What is Personal Information?
Personal Information is information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
We do not consider personal information to include information that has been anonymized or aggregated so that it can no longer be used to identify a specific natural person, whether in combination with other information or otherwise.
We collect personal information from you when you use our Services.
We collect personal information from you and any devices (including mobile devices) you use when you: use our Services, register for an account with us, provide us information on a web form, update or add information to your account, join or otherwise participate in a Group, or when you otherwise correspond with us.
Some of this personal information, such as a way to identify you, is necessary to enter into our Terms of Service ("TOS" or "the TOS"). The provision of all other personal information is voluntary, but may be necessary in order to use our Services, such joining a Group, performing a punch, completing and sending a time sheet, and manipulating a schedule.
We may also collect personal information from other sources, as described below.
Personal information you give us when you use our Services or register for an account with us
Identifying information such as your name, addresses, telephone numbers or email addresses when you register for an account with us.
Subject, time, date, task and notes-related information you provide during a punch, or other time tracking, time sheet, or scheduling content that you generate or that is connected to your account as a result of a time tracking or scheduling transaction you are involved in.
Other content that you generate, or that is connected to your account (such as requesting activity reports).
Financial information (such as credit card) in connection with the purchase of a subscription within a Group.
You may also provide us other information through a web form, by updating or adding information to your account, through your participation and actions in a Group, member-to-member communications, internal messages, dispute resolution, or when you otherwise communicate with us regarding our Services.
Additional information we are required or authorized by applicable national laws to collect and process in order to authenticate or identify you or to verify the information we have collected.
Personal information we collect automatically when you use our Services or register for an account with us
We collect information about your interaction with our Services, your preferences, and your communications with us. This is information we receive from devices (including mobile devices) you use when you access our Services. This information could include the following: Device ID or unique identifier, device type, and unique device token.
Location information, including location information from your mobile device. Keep in mind that most mobile devices allow you to control or disable the use of location services by any application on your mobile device in the device's settings menu. Disabling location information could have a negative impact on your Group's ability to confirm the validity of your punches.
Computer and connection information such as statistics on your page views, traffic to and from the sites, referral URL, ad data, your IP address, your browsing history, and your web log information.
Personal information we collect using cookies and similar technologies
For more information about our use of these technologies, and how to control them, see Cookies and Similar Technologies.
Personal information collected from other sources
We supplement the personal information we collect directly with information collected from third parties and add it to your account and/or your Group(s) information. For examples of information that is collected at the Group level, we collect information that is entered by certain members of your Group with appropriate permission sets, such as your Group administrator or your Group managers. To further illustrate this example, these members might enter information such as identification codes used by your Group, phone numbers, gender, miscellaneous and sundry notes, roles, and permission sets. For examples of information that is collected at your own account level, Group members with appropriate permission sets can add, modify, or delete information on your behalf, such as punches (and all of the information contained within a punch), time sheets, and schedule information.
If you give us personal information about someone else, you must do so only with that person’s authorization. You should inform them how we collect, use, disclose, and retain their personal information according to our privacy notice. An example of a person that will provide us with personal information about someone else would be a Group administrator or someone with appropriate Group privileges (such as a manager) to create, edit, and delete data regarding Group members.
We use your personal information to provide and improve our Services, provide you with a personalized experience on our sites, contact you about your account and our Services, provide you customer service, provide you with personalized notifications, and to detect, prevent, mitigate and investigate fraudulent or illegal activities.
Our operations are supported by a network of computers, cloud-based servers, and other infrastructure and information technology, including, but not limited to, third-party service providers. We and our third-party service providers store process, and access your personal data in Canada, in the United States of America and elsewhere in the world. By using our Service, you consent to your personal data being transferred to other countries, including countries that have different data protection rules than your country. In cases where your personal data is transferred to other countries, the personal information is subject to the law of the jurisdiction in which it is used or stored, including any law permitting or requiring disclosure of the information to the government, government agencies, courts and law enforcement in that jurisdiction. We do not represent that our Service is appropriate or available in any particular jurisdiction.
We may use technologies considered artificial intelligence, automated decision making or profiling. We will not make automated-decisions about you that would significantly affect you, unless such a decision is necessary as part of a contract we have with you, we have your consent, or we are required by law to use such technology.
You have the right to withdraw your consent at any time. Information that you have provided or that was obtained from other sources about you prior to the withdrawal of your consent may be retained for some time. See How We Might Share Your Personal Information.
We use the personal information we collect from you for a range of different business purposes and according to different legal bases of processing. The following is a summary of how and according to which legal bases we use your personal information.
We use your personal information to fulfill a contract with you and provide you with our Services, to comply with our legal obligation, protect your vital interest, or as may be required for the public good. This includes:
We use your personal information to pursue our legitimate interests where your rights and freedoms do not outweigh these interests. We have implemented controls to balance our interests with your rights. This includes to:
With your consent, we may use your personal information to:
We use your personal information to facilitate the exchange of your personal data between XPunch Services and social media or other external sites and services to:
Other information that you should know:
By associating an account managed by a social media site, a federated identity management system, or any other third party account or platform that you lawfully control or own with your XPunch account, you authorize us to have access to the information that becomes available to us as a result of this association, and you agree that we can collect, use and retain the information provided by these third party entities in accordance with this Privacy Notice.
Consult the "How we might share your personal information" section, further below, to learn more information about the sharing of your personal information with third parties.
By logging into, registering for, subscribing to, or accessing our Services and/or submitting information to us in connection with using our Services, you are providing your consent to the collection, use and disclosure of personal information as set out in this Privacy Notice. In some cases, your consent may be “implied” i.e. your permission is assumed based on your action or inaction at the point of collection, use or sharing of your personal information.
You have choices about how we use your personal information to communicate with you, to send you marketing information, how we provide you with customized and relevant advertising, and whether you want to stay signed into your account.
The current version of XPunch does not offer any control over your email communication preferences. You may receive communications from us that are directly related to our Services.
Marketing and Advertising
At the present time, XPunch does not issue targeted, direct marketing communications. Keep in mind, we do not sell, rent, or otherwise disclose your personal information to third parties for their marketing purposes without your consent.
Staying Signed in
When you sign in to your account on our Services, you may remain stay signed in to your account for certain amount of time. If you are using a public or shared computer or device, we encourage you to sign out of XPunch after you no longer require access to your account. Please note that it is not enough to simply sign out of social media login, or to sign out of a federated identity management system, you must also sign out of XPunch itself. You or any other user of the computer / device / browser you signed in on will be able to view and access most parts of your account and take certain specific actions during this signed in period without any further authorization. Examples of specific actions and account activities that you or any other user of this computer / device / browser may take include:
If you attempt to change your password, User ID, update any other account information or attempt other account activity beyond those listed above, you may be required to enter your password.
You can typically end your signed in session by either signing out of XPunch and / or clearing your cookies. If you have certain browser privacy settings enabled, simply closing your browser may also end your signed in session. If you are using a public or shared computer / device, you should sign out of XPunch and / or clear your cookies when you are done using our Services to protect your account and your personal information.
We respect your right to access, correct, request deletion or request restriction of our usage of your personal information as required by applicable law. We also take steps to ensure that the personal information we collect is accurate and up to date.
Access, correction, and deletion of your personal information
You can see, review and change most of your personal information by signing in to your account. Please, update your personal information immediately if it changes or is inaccurate. Keep in mind, once you make a public or group posting, you may not be able to change or remove it. For example, performing a punch or submitting a time sheet can result in copies of that activity being shared with other members of your XPunch group and these members or the group itself may retain copies of your activity.
We will honor any statutory right you might have to access, modify or erase your personal information. To request access and to find out whether any fees may apply, if permitted by applicable national laws, please contact us following the instructions in the Contact Us section below. Where you have a statutory right to request access or request the modification or erasure of your personal information, we can still withhold that access or decline to modify or erase your personal information in some cases in accordance with applicable national laws.
If you request that we stop processing some or all of your personal information or you withdraw (where applicable) your consent for our use or disclosure of your personal information for purposes set out in this privacy notice, we might not be able to provide you all of the Services and customer support offered to our users and authorized under this privacy notice and our TOS.
Upon your request and reasonable confirmation of your identity, we will close your account and remove your personal information from view as soon as reasonably possible, based on your account activity and in accordance with applicable national laws.
We retain your personal information for as long as necessary to provide the Services you have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our policies.
The following factors typically influence retention periods:
After it is no longer necessary for us to retain your personal information, we will dispose of it in a secure manner according to our data retention and deletion policies.
When you provide information or perform any activity within an XPunch group, it is important to understand that other members of your XPunch group(s) are immediately able to save, record and otherwise archive snapshots and reports of your personal information, your activities, your punches and punch information, your schedule information, and your timesheets—amongst other data—in your group(s). These users may retain this information or data for longer periods of time than that which is described in this privacy notice. Your group, your organization, and these users should inform you of their own data retention policies. They should follow their, and your, own data retention policies that apply to their own organizations, jurisdictions, and regions. Webinnovex does not assume responsibility for the data retention timelines of your group's individual users or your organization. To put this into a plain English analogy: imagine that you provide an old-fashioned, paper-based punch card (or other information) to your employer and that employer then, in turns, keeps your information in a filing cabinet for legal or archival purposes. Webinnovex naturally cannot have any control over how long your employer keeps that paper in that filing cabinet.
We do our utmost to protect your personal information using technical and administrative security measures to reduce the risks of your information's loss, misuse, unauthorized access, disclosure and alteration. Some of the safeguards we use are firewalls and data encryption (SSL), physical access controls to our data centers, and information access authorization controls (OAuth 2). We rely on Microsoft Azure’s infrastructure to implement best practices in the industry.
We want to be up front and transparent about this: we simply do not have the resources to guarantee to you that a data breach will never happen. A data breach is the unintentional release of secure or private/confidential information to an untrusted environment. To put this in plain English, we do not suggest for a moment that we are able to offer invulnerability against a sheer assault of worldwide resources that are available to hack information and, for this reason, we suggest that you only share information with our Services under that context. In the event a data breach occurs, we will inform you: see the "Data controllers and data protection officers" section, immediately below.
You are contracting with Webinnovex Inc., 402-1625 Clark, Montreal, QC, H2X 2R4, Canada
The company you are contracting with is your data controller, and is responsible for the collection, use, disclosure, retention and protection of your personal information in accordance with our privacy standards, this privacy notice, as well as any applicable national laws.
Your data controller may transfer data to other members of the Webinnovex Inc. corporate family, as described in this privacy notice.
We may process and retain your personal information on our servers in the U.S., Canada, and elsewhere in the world where our data centers are located.
In the case of a personal data breach, your controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify you of a data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notices of data breaches, changes to terms of service, or other matters that affect you may be made by displaying partial copies of notices or links to notices via one or more of the following: an electronic click-through, a Service notification, a banner notice on a Service interface, an email to the email associated with your account, the Service's internal messaging system, the XPunch Message Center, or via one of our social media outlets such as https://twitter.com/XPunchApp/ and https://facebook.com/XPunchApp/. If you fail to maintain accurate account information, such as contact information, you may not receive critical information about the Service or the TOS. Your data controller may also advise other bodies such as regulatory privacy commissions depending on the (region of the) users that were affected by the data breach.
This section describes some additional privacy information related to your use of our Services that you may find important.
When you share your personal information on our sites or applications – what happens?
Other users have access to the information you share on XPunch. For example, other users can see your scheduled shifts, time clock punches, time sheets, and all of the associated information connected to these items.
When you use our Services, your user ID or name may be displayed and available to other members of your XPunch group(s) and associated with all of your XPunch activity. Communications sent to other users as part of our Services may refer to your user ID or name.
Your responsibilities over interactional information you receive through XPunch
When you interact with another user, we enable you to obtain or we may provide you with the personal information of the other user (such as their name, account ID, email address, and contact details) to complete the interaction. Independent from us, you are the controller of such data and we encourage you to inform the other user about your privacy practices and respect their privacy. In all cases, you must comply with the applicable privacy laws, and must give the other user a chance to remove them from your database and them a chance to review what information you have collected about them.
You may use the personal information that you have access to only for XPunch interaction-related purposes, or for other services offered through XPunch, and for purposes expressly consented by the user to whom the information relates. Using personal information of other users that you have access to for any other purpose constitutes a violation of our TOS.
Unwanted or threatening communications
We do not tolerate abuse of our Services. Sending unwanted or threatening email and text messages is against our TOS. To report XPunch-related spam or spoof emails please report the email via https://xpunch.zendesk.com/hc/en-us/requests/new/.
We may scan messages automatically and check for spam, viruses, phishing and other malicious activity, illegal or prohibited content or violations of our TOS, this privacy notice or our other policies.
Our websites are general audience websites and not intended for children. We do not knowingly collect personal information from users deemed to be children under their respective national laws.
Third Party Privacy Practices
This privacy notice addresses only our use and handling of personal information we collect from you in connection with providing you our Services. If you disclose your information to a third party, or visit a third party website via a link from our Services, their privacy notices and practices will apply to any personal information you provide to them or they collect from you.
We cannot guarantee the privacy or security of your personal information once you provide it to a third party and we encourage you to evaluate the privacy and security policies of your trading partner before entering into a transaction and choosing to share your personal information. This is true even where the third parties to whom you disclose personal information are bidders, buyers or sellers on our site.