Privacy Policy

Effective Date: February 16, 2026

Jurisdiction: Ontario, Canada

HubbleWorks Inc. ("HubbleWorks", "we", "us", "our") is committed to protecting the privacy of personal information in accordance with the Personal Information Protection and Electronic Documents Act ("PIPEDA"), applicable provincial privacy laws, and other Canadian privacy legislation. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard personal information in connection with our SaaS scheduling platform (the "Service").

1. ACCOUNTABILITY AND GOVERNANCE

1.1 Roles and Responsibilities: For personal information of employees and workers processed through the Service, you (the Customer/Employer) act as the data controller under PIPEDA, determining the purposes and means of processing. We act as a data processor (service provider), processing personal information on your behalf and in accordance with your instructions and this Privacy Policy. For our own business purposes (such as marketing and Service improvement), we may act as a data controller for certain personal information we collect directly.

1.2 Privacy Officer: We have designated a Chief Privacy Officer who is accountable for our compliance with this Privacy Policy and applicable privacy laws. Our Privacy Officer can be reached at support@hubbleworks.com.

1.3 Staff Training: We provide privacy and security training to all employees and contractors who handle personal information. We conduct privacy impact assessments for new features or processing activities that may affect privacy rights.

2. IDENTIFYING PURPOSES

We collect and use personal information for the following purposes, which are identified at or before the time of collection:

  • 2.1 Service Delivery: To provide, operate, maintain, and improve the Service, including: creating and managing employee schedules; tracking work hours, shifts, and availability; managing time-off requests and shift swaps; facilitating communication between managers and employees; generating reports and analytics.
  • 2.2 Notifications: To send transactional notifications via email, SMS, or push notifications regarding shifts, schedule changes, time-off approvals, and other Service-related updates. You can manage notification preferences within the Service.
  • 2.3 Billing and Payments: To process subscription billing and payments via our third-party payment processor, Stripe, and to maintain billing records.
  • 2.4 Customer Support: To provide technical support, respond to inquiries, troubleshoot issues, and communicate with you about the Service.
  • 2.5 Security and Fraud Prevention: To detect, prevent, and investigate security incidents, fraud, unauthorized access, and violations of our Terms of Service.
  • 2.6 Service Improvement and Analytics: To analyze usage patterns, improve Service functionality, develop new features, and conduct research using aggregated, de-identified data that does not identify individuals.
  • 2.7 Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including tax and accounting obligations.
  • 2.8 Enforcement: To enforce our Terms of Service, protect our rights and property, and investigate violations.

3. CONSENT

3.1 Customer Responsibility for Employee Consent: As the data controller for your employees' personal information, you are solely responsible for obtaining all necessary consents from your employees, contractors, and other workers whose personal information you provide to us through the Service. This includes obtaining meaningful, informed consent as required under PIPEDA and applicable provincial privacy laws. You must inform employees about: (a) what personal information is being collected; (b) the purposes for which it is being used; (c) who will have access to it; (d) where it may be stored or processed; and (e) their right to withdraw consent (subject to legal or contractual restrictions).

3.2 Our Collection of Consent: For personal information we collect directly (such as from account administrators), we obtain consent at the time of collection or use. By registering for the Service or providing us with personal information, you consent to our collection, use, and disclosure of that information as described in this Privacy Policy.

3.3 Implied Consent: In some cases, consent may be implied from your actions, such as when you voluntarily provide information for a specific purpose.

3.4 Withdrawal of Consent: You may withdraw consent for certain uses of personal information, subject to legal or contractual restrictions and reasonable notice. Please note that withdrawing consent may limit or prevent our ability to provide the Service to you. To withdraw consent for employee data, please contact your employer (the Customer). To withdraw consent for your own information as an administrator, contact us at privacy@hubbleworks.com.

3.5 Marketing Communications: We will only send you marketing or promotional communications if you have opted in or where permitted by law. You may opt out at any time by using the unsubscribe link in emails or contacting us.

4. LIMITING COLLECTION

We limit the collection of personal information to what is necessary and relevant for the purposes identified in Section 2. We collect information by fair and lawful means.

4.1 Types of Information Collected:

  • Account Information: When you create an account, we collect your business name, contact name, email address, phone number, and payment information (processed by Stripe).
  • Employee and User Information: Information you provide about Organizational Users and employees, including names, email addresses, phone numbers, job titles, departments, employee IDs, work locations, and any custom fields you configure.
  • Scheduling Data: Work hours, shift assignments, availability preferences, time-off requests, shift swaps, schedule templates, labor cost data, and any notes or comments you add to schedules.
  • Communications: Messages sent through the Service, support tickets, and any other communications with us.
  • Usage Data: Automatically collected information about how you use the Service, including IP addresses, device information, browser type and version, operating system, referring URLs, pages viewed, features used, session duration, and timestamps.
  • Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies to maintain sessions, remember preferences, and collect analytics. You can control cookies through your browser settings, but disabling cookies may limit Service functionality.

5. LIMITING USE, DISCLOSURE, AND RETENTION

5.1 Use Limitation: We use personal information only for the purposes for which it was collected, as identified in Section 2, or for purposes consistent with those purposes. We will not use personal information for new purposes without obtaining consent, except as required or permitted by law.

5.2 Disclosure to Third Parties:

We do not sell or rent personal information to third parties. We may disclose personal information only in the following circumstances:

  • Service Providers: We engage trusted third-party service providers to perform functions on our behalf, such as: (a) Amazon Web Services (AWS) for cloud hosting and infrastructure; (b) Stripe for payment processing; (c) Twilio or similar providers for SMS notifications; and (d) customer support and analytics tools. These service providers are contractually obligated to use personal information only for the purposes we specify and to maintain appropriate security measures.
  • Legal Requirements: We may disclose personal information if required by law, regulation, legal process (such as a subpoena or court order), or enforceable governmental request from Canadian or Ontario authorities.
  • Business Transfers: If we are involved in a merger, acquisition, asset sale, or bankruptcy, personal information may be transferred to the acquiring entity.
  • Protection of Rights: We may disclose personal information when we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or enforce our Terms of Service.

5.3 Aggregated and De-Identified Data: We may create aggregated, anonymized, or de-identified data from personal information by removing identifiers such that the data can no longer reasonably be linked to an individual. We may use and disclose such aggregated data for any lawful business purpose.

5.4 Retention:

We retain personal information only for as long as necessary. Specific retention periods include:

  • Active account data is retained during the subscription period.
  • After account termination, Customer Data is retained for 30 days to allow retrieval, then securely deleted.
  • Backup copies may persist for up to 90 days in our backup systems.
  • Billing records and invoices are retained for 7 years as required by Canadian tax law.

6. ACCURACY

We strive to maintain accurate, complete, and up-to-date personal information. However, as a data processor for employee information, we rely on you (the Customer) to ensure the accuracy of data you provide through the Service. You are responsible for updating employee information promptly when changes occur.

If you become aware of inaccurate or outdated personal information in the Service, please update it through the Service interface or contact our support team at support@hubbleworks.com.

7. SAFEGUARDS

We implement and maintain reasonable administrative, technical, and physical safeguards to protect personal information.

7.1 Technical Safeguards

  • Encryption of data in transit (TLS 1.2+).
  • Encryption of data at rest (AES-256).
  • Firewalls and intrusion detection systems.
  • Regular security assessments and penetration testing.
  • Multi-factor authentication options.

7.2 Administrative Safeguards

  • Role-based access controls.
  • Confidentiality agreements with staff.
  • Privacy and security training.
  • Background checks for sensitive access.
  • Incident response procedures.

7.3 Physical Safeguards: Secure data centers with restricted physical access, surveillance, and environmental controls (provided by AWS), and secure disposal of physical media.

7.4 Breach Notification: In the event of a data breach involving personal information that poses a real risk of significant harm to individuals, we will: (a) notify you (the Customer) without unreasonable delay; (b) notify affected individuals as required by PIPEDA; and (c) notify the Office of the Privacy Commissioner of Canada if required.

8. OPENNESS

We are committed to transparency about our privacy policies and practices. This Privacy Policy is publicly available on our website. We will make information about our privacy policies and practices readily available to individuals upon request. If you have questions, contact our Chief Privacy Officer at support@hubbleworks.com.

9. INDIVIDUAL ACCESS

9.1 Employee Access Requests: If you are an employee whose information is in the Service, you should direct access requests to your employer (the Customer), who is the data controller of your information. Your employer can use the Service tools to retrieve and provide your information to you.

9.2 Customer Access Requests: If you are an account administrator or have provided personal information directly to us, you may request access to your information by contacting privacy@hubbleworks.com. We will respond to access requests within 30 days or as required by applicable law.

9.4 Exceptions: We may refuse or limit access in certain circumstances permitted by PIPEDA, such as when disclosure would reveal confidential commercial information or threaten the security of another individual.

10. CHALLENGING COMPLIANCE

Individuals have the right to challenge our compliance with this Privacy Policy and applicable privacy laws.

To challenge our compliance or make a complaint, contact our Chief Privacy Officer at support@hubbleworks.com. We will investigate your complaint promptly and thoroughly.

If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:

30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca

11. INTERNATIONAL TRANSFERS

Personal information collected through the Service may be stored, processed, or accessed in Canada, the United States, or other jurisdictions where our service providers operate. When we transfer personal information outside of Canada, we take steps to ensure adequate protection through contractual obligations and security reviews. Our primary hosting provider (AWS) operates data centers in Canada and the United States.

12. CHILDREN'S PRIVACY & 13. ADDITIONAL RIGHTS (QUEBEC)

The Service is not directed to children under the age of 18. We do not knowingly collect personal information from children without proper consent.

Quebec Residents: You may have additional rights under Quebec's Act respecting the protection of personal information in the private sector, including enhanced rights regarding automated decision-making and de-indexing. Contact us for details.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. When we make material changes, we will provide at least 30 days' notice before they take effect (via email or Service notification). Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

15. CONTACT INFORMATION

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:

Chief Privacy Officer
HubbleWorks Inc.
796 Canal Rd
Peterborough, Ontario, Canada
Email: support@hubbleworks.com

16. PIPEDA COMPLIANCE SUMMARY

This Privacy Policy is designed to comply with the 10 Fair Information Principles established by PIPEDA:

1. Accountability – Section 1
6. Accuracy – Section 6
2. Identifying Purposes – Section 2
7. Safeguards – Section 7
3. Consent – Section 3
8. Openness – Section 8
4. Limiting Collection – Section 4
9. Individual Access – Section 9
5. Limiting Use, Disclosure – Section 5
10. Challenging Compliance – Section 10
Important Disclaimer This Privacy Policy is a general framework for compliance with PIPEDA and applicable Canadian privacy laws. Your specific privacy obligations may vary depending on your industry, location, and the nature of personal information you process. We recommend consulting with qualified legal counsel to ensure your privacy practices comply with all applicable laws and regulations, particularly regarding employee consent requirements and employment-related privacy obligations.
Last Updated: February 16, 2026