Skip to main content

Privacy Policy for Farm TimeCard

Effective Date: 2026-04-24 Last Reviewed: 2026-04-24

Change Log

  • 2026-04-24 — Aligned with current app binary: removed background-tracking language (app captures GPS only at clock events). Added Oregon Consumer Privacy Act (OCPA), CCPA/CPRA, retention schedule tied to BOLI OAR 839-020-0080, ag-worker minors clause, breach notification, and privacy officer contact. Placeholder support email replaced.
  • 2026-01-15 — Initial release.

1. Introduction

Farm TimeCard ("we," "our," or "us") operates a workforce time-tracking platform used by agricultural employers and their workers. This Privacy Policy describes what personal information we collect, why we collect it, how we use and share it, how long we keep it, and the choices and rights available to you.

If you are a worker using the mobile app at your employer's direction, your employer is the controller of your employment data; we are the processor. If you are an employer (farm owner, manager, bookkeeper) using our services, we are generally the controller for account-level data you provide directly.

2. Information We Collect

A. Information You Provide

  • Identity data — name, date of birth, employee number, preferred language.
  • Contact data — phone number, email address, emergency contact details.
  • Employment data — role, pay rate, pay basis (hourly, day-rate, piece-rate), job titles, department or crew assignments, classification (agricultural non-exempt, salary-exempt, etc.).
  • Authentication data — username, PIN (hashed, never stored in plaintext), multi-factor device registration details if enabled.
  • Optional verification — clock-in photo if your employer has enabled photo verification for their farm.

B. Information We Collect Automatically

  • Clock-event location — when you tap Clock In, Clock Out, Start Break, or End Break, we capture a GPS reading (latitude, longitude, horizontal accuracy) for that moment to verify presence at the designated work site. We do not track your location between clock events. We do not request or use the "Always" or background-location permission on iOS or Android.
  • Clock-event timestamps — the device time and a server-verified timestamp at the moment each event is submitted.
  • Device data — device model, operating-system version, app version, and a per-install identifier used to detect offline-sync issues and prevent duplicate submissions.
  • Technical logs — API request metadata (endpoint, response code, latency), error reports, and anonymized crash diagnostics used to keep the service operating.

C. Information From Third Parties

  • Your employer — roster details, pay rates, schedule assignments, and classification decisions your employer enters or imports.
  • Payroll providers (when your employer configures them) — read-only metadata needed to format exports; we do not receive your pay from these systems.

3. How We Use Your Information

  • Timekeeping verification — confirm that clock events correspond to authorized shifts at designated work sites.
  • Payroll processing — calculate hours worked, overtime under applicable state and federal law, piece-rate earnings, and required wage-statement line items.
  • Compliance and audit protection — maintain the records your employer needs under Oregon BOLI recordkeeping rules, federal FLSA 29 CFR 516, and tax-credit programs such as Oregon's Agricultural Employer Overtime Tax Credit (ORS 315.133).
  • Communication — send work-related notifications, schedule reminders, and service announcements.
  • Security and fraud prevention — detect attempts to bypass clock-in location checks, duplicate submissions, device-clock tampering, and unauthorized account access.
  • Service reliability — diagnose outages, prevent data loss during offline periods, and improve app stability.

4. Data Sharing

We do not sell personal data. We do not share personal data for cross-context behavioral advertising. We share data only as described below.

  • Your employer — your farm manager or employer has access to your time logs, clock-event locations (only at clock events, not between), pay records, and profile information for the purpose of operating the workplace.
  • Service providers — we use vetted third-party processors to host our database, send emails and push notifications, process payments (employer-side), and monitor service errors. Each provider operates under a data-protection agreement limiting their use to our instructions.
  • Payroll providers — when your employer exports payroll to ADP, Gusto, Paychex, QuickBooks, or another supported processor, we transmit the fields required to produce that export.
  • Legal authorities — we disclose data when required by subpoena, court order, or other enforceable legal process, and we resist overbroad requests where permitted.
  • Business transfers — if the company is sold or merged, account data may transfer with the business. We will notify affected users before any such change takes effect.

5. Retention

We retain data for the periods required by labor and tax law and by our service agreements with employers.

  • Hours-worked and pay-period records — retained at minimum for the durations required by Oregon BOLI (OAR 839-020-0080) and federal FLSA 29 CFR 516, generally 3 years for payroll records and 2 years for the supporting time records. Your employer may configure longer retention.
  • Tax-credit evidence — retained for the period your employer needs to claim, defend, or audit the credit, generally 4 years after filing.
  • Clock-event location data — retained alongside the time events they verify, subject to the same retention schedule.
  • Authentication and security logs — retained for 90 days unless a security incident extends the retention.
  • Account-level data — retained while the account is active, then deleted on request consistent with any overlapping legal obligations.

When you request deletion, we remove identifying data except where retention is required by law. Aggregated, de-identified data may be retained indefinitely.

6. Data Security

We use administrative, technical, and physical safeguards that reflect industry practice for systems handling employment and location data:

  • Encryption — data in transit is protected by TLS 1.2+; data at rest is encrypted in our managed database.
  • Access control — least-privilege role-based access to production systems; multi-factor authentication for administrators.
  • Audit trail — time events are written with a tamper-evident SHA-256 hash chain so unauthorized modification is detectable.
  • Monitoring — server errors and anomalies are tracked via Sentry, with response procedures for security incidents.
  • Vendor review — we evaluate third-party processors before engagement and review their security posture periodically.

No system is perfectly secure. If a breach affecting your personal data occurs, we will notify affected users and applicable authorities within the timeframes required by Oregon (ORS 646A.602), California, and other applicable laws.

7. Your Rights and Choices

You have rights over your personal data. Specific rights depend on where you live and the relationship you have with us.

A. All users

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate data.
  • Location permission — you may revoke location permission in your device settings at any time. If you do so, you may be unable to clock in where your employer has enabled location verification.
  • Account deletion — request deletion of your account and associated personal data, subject to the retention obligations described in Section 5.

B. Oregon residents (Oregon Consumer Privacy Act — effective July 1, 2024)

OCPA gives Oregon consumers rights to access, correct, delete, obtain a copy of, and opt out of targeted advertising or profiling with significant legal effects. Employment-scoped data processed on behalf of your employer is subject to the controller/processor relationship described in Section 1; rights to employment data are directed to your employer as controller. For account-level data we control directly, contact us using the information in Section 9.

C. California residents (CCPA / CPRA)

California consumers have the right to know the categories of personal information we collect, the purposes for which we use it, the categories of third parties we share it with, and to request deletion or correction. We do not sell personal information and do not share personal information for cross-context behavioral advertising. To exercise CCPA/CPRA rights, contact us using the information in Section 9. We will verify your identity before responding.

Categories of personal information collected (California Disclosure)

| Category | Examples | Collected | |----------|----------|-----------| | Identifiers | Name, email, phone, employee ID | Yes | | Geolocation | GPS coordinates at clock events | Yes | | Professional/Employment info | Job title, pay rate, department | Yes | | Internet/Electronic activity | App usage, device info | Yes | | Sensitive personal info | Precise geolocation (clock events only) | Yes |

D. Exercising your rights

Send your request to the address in Section 9. We will respond within the timeframes required by applicable law (generally 45 days under OCPA and CCPA, with a possible extension). There is no fee for the first request in any 12-month period. We may deny manifestly unfounded or excessive requests as permitted by law.

8. Children's Privacy and Agricultural Minors

The Service is not intended for individuals under 13. We do not knowingly collect data from children under 13. Under federal and Oregon agricultural labor rules, minors 14 and older may be employed in certain non-hazardous agricultural work. If a minor 14–17 is employed by your farm and will use the app, your farm is responsible for ensuring appropriate parental or guardian consent under ORS 653.305 (employment of minors) and for compliance with applicable youth-labor restrictions. Employer accounts may configure permission and visibility settings for minor employees.

9. Contact Us

For privacy questions, data-subject requests, or security concerns:

  • Privacy inbox: privacy@farmtimecard.com
  • Security incidents: security@farmtimecard.com
  • Mailing address: Farm TimeCard Privacy Officer, (street address on request)

A designated Privacy Officer receives and responds to inquiries at the privacy inbox above.

10. Changes to This Policy

We may update this policy to reflect product changes, new legal requirements, or operational improvements. Material changes will be announced in-app at least 30 days before taking effect; the change log at the top of this document tracks every revision. Continuing to use the Service after an update means you accept the updated policy.

11. Governing Law

This policy is governed by the laws of the State of Oregon, without regard to conflicts-of-law principles, unless preempted by federal or other applicable law where you reside.