Privacy Policy

Last updated: May 2026

1. Who we are

Clockd ("we", "us", "our") is a workforce scheduling and attendance management platform built for the hospitality industry. We are operated by Caolan Derry. This privacy policy explains how we collect, use, store, and protect your personal data when you use our mobile application, web application, and related services (collectively, the "Service").

2. What data we collect

Account and identity data

  • Email address — used as your login identifier and for account communications.
  • Full name — displayed to team members and managers within your business.
  • Password — stored as a bcrypt hash. We never store your password in plain text and cannot read it.
  • Business name — the name of the hospitality business you register or are invited to.
  • Role — your assigned role (Owner, Manager, or Employee) within the business.

Workforce and scheduling data

  • Shift assignments — scheduled start/end times, department, and supervisor status.
  • Clock-in and clock-out records — timestamps recorded when you clock in or out via NFC tap or manual entry.
  • Break records — break type (lunch, rest, other), start and end times, and optional notes.
  • Holiday requests — dates, title, optional notes, and approval status.
  • Shift swap requests — requesting and target staff members, reason, and approval status.
  • Timesheets — scheduled vs. actual hours, variance, and approval records.

Device and notification data

  • Push notification token — an Expo push token stored so we can send you shift reminders, rota updates, holiday responses, and swap notifications to your device.
  • Device platform — whether your device is iOS or Android, stored alongside the push token.

Data we do NOT collect

  • We do not collect precise GPS location data.
  • We do not collect WiFi network names or identifiers.
  • We do not collect device identifiers beyond the push token and platform.
  • We do not use any analytics, advertising, or tracking SDKs.
  • We do not build profiles about you for advertising purposes.

3. How we use your data

We use your personal data solely to provide and improve the Service:

  • To authenticate you and maintain your account.
  • To display your shifts, holidays, and clock-in records.
  • To send push notifications about schedule changes, shift reminders, and requests.
  • To allow managers and owners to build rotas, approve requests, and export timesheets.
  • To send transactional emails such as staff invitations and password reset instructions.
  • To maintain the security and integrity of the platform.

4. NFC clock-in

The mobile app reads NFC tags (NTAG215 stickers) placed at your workplace to verify you are on-site when clocking in or out. The NFC tag contains only a business identifier — no personal data is stored on or read from NFC tags. NFC reading happens entirely on your device; only the resulting clock-in timestamp and business identifier are sent to our servers.

5. Third-party services

We use the following third-party services to operate the platform:

  • Google Sign-In — used for single sign-on authentication. When you sign in with Google, we receive only your email address and display name from your Google account. Google processes the authentication according to Google's own privacy policy.
  • Resend — used to send transactional emails (staff invitations, password resets). Your email address and name are shared with Resend solely for email delivery.
  • Expo Push Notifications — used to deliver push notifications to your device. Your push token and notification content are sent through Expo's infrastructure.
  • Railway — our API hosting provider. All API traffic passes through Railway's infrastructure under their security standards.
  • Google Fonts — used to load web fonts on our website. Standard browser headers (such as your IP address) may be transmitted to Google during font loading.

We do not sell, rent, or share your personal data with any other third parties. We do not use any advertising networks, data brokers, or tracking platforms.

6. Authentication methods

You can access the Service using one of two methods:

  • Google Single Sign-On — you authenticate using your Google account. We receive your email and name from Google, but do not request or store access to any other Google data (calendars, contacts, Drive, etc.).
  • Email and password — you register with an email address and password. Passwords are hashed with bcrypt (10 salt rounds) before storage. We never store your plain-text password and cannot retrieve it.

Access tokens (JWT) expire after 1 hour. Refresh tokens are stored as SHA-256 hashes with a 30-day expiry and are rotated on each use. A maximum of 5 active refresh tokens are allowed per account.

7. Cookies

Our web application uses a small number of essential cookies to maintain your authenticated session. These are strictly necessary for the Service to function and are not used for tracking or advertising.

  • auth_token — your session token (expires after 7 days). Marked Secure and SameSite=Strict.
  • refresh_token — used to obtain new session tokens (expires after 30 days). Marked Secure and SameSite=Strict.
  • user_profile — stores your name, email, role, and business ID for the UI (expires after 30 days).

The mobile app does not use cookies. Instead, authentication tokens are stored in the device's secure storage (iOS Keychain or Android EncryptedSharedPreferences).

8. Data security

We take the following measures to protect your data:

  • All API communication is encrypted over HTTPS (TLS).
  • Passwords are hashed with bcrypt and never stored in plain text.
  • Refresh and reset tokens are stored as SHA-256 hashes.
  • Authentication tokens on mobile devices are stored in platform secure storage (iOS Keychain / Android EncryptedSharedPreferences).
  • API responses strip sensitive fields (passwords, reset tokens) before returning data.
  • Rate limiting is applied to all authentication endpoints to prevent abuse.
  • CORS policies restrict API access to authorised origins only.
  • The mobile app includes root and jailbreak detection to prevent use on compromised devices.
  • Input validation is enforced on all API endpoints.

While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Data retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data (email, name, role) — retained until your account is deleted by a business owner or manager.
  • Workforce data (shifts, clock records, holidays, swaps, timesheets) — retained for the lifetime of your account.
  • Push tokens — retained until you uninstall the app (automatic cleanup) or your account is deleted.
  • Refresh tokens — expire after 30 days or are revoked on logout or password change.
  • Password reset tokens — expire after 15 minutes and are deleted after use.

10. Your rights

You have the following rights regarding your personal data:

  • Access — you can request a copy of the personal data we hold about you.
  • Correction — you can update your name and email through the app, or ask us to correct any inaccurate data.
  • Deletion — you can request that your account and all associated data be permanently deleted. A business owner or manager can also remove your account and all related data from the platform.
  • Data export — managers and owners can export timesheet data (including your name, email, and work records) as CSV from the dashboard.
  • Withdraw consent — you can disable push notifications on your device at any time through your device settings.

To exercise any of these rights, please contact us at privacy@derrysrota.com. We will respond to all legitimate requests within 30 days.

11. Children's privacy

Our Service is intended for use by businesses and their employees in the hospitality industry. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

12. International data transfers

Our servers are hosted within the European Union. However, some of the third-party services we use (Google, Resend) may process data outside the EU. These services comply with appropriate data transfer mechanisms such as Standard Contractual Clauses.

13. Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you via email or through a notice in the app before the changes take effect. We encourage you to review this page periodically.

14. Contact us

If you have any questions or concerns about this privacy policy or how we handle your data, please contact us: