Privacy Policy

AiDR App is a workforce management application currently in active development. This Privacy Policy explains what personal information is collected through this application, how it is used, and the measures in place to protect it. We are committed to handling personal information responsibly and in a manner consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and Canadian Centre for Cyber Security (CCCS) guidelines.

This application is in a pre-production development phase. It is not yet publicly available and access is limited to authorised testers and internal users only.

1. Information We Collect

Only the personal information necessary to operate workforce time tracking is collected:

• Identity: First name, last name
• Contact: Work email address
• Employment: Role, employment status
• Time & attendance: Clock-in/clock-out timestamps, project assignments, hours worked
• Time-off requests: Leave type, dates, and approval decisions
• Location: GPS coordinates captured at clock-in solely to verify work-site presence via geofencing — not tracked continuously or stored beyond the individual time entry
• Audit records: Administrative actions logged with anonymised identifiers for security compliance purposes

No sensitive personal information (health data, financial data, government IDs) is collected.

2. Why We Collect It

Personal information is used only for:

• Recording and managing employee time and attendance
• Processing and approving time-off requests
• Generating payroll-support and hours reports
• Verifying physical presence at designated work sites via geofencing
• Maintaining a security audit trail for compliance and accountability
• Sending account-related notifications (password resets, account setup)

Personal information is never used for advertising, marketing, profiling, or sold to third parties.

3. Data Residency

All data is stored in Canada. The database is hosted on Supabase in the AWS Canada (Central) — ca-central-1 region (Montreal/Toronto). No personal information leaves Canada in the ordinary course of operations.

4. Data Retention

Records are retained for the duration of an active user account. When an account is deactivated, personal data is retained for 60 days to allow for payroll reconciliation, after which it is permanently deleted. Audit log entries are anonymised using a one-way hash — the original email address is not recoverable after deletion.

5. Who Can See Your Information

Personal information is accessible only to:

• The individual user (their own records only)
• Authorised administrators of the organisation, on a need-to-know basis
• Infrastructure service providers (Supabase for database hosting, Vercel for application hosting) acting as data processors — they do not use the data for any independent purpose
• Law enforcement or regulatory authorities, only where required by Canadian law

6. Security Safeguards

The following technical and administrative controls are in place:

• Encryption in transit (TLS 1.2+) and at rest
• Row-Level Security enforced at the database — users can only access their own records
• Role-based access control separating employee and administrator capabilities
• Session authentication using secure, httpOnly cookies
• Password resets delivered via single-use cryptographic links — no plaintext passwords transmitted by email
• Unconditional audit logging at the database level for all data changes
• Content Security Policy headers to mitigate XSS and injection attacks

7. Your Rights

Under PIPEDA, you have the right to access, correct, and request deletion of your personal information. You may also challenge our compliance with this policy.

To exercise any of these rights, contact the application administrator directly. Requests will be acknowledged within 30 days. If you are not satisfied with the response, you may escalate to the Office of the Privacy Commissioner of Canada.

8. Cookies

This application uses session cookies solely for authentication. Cookies are marked httpOnly and secure and cannot be accessed by JavaScript. No advertising, analytics, or tracking cookies are used.

9. Changes to This Policy

This policy may be updated as the application develops. The "Last updated" date at the top of this page will reflect any changes. Users will be notified of material changes via the application or by email.