Privacy Policy

1. Who We Are

WorkPulse ("we", "us", "our") is a time tracking, invoicing, and contractor management application operated by ACarr Software. This policy describes how we collect, use, and protect your personal information when you use our service at *.acarr.org.

2. Information We Collect

When you sign up for WorkPulse, we collect:

• Account information: Company name, email address, phone number, and password (stored as a one-way cryptographic hash).
• Business data: Clients, projects, contractors, time entries, invoices, expenses, and payment records that you enter into the application.
• Usage data: Login timestamps, IP addresses, and user agent strings for security auditing.

3. How We Use Your Information

• Provide the service: Store and process your business data to deliver time tracking, invoicing, and contractor management features.
• Account verification: Send a one-time SMS verification code to your phone number during signup.
• Transactional notifications: Send SMS and email alerts for invoice payments, due date reminders, overdue notices, and pay period updates. You control which notifications you receive via your notification preferences.
• Security: Audit logging of authentication events and data changes to protect your account.

4. SMS Communications

By providing your phone number and checking the SMS consent box during signup, you agree to receive:

• A one-time verification code during account creation.
• Transactional SMS notifications related to your business activity (invoice payments, due dates, pay periods).

We will never send marketing or promotional messages via SMS. You can disable SMS notifications at any time in your account notification preferences. Message and data rates may apply. Messaging frequency varies based on your business activity.

To opt out of SMS notifications, update your notification preferences in the application or reply STOP to any message.

5. Data Storage and Security

• Tenant isolation: Each customer's data is stored in a dedicated, isolated database. Your data is never mixed with another customer's data.
• Encryption in transit: All connections use TLS 1.2 or higher. Database connections are encrypted via SSL and VPN tunnel.
• Encryption at rest: Storage volumes are encrypted using AES-256.
• Password security: Passwords are hashed using BCrypt with a cost factor of 12. We never store plaintext passwords.
• Access control: Role-based access control with per-user permissions. All data access is logged in an audit trail.

6. Data Sharing

We do not sell, rent, or share your personal information with third parties. We use the following service providers to operate WorkPulse:

• Amazon Web Services (AWS): Cloud infrastructure, email delivery (SES), and SMS delivery (SNS).
• Let's Encrypt: TLS certificate issuance.

These providers process data only as necessary to provide their services and are bound by their own privacy policies.

7. Data Retention

• Active accounts: Your data is retained for the duration of your account.
• Trial expiration: If your trial expires and you do not subscribe, your data is retained for 30 days after expiration, then permanently deleted.
• Account deletion: Upon request, we will delete all your data within 30 days. Contact us at the address below.
• Audit logs: Retained for 90 days for security purposes.

8. Your Rights

You have the right to:

• Access: Request a copy of all data we hold about you.
• Correction: Update or correct your personal information.
• Deletion: Request permanent deletion of your account and all associated data.
• Opt-out: Disable SMS or email notifications at any time.

9. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by email or through the application.

10. Contact Us

For privacy-related questions or data requests, contact us at:
Email: privacy@acarr.org