cloudtimemanager.com

Menu
Sign Up
Login/Sign In
Menu

Privacy Policy

This Privacy Policy explains how Host Merchant Services, LLC (“HMS,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use the Cloud Time Manager web application, mobile applications for iOS and Android, and related services (collectively, the “Service”). Cloud Time Manager is a cloud-based time-and-attendance, scheduling, and workforce-management platform offered free of charge by HMS.
By creating an account or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the Service.

Quick Summary

  • We do not sell your personal information. We do not use your data for cross-app advertising, and we do not allow third-party advertisers to track you through the Service.
  • We do not run biometric matching. Photos taken at clock-in are stored as ordinary images for buddy-punching deterrence; we do not generate face-prints or fingerprints.
  • Most data we hold belongs to your employer. When your employer signs up for Cloud Time Manager, your work-related data is processed on their behalf — they decide how it is used.
  • You can request deletion of your account and data at any time. See Section 11 for self-service and email options.
  • Sensitive permissions (location, camera, notifications) are optional, used only for the feature you trigger, and can be revoked from your device settings at any time.

Our Role: Controller and Processor

Cloud Time Manager is a B2B workforce platform. Our role under privacy law depends on whose data we are handling:
  • When your employer is a customer of HMS,we act as a data processor (or "service provider") for employee data your employer enters or instructs us to collect (punches, schedules, locations, etc.). Your employer is the "data controller" for that information and is responsible for the lawful basis on which it is collected.
  • For account-level information — how the Service is delivered, security, fraud prevention, billing of optional partner services like on-demand pay, and product analytics — we act as the data controller.
If you are an employee with questions about how your specific employer uses your data inside Cloud Time Manager, please contact your employer first. We will assist your employer in responding to you.

Information We Collect

We collect only what we need to operate the Service. The table below summarizes the categories, common examples, and the purpose for each.
Data Category
Account & Identity
Date of Birth
Punch Records

Location (GPS)

Photo at Punch
Schedule & Availability
Earned-Wage Access (On-Demand Pay)
Device & Technical Data
Usage & Diagnostics
Communications
Examples
Name, email, phone, password (hashed), employee ID, role, employer / company assignment.
DOB for employees flagged by the employer as under 18.
Clock-in / clock-out timestamps, breaks, shift assignments, edits, approvals.
Latitude / longitude captured at the moment of a punch when geofencing is enabled by your employer.
A still photo captured by the device camera when your employer enables photo-verification at clock-in.
Availability windows, time-off requests, shift swaps, preferences.
Accrued earnings, pay-advance requests, partner-payout status. We do NOT store full bank account or card numbers.
Device model, OS version, app version, language, IP address, crash logs, push-notification tokens.
Pages viewed, features used, error events, performance metrics.
Messages you send to support; in-app notifications you receive.
Purpose
Create and authenticate your account; provide the Service.
Enforce minor labor laws (allowed hours, prohibited tasks, mandatory breaks).
Core time-and-attendance functionality and audit logs.

Verify that the punch occurred inside an approved geofenced job site.

Deter buddy punching. Photos are stored as standard images; we do not run facial-recognition or any biometric matching on them.
Build and publish schedules; honor PTO and shift-swap requests.
Process optional early-wage requests through our payment partner.
Operate, secure, and improve the Service; deliver push notifications.
Detect bugs, measure reliability, prioritize improvements.
Respond to your requests and operate the Service.
  • We do NOT collect: full bank-account numbers, payment-card numbers, government ID numbers (other than what your employer optionally enters for tax/payroll), health or medical information, contacts from your address book, your microphone audio, or your photo library beyond the punch photo you take through the camera at clock-in.

How We Collect Information

  • Directly from you — when you create your profile, take a punch, request time off, or contact support.
  • From your employer — when they invite you, assign you to a location, set your wage rate, mark you as a minor, or upload your details.
  • Automatically— device, app, and diagnostic data are collected by our servers, our analytics SDKs, and crash-reporting tools when you use the Service.
  • From integrations — if your employer connects a payroll provider (e.g., QuickBooks, ADP, Gusto, Paychex, Rippling, Workday), data flows between Cloud Time Manager and that provider as your employer directs.

How We Use Your Information

  • Authenticate you and operate the time-tracking, scheduling, dashboard, and reporting features.
  • Verify punches against geofences, photo-verification settings, and minor-labor-law rules where enabled by your employer.
  • Send service-related communications, schedule notifications, shift reminders, and approval requests through push notifications and email.
  • Process optional on-demand pay requests through our regulated payment partner.
  • Detect, prevent, and investigate fraud, abuse, security incidents, and policy violations.
  • Maintain audit logs for FLSA, wage-and-hour, and minor-labor-law compliance.
  • Improve, debug, and develop new features (using aggregated or de-identified data wherever practical).
  • Comply with our legal, tax, accounting, and contractual obligations.
We do not use your data for behavioral advertising, third-party advertising profiling, or ad-network targeting.

Mobile Permissions (iOS & Android)

Our mobile apps request the following permissions only when you use the related feature. You can grant, deny, or revoke each one in your device settings without losing access to the rest of the Service.

Location

  • iOS: "While Using the App" location is requested at clock-in to confirm you are inside an employer-defined geofence.
  • Android: ACCESS_FINE_LOCATION (foreground only) is requested for the same reason. We do not use background or "all-the-time" location.
  • Coordinates are captured only at the moment of a punch — we do not continuously track your location.

Camera

  • Used only when your employer enables photo-verification at clock-in, or when you upload a profile picture.
  • We do not access your photo library and we do not run facial-recognition on the captured image.

Notifications

  • Used to deliver shift reminders, schedule changes, swap requests, and approval messages.
  • You can disable notifications in device settings at any time.

Storage / Files

  • Used only to cache offline punches locally so they sync when connectivity returns.

Network State

  • Used to detect online/offline status for the offline-first punch queue.

App Tracking Transparency (iOS)

Cloud Time Manager does not track you across apps and websites owned by other companies. We do not access the IDFA (Identifier for Advertisers) and we do not display the App Tracking Transparency prompt because we have no behavior to disclose under that framework.

How We Share Information

We share information only with the parties below, only for the purposes listed, and only under contracts that require equivalent privacy and security protections.

Your Employer

  • Your employer is the primary recipient of the data you generate (punches, schedules, edits, locations, photos, hours).
  • Managers and administrators designated by your employer can view, edit, and export this data through the Service.

Service Providers (Sub-Processors)

We use a small number of vetted vendors to operate the Service. Each is bound by a written data-processing agreement and may use your information only on our instructions.
  • Cloud hosting and database providers (e.g., MongoDB Atlas, AWS or equivalent infrastructure providers).
  • Push-notification delivery (Apple Push Notification service, Firebase Cloud Messaging).
  • Email and transactional-message providers.
  • Product analytics (used in aggregate; no advertising).
  • Mapping and geocoding (Google Maps Platform or equivalent) for geofence display.
  • Customer-support tooling.

Payroll & Integration Partners

When your employer enables an integration, we transmit hours, wages, and related fields to providers such as QuickBooks, ADP, Gusto, Paychex, Rippling, or Workday. Their handling of your data is governed by their own privacy policies.

On-Demand Pay Partner

If you request earned-wage access, we share the minimum information needed (identity, accrued wages, employer reference) with our regulated payment partner who processes the advance. We do not store full bank or card numbers.

Legal, Safety, and Corporate Events

  • To comply with subpoenas, court orders, or other legal obligations.
  • To investigate, prevent, or respond to fraud, security incidents, or violations of our terms.
  • In connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Policy.
We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (“CCPA”).

International Data Transfers

HMS is headquartered in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate. We rely on lawful transfer mechanisms (such as Standard Contractual Clauses) where required by GDPR or UK GDPR.

Data Retention

We retain personal information only as long as needed for the purposes described in this Policy, or as required by law:
  • Active accounts: data is retained while your employer's account is active.
  • Punch records, edit history, and audit logs: retained for the period required by applicable wage-and-hour and tax law (typically at least 3–7 years), even after an employee is offboarded.
  • Backups: encrypted backups are rotated on a defined schedule and overwritten in the normal course.
  • Inactive employer accounts: deleted or de-identified within 12 months of termination, unless retention is required by law.
  • Diagnostic and crash logs: typically retained for up to 90 days.
After the retention period, data is deleted or irreversibly de-identified.

Account & Data Deletion

You may request deletion of your Cloud Time Manager account and the personal information associated with it at any time using either of the following methods:

In-App

  • Open the mobile app or web dashboard.
  • Go to Settings → Account → Request Account Deletion.
  • Confirm. We will email you to acknowledge receipt and process the request.

By Contact Form

  • Visit our Contact Us page on the Cloud Time Manager website and submit a request with the subject "Account Deletion Request" from the email address on your account.

What Gets Deleted

  • Your profile, contact details, login credentials, schedule preferences, push tokens, profile photo, and device records.
  • Punch photos and personal location records that are not required to be retained for wage-and-hour audit purposes.

What May Be Retained

  • Punch totals, hours worked, pay records, and edit-history audit logs that your employer or applicable law requires us to retain. Where retained, these records are de-identified or pseudonymized to the extent allowed by law.
  • Records needed for fraud prevention, security, dispute resolution, or legal obligations.
Most deletion requests are completed within 30 days. Employees should also contact their employer, since the employer may be the controller of much of the data.

Your Privacy Rights

GDPR / UK GDPR (European Economic Area, United Kingdom, Switzerland)

You have the right to:
  • Access the personal data we hold about you.
  • Request correction of inaccurate or incomplete data.
  • Request erasure ("right to be forgotten") subject to legal retention obligations.
  • Restrict or object to certain processing.
  • Receive a copy of your data in a portable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local supervisory authority.

CCPA / CPRA (California)

California residents have the right to:
  • Know the categories and specific pieces of personal information collected, used, disclosed, and (if applicable) sold or shared.
  • Delete personal information, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of "sale" or "sharing" — we do not engage in either.
  • Limit the use of sensitive personal information — we use sensitive PI only for the purposes set out in this Policy.
  • Be free from retaliation for exercising your rights.

Other U.S. State Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights, which we honor in line with each state’s requirements.

How to Exercise Your Rights

Reach out through our Contact Us page on the Cloud Time Manager website. We will verify your identity before responding and will reply within the timeframe required by applicable law (typically 30–45 days).

Security

We use a layered approach to protect your data:
  • TLS 1.2+ (256-bit) encryption for all data in transit.
  • Encryption at rest for production databases and backups.
  • Hashed and salted passwords (we never store passwords in plaintext).
  • Role-based access controls and least-privilege internal access.
  • Audit logging of administrative actions and security events.
  • Regular vulnerability scanning, dependency monitoring, and code review.
  • Incident-response procedures and breach-notification protocols.
No system is 100% secure. If we become aware of a breach affecting your personal information, we will notify you and the relevant authorities as required by law.

Children's Privacy

Cloud Time Manager is a workforce-management product for businesses. It is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13.
Some employees who use the Service may be minors aged 14–17 lawfully employed under federal and state child-labor laws. In those cases:
  • The employer is responsible for confirming lawful employment and obtaining any parental consent required by their jurisdiction.
  • We collect date of birth from these employees specifically so the system can enforce minor-labor-law restrictions on their behalf.
  • We do not knowingly collect more data from minor employees than is reasonably necessary to operate the Service and comply with law.
If you believe a child under 13 has provided us information, please contact us and we will delete it promptly.

Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated through the Service, by email, or both, at least 30 days before they take effect when feasible. The “Last Updated” date at the top reflects the most recent version. Your continued use of the Service after a change becomes effective means you accept the updated Policy.

Third-Party Links and Services

The Service may contain links to third-party websites, payroll integrations, or services not operated by HMS. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing information to them.

Contact Us

If you have questions about this Policy or want to exercise a privacy right, please reach out through our Contact Us page on the Cloud Time Manager website (link available in the site footer).
For users in the European Economic Area or the United Kingdom, you may also reach our designated representative through the same Contact Us page.