ShiftCrew

Privacy Notice — Version 1.0

Privacy Policy

Notice: This document constitutes the binding privacy instrument governing the relationship between K-NET LABS, its affiliates, successors and assigns (collectively, the “Processor”) and any natural person whose Personal Information is processed in connection with the ShiftCrew platform (each, a “Concerned Individual”). The Concerned Individual is advised to read this instrument in its entirety and, where deemed appropriate, to obtain independent legal advice prior to consenting to the processing operations described herein.

Preamble and Recitals

WHEREAS K-NET LABS, a sole proprietorship duly registered under the laws of the Province of Ontario and bearing operations under the trading style “ShiftCrew” (hereinafter the “Processor”), makes available a software-as-a-service platform (the “Platform”) enabling third-party organizations (each, a “Controller”) to coordinate, administer, and operationalize the scheduling of paid staff, volunteers, contractors, and other persons rendering services in connection with events, committees, festivals, tournaments, and analogous undertakings;

AND WHEREAS the operation of the Platform necessarily entails the collection, storage, organization, structuring, adaptation, retrieval, consultation, use, alignment, combination, restriction, erasure, and destruction (collectively, “Processing”) of certain Personal Information (as that expression is defined herein) belonging to Concerned Individuals;

AND WHEREAS the Processor is committed to conducting all such Processing in strict accordance with the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (hereinafter “PIPEDA”), the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, as amended by the Act to modernize legislative provisions as regards the protection of personal information (S.Q. 2021, c. 25) (hereinafter, collectively, “Quebec Law 25”), and such other applicable privacy, data protection, and information security legislation as may from time to time govern the Processor’s undertakings;

NOW THEREFORE the Processor publishes this Privacy Policy (hereinafter the “Policy”) for the information and benefit of all Concerned Individuals, and stipulates that the terms hereof shall, mutatis mutandis, govern all Processing undertaken by the Processor in connection with the Platform from and after the date of publication hereof.

1. Definitions and Interpretation

For the purposes of this Policy, and except where the context otherwise requires, the following capitalized expressions shall bear the respective meanings ascribed to them below, and cognate expressions shall be construed accordingly:

  • “Aggregate Data” means data derived from Personal Information that has been subjected to a process of de-identification, generalization, suppression, noise-injection, or analogous technical transformation such that the resultant dataset cannot, by reasonable means, be re-associated with any identifiable natural person;
  • “Concerned Individual” means any natural person whose Personal Information is, has been, or may in future be Processed by the Processor in connection with the Platform, including without limitation Platform-side administrators, organizational members, paid staff, volunteers, applicants, and end-users of any kind;
  • “Controller” means the organizational entity which, in the capacity of customer of the Processor, determines the purposes and means of the Processing of Personal Information collected via the Platform, and which, for the purposes of PIPEDA and Quebec Law 25, exercises primary responsibility for and authority over such Personal Information;
  • “Personal Information” means any information relating to an identified or identifiable natural person, including without limitation the information enumerated at Section 3 hereof, and being equivalent in substance to the expressions “personal information” as defined in PIPEDA, section 2(1), and “renseignements personnels” as defined in Quebec Law 25;
  • “Sensitive Personal Information” means a subcategory of Personal Information enjoying heightened protection by reason of its inherent sensitivity, including without limitation government-issued identifiers (such as driver licence numbers), financial information, health information, and information from which the foregoing categories may reasonably be inferred;
  • “Sub-processor” means any natural or legal person engaged by the Processor to Process Personal Information on the Processor’s behalf and in furtherance of the operation of the Platform.

2. Identification of the Processor and Designated Officer

The Processor identifies itself as follows: K-NET LABS, an unincorporated business duly registered with the Ontario Business Registry, operating the Platform under the trading style “ShiftCrew.” All inquiries respecting the matters addressed in this Policy, including without limitation requests for access, rectification, erasure, portability, withdrawal of consent, and the lodging of complaints, may be directed to the individual designated by the Processor as bearing primary responsibility for compliance with applicable privacy legislation (hereinafter the “Privacy Officer”), at [email protected]. Pursuant to subsection 8.1 of Quebec Law 25, the Privacy Officer is deemed to be the “person in charge of the protection of personal information” for the purposes of that statute.

3. Categories of Personal Information Processed

The Processor, acting on the documented instructions of the relevant Controller, may Process the following categories of Personal Information in respect of any given Concerned Individual, the precise scope of which shall be determined by the configuration of the intake forms and operational settings elected by the Controller:

  1. Identification Data: given name, surname, preferred name, and analogous identifiers;
  2. Contact Data: electronic mail address, telephone number (including mobile), and ancillary contact particulars;
  3. Government-Issued Identifiers (Sensitive): where elicited by the Controller, driver licence number, licence class, licence expiry date, licence restrictions, and analogous regulatory identifiers, all of which shall be Processed as Sensitive Personal Information;
  4. Availability and Preference Data: declared temporal availability windows, role preferences, location preferences, willingness to undertake consecutive or supplementary engagements, and analogous scheduling-pertinent declarations;
  5. Operational Data: scheduling assignments, hours rostered, role designations, location designations, and related operational artefacts;
  6. Technical and Telemetric Data: internet protocol address, browser user-agent string, device characteristics, session identifiers, timestamps of access, and analogous technical metadata generated incidentally to the use of the Platform;
  7. Authentication Data: hashed credentials (in respect of administrative accounts) and time-limited authentication tokens (in respect of magic-link access for non-administrative Concerned Individuals);
  8. Communications Data: the content and metadata of communications transmitted between the Processor and the Concerned Individual, including without limitation transactional electronic mail.

4. Sources of Personal Information

Personal Information Processed pursuant to this Policy is ordinarily obtained directly from the Concerned Individual at the time of submission of an intake form, request for authentication credentials, or analogous voluntary act of communication; provided, however, that the Processor may, on occasion, receive Personal Information indirectly from a Controller in the discharge of its administrative functions (e.g., the importation of historical rosters), in which event the Controller warrants and represents that it has obtained the consent of the Concerned Individual to such transmission to the fullest extent required at law.

5. Purposes of Processing and Legal Bases

Personal Information shall be Processed solely for those purposes which are necessary, proportionate, and reasonably ancillary to the operation of the Platform, including without limitation:

  1. the establishment, maintenance, and termination of the contractual relationship between the Processor and the Controller, and the discharge of the Processor’s attendant obligations;
  2. the generation, communication, and revision of scheduling outputs by means of the Platform’s constraint-satisfaction scheduling engine, including the automated allocation of Concerned Individuals to discrete operational engagements;
  3. the transmission of transactional communications, including authentication tokens, schedule notifications, and operational reminders;
  4. the safeguarding of the Platform against fraudulent, unauthorized, or otherwise improper use, including by means of rate-limiting, intrusion detection, and audit logging;
  5. compliance with such legal, regulatory, and judicial obligations as may from time to time bind the Processor.

The legal basis for the foregoing Processing is, principally, the informed and meaningful consent of the Concerned Individual, obtained at the time of submission of the relevant intake form and in conformity with the requirements of PIPEDA and Quebec Law 25; and, in the alternative where so permitted at law, the legitimate operational interests of the Processor and Controller in the administration of the underlying engagement, balanced against the reasonable expectations of the Concerned Individual.

6. Automated Decision-Making

The Concerned Individual is hereby placed on express notice that the Platform employs an algorithmic scheduling engine which, by reference to the constraints and preferences encoded by the Controller and the availability declarations of the Concerned Individual, generates proposed shift assignments without real-time human intervention. Such determinations are provisional in character, are subject to discretionary review, modification, and override by the Controller’s administrative personnel prior to publication, and do not in themselves give rise to legal effects concerning the Concerned Individual within the meaning of Article 12.1 of Quebec Law 25. Notwithstanding the foregoing, the Concerned Individual retains the right, on written request directed to the Privacy Officer, to obtain information respecting the principal factors and parameters informing such determinations.

7. Disclosure to Third Parties and Sub-processors

The Processor does not sell, lease, license, or otherwise commercially trade in Personal Information. Subject to the foregoing, the Processor may disclose Personal Information to the following classes of recipient:

  1. The Controller, in whose interest the Processing is conducted and to whom such Personal Information rightfully belongs in the operational sense;
  2. Sub-processors, including without limitation cloud infrastructure providers, database hosting providers, transactional electronic mail delivery providers, payment processors, error monitoring providers, and product analytics providers, each of which shall be contractually bound to Process Personal Information solely on the documented instructions of the Processor and subject to confidentiality and security obligations no less protective than those set forth herein;
  3. Public authorities, where compelled by valid legal process, and only to the extent so compelled, with contemporaneous notice to the affected Concerned Individual where lawful and practicable;
  4. Professional advisors, including legal counsel, auditors, and insurers, under conditions of professional confidentiality;
  5. Successors in interest, in connection with any merger, acquisition, reorganization, financing, or sale of assets affecting the Processor, subject to the recipient undertaking commitments materially equivalent to those set forth herein.

A current register of Sub-processors is available upon written request to the Privacy Officer.

8. Cross-Border Transfers and Communication of Information Outside Quebec

The Concerned Individual is advised that, in the ordinary course of operating the Platform, Personal Information may be transmitted to, stored in, and Processed within jurisdictions outside the Province of Quebec and outside Canada, including without limitation the United States of America, by virtue of the Processor’s engagement of Sub-processors operating cloud computing infrastructure in such jurisdictions. The Processor has, prior to effecting any such communication, conducted a privacy impact assessment in conformity with the requirements of Article 17 of Quebec Law 25, and has concluded that the Personal Information so transmitted will receive protection equivalent to that afforded under the laws of the Province of Quebec, having regard to the contractual safeguards imposed upon the Sub-processors, the technical and organizational measures implemented, and the legal regime of the receiving jurisdiction. A summary of the said assessment is available to the Concerned Individual on written request to the Privacy Officer.

9. Retention of Personal Information

Personal Information shall be retained only for so long as is reasonably necessary to fulfil the purposes for which it was collected, including the administration of the event, engagement, or undertaking to which the Processing relates, the discharge of any post-event operational, reconciliation, or returning-participant requirements identified by the Controller, and compliance with any applicable legal, regulatory, or judicial obligation. The duration of such retention shall be determined by the Controller, acting reasonably, having regard to the nature of the event and the continuing operational utility of the Personal Information. In any event, retention shall cease where:

  1. the Concerned Individual exercises the right of erasure in accordance with Section 11 hereof and no overriding legal ground for continued retention exists;
  2. the Controller communicates to the Processor a determination that the Personal Information is no longer required for the purposes set forth above;
  3. the Processor determines, in its reasonable discretion, that the Personal Information is no longer required for the operation of the Platform; or
  4. the information has been transformed into Aggregate Data, which transformation shall be deemed to constitute destruction for the purposes of this Section 9.

Upon expiry of the applicable retention period, Personal Information shall be destroyed by means of cryptographic erasure, secure overwriting, or analogous technical procedure reasonably calculated to render the said information irrecoverable, in accordance with the Processor’s internal data destruction protocols.

10. Security Safeguards

The Processor implements and maintains technical, organizational, physical, and administrative safeguards reasonably designed to ensure a level of security appropriate to the risk presented by the Processing, including without limitation:

  1. encryption in transit by means of Transport Layer Security (TLS) version 1.2 or higher;
  2. application-layer encryption at rest of Sensitive Personal Information by means of the Advanced Encryption Standard in Galois/Counter Mode with 256-bit keys (AES-256-GCM);
  3. logical access controls based upon the principles of least privilege and separation of duties, enforced by means of role-based access control mechanisms;
  4. comprehensive audit logging in respect of access to and modification of Sensitive Personal Information;
  5. periodic review of access privileges and Sub-processor arrangements;
  6. personnel training in respect of privacy and information security obligations.

Notwithstanding the foregoing, the Concerned Individual is advised that no system of safeguards can, in the present state of the art, be guaranteed to be impervious to compromise, and the Processor does not warrant or represent that Personal Information is or will at all times remain free from unauthorized access, alteration, or destruction.

11. Rights of the Concerned Individual

Subject to the applicable requirements and limitations of PIPEDA, Quebec Law 25, and such other privacy legislation as may be applicable, the Concerned Individual is entitled to exercise the following rights in respect of his, her, or their Personal Information:

  1. Right of access: to obtain confirmation as to whether Personal Information concerning the Concerned Individual is being Processed, and, where so, to access such Personal Information together with the supplementary information prescribed at law;
  2. Right of rectification: to obtain, without undue delay, the rectification of inaccurate or incomplete Personal Information;
  3. Right of erasure: to obtain the erasure or de-indexation of Personal Information where the conditions prescribed by applicable law are satisfied;
  4. Right to data portability: pursuant to Article 27 of Quebec Law 25 (and analogous provisions of future Canadian federal legislation), to obtain such computerized Personal Information as has been collected from the Concerned Individual in a structured, commonly used technological format;
  5. Right to withdraw consent: to withdraw, at any time, consent previously given to the Processing of Personal Information, without prejudice to the lawfulness of Processing effected prior to such withdrawal, and subject to any legal or contractual restrictions and the reasonable notice period required for operational disengagement;
  6. Right to lodge a complaint: with the Privacy Officer in the first instance, and thereafter with the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, or such other competent supervisory authority as may be seized of the matter.

Requests for the exercise of the foregoing rights shall be made in writing to the Privacy Officer, shall include such information as may be reasonably necessary to verify the identity of the requesting party, and shall, save and except in circumstances of manifest unreasonableness or excess, be responded to within thirty (30) days of receipt.

12. Supplementary Provisions Applicable in Quebec

Where the Concerned Individual is resident in, or otherwise subject to the law of, the Province of Quebec, the supplementary provisions set forth in this Section 12 shall apply, and shall prevail to the extent of any inconsistency with other provisions of this Policy. In particular and without limitation:

  1. the Privacy Officer shall, ex officio, discharge the functions attributed by Quebec Law 25 to the person in charge of the protection of personal information, and the Concerned Individual may correspond directly therewith in either of the official languages of Canada;
  2. where the Processor proposes to make use of Personal Information in furtherance of automated decision-making having legal effects, the Concerned Individual shall be informed of the principal factors and parameters informing the decision and shall be afforded a reasonable opportunity to submit observations to a natural person empowered to review the determination;
  3. in the event of a confidentiality incident presenting a risk of serious injury within the meaning of Article 3.5 of Quebec Law 25, the Processor shall notify the Commission d’accès à l’information and the affected Concerned Individuals with promptitude.

13. Cookies, Pixels, and Analogous Tracking Technologies

The Platform makes use of cookies, web beacons, pixels, and analogous tracking technologies for purposes of session maintenance, security, authentication, performance measurement, and (where deployed) the measurement of conversion events attributable to paid advertising campaigns. Strictly necessary technologies are deployed without prior consent; non-essential technologies are deployed only with the informed consent of the Concerned Individual or pursuant to such other lawful basis as may apply.

14. Minors

The Platform is not directed to natural persons under the age of fourteen (14) years, and the Processor does not knowingly collect Personal Information directly from such persons. Where it comes to the attention of the Processor that Personal Information has been collected from a minor in contravention of this paragraph, the Processor shall, with reasonable expedition, cause such Personal Information to be destroyed.

15. Breach Notification

In the event of any breach of security safeguards involving Personal Information and presenting a real risk of significant harm to the Concerned Individual (within the meaning of subsection 10.1(7) of PIPEDA) or a risk of serious injury (within the meaning of Article 3.5 of Quebec Law 25), the Processor shall, in conformity with the applicable statutory regime, notify the affected Concerned Individuals, the relevant supervisory authorities, and such other persons as may be required by law, and shall maintain a register of all such incidents in accordance with prescribed regulatory requirements.

16. Amendments

The Processor reserves the right, in its sole discretion, to amend, supplement, or restate this Policy from time to time, provided that no such amendment shall operate retrospectively to the prejudice of the Concerned Individual. The version number appearing at the head of this Policy shall constitute conclusive notice of any such amendment, and the continued use of the Platform following the publication of an amended Policy shall, to the fullest extent permitted at law, constitute acceptance of the terms thereof.

17. Governing Law and Forum

This Policy, and all matters arising out of or in connection with the Processing described herein, shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict-of-laws principles; provided, however, that the rights of Concerned Individuals resident in the Province of Quebec under Quebec Law 25 shall remain fully exercisable irrespective of the foregoing choice of law. The parties attorn irrevocably to the non-exclusive jurisdiction of the courts of the Province of Ontario sitting in the City of Toronto in respect of all matters arising hereunder, without prejudice to the entitlement of the Concerned Individual to seise the competent supervisory authority of his, her, or their habitual residence.

18. Severability, Survival, and Entire Statement

If any provision of this Policy is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be severed and the remaining provisions shall continue in full force and effect. The provisions of Sections 9 (Retention), 10 (Security), 11 (Rights), 15 (Breach), and 17 (Governing Law) shall survive any termination or expiration of the relationship between the Processor and the Concerned Individual. This Policy, together with the Terms of Service published at shiftcrew.app/terms, constitutes the entire statement of the Processor in respect of the Processing of Personal Information by means of the Platform.

19. Contact

All correspondence respecting this Policy should be addressed to:

Privacy Officer
K-NET LABS (operating as ShiftCrew)
Province of Ontario, Canada
[email protected]