Zosimos Inc., a corporation incorporated under the laws of the Province of Alberta, Canada ("Zosimos", "we", "us", or "our"), operates the ZOSIMOS Timesheet mobile application for iOS and Android, and the related web-based services accessible at timesheet.zosimos.ca (collectively, the "Service").
This Privacy Policy describes our practices regarding the collection, use, storage, disclosure, and protection of personal information obtained through the Service. This Policy applies to all users of the Service, including employees, contractors, administrators, and supervisors whose accounts are provisioned by their employer or contracting organization (the "Organization").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any provision of this Policy, you must discontinue use of the Service immediately.
1. Definitions
- "Personal Information"
- Any information about an identifiable individual, as defined under the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, and the Personal Information Protection Act (PIPA), S.A. 2003, c. P-6.5.
- "Organization"
- The employer, business entity, or contracting party that has subscribed to the ZOSIMOS Enterprise platform and provisioned user accounts for the Service.
- "Data Controller"
- The Organization that determines the purposes and means of processing Personal Information through the Service. Zosimos acts as a Data Processor on behalf of the Organization.
- "Data Processor"
- Zosimos Inc., which processes Personal Information on behalf of and under the instructions of the Data Controller (the Organization).
- "Service"
- The ZOSIMOS Timesheet mobile application (iOS and Android), web application, and all related backend services, APIs, and infrastructure operated by Zosimos Inc.
- "User"
- Any individual who accesses or uses the Service, including employees, contractors, administrators, and supervisors.
2. Legal Basis for Processing
We process Personal Information on the following legal bases:
- Contractual Necessity — Processing is necessary for the performance of the service agreement between Zosimos and your Organization, and for the provision of workforce management services to you as an authorized user.
- Legitimate Interests — Processing is necessary for our legitimate interests in maintaining the security, integrity, and availability of the Service, preventing fraud, and improving application performance, provided such interests are not overridden by your fundamental rights and freedoms.
- Legal Obligations — Processing is necessary for compliance with applicable employment, tax, occupational health and safety, and labour standards legislation.
- Consent — Where required by applicable law, we obtain your consent before collecting certain categories of information, including precise location data and push notification permissions. You may withdraw consent at any time through your device settings, though this may limit certain functionality.
3. Information We Collect
3.1 Information Provided by Your Organization
Your Organization provisions your account through the ZOSIMOS Enterprise platform. In the course of account provisioning and ongoing use, we receive and process the following categories of Personal Information:
- Identity Information — First name, last name, employee number, username
- Contact Information — Work email address, work telephone number
- Employment Information — Position title, department, facility assignment, unit, employment type (full-time, part-time, casual), employment classification, hire date, probation period, supervisor assignment, and organizational role
- Compensation Information — Pay type (hourly/salary), standard hours per day and per week, overtime eligibility, vacation accrual rate, and banked overtime entitlements
- Access and Authorization — Role-based permissions, approval authority designations, delegation assignments, and impersonation privileges
3.2 Information Collected Through Use of the Service
When you interact with the Service, we collect the following categories of information:
- Time and Attendance Records — Clock-in and clock-out timestamps, break start and end times, time-off entries, overtime hours, and shift duration calculations
- Leave Management Data — Leave requests (type, dates, hours, justification), leave balances (accrued, used, remaining), and approval/denial records
- Overtime Records — Overtime pre-approval requests, justifications, overtime category assignments, and banked overtime ledger entries
- Approval Workflow Data — Approval and denial actions, reviewer identities, review timestamps, delegation records, and escalation history
3.3 Information Collected Automatically
- Precise Geolocation Data — GPS coordinates collected at the moment of clock-in and clock-out actions, solely for the purpose of geofence verification when your Organization has enabled location-based restrictions. Location data is not collected continuously or in the background.
- Coarse Location Data — Approximate geographic location derived from network information, used to verify general proximity to approved work sites.
- Device Information — Device manufacturer, model, operating system name and version, application version, screen dimensions, and a cryptographic device fingerprint generated for security and fraud prevention purposes.
- Unique Identifiers — User ID (assigned by the Service), device ID, push notification token, and session identifiers.
- Diagnostic and Performance Data — Application crash reports, stack traces, error logs, API response times, memory usage metrics, and network connectivity status. This data is used exclusively for maintaining application stability and improving performance.
3.4 Biometric Authentication Data
If your Organization enables biometric authentication for clock actions, the Service invokes your device's native biometric capabilities (Apple Face ID, Apple Touch ID, or Android BiometricPrompt). Biometric data is processed entirely on your device by the operating system. Zosimos does not receive, transmit, store, or have access to any biometric templates, facial geometry data, or fingerprint data at any time. We receive only a boolean confirmation of successful or failed authentication from the device operating system.
3.5 Information We Do Not Collect
We do not collect: social insurance numbers (SIN), banking or financial account information, health or medical records, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, sexual orientation, or criminal records.
4. How We Use Your Information
We use the information we collect strictly for the following purposes:
| Purpose | Categories of Data Used | Legal Basis |
|---|---|---|
| User authentication, session management, and access control | Identity, contact, user ID, device ID | Contractual necessity |
| Recording clock-in/out times and calculating work hours | User ID, timestamps, location (if enabled) | Contractual necessity |
| Geofence verification of approved work sites | Precise and coarse location | Consent; legitimate interest |
| Processing leave requests and maintaining balance records | User ID, employment information, leave data | Contractual necessity |
| Processing overtime pre-approvals and payroll calculations | User ID, compensation information, overtime records | Contractual necessity |
| Facilitating approval workflows and delegation chains | User ID, approval workflow data, role information | Contractual necessity |
| Delivering push notifications for shift reminders and approvals | Device ID, push token, user ID | Consent; legitimate interest |
| Fraud prevention, security monitoring, and audit trails | Device information, device fingerprint, location, user actions | Legitimate interest |
| Diagnosing application errors and improving performance | Crash data, performance data, diagnostic logs | Legitimate interest |
| Compliance with employment and labour standards legislation | Time records, employment information | Legal obligation |
We do not use your Personal Information for advertising, marketing, behavioural profiling, automated decision-making, user tracking across applications, or any purpose unrelated to the operation of the Service. We do not sell, rent, license, or otherwise commercially exploit your Personal Information.
5. Data Sharing and Disclosure
5.1 With Your Organization (Data Controller)
Your time entries, clock actions, leave requests, overtime records, and related workforce data are accessible to your Organization's authorized administrators, supervisors, and designated approvers as part of the Service's core functionality. Your Organization, as the Data Controller, determines the policies governing access to and use of this data within their management processes. Zosimos processes this data strictly in accordance with the Organization's instructions and our service agreement.
5.2 Sub-Processors and Service Providers
We engage the following categories of third-party service providers (sub-processors) to assist in operating the Service:
| Provider Category | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure provider | Server hosting, data storage, and computation | All data stored within the Service |
| Apple Push Notification Service (APNs) | Delivering push notifications to iOS devices | Device push token, notification content |
| Firebase Cloud Messaging (FCM) | Delivering push notifications to Android devices | Device push token, notification content |
| Expo Application Services (EAS) | Application builds, over-the-air updates | Application bundle (no user data) |
All sub-processors are bound by written data processing agreements that require them to: (a) process Personal Information only as instructed by Zosimos; (b) implement appropriate technical and organizational security measures; (c) notify Zosimos of any data breaches without undue delay; and (d) delete or return Personal Information upon termination of the engagement.
5.3 Legal and Regulatory Disclosure
We may disclose Personal Information without your consent where required or permitted by law, including:
- In response to a valid subpoena, court order, search warrant, or other legally binding request from a government authority with jurisdiction
- To comply with applicable federal, provincial, or municipal legislation, regulations, or legally binding orders
- To protect the rights, property, or personal safety of Zosimos, our users, or the public
- In connection with an investigation of suspected fraud, security incidents, or violations of our terms of service
- As part of a corporate transaction, including a merger, acquisition, asset sale, or reorganization, subject to the acquiring party agreeing to be bound by terms no less protective than this Policy
5.4 No Sale of Personal Information
Zosimos does not sell, rent, or trade Personal Information to any third party for monetary or other valuable consideration. We do not share Personal Information with third-party advertising networks, data brokers, or analytics platforms. We do not incorporate third-party SDKs or libraries that collect Personal Information for cross-application tracking or targeted advertising purposes.
6. Data Storage, Security, and Infrastructure
6.1 Data Location
All Personal Information is stored on servers located in Canada. We do not transfer Personal Information outside of Canada except as described in Section 11 (International Data Transfers).
6.2 Security Measures
We implement and maintain industry-standard technical, administrative, and physical safeguards designed to protect Personal Information against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption in Transit — All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Authentication — JWT-based authentication with short-lived access tokens (15-minute expiry), rotating refresh tokens (7-day expiry), and automatic session invalidation
- Secure Local Storage — Authentication tokens are stored using the operating system's secure enclave (iOS Keychain / Android Keystore) via expo-secure-store
- Access Controls — Role-based access controls (RBAC) enforcing the principle of least privilege across all API endpoints
- Audit Logging — Comprehensive audit trails recording all data access, modifications, and administrative actions with timestamps and actor identification
- Database Security — PostgreSQL databases with parameterized queries preventing SQL injection, connection encryption, and regular automated backups
- Device Verification — Cryptographic device fingerprinting to detect unauthorized device usage and session hijacking
- Input Validation — Server-side validation and sanitization of all user inputs to prevent injection attacks and data corruption
6.3 Breach Notification
In the event of a breach of security safeguards involving Personal Information that creates a real risk of significant harm to affected individuals, Zosimos will: (a) notify the Office of the Privacy Commissioner of Canada and, where applicable, the Alberta Information and Privacy Commissioner; (b) notify the affected Organization(s); and (c) notify affected individuals, in each case as required under PIPEDA, PIPA, and other applicable breach notification laws. Notifications will be made without unreasonable delay and in any event within 72 hours of becoming aware of the breach.
7. Data Retention and Deletion
7.1 Retention Periods
| Data Category | Retention Period | Justification |
|---|---|---|
| Time entries and payroll records | 7 years after creation | Employment standards and tax compliance (Canada Revenue Agency requirements) |
| Leave records and balance history | 7 years after creation | Employment standards compliance |
| Audit logs | 3 years after creation | Security, compliance, and dispute resolution |
| Device and session logs | 1 year after creation | Security monitoring and fraud prevention |
| Location data (GPS coordinates) | 1 year after collection | Geofence verification audit trail |
| Crash and diagnostic data | 90 days after collection | Application stability and performance improvement |
| Account and profile data | Duration of Organization's subscription + 90 days | Service delivery and wind-down |
7.2 Deletion Upon Termination
When an Organization terminates its subscription to the Service, or when an Organization requests deletion of a specific User's data, Zosimos will delete or irreversibly anonymize the applicable Personal Information within 90 days of the request, except where retention is required by applicable law. Anonymized data that can no longer be associated with an identifiable individual may be retained indefinitely for aggregate statistical analysis.
7.3 Individual Deletion Requests
Individual Users may request deletion of their Personal Information by contacting their Organization's administrator, who may submit a deletion request to Zosimos. Direct deletion requests from individuals will be forwarded to the applicable Organization for authorization, as the Organization is the Data Controller.
8. Your Privacy Rights
Under PIPEDA, PIPA, and other applicable privacy legislation, you have the following rights with respect to your Personal Information:
- Right of Access — You have the right to request access to the Personal Information we hold about you and to receive a copy in a commonly used electronic format. We will respond to access requests within 30 days.
- Right of Correction — You have the right to request correction of Personal Information that is inaccurate, incomplete, or out of date. Where we are unable to make the requested correction, we will annotate the information with the correction requested.
- Right of Deletion — You have the right to request deletion of your Personal Information, subject to legal retention requirements and the authorization of your Organization as Data Controller.
- Right to Withdraw Consent — Where processing is based on consent (e.g., location data, push notifications), you may withdraw consent at any time by adjusting your device settings. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
- Right to Complain — You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) or the Office of the Information and Privacy Commissioner of Alberta (www.oipc.ab.ca) if you believe your privacy rights have been violated.
To exercise any of these rights, contact your Organization's administrator or contact Zosimos directly at the contact information in Section 15. Since your account is managed by your Organization, some requests may require the Organization's authorization before we can act.
9. Location Data
We collect precise geolocation data only under the following conditions:
- Your Organization has enabled GPS-based clock verification in their administrative settings;
- You have granted location permission to the ZOSIMOS Timesheet application through your device's operating system;
- You are actively performing a clock-in or clock-out action.
Location data is collected as a single point-in-time reading at the moment of the clock action. We do not track your location continuously, in the background, or between clock actions. Location data is stored as part of the time entry audit record and is accessible only to your Organization's authorized administrators.
You may revoke location permissions at any time through your device's Settings application. If your Organization requires location verification for clock actions, disabling location permissions may prevent you from clocking in or out through the mobile application.
10. Push Notifications
The Service uses push notifications to deliver time-sensitive, work-related communications including shift start reminders, approval notifications, leave request updates, overtime alerts, and administrative announcements. Push notifications are delivered through Apple Push Notification Service (APNs) for iOS devices and Firebase Cloud Messaging (FCM) for Android devices.
Push notification tokens are stored securely on our servers and are used exclusively for delivering Service-related notifications. Tokens are not shared with any third party for marketing, advertising, or any purpose unrelated to the delivery of Service notifications. You may disable push notifications at any time through your device's Settings application.
11. International Data Transfers
Your Personal Information is primarily stored and processed on servers located in Canada. In the following limited circumstances, Personal Information may be transferred to or accessed from locations outside Canada:
- Push notification delivery through Apple (United States) and Google (United States) infrastructure
- Application build and distribution through Expo (United States) infrastructure
- Where your Organization operates facilities in jurisdictions outside Canada, authorized administrators in those jurisdictions may access data through the Service
Where Personal Information is transferred outside Canada, we ensure that appropriate contractual safeguards are in place requiring the recipient to provide a level of protection comparable to that afforded under Canadian privacy legislation.
12. Children's Privacy
The Service is designed for use by adults in employment or contractual relationships with subscribing Organizations. The Service is not directed at, and we do not knowingly collect Personal Information from, individuals under the age of 16. If we become aware that we have inadvertently collected Personal Information from an individual under 16, we will take immediate steps to delete such information and terminate the associated account.
13. Cookies and Tracking Technologies
The ZOSIMOS Timesheet mobile application does not use cookies, web beacons, pixel tags, or similar tracking technologies. The web application (timesheet.zosimos.ca) uses only strictly necessary session cookies for authentication and security purposes. We do not use any analytics cookies, advertising cookies, or third-party tracking cookies.
14. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. Material changes will be communicated by: (a) posting the updated Policy at the URL where this Policy is published; (b) updating the "Effective Date" at the top of this Policy; and (c) where practicable, providing notice to Organizations through the Service. Your continued use of the Service following the posting of a revised Policy constitutes your acceptance of the revised terms. We encourage you to review this Policy periodically.
Non-material changes (formatting, clarification of existing practices, typographical corrections) may be made without notice.
15. Contact Information
If you have questions, concerns, or complaints regarding this Privacy Policy, our data practices, or your privacy rights, you may contact us through the following channels:
Zosimos Inc. — Privacy Office
Email: privacy@zosimos.ca
General Inquiries: info@zosimos.ca
Website: https://zosimos.ca
We will acknowledge receipt of your inquiry within 5 business days and will respond substantively within 30 days. If you are unsatisfied with our response, you have the right to escalate your complaint to the applicable privacy commissioner.
16. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of the Province of Alberta and the federal laws of Canada applicable therein, without regard to conflict of law principles. Any disputes arising from or relating to this Policy shall be subject to the exclusive jurisdiction of the courts of the Province of Alberta, sitting in the City of Calgary.
17. Regulatory Compliance
This Privacy Policy is designed to comply with the following legislation and regulations:
- Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5
- Personal Information Protection Act (PIPA), S.A. 2003, c. P-6.5 (Alberta)
- Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23 (to the extent applicable to push notifications)
- Employment Standards Code, R.S.A. 2000, c. E-9 (Alberta) (as it relates to record-keeping requirements)
- Income Tax Act, R.S.C. 1985, c. 1 (5th Supp.) (as it relates to payroll record retention)
Your Organization, as the Data Controller, bears primary responsibility for ensuring that the collection and processing of employee Personal Information through the Service complies with all applicable employment, labour, privacy, and human rights legislation in the jurisdiction(s) in which it operates.
18. Severability
If any provision of this Privacy Policy is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.