Privacy Policy

Last updated: June 1, 2026

This Privacy Policy explains how Crew Hour LLC ("CrewHour," "we," or "us") collects, uses, shares, and protects information when you use the CrewHour mobile application, web admin console, kiosk surface, and related services (together, the "Service"). CrewHour provides time-tracking and wage-and-hour compliance software to employers ("Employers" or "Customers"). If your Employer has deployed CrewHour, you interact with the Service as an authorized user of your Employer's CrewHour account.

1. Information We Collect

1.1 Account and identity information

When your Employer provisions you in the Service, we receive identifiers your Employer assigns to you, such as an employee ID, display name, business email address, role within the Employer (for administrative users), and any division or location assignments. Your Employer is the source of this information.

1.2 Authentication credentials

We collect and store information needed to verify your identity at sign-in. For most employee users this is a personal identification number (PIN), stored in our systems only as a one-way cryptographic hash. For administrative users, this may include a password (also stored as a hash) or a session token issued through your Employer's single sign-on identity provider. When you use biometric unlock on your mobile device, the biometric data itself never leaves your device — the device confirms a match locally and releases a stored authentication token to the app.

1.3 Time and attendance data

The core of the Service is recording clock-in, clock-out, and meal-break events ("punches"). Each punch carries a timestamp, the event type, the device or source that recorded it, and any associated adjustments, approvals, or compliance flags. This data is created in the course of your employment and is the primary record your Employer relies on for payroll and wage-and-hour compliance.

1.4 Photos

The Service captures and stores photographs in two contexts:

• Kiosk punch photo. When you clock in or out at a shared kiosk device, the kiosk captures a photograph at the moment of the punch. This image is used to associate the punch with the person who made it and serves as evidence in the event of a payroll or compliance dispute. Where face-presence detection is enabled on the kiosk, the captured frame is also evaluated for image quality (whether a face is visible in frame); the detection occurs in the browser on the kiosk device and produces no separate biometric record.
• Profile photo. If you choose to upload a profile photo from your mobile device, that photograph is stored with your employee record and displayed in the Service to help managers and coworkers recognize you. You may remove your profile photo at any time from within the mobile app.

1.5 Device and diagnostic information

To support the Service and diagnose problems, we may collect limited information about the device you use, including device model, operating system version, application version, language and timezone settings, and crash and error reports. This information is generally not linked to your personal identity except where necessary to investigate a specific reported issue.

1.6 Communications and notifications

If you grant notification permission, the Service stores a push notification token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM) so we can deliver shift reminders, meal-break notifications, schedule changes, and similar messages from your Employer. We store records of in-app notifications and your interaction with them (read, dismissed). The Service may also send transactional email or SMS messages when your Employer has configured them; SMS sending is gated by an explicit per-employee opt-in.

1.7 Audit and adjustment records

Every change to a punch — including manager adjustments, HR escalations, and meal-violation determinations — is recorded in an immutable audit log. This log includes the actor (whoever made the change), the time, the change made, and any reason provided. Audit records support payroll accuracy, compliance with California Labor Code Section 226 and Section 226.7, and the Employer's defense in the event of a wage-and-hour dispute.

2. What We Do Not Collect

For clarity, the CrewHour mobile application does not request, collect, or transmit:

• Your precise or coarse geographic location
• Audio from your device's microphone
• Continuous live camera feed (the mobile app uses a photo picker for profile photos and does not run live face matching on the phone)
• Contacts, calendar entries, photo library beyond the single image you select for upload, or files outside the app's own storage
• Cross-application advertising identifiers (IDFA on iOS, advertising ID on Android)
• Information for advertising, marketing, or profiling outside the Service

3. How We Use Information

We process the information described above to:

• Provide, operate, and support the Service to your Employer and to you as an authorized user
• Authenticate sign-in and protect against unauthorized access (PIN verification, rate limits, session management)
• Record punches, calculate hours worked, detect meal-break violations, and produce wage-statement-ready reporting
• Send shift, meal-break, and similar notifications that you or your Employer have configured
• Maintain audit, compliance, and evidence records as required by California labor law and federal record-retention rules
• Diagnose, fix, and improve the Service
• Comply with our legal obligations and respond to lawful requests

4. How We Share Information

4.1 With your Employer

Your Employer can see the time and attendance information you generate through the Service, including your punches, photos, adjustments, notifications, and related records. This is the central purpose of the Service.

4.2 With service providers we use to operate the Service

We share limited information with vendors that help us run the Service. As of the last-updated date above, these include:

• Amazon Web Services (AWS) — hosting our application servers, databases, file storage, and audit logs in the United States
• Expo (Application Services, Inc.) — mobile application build, over-the-air update delivery, and push notification routing
• Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) — delivering push notifications to your mobile device
• Crash and error reporting services — diagnosing application failures and performance problems
• Email and SMS delivery providers — delivering transactional messages when configured by your Employer

These providers process information on our behalf under written agreements that require them to keep the information confidential and use it only to provide their services to us.

4.3 For legal reasons

We may disclose information to comply with a lawful subpoena, court order, or other legal process; to enforce our agreements; to protect our rights, property, or safety, or the rights, property, or safety of our users, your Employer, or the public; or in connection with an investigation of suspected or actual fraud or unlawful activity.

4.4 In a business transfer

If CrewHour is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will notify your Employer and, where required by law, take reasonable steps to require the recipient to honor this Privacy Policy.

4.5 What we do not do

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use your information to train artificial intelligence or machine learning models for any purpose unrelated to providing the Service to your Employer.

5. Biometric and Photo Information

The kiosk surface of the Service captures a photograph of the person punching in or out and stores that image as part of the punch record. Photographs of faces may qualify as biometric information under state laws including California's Confidentiality of Medical Information Act, the California Consumer Privacy Act as amended, and the Illinois Biometric Information Privacy Act if your Employer operates in Illinois.

CrewHour processes these photographs on behalf of your Employer for the purpose of verifying punch identity and producing evidence for wage-and-hour compliance. We do not use these photographs to identify you outside your Employer's deployment, and we do not share them with third parties other than the service providers listed above. Your Employer is responsible for obtaining any consent required by applicable law from you before enabling photograph capture, and your Employer controls retention of these records subject to applicable record-retention laws.

If face-matching against an enrollment template is later enabled for your Employer, you will receive notice and your Employer will be required to obtain any required consent before such matching is applied to your punches.

6. Data Retention

Your Employer controls how long records are retained, subject to applicable record-retention laws. California Labor Code Section 1174 generally requires payroll records to be retained for at least three years; federal regulations under the Fair Labor Standards Act require similar retention. Some categories of records, such as audit logs and tax-related records, may be retained for longer periods to meet legal obligations. When records reach the end of their applicable retention period, we delete or de-identify them in accordance with our standard retention schedules and your Employer's instructions.

7. Security

We use technical and organizational measures designed to protect information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit, encryption at rest for production data stores, restricted administrative access on a need-to-know basis, an immutable audit log of state-changing actions, and regular review of access controls. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

8. Your California Privacy Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"). These rights include:

• Right to know. You can request that we disclose what personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom it has been shared.
• Right to correct. You can request that we correct inaccurate personal information we maintain about you.
• Right to delete. You can request that we delete personal information we have collected about you, subject to exceptions for information we are required to retain by law or for legitimate business purposes such as completing a transaction or detecting fraud.
• Right to opt out of sale or sharing. We do not sell personal information and we do not share personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information. You may request that we limit the use of sensitive personal information to what is necessary to provide the Service.
• Right to non-discrimination. We will not discriminate against you for exercising these rights.

Because your Employer controls the information processed about you through the Service, requests to exercise these rights are most efficiently directed to your Employer's HR or privacy contact in the first instance. You may also contact us directly using the contact information below, and we will route your request to your Employer or respond directly as appropriate. We may need to verify your identity before fulfilling a request.

9. Children's Privacy

The Service is intended for use by employees of our Customers and is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will take steps to delete the information.

10. International Users

CrewHour operates in the United States and stores information on infrastructure located in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, processed, and stored in the United States.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on this page and update the "Last updated" date at the top. We may also notify your Employer or you directly through the Service. Your continued use of the Service after changes become effective constitutes your acknowledgment of the changes.

12. Contact Us

If you have questions about this Privacy Policy or our handling of your information, contact us: