Privacy Policy
Last updated: 14 July 2026
This Privacy Policy explains how ClockIT ("we", "us", or "our") collects, uses, stores, and shares personal information when you use our staff scheduling and attendance service (the "Service").
ClockIT is designed for organisations that manage shift-based teams. Where you use ClockIT on behalf of a business, that business (your organisation) decides how staff and workplace data is used in the Product. We process that information to provide the Service.
This document is provided for transparency. It is not legal advice. Requirements can vary by location. If you need advice for your situation, consult a qualified professional.
1. Information we collect
Depending on how you use ClockIT, we may collect:
- Account information: email address, password (stored as a secure hash), full name, phone number, and related profile details.
- Organisation and store information: business name, optional ABN, business contact details, store addresses, and related settings.
- Staff and workforce information: staff profiles, job roles, employment type, hourly rates, store assignments, availability windows, rosters, and shift assignments.
- Attendance and clock data: clock-in and clock-out times, PIN verification events (without storing the PIN in plain text), store QR clock context, emergency or non-rostered punches, and manager review notes.
- Support and security information: password reset and invitation tokens (hashed), notification preferences, and limited technical metadata such as IP address or user agent where recorded for security or audit purposes.
We do not intentionally collect payment card numbers in ClockIT today. Payroll features prepare labour summaries for review; they do not process employee banking details.
2. How we use information
We use personal information to:
- Create and manage accounts, organisations, and store locations
- Provide rostering, availability, attendance, replacements, and related reporting
- Send transactional email such as staff invitations and password reset links
- Maintain security, prevent abuse, and investigate incidents
- Operate, improve, and support the Service
We do not sell personal information. We do not use account email addresses for unrelated marketing unless you separately agree to that in future.
3. Who can access information
- Within your organisation: administrators of your organisation can view and manage staff, roster, and attendance data for their business, subject to product permissions.
- Staff: staff users can view information needed for their role, such as their own profile, published roster, and clock status.
- Service providers: we use third-party infrastructure to run ClockIT, including hosting, database, and email delivery providers. Those providers process data only as needed to run the Service under their terms and security controls.
Typical infrastructure used to operate ClockIT includes application hosting, PostgreSQL database hosting, and transactional email delivery. Exact providers may change as we scale.
4. Cookies and sessions
ClockIT uses an httpOnly session cookie to keep you signed in after authentication. This cookie is required for the product to function. We do not use advertising trackers on the Service today.
5. Retention
We retain information for as long as needed to provide the Service, meet legal or accounting obligations, and maintain security records. Organisations control much of the workforce data stored in their account. When an organisation account is closed, we delete or anonymise associated data within a reasonable period, unless we must retain limited records for security, dispute, or legal reasons.
6. Security
We use industry-standard measures appropriate to a cloud application, including password hashing, access controls scoped by organisation, HTTPS in production, and rate limiting on sensitive endpoints. No method of transmission or storage is completely secure. Please use a strong unique password and protect admin access to your organisation.
7. Your choices and requests
- Staff members who need corrections or deletion of workplace records should contact their organisation administrator first. That organisation is usually the primary decision maker for staff data.
- Organisation administrators may update many profile and business fields in Settings, and may invite, deactivate, or manage staff according to product rules.
- You may request access, correction, or deletion where applicable law gives you that right. We may need to verify your identity and may refuse or limit a request where the law allows (for example, where retention is required or another person's rights would be affected).
8. Children
ClockIT is intended for workplace use by organisations and their staff. It is not directed to children. Do not create accounts for anyone who is not eligible to work under applicable law.
9. International processing
The Service may be hosted in regions selected by our infrastructure providers. If you access ClockIT from another country, your information may be processed outside your home region. By using the Service, you understand that this transfer may occur as part of normal cloud operations.
10. Changes
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will change when we do. Continued use of the Service after an update means you accept the revised Policy, where permitted by law.
11. Contact
For privacy questions about your own staff records, contact your organisation administrator. Organisation administrators may contact ClockIT using the email address registered on their admin account for account-related privacy requests.