Privacy Policy

Last updated: April 27, 2026 Version: 2

STAFFSHIELD LLC PRIVACY POLICY

Effective Date: April 27, 2026

This Privacy Policy describes how StaffShield LLC ("StaffShield," "we," "us," or "our") collects, uses, stores, and discloses information in connection with the StaffShield document management platform (the "Service"). This Privacy Policy applies to staffing agencies and organizations ("Agencies") that subscribe to the Service and to individual workers ("Workers") who access the worker portal.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Who We Are and Our Role

1.1 StaffShield is a data processor. We process data on behalf of and at the direction of Agencies that use our Service. The Agency is the data controller and determines what data is collected, how it is used, and how long it is retained within the parameters of this Privacy Policy.

1.2 If you are a Worker and have questions about how your data is used by your Agency, please contact your Agency directly. StaffShield processes Worker data solely to provide the Service to the Agency.

2. Information We Collect

2.1 Agency Account Information

When an Agency creates an account, we collect: organization name, authorized representative name, email address, billing address, and payment information processed by our third-party payment processor, Stripe, Inc. StaffShield does not store full payment card numbers.

2.2 Worker Data

Through the Service, Agencies and Workers may upload and store employment-related documents, which may include: identity documents (such as passports and driver's licenses), Form I-9 Employment Eligibility Verification forms, background check reports, drug test results, professional licenses and certifications, safety training records, and other employment-related documents. This information is uploaded at the direction of the Agency and is controlled by the Agency.

2.3 Usage Data

We automatically collect certain technical information when you use the Service, including: IP address, browser type, operating system, pages viewed, features used, and timestamps. We use this information to operate and improve the Service.

2.4 Communications

If you contact us for support, we may collect your name, email address, and the content of your communication.

3. How We Use Information

We use information collected through the Service for the following purposes:

  • To provide, operate, and maintain the Service;
  • To process payments and manage subscriptions;
  • To send automated expiration alerts and notifications as configured by the Agency;
  • To generate compliance reports as requested by the Agency;
  • To respond to support requests;
  • To detect, prevent, and address security incidents, fraud, and technical issues;
  • To comply with applicable legal obligations; and
  • To improve and develop the Service.

We do not sell, rent, or trade personal information to third parties for their own marketing purposes.

4.1 Legal Basis. Where applicable under the laws of the European Union, United Kingdom, or other jurisdictions requiring a legal basis for processing, we process personal data on the following bases: (a) performance of a contract with the Agency; (b) legitimate interests in operating and improving the Service; and (c) compliance with legal obligations.

4.2 Automated Decision-Making. The Service does not engage in automated decision-making that produces legal or similarly significant effects on individuals. AI-assisted features within the Service (such as document date extraction or classification) are organizational tools intended to support, not replace, human review by the Agency. The Agency, not StaffShield, makes any decisions concerning workers based on data in the Service.

5. How We Share Information

5.1 Service Providers. We share information with third-party service providers ("Sub-processors") that assist us in operating the Service, including:

  • Render (web hosting and application infrastructure);
  • Neon (database services);
  • Cloudflare R2 (document storage);
  • Postmark (transactional email delivery);
  • Stripe, Inc. (payment processing).

These Sub-processors are contractually obligated to use information only as necessary to provide services to StaffShield and to protect such information. StaffShield reserves the right to add or substitute Sub-processors at any time and will provide Agencies with at least thirty (30) days' advance notice of any material change to its Sub-processors through the Service or by email.

5.2 Legal Requirements. We may disclose information if required to do so by law, court order, governmental authority, or if we believe in good faith that such disclosure is necessary to comply with legal obligations, protect the rights or safety of StaffShield or others, or investigate fraud or security incidents.

5.3 Business Transfers. In the event of a merger, acquisition, or sale of all or substantially all of StaffShield's assets, Customer Data may be transferred to the acquiring entity, subject to the same privacy commitments set forth in this Privacy Policy.

5.4 No Sale of Data. StaffShield does not sell personal information to third parties.

6. Data Retention

6.1 Active Accounts. We retain Customer Data and Worker data for as long as the Agency's account is active or as needed to provide the Service.

6.2 Account Termination. Upon termination or cancellation of an Agency's account, we retain Customer Data for thirty (30) days to allow for data export. After thirty (30) days, we permanently delete Customer Data from our systems, unless retention is required by applicable law.

6.3 Usage Data. We may retain anonymized usage data for longer periods for analytics and service improvement purposes.

6.4 Legal Holds. Notwithstanding the foregoing, we may retain certain information as required by applicable law, including to comply with legal process, enforce our agreements, resolve disputes, or for other legitimate legal purposes.

6.5 Aggregated and De-identified Data. StaffShield may create, retain, and use in perpetuity aggregated, de-identified, or anonymized data derived from data processed through the Service for any lawful business purpose, including service operation and improvement, analytics, benchmarking, security research, and the development, training, and improvement of machine learning and artificial intelligence models. By definition, such data cannot be used to identify any individual or Agency. This use survives termination of any Agency account.

7. Security

7.1 StaffShield implements commercially reasonable technical and organizational security measures designed to protect information against unauthorized access, disclosure, alteration, or destruction. These measures include encryption of data in transit using TLS, encryption of data at rest, access controls, and regular security assessments.

7.2 No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of information stored within the Service. Agencies and Workers assume responsibility for maintaining the security of their own systems and access credentials.

7.3 In the event of a data breach affecting personal information, StaffShield will notify affected Agencies in accordance with applicable breach notification laws.

8. Your Rights

8.1 Agency Rights. Agencies may access, export, or request deletion of their Customer Data at any time through the Service interface or by contacting us at the address below. Upon termination, Agencies have thirty (30) days to export their data before permanent deletion.

8.2 Worker Rights. Workers who seek to access, correct, or delete their personal information should contact their Agency, as the Agency is the data controller for Worker data. Workers may also contact StaffShield directly, and we will assist to the extent we are able while respecting the Agency's role as data controller.

8.3 California Residents. California residents may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. StaffShield does not sell personal information. To exercise CCPA rights, contact us at the address below.

8.4 Other State Privacy Laws. Residents of other states with applicable privacy laws (including Virginia, Colorado, Connecticut, Texas, and others) may have similar rights. Contact us to exercise applicable rights.

8.5 Response Times. StaffShield will respond to verified rights requests within the period required by applicable law, generally within forty-five (45) days of receipt of a verifiable request. We may extend this period by an additional forty-five (45) days where reasonably necessary, with notice to the requester.

9. Cookies and Tracking

The Service uses cookies and similar technologies to maintain session state, authenticate users, and analyze usage patterns. You may configure your browser to refuse cookies, but doing so may affect the functionality of the Service. We do not use cookies for cross-site advertising or tracking.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a minor without appropriate consent, we will take steps to delete such information promptly.

The Service may contain links to third-party websites or services. StaffShield is not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party services you access.

12. Changes to This Privacy Policy

StaffShield reserves the right to update this Privacy Policy at any time. We will notify Agencies of material changes by email or through the Service at least thirty (30) days before the effective date of such changes. Your continued use of the Service after the effective date of any change constitutes acceptance of the updated Privacy Policy.

13. International Data Transfers

The Service is operated from the United States and is intended for use by organizations and workers located in the United States. If you access the Service from outside the United States, you acknowledge that your information will be transferred to, processed, and stored in the United States, which may have different data protection laws than your jurisdiction.

The Service is not actively offered to data subjects located in the European Union, United Kingdom, or other jurisdictions with cross-border data transfer restrictions. Agencies that wish to use the Service to process personal data of EU, UK, or other jurisdiction-restricted data subjects must execute a separate Data Processing Addendum with StaffShield, including appropriate transfer mechanisms (such as the EU Standard Contractual Clauses), before doing so. Contact support@staffshieldai.com to request such an addendum.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

StaffShield LLC 6 Osborne Terrace, Maplewood, New Jersey 07040 Email: support@staffshieldai.com

This Privacy Policy was last updated on April 27, 2026.