Privacy Policy
Effective: September 29, 2025 • Owner: Dakota Wheatley (sole proprietorship, Alberta, Canada)
1. INTRODUCTION
Dakota Wheatley ("we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the CronosWorks platform ("Service").
We comply with applicable privacy laws, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (PIPA), and—where applicable—the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
If you have any questions, contact our Privacy Officer at ceo@cronosworks.com.
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
- Account Information: Name, email, phone number, organization, and password.
- Profile Information: Job title, department, employee ID, and user role.
- Timesheet & Case Data: Work hours, project details, client identifiers, narratives, notes, and supporting files.
- Billing Information: Payment method details (processed securely through Stripe).
- Communications: Messages, support requests, feedback, and contact form submissions.
Data Controller vs. Data Processor: For organizational data (timesheets, client case notes, staff logs, etc.), CronosWorks acts as a Data Processor on behalf of your organization (the "Data Controller"). We process that data only according to the organization's instructions and this Privacy Policy.
2.2 Information We Collect Automatically
- Usage Data: Features used, time spent, session duration, and interaction history.
- Device Data: IP address, browser, operating system, device type, and identifiers.
- Log Data: Server logs, crash reports, and performance metrics.
- Cookies & Tracking: Session cookies, preference cookies, and (with consent) analytics cookies.
2.3 Information from Third Parties
- Authentication Providers: When you log in through a third-party service.
- Payment Processors: Transaction data received from Stripe.
- Analytics Services: Usage metrics from privacy-compliant analytics tools (e.g., Plausible, Google Analytics 4).
3. HOW WE USE YOUR INFORMATION
3.1 Primary Purposes
- To operate and maintain the CronosWorks platform.
- To manage user accounts and access permissions.
- To process timesheets, reports, and billing.
- To send essential service updates and support communications.
- To process payments and manage subscriptions.
3.2 Secondary Purposes
- To improve and personalize the Service.
- To monitor performance and troubleshoot errors.
- To detect, prevent, and address security or fraud incidents.
- To comply with legal or regulatory obligations.
3.3 Legal Basis for Processing (GDPR)
- Contract Performance: To deliver the services you request.
- Legitimate Interests: Improving services and maintaining security.
- Consent: When required for analytics, communications, or data sharing.
- Legal Obligation: Where necessary to comply with law.
4. HOW WE SHARE YOUR INFORMATION
We do not sell, rent, or trade your personal information.
We may share your data only as follows:
4.1 Service Providers
- Stripe: For secure payment processing.
- AWS / Fly.io: For hosting and infrastructure.
- Email & Notification Services: For communication and alerts.
- Analytics Providers: For aggregated, anonymized usage data.
Each provider is contractually bound by confidentiality and data protection obligations.
4.2 Legal Requirements
We may disclose information:
- To comply with applicable law, regulation, or legal process.
- To protect our rights, property, or safety, or that of users.
- In the event of a merger, acquisition, or business transfer (you will be notified).
4.3 With Your Consent
We will share your data with third parties only when you give explicit consent.
5. DATA SECURITY
We apply administrative, technical, and physical safeguards to protect your data:
- Encryption: All data is encrypted in transit (TLS) and at rest (AES-256).
- Access Controls: Role-based authentication and authorization.
- Regular Audits: Routine internal security assessments.
- Secure Hosting: Data stored on servers meeting SOC 2 and ISO 27001 standards.
Despite these measures, no system is completely secure. Users are responsible for maintaining strong passwords and account confidentiality.
6. DATA RETENTION
- Account & Profile Data: Retained while your account remains active.
- Timesheet & Case Data: Retained for 7 years (or as required by client contract).
- Billing Data: Retained for 7 years to meet tax and accounting obligations.
- Log Data: Retained for 1 year for diagnostics and security.
You may request deletion of your personal data at any time. We will delete or anonymize your data within 30 days, subject to legal retention requirements.
7. YOUR RIGHTS
Depending on your location, you may have the following rights:
- Access: Request a copy of your data.
- Correction: Request updates or corrections.
- Deletion ("Right to be Forgotten"): Request deletion of your personal data.
- Portability: Receive your data in a portable format.
- Restriction or Objection: Limit or object to specific processing activities.
- Withdraw Consent: If processing is based on consent, you may withdraw it at any time.
Requests can be sent to ceo@cronosworks.com.
8. COOKIES & TRACKING
- We use essential cookies for authentication and session management.
- Optional analytics cookies are used only with your consent.
9. INTERNATIONAL DATA TRANSFERS
Your data may be processed in Canada or the United States (Fly.io, AWS). We ensure adequate protection through Standard Contractual Clauses (SCCs) and equivalent safeguards consistent with PIPEDA and GDPR standards.
10. CHILDREN'S PRIVACY
CronosWorks is not intended for individuals under 13 years of age. If we become aware that a child's personal data has been submitted, we will promptly delete it.
Organizations using CronosWorks to document youth services must ensure that any client data they enter complies with relevant consent and privacy laws.
11. CCPA & CPRA (U.S. USERS)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:
- The right to know what categories of personal data we collect.
- The right to request deletion.
- The right to opt out of data sharing for advertising (we do not engage in this).
12. GDPR (EU/EEA USERS)
EU/EEA users may contact ceo@cronosworks.com to exercise GDPR rights. If unresolved, you have the right to lodge a complaint with your local supervisory authority.
13. CHANGES TO THIS POLICY
We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notice. The "Effective Date" at the top will reflect the latest version.
14. CONTACT
Privacy Officer:
Dakota Wheatley
Email: ceo@cronosworks.com
Province: Alberta, Canada
15. COMPLAINTS
If you believe we have mishandled your data, you may contact:
Office of the Information and Privacy Commissioner of Alberta (OIPC)
https://www.oipc.ab.ca/
Or, if applicable, your local privacy authority.