Privacy Policy
Last Updated: July 15, 2025
1. Introduction
Obsidian Staffing ("we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Obsidian Staff Hub service ("the Service"), a remote staff productivity tracking system designed specifically for law firms.
This Privacy Policy applies to all users of the Service, including employees whose activities are being tracked ("Employees") and administrators who manage the system ("Administrators"). We encourage you to read this Privacy Policy carefully to understand our practices regarding your information.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
3. How We Use Your Information
We use the information we collect for various purposes, including:
3.1 Providing and Improving the Service
- To operate, maintain, and provide the features and functionality of the Service
- To monitor and analyze productivity and work patterns
- To verify attendance through the time clock system
- To generate reports and analytics
- To improve and develop new features and services
- To provide customer support and respond to inquiries
3.2 Communications
- To communicate with you about your account or use of the Service
- To send administrative messages, updates, security alerts, and support messages
- To provide information about new features or products we offer
3.3 Legal and Security Purposes
- To enforce our Terms and Conditions
- To protect the rights, property, or safety of our users, ourselves, or others
- To detect, investigate, and prevent fraudulent transactions or unauthorized access
- To comply with legal obligations
Important Note: While we collect activity data, we do NOT:
- Record keystrokes (what you're typing)
- Capture screenshots or screen content
- Access personal files or browsing history
- Monitor camera feeds (except during specific verification moments)
- Record audio or conversations
4. Information Sharing and Disclosure
We may share your information in the following circumstances:
4.1 With Your Employer
If you are an Employee, your activity data, productivity metrics, and webcam verification photos are accessible to authorized Administrators at your law firm. This information is used for productivity monitoring, attendance verification, and performance evaluation purposes.
4.2 Service Providers
We may share information with third-party service providers who help us operate, provide, improve, or secure the Service, including:
- Cloud hosting providers (DigitalOcean, Vultr)
- Analytics providers
- Customer support services
- Payment processors
These service providers are contractually obligated to use your information only as directed by us and in a manner consistent with this Privacy Policy.
4.3 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
4.4 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). We may also disclose your information if we believe in good faith that disclosure is necessary to:
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or others
- Investigate fraud, security, or technical issues
- Respond to an emergency
5. Data Storage and Security
We implement appropriate technical and organizational measures to protect the data collected through the Service:
- Encryption: All data transmitted between your device and our servers is encrypted using industry-standard SSL/TLS protocols. Data stored in our databases is encrypted at rest.
- Access Controls: We maintain strict access controls for our employees and contractors. Only authorized personnel have access to personal information, and only for specific business purposes.
- Security Infrastructure: Our service utilizes VPC network isolation, cloud firewalls with restrictive rules, and regular security scanning and patching.
- Authentication: We use secure JWT-based authentication with SSO integration where applicable.
- Regular Audits: We conduct regular security assessments and vulnerability testing of our systems.
While we strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.
6. Data Retention
We retain different types of data for different periods:
- Account Information: We retain your account information for as long as your account is active and for a reasonable period thereafter to comply with legal obligations or resolve disputes.
- Activity and Productivity Data: Activity and productivity data is typically kept for 12 months for reporting and analysis purposes.
- Webcam Verification Photos: Webcam verification photos are automatically deleted after one day.
- Payroll Information: Payroll information is kept according to legal requirements, which is generally 7 years.
When information is no longer necessary for the purposes for which it was collected, we will securely delete or anonymize it, unless retention is required by law.
7. Activity Monitoring Details
The Service includes activity monitoring features that track computer usage. Here's a detailed explanation of what is monitored and how this data is used:
7.1 What Is Monitored
- Active vs. Idle Time: We track when your computer is being actively used versus when it is idle (no keyboard or mouse activity).
- Application Usage: We record which applications you are using and for how long. We only collect the application name, not what you are doing within the application.
- Mouse and Keyboard Activity: We track mouse movements and keyboard activity to determine if you are actively working. We do NOT record keystrokes or capture what you type.
- Work Hours: We track when you clock in and out and when you take breaks.
- Integrated System Activities: If you connect the Service to third-party applications, we track activities performed in those systems (e.g., creating documents, sending emails, completing tasks).
7.2 How Monitoring Data Is Used
The activity data collected is used to:
- Calculate productivity scores and metrics
- Generate reports on work patterns and productivity
- Verify attendance and work hours
- Analyze efficiency and identify areas for improvement
- Support payroll and billing processes
7.3 Monitoring Limitations
To protect your privacy, there are strict limitations on what is monitored:
- No recording of keystrokes or typing content
- No screenshots or screen content capture
- No access to personal files
- No monitoring of web browsing history
- No audio recording
- No continuous webcam monitoring (only specific verification points)
8. Webcam Verification
The Service uses webcam verification at specific times to verify user presence. Here's how webcam verification works:
8.1 When Photos Are Taken
Webcam photos are only taken at the following specific times:
- When you clock in at the beginning of your workday
- When you return from breaks
There is NO continuous monitoring or recording through your webcam.
8.2 How Verification Photos Are Used
Verification photos are used solely for attendance verification purposes. They allow your employer to confirm that the person clocking in or returning from breaks is actually you.
8.3 Storage and Deletion
Webcam verification photos are:
- Stored securely with encryption
- Accessible only to authorized Administrators
- Automatically deleted after one day
- Never shared with third parties except as required by law
9. Third-Party Integrations
The Service can integrate with third-party applications like MerusCase, Google Workspace, and Monday.com. When you connect these services, we access and process certain information from these platforms.
9.1 Types of Information Accessed
Depending on the integration, we may access:
- MerusCase: Case management activity, document creation/uploads, notes, and client communications metadata.
- Google Workspace: Calendar events, tasks, and (with explicit permission) the ability to create vacation events in your calendar.
- Monday.com: Board and task data, status updates, and task completion information.
9.2 How Integration Data Is Used
Data from these integrations is used to:
- Track productivity across different work platforms
- Provide a comprehensive view of your work activities
- Include activities from these platforms in your productivity calculations
- Display relevant information in the Service dashboard
9.3 Data Limitations
We follow the principle of least privilege when accessing third-party services:
- We only request the permissions necessary to provide the Service
- We do not access the content of documents, emails, or other sensitive information
- For Google Calendar, we use read-only access for viewing events and limited write access only for creating vacation events
10. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
10.1 Access and Control
You may have the right to:
- Access the personal information we have about you
- Correct inaccurate or incomplete information
- Request deletion of your personal information
- Restrict or object to certain processing of your information
- Request a copy of your personal information in a structured, commonly used, and machine-readable format
To exercise these rights, please contact your employer's Administrator or contact us directly using the information in the "Contact Us" section.
10.2 Account Information
You can review and update your account information through the Service's profile settings. If you need assistance, please contact your Administrator.
10.3 Cookies and Tracking Technologies
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of the Service.
10.4 Communications Preferences
You may opt out of receiving promotional communications from us by following the unsubscribe instructions in those communications. Even if you opt out, you will still receive administrative messages regarding the Service.
11. International Data Transfers
We primarily store and process your information within the United States. However, we may transfer your information to our service providers and others located in different countries for the purposes described in this Privacy Policy.
Whenever we transfer your personal information outside of your country, we ensure a similar degree of protection is afforded to it by implementing appropriate safeguards, including:
- Using approved contractual clauses
- Ensuring that recipients are located in countries with adequate data protection laws
- Obtaining your consent for the transfer
12. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to remove that information from our servers.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date at the top of this Privacy Policy. We will notify you of any material changes by prominently posting a notice on the Service or by sending you an email. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.