnShift Time services, we may collect data that potentially falls under the definitions of “biometric identifiers” or “biometric information” under the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1 et seq., and similar applicable laws. “Biometric identifiers” are defined as retina or iris scans, fingerprints, voiceprints, or scans of the hand or face geometry.
“Biometric information,” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.
Any collection of biometric identifiers and biometric information are for the sole purpose of assisting you and your organization in verifying your start and stop times for work. In other words, our collection of biometric identifiers and biometric information assists you with “clocking in” with your organization. We will not disclose or disseminate any biometric information to any entity, other than those contracted parties that assist us in providing this service to you, or as required by applicable federal, state, or local law, or required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
We shall retain any biometric identifiers or biometric information for up to three years as long as you consent to such retention and maintain an account with us. If you do not maintain an account with us, we shall retain biometric identifiers or biometric information for up to three years, but we will not be able to retrieve or connect your information to your identity.
We use appropriate technical, administrative, and physical safeguards to store, transmit, and protect from disclosure any biometric identifiers or biometric information collected. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same or more protective than the manner in which we store, transmit, and protect from disclosure other confidential and sensitive information.
Before using features that collect biometric identifiers or biometric information, you will be prompted with a copy of this policy. By accepting, you are consenting to our collection and storage of your biometric identifiers or biometric information.
Automated Information Collection
In addition to the information that you provide to us, we may also collect information about you during your use of the Products. We collect this information using automated tools that are detailed below. These tools may collect information about your behavior and your computer system, such as your internet address (IP Address), the pages you have viewed, and the actions you have taken while using the Products. Some of the tools we use to automatically collect information about you may include:
(a) Cookies. A “cookie” is a small data file transmitted
from a website to your computer’s hard drive.
Cookies are usually defined in one of two ways, and we may use both of
(1) session cookies, which do not stay on your computer after you close your browser, and
(2) persistent cookies, which remain on your computer until you delete them or they expire.
We use the following categories of cookies on in our Products.
i. Strictly Necessary Cookies. These cookies are essential in order to enable you to use the Products’ feature. Without these cookies, services you have requested, such as maintaining a record of your shift schedules, cannot be provided.
ii. Performance Cookies. These cookies collect
anonymous information on how people use our Products to help us understand how you
use our Products and highlight areas where we can improve, such as navigation.
The data stored by these cookies never shows personal details from which your
individual identity can be established.
iii. Functionality Cookies. These cookies remember choices you make such
as the country from which you use our Products, your screen layout preferences,
and your search parameters. This information can then be used to provide you
with an experience more appropriate to your selections and to make your use of
our Products more tailored to your preferences. The information in these
cookies may be anonymized. These cookies cannot track your browsing activity on
iv. Targeting Cookies or Advertising
Cookies. These cookies collect information about your
browsing habits in order to make advertising more
relevant to you and your interests. They are also used to limit the number of
times you see an advertisement as well as help measure the effectiveness of an
advertising campaign. The cookies are usually placed by third-party advertising
networks. These cookies remember the
websites you visit and that information is shared with
other parties such as advertisers.
The Products may also send aggregated, non-Personal Information to several trusted third-party providers for the purpose of providing us with the ability to conduct technical and statistical analysis of the Products performances. Such trusted third-party partners may include, but are not limited to, Hotjar, Google Analytics, Pendo.io, and New Relic. For more information on how each third-party provider supports our Products and uses information sent from the Products, please review the privacy policies hyperlinked to their name.
Of course, if you do not wish to have cookies on your devices, you may turn them off at any time by modifying your internet browser’s settings. However, by disabling cookies on your device, you may be prohibited from full use of the Products’ features or lose access to some functionality.
Web Links. Links
provided in our emails and, in some cases, on third-party websites may include
tracking technology embedded in the link. The tracking is accomplished through
a redirection system. The redirection system allows us to understand how the
link is being used by email recipients. Some of these links will enable us to
identify that you have personally clicked on the link
and this may be attached to the Personal Information that we hold about you.
This data is used to improve our service to you and to help us understand the
performance of our marketing campaigns.
(c) Third-party Websites and Services. We work with a number of service providers of marketing communications technology. These service providers may use various data collection methods to improve the performance of the marketing campaigns we are contracting them to provide. The information collected can be gathered through our Products and also on the websites where our marketing communications are appearing. For example, OnShift sends metadata identifying individual users to Pendo.io, Inc. for detailed usage tracking and marketing analysis.
Your Choices and Selecting Your Privacy Preferences
We want to provide you with relevant information that you have requested.
If we provide subscription-based services, such as email newsletters, we will allow you to make choices about what information you provide at the point of information collection or at any time after you have received a communication from us while you are subscribed. Any transactional or service-oriented messages are usually excluded from such preferences, as such messages are required to respond to your requests or to provide goods and services and are not intended for the purposes of marketing.
We will not intentionally send you email newsletters and marketing emails unless you consent to receive such marketing information. You may opt out of them at any time by selecting the “unsubscribe” link at the bottom of each email. Please note that by opting out or unsubscribing you may affect other services you have requested we provide to you, in which email communication is a requirement of the service provided.
Any such communications you receive from us will be administered in accordance with your preferences and this Policy.
Accuracy and Access to Your Personal Information
We strive to maintain and process your information accurately. We have processes in place to maintain all of our information in accordance with relevant data governance frameworks and legal requirements. We employ technologies designed to help us maintain information accuracy on input and processing.
Where we can provide you access to your Personal Information in our possession, we will always ask you for a username or UID and password to help protect your privacy and security. We recommend that you keep your password safe, that you change it periodically, and that you do not disclose it to any other person or allow any other person to use it.
To view and change the Personal Information that you have provided to us, you can log in to your account and follow the provided instructions, or contact us directly for assistance.
Information of Minors
We do not intentionally seek to gather information from individuals under the age of eighteen (18). We do not target any of our Products to minors and would not expect them to be engaging with our Products or services. If we are aware of any Personal Information that we have collected about minors, we will take steps to securely remove it from our Products and supporting systems.
How We Use Your Information
The information we gather and that you provide is collected to provide you information and the services you request, in addition to various other purposes, including, but not limited to:
· Identify the results of your responses to polls and surveys.
· Preventing malicious activity and providing you with a secure experience.
· Providing service and support for services you request.
· Providing marketing communications that are effective and optimized for you.
· Keeping you up-to-date with the latest benefits available from us.
· Preventing unwanted messages or content.
· Measuring the performance of our marketing programs.
· Contacting you about services and offers that are relevant to you.
Duration: The length of time we intend to retain the Personal Information we collect from you, including any sensitive information, is for as long as reasonably necessary to carry out our intended business purpose for such information.
Consent to Receive Text Messages from OnShift
To discontinue receiving SMS messages from OnShift at any time, reply STOP or text STOP to 79245 in the United States or 79246 in Canada or call 216.333.1353 or toll-free 800.385.1494. For help, reply HELP or text HELP to 79245 in the United States or 79246 in Canada.
How We Share Your Information
We do not sell or lease your information to any third party. We may disclose your Personal Information to our trusted third-party business partners in accordance with this Policy. We may also share your information with your employer if the employer is a contracted customer of OnShift. We also work with a number of partners that help us process your requests, deliver customer service and support, send email marketing communications, and provide experiences that you have come to expect from us. For example, when you participate in polls and surveys, we may share the information that you provide with Pendo.io and Hotjar to analyze your responses and aggregate them based on your role or your building location.
We will share your Personal Information with these third parties in order to fulfill the service that they provide to us. These third-party partners are under contract to keep your Personal Information secure and not to use it for any reason other than to fulfill the service we have requested from them. For example, one of our trusted third-party partners is PayActiv, which performs some banking services. However, none of the banking information provided to PayActiv is stored or processed by OnShift. Likewise, if you provide your credit card information to purchase certain services from the Products, OnShift will not store or process that information. Instead, any credit card information collected through the Products will be stored and processed by a trusted third-party and PCI-DSS compliance vendor, such as Braintree, a division of PayPal, Inc.
Except as described in this Policy, we will not share your information with third parties without your notice and consent, unless it is under one of the following circumstances:
· Responding to duly authorized information requests from law enforcement or other governmental authorities.
· Complying with any law, regulations, subpoena, or court order.
· Investigating and helping prevent security threats, fraud, or other malicious activity.
· Enforcing or protecting the rights and properties of the Company or its subsidiaries.
· Protecting the rights or personal safety of the Company’s employees.
In addition, OnShift may use a third party service called Skilljar to provide instructional courses for users on how to best use our services. Skilljar is a user interface that provides content for our training, and we may collect Personal information such as name, email address, mailing address, state, title, and zip code that may be shared with Skilljar. To learn more about Skilljar and its privacy practices, please visit https://www.skilljar.com/privacy/.
There are circumstances where OnShift may decide to buy, sell, or reorganize its business in selected countries. Under these circumstances, it may be necessary to share or receive Personal Information with prospective or actual partners or affiliates. In such circumstances, OnShift will ensure your information is used in accordance with this Policy.
Your Rights Under State Law
Pursuant to California Civil Code Section § 1798.83, we will not disclose or share your Personal Information with third parties for the purposes of third-party marketing to you without your prior consent.
Other than as disclosed in this Policy, the Products do not track users over time and across third-party websites to provide targeted advertising. Therefore, the Products do not operate any differently if it receives Do Not Track (“DNT”) signals from your internet web browser or device.
Your Consumer Rights
Some state laws in the United States provide consumers with additional rights with respect to their personal information (also known as “personal data”), as those terms are defined under those applicable state laws. Such state laws may include, but are not limited to, the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), the Colorado Privacy Act (“CPA”) and the Virginia Consumer Data Protection Act (“VCDPA”). Any personal information we collect is collected for the commercial purpose of effectively providing our services to you, as well as enabling you to learn more about, and benefit from, our services. If you reside in a state that provides additional rights with respect to your personal information, you may exercise each of your rights as identified below, subject to our verification of your identity.
A. Access. You have the right to request that we disclose certain information to you about our collection, use and disclosure of your Personal Information over the past twelve (12) months. Any disclosures we provide will only cover the 12-month period preceding receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
B. Correction. You can correct what personal data our Product database currently contains by accessing your account directly, or by contacting us to request that we correct or rectify any personal data that you have provided to us.
C. Limit Use and Disclosure of Sensitive Personal Information. If we collect any sensitive personal information, you have the right to request that we limit the use of the sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
D. Portability. Upon request and when possible, we can provide you with copies of your Personal Information. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Policy.
E. Deletion. You have the right to request that we delete any of your Personal Information, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies. Where applicable, we will ensure such changes are shared with trusted third parties.
F. Opt-out of Processing. You have the right to request that we do not sell your Personal Information, use your Personal Information for Targeted Advertising, or use your Personal Information for profiling. Where applicable, we will ensure such changes are shared with trusted third parties.
G. Non-Discrimination. If a data subject exercises his or her rights under applicable state law, including but not limited to the CCPA, CPA and VCDPA, we shall not discriminate against that data subject by denying our goods or services, charging different prices or rates to similarly situated consumers, providing a different level or quality of our goods or services, or taking any other adverse action.
H. Exercising your rights. If you are a data subject that has rights under applicable state law, including but not limited to the CCPA, CPA and VCDPA, who chooses to exercise the rights listed above, you can:
1. Submit a request via email at firstname.lastname@example.org; or
2. Call us at 1-800-385-1494 to submit your request.
Only you, or someone legally authorized to act on your behalf, may make a request related to your Personal Information. If an authorized agent makes a request on your behalf, we may require proof that you gave the agent permission to submit the request.
Responding to Your Request. Upon receiving your request, we will confirm receipt of your request by sending you an email confirming receipt. To help protect your privacy and maintain security, we may take steps to verify your identity before granting you access to the Personal Information. In some instances, such as a request to delete personal information, we may first separately confirm that you would like us to in fact delete your personal information before acting on your request.
We will respond to your request within forty-five (45) days. If we require more time, we will inform you of the reason and extension period in writing.
In some cases, our ability to uphold these rights for you may depend upon our obligations to process Personal Information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.
For Users Outside of the United States
We do not warrant or represent this Policy or the Products’ use of your Personal Information complies with the laws of any jurisdiction. Furthermore, to provide you with our services, we may store, process, and transmit information in the United States and other locations around the world, including countries that may not have the same privacy and security laws as yours. Regardless of the country in which such information is stored, we will process your Personal Information in accordance with this Policy.
For Product Users in the European Union (“EU”)
Under the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, or “GDPR”), individuals in the EU are afforded specific rights with respect to their Personal Information, or “personal data” as defined under the GDPR. For the purposes of this Policy, OnShift operates as a data controller. Any personal data we collect from you is processed in the United States and under the terms of this Policy.
Any personal data we collect from you is processed in the legitimate interest of our business and providing our services to you as the lawful means of such processing. You may always withdraw your consent to our use of your personal data as described below. We will only retain your personal data for the time necessary to provide you the information and services to which you have consented, to comply with the law and in accordance with your rights below.
The Data Controller is:
NAME: OnShift, Inc.
ADDRESS: 1621 Euclid Avenue, Cleveland, OH 44115
EMAIL ADDRESS: email@example.com
You can exercise any of the following rights, subject to verification of your identity, by notifying us as described below:
Access. You may email us at firstname.lastname@example.org to request a copy
of the personal data our Product databases currently contain.
Automated Processing and Decision-Making. You may email us
at email@example.com to request that we stop using your personal data for
automated processing, such as profiling. In your email, please explain how you
wish us to restrict automated processing of your personal data. When such
restrictions are not possible, we will advise you accordingly. You can then
choose to exercise any other rights under this Policy, to include withdrawing
your consent to the processing of your personal data.
Correction or Rectification. You can correct
what personal data our Product database currently contains by accessing your
account directly, or by emailing us at firstname.lastname@example.org to request that
we correct or rectify any personal data that you have provided to us. We may
not accommodate a request to change information if we believe the change would
violate any law or legal requirement or cause information to be incorrect.
Where applicable, we will ensure such changes are shared with trusted third
Restrict Processing. When applicable,
you may restrict the processing of your personal data by submitting a request
via email to email@example.com. In your email,
please explain how you wish us to restrict processing of your personal
data. When such restrictions are not
possible, we will advise you accordingly.
You can then choose to exercise any other rights under this Policy, to
include withdrawing your consent to the processing of your personal data. Where
applicable, we will ensure such changes are shared with trusted third
Object to Processing. When applicable,
you have the right to object to the processing of your personal data by
submitting a request via email to firstname.lastname@example.org. When such
objections are not possible, we will advise you accordingly. You can then
choose to exercise any other rights under this Policy, to include withdrawing
your consent to the processing of your personal data. Where applicable, we will
ensure such changes are shared with trusted third parties.
Portability. Upon request and when possible, we can
provide you with copies of your personal data. You may submit a request via
email to email@example.com. When such a request cannot be honored, we
will advise you accordingly. You can then choose to exercise any other rights
under this Policy, to include withdrawing your consent. Where applicable, we
will ensure such changes are shared with any trusted third parties.
Withdraw Consent. At any time, you may withdraw your consent
to our processing of your personal data through the Products by notifying us
via email at firstname.lastname@example.org. Using the same
email address associated with your Product account, simply type the words
“WITHDRAW CONSENT” in the subject line of your email. Upon receipt of such a
withdrawal of consent, we will confirm receipt and proceed to stop processing
your personal data. Where applicable, we will ensure such changes are shared
with trusted third parties.
Erasure. If you should wish to cease use of our Products
and have your personal data deleted from our Products, then you may submit a
request by emailing us at email@example.com. Upon receipt of
such a request for erasure, we will confirm receipt and will confirm once your
personal data has been deleted. Where applicable, we will ensure such changes
are shared with trusted third parties.
· Submit Complaints or Questions. If you wish to raise a complaint regarding how we have handled your personal data, you can contact us as described below. If you reside in a European Union member state, you may also lodge a complaint with the supervisory authority in your country.
Safeguarding the Information We Collect
We take reasonable technical, administrative, and physical safeguards in order to protect your Personal Information against accidental loss and from unauthorized access, use, alteration, and disclosure. However, we can never promise 100% security. You have a responsibility, as well, to safeguard your information through the proper use and security of any online credentials used to access your Personal Information, such as a username and password. If you believe your credentials have been compromised, please change your password. Please also immediately notify us of any unauthorized use of your credentials or Personal Information.
Changes to this Policy
How to Contact Us
We value your opinions and welcome your feedback. To contact us about this Policy or your Personal Information, please contact us at firstname.lastname@example.org.