OnShift
Products Privacy Policy
Last
Revised: December 31, 2023
OnShift,
a ShiftKey brand (“OnShift,” “the Company,” “we,” “us,” and “our,”) respects
your privacy and is committed to protecting your privacy through our compliance
with this privacy policy (the “Policy”). This Policy should be read in
conjunction with our products’ Terms
of Use, into which this Policy is incorporated by reference. If
you are an employee of an OnShift customer company, you further agree to comply
with your employer’s policies, procedures or
agreements regarding the use of your personal information with our
products.
This
Policy describes:
· The
types of information we collect from you or that you may provide when you use
any product in the OnShift suite of products, which includes, but is not
limited to OnShift Schedule, OnShift Engage, OnShift Wallet, OnShift Employ,
OnShift Time, OnShift Insight and OnShift’s Payroll-Based Journal reporting
software (individually, the “Product,” collectively, “the Products”).
· Our
practices for collecting, using, maintaining, protecting, and disclosing that
information.
Please
read this Policy carefully to understand our practices regarding your
information and how we will treat it. If you do not agree with our policies and
practices, then please do not use our Products. By using our Products, you
agree to the terms of this Policy. This Policy may change from time
to time (see below, “Changes to this Policy”). Your continued use of our
Products after we make changes is deemed to be acceptance of those changes, so
please check the Policy periodically for updates.
What We
Collect and How We Collect It
To
ensure that we provide you with the best possible experience, we will store,
use, and share information about you in accordance with this Policy.
Information
You Provide to Us
Personal
Information is any information that can be used to individually identify you
from a larger group such as data including, but not limited to, your:
· First
and last name
· Address
number, city, state, zip code
· Date of
birth
· Driver’s
license
· Social
security number
· Biometric
identifiers
· Biometric
information
· Geolocation
information
· Telephone
number (home and mobile)
· Email
address
· Username/login
name
· Password
· Photo of
your image or likeness
In some cases, the nature of your assigned duties may
require that you provide Personal Information relating to individuals other
than yourself (such as other employees). Before providing any Personal
Information to us, it is your responsibility to obtain the appropriate consent
and authorization, to include compliance with any employer policies.
In using
the Products, you may provide us Personal Information when you:
The information that you
provide in each case will vary. For example, the Products may utilize a
device’s global positioning system services to identify your current
geographical location. In some instances, you may be able to disable this
feature through the services function of your device.
In some cases, we may
assign to you a username (“UID”) and ask that you create a password that should
only be known to you.
Important Notice About
Health Information. OnShift is not a healthcare provider, payer or clearinghouse. OnShift is a business that
provides commercial business-to-business software as a service (“SaaS”)
applications and proactive services to solve workforce challenges in
healthcare.
Important Notice About
Consumer Information. OnShift may collect Personal Information, with your
consent, to be used by OnShift’s trusted third-party partners to complete
background checks as ordered by OnShift customers. OnShift is not a “consumer
reporting agency” or “reseller” as those terms are defined under the Fair
Credit Reporting Act (“FCRA”). OnShift does not process, assemble, or merge any
Personal Information to create or modify any consumer report. Furthermore,
OnShift plays no role in any eligibility determination based on the Personal
Information processed as part of the background check process ordered by
OnShift customers. Accordingly, the FCRA does not apply to OnShift’s
processing of Personal Information as described in this Policy. Regardless,
your Personal Information will be processed by OnShift in accordance with this
Policy unless otherwise agreed in writing.
Biometric Information
Through various technology
features, including but not limited to, our OnShift Time services, we may
collect data that potentially falls under the definitions of “biometric
identifiers” or “biometric information” under the Illinois Biometric
Information Privacy Act, 740 ILCS § 14/1 et seq.,
and similar applicable laws. “Biometric identifiers” are defined as retina
or iris scans, fingerprints, voiceprints, or scans of the hand or face
geometry.
“Biometric information,”
means any information, regardless of how it is captured, converted, stored, or
shared, based on an individual’s biometric identifier used to identify an
individual.
Any collection of
biometric identifiers and biometric information are for the sole purpose of
assisting you and your organization in verifying your start and stop times for
work. In other words, our collection of biometric identifiers and
biometric information assists you with “clocking in” with your
organization. We will not disclose or disseminate any biometric
information to any entity, other than those contracted parties that assist us
in providing this service to you, or as required by applicable federal, state,
or local law, or required pursuant to a valid warrant or subpoena issued by a
court of competent jurisdiction.
We shall retain any
biometric identifiers or biometric information for up to three years as long as you consent to such retention and maintain
an account with us. If you do not maintain an account with us, we shall retain
biometric identifiers or biometric information for up to three years, but we
will not be able to retrieve or connect your information to your
identity.
We use appropriate
technical, administrative, and physical safeguards to store, transmit, and
protect from disclosure any biometric identifiers or biometric information
collected. Such storage, transmission, and protection from disclosure shall be
performed in a manner that is the same or more protective than the manner in which we store, transmit, and protect from
disclosure other confidential and sensitive information.
Before using features that
collect biometric identifiers or biometric information, you will be prompted
with a copy of this policy. By accepting, you are consenting to our collection
and storage of your biometric identifiers or biometric information.
Automated
Information Collection
In
addition to the information that you provide to us, we may also collect
information about you during your use of the Products. We collect this
information using automated tools that are detailed below. These tools may
collect information about your behavior and your computer system, such as your
internet address (IP Address), the pages you have viewed, and the actions you
have taken while using the Products. Some of the tools we use to automatically
collect information about you may include:
(a) Cookies. A
“cookie” is a small data file transmitted from a website to your computer’s
hard drive. Cookies are usually defined in one of two ways, and we
may use both of them:
(1) session cookies, which do not stay on your computer after you close your
browser, and
(2) persistent cookies, which remain on your computer until you delete them or they expire.
We use the following categories of cookies on in our Products.
i. Strictly
Necessary Cookies. These cookies are
essential in order to enable you to use the
Products’ feature. Without these cookies, services you have requested, such as
maintaining a record of your shift schedules, cannot be provided.
ii. Performance
Cookies. These cookies collect anonymous
information on how people use our Products to help us understand how you use
our Products and highlight areas where we can improve, such as navigation. The
data stored by these cookies never shows personal details from which your
individual identity can be established.
iii. Functionality
Cookies. These cookies remember
choices you make such as the country from which you use our Products, your
screen layout preferences, and your search parameters. This information can
then be used to provide you with an experience more appropriate to your
selections and to make your use of our Products more tailored to your
preferences. The information in these cookies may be anonymized. These cookies
cannot track your browsing activity on other websites.
iv. Targeting
Cookies or Advertising Cookies. These
cookies collect information about your browsing habits in
order to make advertising more relevant to you and your interests.
They are also used to limit the number of times you see an advertisement as
well as help measure the effectiveness of an advertising campaign. The cookies
are usually placed by third-party advertising networks. These
cookies remember the websites you visit and
that information is shared with other parties such as advertisers.
The
Products may also send aggregated, non-Personal Information to several trusted
third-party providers for the purpose of providing us with the ability to
conduct technical and statistical analysis of the Products performances. Such
trusted third-party partners may include, but are not limited to, Hotjar, Google
Analytics, Pendo.io,
and New
Relic. For more information on how each
third-party provider supports our Products and uses information sent from the
Products, please review the privacy policies hyperlinked to their
name.
Of
course, if you do not wish to have cookies on your devices, you may turn them
off at any time by modifying your internet browser’s settings. However, by
disabling cookies on your device, you may be prohibited from full use of the
Products’ features or lose access to some functionality.
(b) Embedded Web Links. Links
provided in our emails and, in some cases, on third-party websites may include
tracking technology embedded in the link. The tracking is accomplished through
a redirection system. The redirection system allows us to understand how the link
is being used by email recipients. Some of these links will enable us to
identify that you have personally clicked on the link and
this may be attached to the Personal Information that we hold about you. This
data is used to improve our service to you and to help us understand the
performance of our marketing campaigns.
(c) Third-party
Websites and Services. We work with a number
of service providers of marketing communications technology. These
service providers may use various data collection methods to improve the performance
of the marketing campaigns we are contracting them to provide. The information
collected can be gathered through our Products and also on
the websites where our marketing communications are appearing. For example,
OnShift sends metadata identifying individual users to Pendo.io, Inc. for
detailed usage tracking and marketing analysis.
Your
Choices and Selecting Your Privacy Preferences
We want
to provide you with relevant information that you have requested.
If we
provide subscription-based services, such as email newsletters, we will allow
you to make choices about what information you provide at the point of
information collection or at any time after you have received a communication
from us while you are subscribed. Any transactional or
service-oriented messages are usually excluded from such preferences, as such
messages are required to respond to your requests or to provide goods and
services and are not intended for the purposes of marketing.
We will
not intentionally send you email newsletters and marketing emails unless you
consent to receive such marketing information. You may opt out of
them at any time by selecting the “unsubscribe” link at the bottom of each
email. Please note that by opting out or unsubscribing you may
affect other services you have requested we provide to you, in which email
communication is a requirement of the service provided.
Any such
communications you receive from us will be administered in accordance with your
preferences and this Policy.
Accuracy
and Access to Your Personal Information
We
strive to maintain and process your information accurately. We have processes
in place to maintain all of our information
in accordance with relevant data governance frameworks and legal
requirements. We employ technologies designed to help us maintain
information accuracy on input and processing.
Where we
can provide you access to your Personal Information in our possession, we will
always ask you for a username or UID and password to help protect your privacy
and security. We recommend that you keep your password safe, that you change it
periodically, and that you do not disclose it to any other person or allow any
other person to use it.
To view
and change the Personal Information that you have provided to us, you can log
in to your account and follow the provided instructions,
or contact us directly for assistance.
Information
of Minors
We do
not intentionally seek to gather information from individuals under the age of
eighteen (18). We do not target any of our Products to minors and would not
expect them to be engaging with our Products or services. If we are aware of
any Personal Information that we have collected about minors, we will take
steps to securely remove it from our Products and supporting systems.
How We
Use Your Information
The information we gather
and that you provide is collected to provide you information and the services
you request, in addition to various other purposes, including, but not limited
to:
· Assisting
you with items such as personalized experiences, facilitation of Product usage,
and enforcement of Terms of Use.
· Identify
the results of your responses to polls and surveys.
· Preventing
malicious activity and providing you with a secure experience.
· Providing
service and support for services you request.
· Providing
marketing communications that are effective and optimized for you.
· Keeping
you up-to-date with the latest benefits
available from us.
· Preventing
unwanted messages or content.
· Measuring
the performance of our marketing programs.
· Contacting
you about services and offers that are relevant to you.
Duration: The
length of time we intend to retain the Personal Information we collect from
you, including any sensitive information, is for as long as reasonably
necessary to carry out our intended business purpose for such information.
Consent to Receive Text
Messages from OnShift
In providing your mobile
device or cell phone number, you consent to receive text messages from
OnShift in order to facilitate any services
offered through our Products, including, but not limited to, engagement and
communication with employees to schedule shifts. You also consent to
receive phone calls or pre-recorded messages, including those from automated
dialing systems, such as those provided by trusted third-party partners such as
Twilio, at the mobile device number you provide. You consent to the use of your
mobile device number(s) by OnShift and its affiliates in accordance with this
Privacy Policy and our Terms
of Use. You agree you have the authority and permission to
consent to receive such text messages for all mobile device numbers associated
with your account in any of our Products. You further acknowledge
that no purchase is required to opt into this messaging service, and you may
opt out at any time by following instructions from OnShift and its affiliates
in any message you receive and as described in the Privacy Policy.
To discontinue receiving
SMS messages from OnShift at any time, reply STOP or text STOP to 79245 in the
United States or 79246 in Canada or call 216.333.1353 or toll-free
800.385.1494. For help, reply HELP or text HELP to 79245 in the United States
or 79246 in Canada.
How We Share Your
Information
We do
not sell or lease your information to any third party. We may disclose your
Personal Information to our trusted third-party business partners in accordance
with this Policy. We may also share your information with your employer if the
employer is a contracted customer of OnShift. We also work with a number of partners that help us process your
requests, deliver customer service and support, send email marketing
communications, and provide experiences that you have come to expect from us.
For example, when you participate in polls and surveys, we may share the
information that you provide with Pendo.io and Hotjar to analyze your responses
and aggregate them based on your role or your building location.
We will
share your Personal Information with these third parties in order to fulfill the service that they provide to
us. These third-party partners are under contract to keep your Personal
Information secure and not to use it for any reason other than to fulfill the
service we have requested from them. For example, one of our trusted
third-party partners is PayActiv, which performs
some banking services. However, none of the banking information provided
to PayActiv is stored or processed by
OnShift. Likewise, if you provide your credit card information to purchase
certain services from the Products, OnShift will not store or process that
information. Instead, any credit card information collected through the
Products will be stored and processed by a trusted third-party and PCI-DSS
compliance vendor, such as Braintree, a division of PayPal, Inc.
Except
as described in this Policy, we will not share your information with third
parties without your notice and consent, unless it is under one of the
following circumstances:
· Responding
to duly authorized information requests from law enforcement or other
governmental authorities.
· Complying
with any law, regulations, subpoena, or court order.
· Investigating
and helping prevent security threats, fraud, or other malicious activity.
· Enforcing
or protecting the rights and properties of the Company or its subsidiaries.
· Protecting
the rights or personal safety of the Company’s employees.
In addition, OnShift may
use a third party service called Skilljar to provide instructional courses for users on
how to best use our services. Skilljar is a
user interface that provides content for our training, and we may collect
Personal information such as name, email address, mailing address, state,
title, and zip code that may be shared with Skilljar.
To learn more about Skilljar and its
privacy practices, please visit https://www.skilljar.com/privacy/.
There are circumstances
where OnShift may decide to buy, sell, or reorganize its business in selected
countries. Under these circumstances, it may be necessary to share or receive
Personal Information with prospective or actual partners or affiliates. In such
circumstances, OnShift will ensure your information is used in accordance with
this Policy.
Your
Rights Under State Law
California
Pursuant
to California Civil Code Section § 1798.83, we will not disclose or share your
Personal Information with third parties for the purposes of third-party
marketing to you without your prior consent.
Other
than as disclosed in this Policy, the Products do not track users over time and
across third-party websites to provide targeted
advertising. Therefore, the Products do not operate any differently
if it receives Do Not Track (“DNT”) signals from your internet web browser or
device.
Your
Consumer Rights
Some state laws in the United States provide consumers with additional rights
with respect to their personal information (also known as “personal data”), as
those terms are defined under those applicable state laws. Such state laws may
include, but are not limited to, the California Consumer Privacy Act of 2018 (“CCPA”)
as amended by the California Privacy Rights Act (“CPRA”), the Colorado Privacy
Act (“CPA”) and the Virginia Consumer Data Protection Act (“VCDPA”). Any
personal information we collect is collected for the commercial purpose of
effectively providing our services to you, as well as enabling you to learn
more about, and benefit from, our services. If you reside in a state that
provides additional rights with respect to your personal information, you may
exercise each of your rights as identified below, subject to our verification
of your identity.
A. Access. You
have the right to request that we disclose certain information to you about our
collection, use and disclosure of your Personal Information over the past
twelve (12) months. Any disclosures we provide will only cover the 12-month
period preceding receipt of your request. The response we provide will also
explain the reasons we cannot comply with a request, if applicable.
B. Correction. You
can correct what personal data our Product database currently contains by
accessing your account directly, or by contacting us to request that we correct
or rectify any personal data that you have provided to us.
C. Limit Use and Disclosure
of Sensitive Personal Information. If we collect any
sensitive personal information, you have the right to request that we limit the
use of the sensitive personal information to that use which is necessary to
perform the services or provide the goods reasonably expected by an average consumer
who requests those goods or services.
D. Portability. Upon
request and when possible, we can provide you with copies of your Personal
Information. When such a request cannot be honored, we will advise
you accordingly. You can then choose to exercise any other rights under this
Policy.
E. Deletion. You
have the right to request that we delete any of your Personal Information,
subject to certain exceptions. Once we receive and confirm your verifiable
consumer request, we will delete (and direct our service providers to delete)
your Personal Information from our records, unless an exception
applies. Where applicable, we will ensure such changes are shared
with trusted third parties.
F. Opt-out
of Processing. You have the right to request that we do not sell your
Personal Information, use your Personal Information for Targeted Advertising,
or use your Personal Information for profiling. Where applicable, we will
ensure such changes are shared with trusted third parties.
G. Non-Discrimination. If a
data subject exercises his or her rights under applicable state law, including
but not limited to the CCPA, CPA and VCDPA, we shall not discriminate against
that data subject by denying our goods or services, charging different prices
or rates to similarly situated consumers, providing a different level or
quality of our goods or services, or taking any other adverse action.
H. Exercising your rights. If you
are a data subject that has rights under applicable state law, including but
not limited to the CCPA, CPA and VCDPA, who chooses to exercise the rights
listed above, you can:
1. Submit a
request via email at privacy@onshift.com; or
2. Call us at 1-800-385-1494
to submit your request.
Only you, or someone legally authorized to act on your
behalf, may make a request related to your Personal Information. If
an authorized agent makes a request on your behalf, we may require proof that
you gave the agent permission to submit the request.
Responding to Your Request. Upon
receiving your request, we will confirm receipt of your request by sending you
an email confirming receipt. To help protect your privacy and maintain
security, we may take steps to verify your identity before granting you access
to the Personal Information. In some instances, such as a request to delete
personal information, we may first separately confirm that you would like us to
in fact delete your personal information before acting on your request.
We will respond to your request within forty-five (45)
days. If we require more time, we will inform you of the reason and extension
period in writing.
In some
cases, our ability to uphold these rights for you may depend upon our
obligations to process Personal Information for security, safety, fraud
prevention reasons, compliance with regulatory or legal requirements, or
because processing is necessary to deliver the services you have requested.
Where this is the case, we will inform you of specific details in response to
your request.
Third-party
Websites
This Policy does not apply to websites or
other domains that are maintained or operated by third parties or our
affiliates. Our Products may link to third-party websites and services, but
these links are not endorsements of these sites, and this Policy does not
extend to them. Because this Policy is not enforced on these third-party
websites, we encourage you to read any posted privacy policy of the third-party
website before using the service or site and providing any
information.
For
Users Outside of the United States
We do
not warrant or represent this Policy or the Products’ use of your Personal
Information complies with the laws of any jurisdiction. Furthermore, to provide
you with our services, we may store, process, and transmit information in the
United States and other locations around the world, including countries that
may not have the same privacy and security laws as yours. Regardless of the
country in which such information is stored, we will process your Personal
Information in accordance with this Policy.
For
Product Users in the European Union (“EU”)
Under
the General Data Protection Regulation (Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016, or “GDPR”),
individuals in the EU are afforded specific rights with respect to their
Personal Information, or “personal data” as defined under the GDPR. For the
purposes of this Policy, OnShift operates as a data controller. Any personal
data we collect from you is processed in the United States and under the terms
of this Policy.
Any
personal data we collect from you is processed in the legitimate interest of
our business and providing our services to you as the lawful means of such
processing. You may always withdraw your consent to our use of your personal
data as described below. We will only retain your personal data for the time
necessary to provide you the information and services to which you have
consented, to comply with the law and in accordance with your rights below.
The Data
Controller is:
NAME: ShiftKey,
LLC
ADDRESS: 1621
Euclid Avenue, Cleveland, OH 44115
EMAIL
ADDRESS: privacy@onshift.com
You can
exercise any of the following rights, subject to verification of your identity,
by notifying us as described below:
· Access. You
may email us at privacy@onshift.com to
request a copy of the personal data our Product databases currently contain.
· Automated
Processing and Decision-Making. You may email us at
privacy@onshift.com to request that we stop using your personal data for
automated processing, such as profiling. In your email, please explain how you
wish us to restrict automated processing of your personal data. When such
restrictions are not possible, we will advise you accordingly. You can then
choose to exercise any other rights under this Policy, to include withdrawing
your consent to the processing of your personal data.
· Correction
or Rectification. You can correct what personal data our Product database
currently contains by accessing your account directly, or by emailing us
at privacy@onshift.com to
request that we correct or rectify any personal data that you have provided to
us. We may not accommodate a request to change information if we believe the
change would violate any law or legal requirement or cause information to be
incorrect. Where applicable, we will ensure such changes are shared with
trusted third parties.
· Restrict
Processing. When applicable, you may restrict the processing of your
personal data by submitting a request via email to privacy@onshift.com. In
your email, please explain how you wish us to restrict processing of your
personal data. When such restrictions are not possible, we will
advise you accordingly. You can then choose to exercise any other
rights under this Policy, to include withdrawing your consent to the processing
of your personal data. Where applicable, we will ensure such changes are shared
with trusted third parties.
· Object
to Processing. When applicable, you have the right to object to the
processing of your personal data by submitting a request via email to privacy@onshift.com. When
such objections are not possible, we will advise you accordingly. You can then
choose to exercise any other rights under this Policy, to include withdrawing
your consent to the processing of your personal data. Where applicable, we will
ensure such changes are shared with trusted third parties.
· Portability. Upon
request and when possible, we can provide you with copies of your personal
data. You may submit a request via email to privacy@onshift.com. When
such a request cannot be honored, we will advise you accordingly. You can then
choose to exercise any other rights under this Policy, to include withdrawing
your consent. Where applicable, we will ensure such changes are shared with any
trusted third parties.
· Withdraw
Consent. At any time, you may withdraw your consent to our
processing of your personal data through the Products by notifying us via email
at privacy@onshift.com. Using
the same email address associated with your Product account, simply type the
words “WITHDRAW CONSENT” in the subject line of your email. Upon receipt of
such a withdrawal of consent, we will confirm receipt and proceed to stop
processing your personal data. Where applicable, we will ensure such changes
are shared with trusted third parties.
· Erasure. If you
should wish to cease use of our Products and have your personal data deleted
from our Products, then you may submit a request by emailing us at privacy@onshift.com. Upon
receipt of such a request for erasure, we will confirm receipt and will confirm
once your personal data has been deleted. Where applicable, we will ensure such
changes are shared with trusted third parties.
· Submit
Complaints or Questions. If you wish to raise a complaint
regarding how we have handled your personal data, you can contact us as
described below. If you reside in a European Union member state, you may also
lodge a complaint with the supervisory authority in your country.
Safeguarding the Information We Collect
We take reasonable
technical, administrative, and physical safeguards in
order to protect your Personal Information against accidental loss
and from unauthorized access, use, alteration, and
disclosure. However, we can never promise 100%
security. You have a responsibility, as well, to safeguard your
information through the proper use and security of any online credentials used
to access your Personal Information, such as a username and password. If you
believe your credentials have been compromised, please change your password.
Please also immediately notify us of any unauthorized use of your credentials
or Personal Information.
Changes to this Policy
If we make any changes to
this Policy, a revised Policy will be posted on this screen and the date of the
change will be reported in the “Last Revised” block above. You can get to this
screen from any of our Products by clicking on the “Privacy Policy” link
(usually at the bottom of the screen).
How to Contact Us
We value your opinions and
welcome your feedback. To contact us about this Policy or your Personal
Information, please contact us at privacy@onshift.com.
|