Privacy Policy
Learn how Payly collects, uses, and protects your personal information when using our workforce management platform.
Last Updated: January 15, 2025
Effective Date: January 15, 2025
This Privacy Policy explains how Payly ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our workforce management platform (the "Service"). We take the privacy and security of your data seriously, especially given the sensitive nature of worker information, time tracking, and business data processed through our platform.
1. Information We Collect
1.1 Account Information
When you create an account with Payly, we collect:
- Name, email address, and phone number
- Company name and details
- Account credentials (encrypted passwords)
- Payment information for subscription billing
- Role and permission settings within your account
1.2 Worker and Contractor Data
As a workforce management platform, we process worker information on behalf of our customers, including:
- Full names, addresses, and contact information
- Email addresses and phone numbers
- Tax Identification Numbers (TINs) or similar identifiers (for onboarding workflows)
- Hourly rates and compensation details
- Worker classification (employee, independent contractor, freelancer)
- Start dates and project assignments
- Emergency contact information (optional)
- Identity documents uploaded during onboarding (e.g., driver's license, certifications)
Note: Payly does NOT collect bank account numbers, process direct deposits, or handle tax withholding forms (W-4, etc.). You remain responsible for payment processing and tax compliance.
1.3 Business and Work Data
We collect business and work-related information including:
- Hours worked, time entries, and timesheet submissions
- Project assignments, task descriptions, and milestones
- Approval workflows and manager reviews
- Client billing information, hourly rates, and pricing
- Invoice generation data (line items, amounts, payment terms)
- Purchase orders and expense records
- Documents uploaded to the platform (contracts, agreements, certificates)
- E-signature requests and signed document records
- Communications related to document signatures
1.4 Usage Data and Analytics
We automatically collect information about how you use the Service:
- Login times, session duration, and feature usage
- Pages viewed, buttons clicked, and user interactions
- Search queries and filters applied
- Error logs and performance metrics
- API usage and integration activity
1.5 Device and Technical Information
We collect technical data from your devices:
- IP address, browser type, and version
- Operating system and device information
- Screen resolution and language preferences
- Referring URLs and navigation paths
- Cookies and similar tracking technologies
1.6 Cookies and Tracking Technologies
We use cookies, web beacons, and similar technologies to maintain your session, remember your preferences, analyze usage patterns, and improve our Service. See Section 8 for detailed information about cookies.
2. How We Use Your Information
2.1 Service Delivery
- Track time, manage timesheets, and calculate billable hours
- Generate invoices based on time entries and project rates
- Facilitate document storage, management, and e-signature workflows
- Process onboarding workflows for new workers and contractors
- Generate reports for clients, projects, and workers
- Manage user accounts, roles, and permissions
- Provide customer support and respond to inquiries
- Enable integrations with third-party services (Stripe, QuickBooks, Xero, Zapier)
2.2 Legal and Compliance
- Respond to legal requests, subpoenas, and government inquiries
- Enforce our Terms of Service and prevent fraud or abuse
- Maintain accurate business records as required by law
- Comply with data protection regulations (GDPR, CCPA, etc.)
- Protect the rights, property, and safety of Payly, our users, and others
Note: You (the customer) remain responsible for tax reporting (1099s, etc.), employment law compliance, and worker classification. Payly does not handle tax filings or provide tax/legal advice.
2.3 Service Improvement
- Analyze usage patterns to improve features and user experience
- Develop new features and functionality
- Monitor system performance and security
- Conduct research and analytics (using aggregated, de-identified data)
- Test new features and conduct A/B testing
2.4 Communications
- Send service notifications (timesheet approvals, invoice generation, document signatures)
- Provide account updates and security alerts
- Share product announcements and feature updates
- Send marketing communications (with your consent, opt-out available)
- Respond to support requests and feedback
3. How We Share Your Information
We do not sell or rent your personal information to third parties. We may share your information in the following limited circumstances:
3.1 Service Providers
We share data with trusted third-party service providers who assist in operating our Service, including:
- Cloud hosting and infrastructure providers (AWS)
- Payment processing providers (for subscription billing)
- Email service providers for transactional and marketing emails
- Analytics and monitoring services
- Customer support and communication tools
These providers are contractually obligated to protect your data and use it only for the services they provide to us.
3.2 Third-Party Integrations
When you enable integrations with third-party services (Stripe, QuickBooks, Xero, Zapier), we share relevant data with these services based on your authorization:
- Invoice and billing data (for accounting integrations)
- Time tracking and project data (for synchronization)
- Worker information as needed for integration functionality
Your use of third-party services is governed by their privacy policies, which we encourage you to review.
3.3 Legal Requirements
We may disclose your information when required by law or in response to:
- Valid legal processes (subpoenas, court orders, search warrants)
- Government or regulatory requests
- Investigations of potential violations of our Terms of Service
- Situations involving potential threats to safety or security
- Protection of our legal rights and property
3.4 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before your information becomes subject to a different privacy policy.
3.5 Aggregated and De-Identified Data
We may share aggregated, de-identified information that cannot reasonably be used to identify you or your organization. This may include industry benchmarks, usage statistics, or research findings.
4. Data Security and Protection
We implement industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction.
4.1 Security Measures
- Encryption of data in transit using TLS/SSL protocols
- Encryption of sensitive data at rest in our databases
- Regular security audits and vulnerability assessments
- Access controls and authentication requirements
- Employee training on data security and privacy practices
- Monitoring and logging of system access and activities
- Regular backups and disaster recovery procedures
4.2 Your Responsibilities
You play an important role in protecting your data:
- Use strong, unique passwords for your account
- Enable two-factor authentication when available
- Keep your login credentials confidential
- Log out of shared or public computers
- Report any suspected security breaches immediately
- Regularly review user access permissions in your account
4.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable laws. We will provide information about the breach, steps we're taking to address it, and recommendations for protecting your information.
4.4 Limitations
While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your data transmitted to or stored on our Service. You acknowledge and accept this inherent risk when using online services.
5. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
5.1 Active Accounts
While your account is active, we retain all data necessary to provide the Service, including timesheet records, invoices, documents, and worker information.
5.2 Closed Accounts
After account closure or subscription cancellation, we retain your data for a limited period (typically 30-90 days) to allow for account reactivation or data retrieval. After this grace period, we may permanently delete your Customer Data.
5.3 Legal and Compliance Requirements
We may retain certain information longer when required by law, to resolve disputes, enforce our agreements, or for legitimate business purposes such as:
- Financial records for tax and accounting purposes (typically 7 years)
- Transaction history and billing records
- Communications related to legal matters or support requests
- Security logs and audit trails
5.4 Data Deletion
You can request deletion of your personal information at any time by contacting us at legal@payly.com.au. We will respond to your request within a reasonable timeframe and in accordance with applicable laws. Note that we may retain certain information as required by law or for legitimate business purposes.
6. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information under applicable data protection laws, including GDPR (European Union) and CCPA (California).
6.1 Access and Portability
You have the right to access your personal information and request a copy in a portable format. You can export most of your data directly through the Service's export features.
6.2 Correction and Update
You can update your account information and profile details at any time through your account settings. If you need assistance correcting your information, contact us at support@payly.com.au.
6.3 Deletion (Right to be Forgotten)
You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, pending transactions, dispute resolution). We will respond to deletion requests within 30 days.
6.4 Restriction and Objection
You may request that we restrict processing of your personal information or object to certain types of processing, such as direct marketing. You can opt out of marketing emails using the unsubscribe link in any marketing message.
6.5 Withdraw Consent
Where we rely on your consent to process your information, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing prior to withdrawal.
6.6 Lodge a Complaint
If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority or supervisory authority.
6.7 Exercising Your Rights
To exercise any of these rights, please contact us at legal@payly.com.au. We will respond to your request within the timeframe required by applicable law, typically within 30 days. We may need to verify your identity before processing your request.
7. International Data Transfers
Payly is based in Australia and our infrastructure is hosted on Amazon Web Services (AWS). Your information may be transferred to, stored, and processed in data centers located in various countries where AWS operates.
If you are located in the European Economic Area (EEA), United Kingdom, or other regions with data transfer restrictions, please be aware that we transfer personal data to countries that may not have the same data protection laws as your jurisdiction. When we transfer data internationally, we implement appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with service providers
- Compliance with applicable data protection frameworks
- Technical and organizational security measures
By using the Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules than your country.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience, analyze usage patterns, and improve our Service.
8.1 What Are Cookies?
Cookies are small text files stored on your device that help us recognize you, remember your preferences, and understand how you use our Service.
8.2 Types of Cookies We Use
- Essential Cookies: Required for the Service to function (authentication, session management)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand usage patterns and improve features
- Advertising Cookies: Used for targeted marketing (if you opt in)
8.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing cookies. However, disabling essential cookies may impair the functionality of the Service. Please note that opting out of analytics or advertising cookies does not mean you will stop seeing ads, but ads may be less relevant to you.
8.4 Do Not Track
Some browsers support "Do Not Track" signals. We currently do not respond to Do Not Track signals, as there is no industry-wide standard for compliance. We will continue to monitor developments in this area.
9. Third-Party Services
Our Service integrates with third-party services to provide enhanced functionality. When you use these integrations, you are subject to the privacy policies and terms of those third parties.
9.1 Integrated Services
- Stripe: Payment processing for subscription billing (see Stripe's privacy policy)
- QuickBooks & Xero: Accounting and invoicing integration (see their respective privacy policies)
- Zapier: Workflow automation (see Zapier's privacy policy)
9.2 Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.
9.3 Data Sharing with Integrations
When you authorize an integration, you grant Payly permission to share relevant data with the third-party service. You can revoke integration authorizations at any time through your account settings.
10. Children's Privacy
Our Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at legal@payly.com.au, and we will take steps to delete such information.
Users of the Service must represent that they are at least 18 years old or have parental/guardian consent to use the Service. Account owners are responsible for ensuring that minor users (if any) have appropriate permissions and supervision.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email if changes are material
- Post a prominent notice on our website or within the Service
- Provide a reasonable notice period before changes take effect
Your continued use of the Service after changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, you should discontinue use of the Service and contact us to close your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Payly
Email: legal@payly.com.au
Support: support@payly.com.au
Website: www.payly.com.au
We will respond to your inquiries within a reasonable timeframe, typically within 30 days. For data subject requests (access, deletion, etc.), we may need to verify your identity before processing your request.
By using Payly, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy.