Legal Document

Privacy Policy

Effective May 5, 2026 · Last updated May 5, 2026 · Operated by Bizalux LLC, Kent, Washington, USA

1. Introduction

GuardOps ("we," "us," "our") is a workforce management platform for security companies. We provide a web dashboard for administrators and managers and a mobile application for security guards (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using GuardOps, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

2. Information We Collect

2.1 Account and Identity Information. When you sign up or are invited to GuardOps, we collect: full name; email address; phone number; password (stored securely using bcrypt hashing; we never store plaintext passwords); role within your organization (administrator, manager, supervisor, or guard); badge or employee ID number; profile photograph; employment type (full-time, part-time, contractor); hire date; hourly rate and maximum weekly hours (entered by your employer).

2.2 Company and Organization Information. For businesses that register for GuardOps, we collect: company name; business email, phone number, and address; billing and subscription information (processed through Stripe; see Section 7).

2.3 Location Data

GuardOps collects precise geolocation data to verify guard presence at assigned security sites. This includes:

  • Real-time GPS coordinates (latitude, longitude, and accuracy) collected while a guard is clocked into a shift.
  • Clock-in and clock-out locations recorded at the start and end of each shift.
  • Background location tracking during active shifts to provide live guard positioning on the manager dashboard.
  • Location history maintained as a record of guard positions during each shift.
  • Geofence verification to confirm whether a guard is within the designated radius of their assigned site.
  • Location data attached to Daily Activity Reports (DAR) and Incident Reports (IR) at the time of entry.

Location tracking begins only when a guard clocks in and stops when the guard clocks out. We do not track guards during off-duty hours.

2.4 Photographs and Images

GuardOps captures and stores photographs for proof-of-service and security verification:

  • Login verification selfies captured at each guard login to verify identity.
  • Clock-in selfies captured when a guard begins a shift.
  • Profile photographs uploaded by the guard or set by an administrator.
  • Daily Activity Report (DAR) evidence photos taken by guards during patrols to document observations (camera-only capture required; gallery selection is not permitted for DAR photos to ensure authenticity).
  • Incident Report (IR) photos attached to incident reports to document events (camera or gallery selection permitted).
  • Task proof images uploaded as evidence of completed tasks.
  • Certification documents: images of guard certifications and licenses.

All photographs are stored in private, encrypted storage buckets and are accessible only to authorized users within the same company.

2.5 Shift, Reports, and Operational Data

  • Shift and attendance: scheduled shift times, actual clock-in and clock-out times, shift status (scheduled, in progress, completed, missed, cancelled, no-show), shift type (regular, overtime, training, on-call), and break start/end times.
  • Daily Activity Reports (DARs): guard-written notes, timestamps, categories (patrol, door check, escort, visitor), and attached photographs.
  • Incident Reports (IRs): title, description, severity level, actions taken, people involved, whether police or medical services were called, whether injuries were reported, follow-up requirements, and attached photographs.
  • Tasks: assigned tasks, instructions, priority, completion status, and proof images.

2.6 Device, Availability, and Certification Data

  • Device and technical: device type and platform, push notification tokens, device hash (for login verification and fraud detection), device information string for audit logging, and login risk scoring data.
  • Availability and time-off: guard weekly availability schedules and time-off requests (dates, reason, approval status).
  • Certification and compliance: certification types, certification numbers, issue dates, expiration dates, and uploaded certification documents.

3. How We Use Your Information

  • Provide the Service: create and manage accounts, assign guards to sites, schedule shifts, process clock-ins/outs, and generate reports.
  • Verify identity and presence: confirm that the correct guard is at the correct site at the correct time through selfie verification, GPS location, and geofencing.
  • Enable proof of service: generate verifiable records of guard activity, shift attendance, and incident response for security companies and their clients.
  • Facilitate communication: send shift notifications, schedule changes, and task assignments via push notifications and email.
  • Detect fraud and anomalies: score login events for risk using device fingerprinting, location, and photo verification to identify unauthorized access.
  • Manage billing: process subscription payments through Stripe.
  • Improve the Service: analyze usage patterns to improve performance, fix bugs, and develop new features.
  • Comply with legal obligations: maintain records as required by applicable labor, employment, and security industry regulations.

4. How We Share Your Information

4.1 Within Your Organization. Your information is shared with authorized members of your employer’s GuardOps account. Administrators and managers can view guard profiles, shift records, locations, clock-in selfies, DARs, incident reports, certifications, and availability. Guards can view only their own data. No user from one company can access data belonging to another company; this is enforced at the database level through Row-Level Security (RLS) policies.

4.2 Service Providers. We use the following third-party services to operate GuardOps:

Provider | Purpose | Data Shared
Supabase | Database hosting, authentication, file storage | All application data (encrypted at rest and in transit)
Stripe | Payment processing | Company name, email, subscription plan
Vercel | Web application hosting | Server logs, IP addresses
Mapbox | Live guard map display | Guard GPS coordinates (rendered client-side only)
Expo / APNs / FCM | Push notifications | Device tokens, notification content

4.3 to 4.5 Legal, Business Transfers, and No Sale

4.3 Legal Requirements. We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers. If GuardOps is involved in a merger, acquisition, or asset sale, your personal information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

4.5 We Do Not Sell Your Data. We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: all data transmitted between your device and our servers uses TLS/HTTPS encryption.
  • Encryption at rest: database and file storage are encrypted at rest using AES-256.
  • Row-Level Security (RLS): every database table enforces company-scoped access policies, preventing cross-company data access even in the event of an application bug.
  • Private storage buckets: all photographs (selfies, DAR photos, IR photos, profile photos) are stored in private buckets requiring signed, time-limited URLs for access.
  • Password security: passwords are hashed using bcrypt and are never stored in plaintext. We support leaked-password protection to prevent use of known compromised passwords.
  • SECURITY DEFINER functions: sensitive database operations (clock-in/out, invitation processing) run with restricted permissions and are not callable by unauthenticated users.
  • Authentication: email-based authentication with session management and automatic session refresh via middleware.
  • Rate limiting: guard invitation operations are rate-limited (20 per hour per admin) to prevent abuse.
  • Audit logging: login events, including selfie verification results, device information, and risk scores, are logged for security review.

6. Data Retention

  • Account data: retained for as long as your account is active or as needed to provide the Service. Upon account deletion by your employer, your data is removed within 30 days.
  • Shift and attendance records: retained for the duration required by applicable labor laws (typically 3 to 7 years depending on jurisdiction).
  • Location history: retained for the same period as shift records, as it constitutes proof of service.
  • Photographs: retained for the same period as the associated record (DAR, IR, or shift). Profile photographs are deleted upon account deletion.
  • Incident reports: retained for a minimum of 7 years due to potential legal significance.
  • Login audit events: retained for 1 year for security monitoring purposes.
  • Billing records: retained as required by tax and financial regulations.

7. Payment Processing

Payments are processed by Stripe, Inc. We do not store your credit card number, expiration date, or CVV on our servers. Stripe’s privacy policy governs their handling of your payment information: https://stripe.com/privacy

We store only: Stripe customer ID (for linking your account to your subscription); Stripe subscription ID and status; subscription plan name and billing period dates.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

8.1 Access and Portability. You may request a copy of the personal information we hold about you. Guards can view their own data through the mobile app. Administrators can export company data through the dashboard.

8.2 Correction. You may request that we correct inaccurate personal information. Guards can update their profile information through the mobile app.

8.3 Deletion. You may request deletion of your personal information, subject to legal retention requirements. Contact your company administrator or email us at info@getguardops.com.

8.4 Location Tracking. Guards are informed that location tracking occurs only during active shifts (while clocked in). Location tracking automatically stops when the guard clocks out. Guards must grant location permissions through their device’s operating system; if background location permission is denied, the app falls back to foreground-only tracking.

8.5 Push Notifications. You can disable push notifications through your device settings at any time.

8.6 Photo Capture. Login selfie and clock-in selfie features are required by your employer as part of the security verification process. Declining to provide a selfie may prevent you from completing login or clock-in procedures.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose.
  • Request deletion of your personal information.
  • Opt out of the sale of your personal information (we do not sell personal information).
  • Non-discrimination for exercising your privacy rights.

To exercise these rights, contact us at info@getguardops.com or call us using the number listed on our website.

10. Washington State Privacy Act (WPA)

As a company headquartered in Washington State, we comply with the Washington Privacy Act where applicable. Washington residents may exercise rights to access, correct, delete, and obtain a copy of their personal data by contacting us at info@getguardops.com.

11. Children’s Privacy

GuardOps is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete that information promptly.

12. International Data Transfers

GuardOps is hosted in the United States (AWS US-East-1 region via Supabase). If you access the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

13. Employer Responsibilities

GuardOps provides the platform; your employer (the security company) is the data controller for employee information. Your employer is responsible for:

  • Obtaining any required consent from employees for location tracking, selfie verification, and photo capture.
  • Complying with applicable labor and employment laws regarding employee monitoring.
  • Determining data retention periods consistent with legal requirements.
  • Notifying employees about the use of GuardOps and its monitoring capabilities.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For material changes, we will also notify administrators via email.

16. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

Bizalux LLC

Kent, Washington, USA

Email: info@getguardops.com

Website: https://getguardops.com