Staffly Privacy Policy 

1. Introduction

Staffly is a workforce management and HR platform operated by Staffly We are committed to protecting personal data and ensuring transparency regarding how information is collected, used, stored and processed.

This Privacy Policy explains how Staffly processes personal data when organisations use the Staffly platform, website, mobile applications and related services.

Staffly provides services to businesses and organisations acting as employers. In most cases, the employer or organisation using Staffly acts as the Data Controller, while Staffly acts as a Data Processor processing data on the customer’s behalf.

---

2. Information We Process

Depending on the services enabled by the customer, Staffly may process the following categories of personal data:

• Employee identification information
• Name, email address and contact details
• Employment information
• Department, role and work location
• Scheduling and attendance records
• Payroll-related time records
• Annual leave and absence records
• Device and login information
• Geolocation data during attendance events
• Profile photographs
• Attendance verification images
• Biometric identifiers used for identity verification
• Training, certification, visa or licence expiry information
• Communications and task management activity within the platform

Staffly does not intentionally collect unnecessary personal data and limits processing to data relevant for workforce management and operational purposes.

---

3. Location Data & Geofencing

Where enabled by the employer or organisation, Staffly may process location data for workforce attendance verification purposes.

Location information is collected only at the time an employee performs a clock-in or clock-out action within the application. Staffly does not continuously monitor, track or record employee location in the background outside attendance-related events.

Location data may be used to:

• verify attendance at approved work locations;
• support geofencing functionality;
• assist with attendance accuracy and fraud prevention;
• support workforce compliance and operational reporting.

Users can manage location permissions through their device settings.

---

4. Camera, Photos & Attendance Verification

Staffly may use device camera and photo functionality for workforce management features including:

• profile image uploads;
• attendance verification;
• clock-in and clock-out validation;
• site-based attendance integrity controls.

Where enabled by the employer, attendance verification may involve facial recognition technology to compare a user’s facial characteristics against an enrolled reference profile.

This functionality is used solely for workforce attendance verification and identity confirmation purposes.

Staffly does not use facial recognition data for:

• advertising;
• behavioural profiling;
• emotion recognition;
• surveillance;
• social scoring;
• or automated employment decisions.

---

5. Biometric Data Processing

Where facial verification features are enabled, biometric data may be processed for the purpose of uniquely identifying individuals during attendance verification workflows.

This functionality may involve:

• the creation of biometric identifiers using Amazon Web Services (AWS) Rekognition technology;
• storage of biometric reference identifiers within AWS Rekognition collections;
• secure storage of profile or attendance images in cloud storage environments;
• storage within the Staffly database of reference identifiers only, rather than raw biometric templates.

Biometric processing functionality is configurable by the customer organisation and may not be enabled by all customers.

Employers using biometric attendance functionality are responsible for:

• determining the appropriate lawful basis for processing;
• conducting any required Data Protection Impact Assessments (DPIAs);
• implementing appropriate employee notices and workplace policies;
• ensuring compliance with local employment and privacy laws;
• providing alternative attendance methods where legally required.

Staffly acts as a Data Processor in relation to such processing activities.

---

6. Artificial Intelligence (AI)

Staffly may provide limited AI-assisted functionality to improve the user experience and simplify interaction with workforce data.

AI functionality within Staffly is limited to converting user requests written in natural language into structured database queries in order to retrieve information from the customer’s own workforce database.

Staffly:

• does not use AI to make automated employment decisions;
• does not conduct behavioural profiling or employee scoring;
• does not train AI models using customer or employee data;
• does not use customer data to improve third-party AI systems;
• does not sell or share workforce data for AI model training purposes.

AI functionality is intended solely to assist users in retrieving workforce-related information more efficiently.

---

7. Automated Decision-Making

Staffly does not use AI or automated systems to make decisions that produce legal or similarly significant effects on individuals.

The platform does not perform:

• automated hiring decisions;
• automated disciplinary actions;
• social scoring;
• emotion recognition;
• biometric categorisation;
• or fully automated employment profiling.

All employment-related decisions remain under the control of the employer or organisation using the platform.

---

8. Data Retention

Staffly retains personal data only for as long as necessary to provide services to customers and meet contractual, legal and operational obligations.

Retention periods may vary depending on:

• customer configuration;
• employment relationships;
• legal obligations;
• payroll and tax requirements;
• dispute resolution requirements.

Where biometric attendance functionality is enabled:

• biometric enrolment data should be removed when employment ends or when verification functionality is no longer required;
• attendance verification images should be retained only for limited operational or compliance purposes.

Customers remain responsible for defining appropriate retention schedules in accordance with applicable laws.

---

9. Security Measures

Staffly implements appropriate technical and organisational security measures designed to protect personal data against unauthorised access, disclosure, alteration or destruction.

Security measures may include:

• encryption in transit and at rest;
• role-based access controls;
• audit logging;
• secure authentication mechanisms;
• cloud infrastructure security controls;
• restricted administrative access;
• monitoring and incident response procedures.

No internet-based platform can guarantee absolute security; however, Staffly continuously reviews and improves its security practices.

---

10. Subprocessors & Cloud Providers

Staffly may engage trusted third-party service providers to support platform operations, hosting, authentication, communications and infrastructure services.

These providers may include:

• cloud hosting providers;
• infrastructure providers;
• authentication providers;
• communication and notification providers;
• artificial intelligence service providers;
• biometric verification providers.

Where applicable, Staffly implements appropriate contractual and technical safeguards with subprocessors.

---

11. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), Staffly takes appropriate measures to ensure adequate protection of personal data, including the use of approved contractual safeguards where required.

Customers may request additional information regarding international data transfer mechanisms.

---

12. Your Rights

Depending on applicable law, individuals may have rights relating to their personal data, including:

• the right to access;
• correction of inaccurate data;
• deletion;
• restriction of processing;
• objection to processing;
• data portability;
• and the right to lodge a complaint with a supervisory authority.

As Staffly generally acts as a Data Processor, requests relating to employee data should usually be directed first to the relevant employer or organisation acting as Data Controller.

---

13. Contact Information

Questions relating to privacy, data protection or this Privacy Policy can be directed to:

Email: privacy@staffly.ie
Website: Staffly