Staffactory
Privacy

Privacy Policy

What we collect, how we use it, and the rights you have.

1. Who We Are

This Privacy Policy describes the practices of Staffactory LLC, a Delaware limited liability company (“Staffactory,” “we,” “us”). We operate a staffing and recruiting service that connects candidates with client companies through our website, portal, and mobile application. This Policy also applies to our Affiliates as described in Section 13.

2. Information We Collect

We collect information in three ways:

a. From you directly— when you create an account, apply, sign an RTR, chat with a recruiter, upload documents, or email us:

  • Identity & contact: name, email, phone, mailing address, date of birth, last 4 of Social Security Number (SSN) or equivalent for background-check keying;
  • Professional: resume, cover letter, work history, education, certifications, licenses, references, portfolio, pay expectations;
  • Placement & RTR data: the Right-to-Represent forms you sign, your electronic signature, signing date, zip code, and, where a client requires it, additional identifiers to pass client security screens;
  • Equal-opportunity data (voluntary): veteran status, race/ethnicity, disability status, and similar EEO fields — only if you choose to share them. Declining has no effect on your application;
  • Communications: messages you send us, including email, chat, and support tickets, and any attachments you include;
  • Mobile-app data (where applicable): push-notification tokens, device identifiers, biometric-enrollment status (we do not store biometric templates ourselves — the device does), and crash logs.

b. From employers and third parties:

  • References you list (we may contact them to verify work history);
  • Background-check companies (criminal history, employment/education verification, drug-screen results) — handled under the Fair Credit Reporting Act (see Section 12);
  • Client companies who receive your submission (interview feedback, placement decisions);
  • Public sources where you have made information available (such as a public LinkedIn profile or publicly indexed certifications), only when relevant to a specific opportunity.

c. Automatically, when you use our website or portal:

  • IP address, approximate location derived from IP, user-agent string, device type, browser;
  • Pages viewed, time on page, referrer, timestamps;
  • Authentication cookies and session identifiers;
  • Log data for security and fraud prevention.

3. How We Use Information

We use your information to:

  • Operate your account and the portal;
  • Match you with roles and present your candidacy to specific client companies you’ve authorized;
  • Verify eligibility (work authorization, background checks where applicable, certifications) in compliance with federal and state law;
  • Process payroll and tax withholding if you become a Staffactory W-2 employee during a placement;
  • Communicate with you about opportunities, application status, interviews, offers, onboarding, and platform changes;
  • Comply with legal obligations including EEOC reporting, OFCCP recordkeeping, FCRA, tax reporting (W-2/1099, state-equivalents), I-9 verification, and valid subpoenas or court orders;
  • Detect and prevent fraud, abuse, unauthorized access, and security incidents;
  • Analyze service usage in aggregated, de-identified form to improve the product;
  • Enforce our Terms of Service and legal agreements;
  • Operate Affiliate brands as described in Section 13.

No sale for advertising. We do not sell your personal information to third parties for their own advertising purposes, and we do not engage in cross-context behavioral advertising.

4. How We Share Information

We share your information only with categories of recipients listed below, and only for the purposes described:

  • Client companies. When you sign a Right-to-Represent (RTR) form, we share relevant parts of your profile (resume, contact details, RTR) with the named client company so they can evaluate you for the specific role. Clients receive only what is reasonably needed to make a hiring decision.
  • Background-check vendors. We or a client company may initiate a consumer report (criminal history, employment verification, drug screen) through an FCRA-compliant vendor. See Section 12.
  • Payroll and HR service providers. If you become a W-2 employee of Staffactory for a placement, we share the minimum information needed to pay you, file taxes, and administer benefits.
  • IT vendors and infrastructure providers. Categories include cloud hosting, database, content- delivery, transactional email, file storage, error monitoring, and analytics. Each is under a written contract that restricts their use of your information to the services they provide for us. See Section 14.
  • Professional advisors. Lawyers, auditors, accountants, and insurers, under professional obligations of confidentiality.
  • Government agencies and law enforcement when required by law (e.g., valid subpoenas, EEO-1 reporting, OFCCP audits, I-9 verification).
  • Affiliates and successor entities. See Section 13. In the event of a merger, acquisition, financing, or sale of assets, your information may be transferred to the successor entity. You will be notified of any change of control that materially affects how your information is handled.

We do not share EEO/demographic data with hiring managers. It is used only for aggregate compliance reporting.

5. How Long We Keep Information (Retention)

We keep your information for as long as your candidacy is active and for seven (7) yearsafter your last activity (last login, last application, or last communication with us), unless a longer period is required by law (e.g., tax, wage-and-hour, I-9, or pending litigation). The seven-year window is set to cover the minimum retention obligations under Title VII (1 year), ADEA (1 year), FCRA consumer-report records (5 years), OFCCP (2 years), and federal/state tax records (generally 4–7 years). It gives us a single, predictable rule across record types.

You can request earlier deletion under the rights in Section 6. We will honor the request unless we are required to keep specific records by law or to defend legal claims.

Aggregated or de-identified data (e.g., anonymized placement-rate statistics) may be retained indefinitely, because it no longer identifies you.

6. Your Rights Under U.S. State Privacy Laws

Depending on your state of residence, you may have some or all of the following rights regarding your personal information:

  • Right to know — what personal information we hold about you, where we got it, what we do with it, and who we share it with;
  • Right to access a copy of your personal information in a portable format;
  • Right to correct inaccurate personal information;
  • Right to delete your personal information, subject to legal-retention carve-outs;
  • Right to opt out of sale or sharing — although we do not sell personal information as CCPA/CPRA define “sale”;
  • Right to opt out of targeted advertising — we do not conduct this;
  • Right to limit use of sensitive personal information — we only use SPI (SSN last-4, DOB, precise geolocation, certain EEO data) for staffing, verification, compliance, and security;
  • Right to opt out of profiling that produces legal or similarly significant effects — see Section 15;
  • Right to non-discrimination for exercising these rights;
  • Right to appeal any denial of these rights (where required by your state).

How to exercise a right: email contact@staffactory.com with the subject line “Privacy Request” and your specific request. We will verify your identity using information already on file (we may ask you to log in and confirm via a second channel). We will respond within 45 days(some states require a shorter window — we’ll meet the shortest applicable deadline). For more complex requests, we may extend the response window by an additional 45 days where permitted by law and will notify you of the extension.

Authorized agents. You can designate an authorized agent to submit a request on your behalf. We will require written proof of the designation (such as a notarized power of attorney or signed permission) and will still verify your identity directly.

Appeals. If we decline a request, you may appeal by replying to our denial email or sending a new email to contact@staffactory.com with the subject line “Privacy Appeal.” We will respond to the appeal within 60 days and explain our reasoning. If we deny the appeal, you may contact your state Attorney General’s office or, if you are a California resident, the California Privacy Protection Agency.

California Shine the Light.California Civil Code § 1798.83 entitles California residents to request certain disclosures about sharing of personal information for third parties’ direct-marketing purposes. We do not share personal information for third-party direct-marketing purposes.

7. Sensitive Personal Information

We treat the following as “sensitive personal information” and use it only for purposes permitted under CCPA/CPRA and comparable state laws:

  • Social Security Number (we collect last 4 only on the portal; a client or background-check vendor may collect the full number directly, under their own controls);
  • Date of birth;
  • Precise geolocation (we do not collect precise location; IP-based city-level estimates only);
  • Racial or ethnic origin, for voluntary EEO reporting only;
  • Veteran, disability, and similar protected-class status, for voluntary EEO reporting only;
  • Account credentials (password hashes, session tokens).

We do not use this information for inferring characteristics, targeted advertising, or any purpose beyond providing the Services and meeting our legal obligations.

8. Cookies & Tracking

We use only the cookies needed to run the Services:

  • Authentication cookies (httpOnly, Secure, SameSite) to keep you logged in;
  • Session cookies for CSRF protection and form state;
  • Preference cookies for the UI (dark mode, language, etc.).

We do not use cookies for cross-site advertising or third-party analytics that profile you across unrelated sites. You can block or delete cookies through your browser; doing so may break login or some features.

Global Privacy Control (GPC).We honor GPC signals from your browser as a valid opt-out of any “sale” or “sharing” of your personal information.

Do Not Track.Browsers and devices may send a “Do Not Track” signal. Because there is no industry consensus on how to interpret that signal, we do not respond to DNT signals separately. Our handling of GPC signals (above) provides the equivalent opt-out.

9. Security

We protect your information using, among other controls:

  • TLS encryption for data in transit;
  • Encryption at rest for resumes and documents stored in our CDN;
  • Password hashing with bcrypt and security-best-practice salt rounds;
  • Hashed storage for invitation and password-reset tokens (the plaintext token only lives in your email and URL bar);
  • Role-based access controls inside our portal;
  • Rate-limiting and audit logging on sensitive endpoints;
  • Regular dependency updates and vulnerability review.

No system is perfectly secure. If we ever experience a security incident that legally requires notice, we will notify you and the appropriate regulators within the timeframes applicable law requires.

10. Children

The Services are not intended for children under 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided information to us, contact contact@staffactory.com and we will delete it.

11. International Data Transfers

Staffactory operates in the United States and stores personal information on servers located in the United States. If you access the Services from outside the U.S., you understand and agree that your information will be transferred to and processed in the U.S., which may have different data-protection standards than your country.

12. Background-Check Data (FCRA)

Before Staffactory or a client company orders a consumer report (background check, credit check, drug screen, education/employment verification) in your name, you will be provided a separate clear and conspicuous written disclosure and asked for written authorization, as required by 15 U.S.C. § 1681b(b)(2). You will also receive a copy of the FCRA “Summary of Your Rights Under the Fair Credit Reporting Act.”

If any adverse action is taken against you (e.g., withdrawal of an offer) based in whole or part on a consumer report, you will receive a pre-adverse-action notice with a copy of the report and the FCRA Summary of Rights, a reasonable opportunity to dispute inaccuracies, and a final adverse-action notice if the decision stands.

Certain states (including California, New York City, San Francisco, Massachusetts, and others) have additional fair-chance or ban-the-box rules that we follow when applicable.

13. Affiliated Entities and Brand Use

Definition.“Affiliate” means any entity that, now or in the future, directly or indirectly controls, is controlled by, or is under common control with Staffactory LLC, including any parent, subsidiary, sister company, successor entity, joint venture, or business unit operated under a different brand, trade name, “doing business as” designation, or domain.

Use across Affiliates. Personal information we collect under this Policy may be processed and used by Affiliates for the same purposes described in this Policy (operating the Services, matching you with roles, verifying eligibility, communicating with you, complying with the law, and the other purposes in Section 3) and under the same protections (the same retention rules in Section 5, the same security controls in Section 9, the same rights in Section 6). No new consent is required for an Affiliate to use your personal information consistent with this Section, except where applicable law requires separate consent (in which case the Affiliate will obtain it before relying on the data for the regulated purpose).

Branding and notifications.An Affiliate may operate under a different brand, trade name, or domain than “Staffactory.” Communications you receive from an Affiliate brand are governed by this Policy as if sent by Staffactory directly. Where required by law or industry guideline, the Affiliate brand will identify the legal entity sending the communication.

Successor entities and corporate transactions. If Staffactory undergoes a corporate transaction (merger, acquisition, financing, reorganization, or sale of assets, in whole or in part), your personal information may be transferred to the successor entity, which will be bound by this Policy or a successor policy with materially equivalent protections. You will be notified by email of any change of control that materially affects how your information is handled, with reasonable advance notice where practicable.

No expansion of purpose.Affiliate use does not authorize the sale of your personal information for third-party advertising, cross-context behavioral advertising, or any other purpose not described in this Policy. The “No sale for advertising” commitment in Section 3 binds every Affiliate.

14. Service Providers and Contractual Restrictions

Each IT vendor or infrastructure provider that processes your personal information on our behalf (cloud hosting, database, transactional email, file storage, error monitoring, analytics, push notifications) is engaged under a written contract that:

  • Restricts the vendor’s use of your personal information to the services it provides for us;
  • Prohibits the vendor from selling or sharing your personal information for the vendor’s own benefit;
  • Requires the vendor to apply reasonable security controls (encryption in transit and at rest, access controls, breach notification);
  • Allows us to terminate the engagement and require return or deletion of your personal information; and
  • Where required by CCPA/CPRA or comparable state laws, includes the contractual provisions for “service providers” or “processors” under those statutes.

A list of categories of vendors we use is available on request to contact@staffactory.com. We may add or change vendors over time; the categories remain the same.

15. Automated Decision-Making and Profiling

Staffactory does not make hiring decisions about you based solely on automated processing. Decisions to advance, interview, hire, or reject a candidate are made by humans (Staffactory recruiters or client hiring managers, or both).

We may use automated tools to support recruiter judgment, such as sorting candidates by relevance to a role, matching resumes to a job description, or flagging duplicate or potentially fraudulent submissions. These tools assist decision-making but do not replace it. They do not produce legal or similarly significant effects on you on their own.

You may ask us to describe, in plain language, the role automated tools played in any decision that affected you. Email contact@staffactory.com with the subject line “Automated Processing Inquiry.”

16. Categories of Personal Information (CCPA Reference)

For California residents and residents of states with analogous frameworks, the categories of personal information we have collected in the preceding 12 months, mapped to the categories enumerated by CCPA/CPRA § 1798.140 (and similar):

  • Identifiers (name, email, postal address, phone, account ID, IP address, device identifier);
  • Customer-records information (signature, employment history, education, financial information for payroll, medical/insurance information only where required for a placement);
  • Protected classifications (age, race, color, ancestry, national origin, citizenship, religion, marital status, medical condition, physical or mental disability, sex, sexual orientation, veteran status — collected on a voluntary basis for EEO reporting only);
  • Commercial information (records of services received from us);
  • Internet or other electronic-network activity (browsing history on our portal, interaction with our communications);
  • Geolocation data (city-level only, derived from IP);
  • Sensory information (recordings of any voice or video calls you have with us, where applicable and lawful);
  • Professional or employment-related information (resume content, references, work history, certifications, licenses);
  • Education information (degrees, transcripts where you provide them);
  • Inferences drawn from the above to create a profile reflecting role suitability (we do not use these for ads).

Sources. We collect the above categories from you directly, from references and prior employers you authorize, from background-check vendors, from client companies you authorize, from public professional sources, and automatically through your use of the Services.

Business or commercial purposes. The purposes of collection match Section 3 of this Policy: operating the Services, matching candidates to roles, verification and compliance, communications, fraud and security, aggregated analytics, and Affiliate operations described in Section 13.

Categories of recipients. Client companies, background-check vendors, payroll/HR providers, IT vendors (categories in Section 14), professional advisors, government agencies and law enforcement, Affiliates, and successor entities (Section 13).

No sale; no sharing for cross-context behavioral advertising. We have not sold personal information and have not shared personal information for cross-context behavioral advertising in the preceding 12 months, and we have no plans to do so.

17. Changes to This Policy

We may update this Privacy Policy. For material changes we will notify you by email at least 30 days before the changes take effect. A history of prior versions is available on request.

18. Contact Us

Questions, requests, or complaints about this Privacy Policy or our handling of your information:

Staffactory LLC
Email: contact@staffactory.com

See also our Terms of Service for the legal terms that govern your use of the Services. If you are unable to resolve a privacy concern with us, California residents may contact the California Privacy Protection Agency, and residents of other states may contact their state Attorney General’s office.