Privacy Policy

Last Updated: March 31, 2026

StaffLoop (operated by Siva Tech Services Pty Ltd, ABN 61 680 000 640) ("we," "our," or "us") provides a multi-tenant software-as-a-service (SaaS) platform for workforce and care management. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application. This policy is governed by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

1. Roles and Responsibilities

It is important to understand the distinction between StaffLoop and your employing organisation (the "Subscriber"):

• The Subscriber (Data Controller): Your employing organisation is the "Data Controller" of your personal information. They determine what data is collected, how it is used, and who it is shared with.
• StaffLoop (Data Processor): We act as the "Data Processor," providing the platform and infrastructure to store and process this data on behalf of the Subscriber.

2. Information We Collect

We collect information under the direction of our Subscribers. The information we process includes:

• Personal Data: Information such as your name, email address, phone number, address, profile image (avatar), and worker screening details, as required by your employer.
• Biometric Recognition Data: If your Subscriber (employer) enables facial recognition for identity verification, we collect and process facial images to create a mathematical representation ("face template"). This template is used solely for the purpose of matching your identity during clock-in/out events and secure authentication. The processing of biometric data is performed in accordance with your Subscriber's policies and legal obligations as the Data Controller. StaffLoop stores these templates securely using encrypted storage on AWS infrastructure.
• Shift and Break Information: We collect detailed time logs of your working hours, including clock-in and clock-out times, the start and end times of breaks taken during your shift, and the specific reasons/categories for such breaks as configured by your Subscriber. This data is used for payroll, compliance, and WHS management.
• Geolocation Information: We request access to track location-based information from your mobile device to provide location-based services. Specifically, we collect this data during your clocked-in shifts for service verification, staff safety, and mileage calculation (processed using third-party mapping services including Mapbox). For NDIS and Aged Care services, this verification is a regulatory requirement to prove service delivery. To ensure the integrity of time and attendance records, the application may also collect device environment data to detect the use of location spoofing tools or "mock location" settings. You acknowledge that the application may emit brief audible indicators (beeps or tones) to confirm tracking status or diagnostic events while GPS is active.
• Kiosk and QR Scanning Data: When setting up a Kiosk device, we scan QR codes to securely link the physical device to your Subscriber's tenant. We collect and store Kiosk-specific technical identifiers (e.g., Device ID) to manage secure venue-based authentication and to enforce location-specific clock-in rules.
• Incident Reports: When you or your organisation report an incident, we collect detailed information including descriptions, dates, involved parties, and potentially sensitive health information. This data is processed on behalf of your Subscriber to meet workplace health and safety (WHS) and regulatory reporting (e.g., NDIS Reportable Incidents) obligations.
• Motion & Fitness Activity: On compatible mobile devices, we request access to "Physical Activity" or "Motion" sensors. This data is processed locally on your device solely to optimize battery life (by powering down GPS when the device is stationary). We do not collect or store your fitness data (steps, calories, etc.).
• Communications Data: When you use our in-app messaging and chat features, we store message content, timestamps, and participant information. Messages are retained for the operational needs of your Subscriber and compliance purposes.
• File Uploads and Attachments: Documents, images, and files you upload (e.g., shift notes, photos, compliance documents) are stored securely on AWS S3 infrastructure in Australia. Your Subscriber controls retention policies for these files.
• Device Information: For push notifications, we collect device tokens and notification preferences. You can opt out of notifications through your device settings or app preferences.
• Usage Data and Cookies: We collect anonymized data on how you interact with the Service to improve performance and user experience. This includes tracking the completion of the "Staff Onboarding Tour" and other instructional modules to assist with application adoption. We use strict "functional" cookies and local storage mechanisms to manage your secure session, remember your branding preferences, and store essential application state. Because these are strictly necessary for the platform to function securely, explicit cookie consent is not required under typical privacy frameworks, though your continued use of the app constitutes acceptance. We do not use third-party tracking or advertising cookies.
• Demo Request Information: If you submit a demo request through our website, we collect your name, email, phone number, company name, and message. This information is used solely to respond to your inquiry and is not shared with third parties.
• Signed Agreements: When you use the "Employer Agreement" or "Document Signing" features, we store the PDF documents, digital signatures, and audit logs (timestamp, user ID) associated with the signing event. This data is processed on behalf of your Subscriber to provide proof of execution.
• Financial & Invoicing Data: If your Subscriber uses the Invoicing or NDIS Claiming features, we process shift costs, billing rates, and NDIS participant details to generate invoices and claim files.

3. Data Storage and Location

Your data is stored in secure AWS data centers located in the Asia Pacific (Sydney) region. We choose local infrastructure to ensure compliance with Australian data sovereignty requirements and to minimize latency.

4. Data Isolation and Security

We are committed to the security of your data:

• Tenant Isolation: Your data is logically isolated within our multi-tenant architecture. Users from one organisation cannot access data from another organisation.
• Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256) using industry-standard protocols.
• Access Control: Only authorized users within your organisation can access your personal data. StaffLoop administrators may access data solely for maintenance, support, or security purposes, and are bound by strict confidentiality obligations.
• File Storage Security: Uploaded files are stored in private S3 buckets with pre-signed URL access controls and automatic encryption.
• Message Security: Chat messages are encrypted in transit and stored in secure databases with tenant-level isolation.

5. Data Retention

We retain your personal information for as long as necessary to provide the Service to you and your Subscriber. Specific retention policies:

• User Profiles: Retained while your account is active and for 7 years after account closure (for compliance and audit purposes).
• Shift Records, Time Logs, and Incident Reports: Retained for 7 years in accordance with Fair Work Act and regulatory requirements (e.g., NDIS/Aged Care records).
• Chat Messages: Retained as per your Subscriber's policy. Systems may implement automated cleanup for idle connection metadata (24-hour TTL) but message content remains as per retention policy.
• File Attachments: Subject to your Subscriber's retention policy. Archived files may be automatically deleted after a configured period (default: 1 year after archiving).
• Demo Requests: Retained for 2 years or until you request deletion.

6. Disclosure of Your Information

We may share information we have collected about you in certain situations:

• With Your Employer/Administrator: Your information, including personal data, shift times, geolocation data, messages, and uploaded files, is fully accessible to the administrative users of your organisation for rostering, payroll, compliance, and management purposes.
• By Law: If required by law, court order, or regulation.
• Accounting & Payroll Integrations: If your Subscriber connects the Service to third-party accounting software (including Xero, QuickBooks Online, MYOB, and Zoho Books), we will share relevant data such as employee details, timesheets, leave requests, and pay rates with these providers to facilitate payroll processing. This sharing is initiated and controlled by your Subscriber's administrators.
• Service Providers: We may share data with trusted third-party service providers (e.g., AWS for hosting, Amazon SNS/SES for notifications and emails, Google Maps and Mapbox for geolocation, mapping, and routing services, Google reCAPTCHA for security, and Sentry for error tracking and performance monitoring) who assist us in operating the Service. These providers are contractually bound to process data only as instructed and to maintain appropriate security measures.

7. Security and Bot Protection

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. We use reCAPTCHA v3 to protect our login and signup forms from automated abuse and bots.

8. Your Rights

As the Data Controller, your employing organisation is responsible for handling your requests regarding access, correction, or deletion of your personal data. Please contact your administrator directly for such requests.

You may also exercise the following rights:

• Access: Request a copy of your personal data.
• Correction: Request correction of inaccurate data. In many cases, you can update your profile information directly through the app.
• Deletion: You may initiate account deletion directly within the Application via the "My Profile" > "Security" section. Upon initiation, your authentication credentials will be permanently deleted and your login access revoked. Note that identifiable records (including shift logs and activity history) will be retained for 7 years for legal and regulatory compliance (e.g., NDIS, Aged Care, or Fair Work requirements) before being permanently purged.
• Notification Opt-Out: Disable push notifications through your device settings or app preferences at any time.

9. International Data Transfers

While we primarily store data in Australia, some service providers (e.g., AWS global services, notification infrastructure) may involve data processed in other regions. We ensure all such transfers comply with Australian privacy laws and use appropriate safeguards.

10. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, please contact:

• Your Organisation's Administrator: For requests regarding your personal data.
• StaffLoop Support: For technical privacy concerns regarding the platform itself at contact@staffloop.com.au

If you have a complaint about our compliance with the Privacy Act and we have not resolved your complaint within 30 days, you can refer your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.