Privacy Policy

How Jombone collects, uses, discloses, and protects personal information.

Version 3.0 · Effective May 31, 2026 · Supersedes all prior versions

At a glance. Jombone is a software platform used by staffing agencies. We are not an employer, co-employer, or paymaster. We do not move money. The Platform's time clock uses photos for supervisor visual verification only — not biometric facial recognition. AI features assist staffing agencies but do not make employment decisions. We do not serve customers in the Province of Quebec.

California residents: See Section 12.1 for your rights under the CCPA/CPRA, including the right to opt out of sale/share of Personal Information and to limit the use of Sensitive Personal Information. Submit requests via the footer links below or email [email protected].

This Privacy Policy explains how Jombone Inc. ("Jombone," "we," "us," or "our") collects, uses, discloses, and protects personal information when individuals and businesses use the Jombone staffing operations platform, including our websites at www.jombone.com and help.jombone.com, our web application, our candidate and supervisor mobile applications, our iPad/tablet time-clock application, and our related APIs and services (collectively, the "Platform").

Please read this Privacy Policy carefully. By accessing or using the Platform, you confirm that you have read, understood, and accept the practices described in this Privacy Policy.

1. About Jombone — Important Disclosures

Before reading the rest of this Privacy Policy, please understand the following points about how the Platform works. These points affect how your personal information is collected, used, and disclosed.

Jombone is a software platform.

Jombone provides cloud-based software that staffing agencies use to manage their own staffing operations — recruiting, candidate management, scheduling, time capture, payroll-data export, billing, and reporting. Jombone is not an employer, co-employer, joint employer, employer-of-record, or paymaster of any worker or candidate. If you are a worker or candidate using the Platform, your employment relationship is with the staffing agency that invited you onto the Platform, not with Jombone.

Jombone does not move money.

Jombone does not pay workers, does not withhold taxes from worker wages, and does not collect funds from staffing agencies' clients. Where we collect banking deposit details, void cheques, Social Insurance Numbers (SIN), or Social Security Numbers (SSN), we do so on behalf of the staffing agency and pass that information to the staffing agency or to the staffing agency's third-party payroll provider. All payments and tax withholdings are handled by the staffing agency or by its third-party payroll provider, not by Jombone.

The Platform's time clock takes a photo at clock-in and clock-out — but this is not biometric identification.

When you clock in or out, the Platform captures a standard photograph for the purpose of allowing your supervisor at the staffing agency to visually verify it is you. The Platform does not derive any scan of facial geometry, facial template, facial vector, facial embedding, or other mathematical representation of your face; the Platform does not perform algorithmic facial recognition; and the photograph is not used to make any automated decision about you. The photograph is stored as a regular image file for supervisor visual review. (See Section 5.3 for full details.)

Jombone uses AI and machine learning to assist staffing agencies — but humans make the decisions.

The Platform includes AI-powered features (such as candidate matching, screening agents, and an employability rating called the "JScore") that may rank or score candidates and surface insights to staffing agencies. These features may use Jombone's own AI models, third-party AI service providers, or a combination of both. AI outputs may be inaccurate or biased. AI outputs are informational only and are not employment decisions. Staffing agencies remain solely responsible for all hiring, screening, scheduling, and other employment-related decisions. (See Section 7 for full details.)

Jombone does not serve customers in the Province of Quebec.

The Platform is offered to staffing agencies and their workers and clients located in the United States and Canada outside the Province of Quebec. Quebec Law 25 obligations are not addressed in this Privacy Policy. Individuals located in Quebec should not provide personal information to Jombone.

2. Who This Privacy Policy Applies To

Different parts of this Privacy Policy apply to different categories of individuals. The Platform serves three distinct audiences:

2.1 Workers and Candidates

Individuals who use the Jombone candidate mobile application, the candidate web portal, or the time-clock application to seek work through, or perform work for, one or more staffing agencies (each, a "Worker"). Workers may be invited onto the Platform by multiple staffing agencies (see Section 2.4 below).

2.2 Staffing Agency Customers

Businesses that subscribe to the Platform to manage their staffing operations (each, a "Customer"). Customers' employees and authorized users access the Platform through the web application and supervisor mobile application. Customers control their own data within the Platform (their "Tenant").

2.3 End-Clients of Staffing Agencies

Businesses that engage a Customer's workers — typically worksite employers — and that have been invited by a Customer to access limited Platform features such as timesheet approval, shift visibility, and invoice viewing (each, an "End-Client"). End-Clients access the Platform through accounts created and managed by the Customer.

2.4 Multi-Tenant Network Model

The Platform is multi-tenant. A single Worker may be invited into the networks of multiple Customers through the same mobile application or web portal. Within the Worker's view, the Worker's data, shifts, timesheets, communications, and related information are segregated by Customer network: a Worker sees only the data associated with the Customer network in which the Worker is currently operating, and one Customer cannot access another Customer's data even where the Customers share a common Worker.

2.5 Visitors to the Jombone Website and B2B Prospects

Individuals who visit www.jombone.com or who Jombone identifies as professional contacts at businesses that may be interested in subscribing to the Platform. Section 16 below addresses B2B marketing communications.

3. Our Role in Handling Personal Information

Where Jombone collects personal information from Workers, End-Clients, or Customer employees in connection with their use of a Customer's Platform Tenant, Jombone acts as a service provider (or processor) on behalf of the Customer. The Customer is the controller of that personal information and determines the purposes for which it is processed.

Where Jombone collects personal information directly — for example, when you visit our website, contact us, sign up for a free tier yourself, or interact with our B2B marketing — Jombone acts as a controller of that personal information.

Under California, Virginia, Colorado, Connecticut, Texas, and other US state privacy laws, where Jombone processes personal information on behalf of a Customer, Jombone is the Customer's "service provider," "processor," or equivalent. Under PIPEDA and similar Canadian laws, where Jombone processes personal information on behalf of a Customer, Jombone is a service provider acting on the Customer's behalf and is subject to comparable contractual protections.

4. Information We Collect from Workers and Candidates

If you use the Platform as a Worker or candidate, we may collect the following personal information, depending on which features your sponsoring Customer has enabled and which features you choose to use:

4.1 Identification and Contact Information

Full name, profile picture, date of birth, gender (where required by the Customer's compliance obligations);
Mailing address, telephone number, personal and business email addresses;
Emergency contact name and number;
Username and password for your account.

4.2 Employment and Eligibility Information

Resume, CV, cover letter, work history, education history, certifications, licenses, references;
Job preferences, type of employment sought, availability, shift preferences, work location preferences;
Introductory videos (if you choose to upload one);
Total work experience in years;
Proof of legal authorization to work in the applicable jurisdiction (e.g., government-issued ID, work permit, SIN/SSN as required to start employment);
Background-check results, drug-screening results, credit-check results, and similar third-party verifications (where the Customer requests them and you consent).

4.3 Payroll Passthrough Data

Where required by the Customer to process your pay, we collect — strictly as a passthrough to the Customer or the Customer's third-party payroll provider:

Banking deposit information (account number, transit/routing number);
Void cheque or bank confirmation document;
Social Insurance Number (Canada) or Social Security Number (United States);
Tax-withholding form data (e.g., TD1 in Canada; W-4 in the United States);
Other tax-identification or pay-related identifiers required by Applicable Law.

As stated in Section 1: Jombone does not initiate, settle, or otherwise effect payments to Workers. We collect this data on the Customer's behalf and pass it to the Customer or the Customer's third-party payroll provider for the Customer's payroll processing.

4.4 Time and Attendance Data

Clock-in and clock-out timestamps;
Geolocation at the time of clock-in and clock-out (where the Customer has enabled geo-fencing and you have granted location access on your mobile device);
Photographs captured at clock-in and clock-out (where the time-clock module has been enabled) — see Section 5.3 for details on how these photographs are used;
Shift assignments, hours worked, breaks, and supervisor approvals.

4.5 Communications

Messages exchanged between you and Customer personnel, supervisors, or End-Clients through the Platform's messaging features; push notifications and SMS messages sent or received through the Platform; and content of any support or feedback inquiries you submit to Jombone.

4.6 Device and Usage Information

Technical data automatically generated when you use the Platform, including IP address, browser type, operating system, device identifiers, app installation identifiers, log data, time zone, language settings, and the sections and pages of the Platform you visit. See Section 15 (Cookies and Tracking) for additional details.

4.7 Third-Party Sources

We may receive personal information about you from third parties, including background-check providers, identity-verification providers, credit-check providers, government agencies (for SIN/SSN verification), references you have authorized, and the Customer that invited you onto the Platform.

5. Special Categories of Information

Certain types of information we collect are subject to additional legal protections. This Section 5 sets out how we handle those categories specifically.

5.1 Government Identification Numbers (SIN / SSN)

We collect your Social Insurance Number (Canada) or Social Security Number (United States) only when required by Applicable Law and by your sponsoring Customer for the purpose of facilitating your active employment with the Customer. We do not use your SIN/SSN for any other purpose. We pass this information to the Customer and to the Customer's third-party payroll provider as part of the payroll passthrough described in Section 4.3. We use commercially reasonable technical and organizational measures, including encryption and access controls, to protect SIN/SSN data within the Platform.

5.2 Banking Deposit Information

We collect banking deposit information (account number, transit/routing number, and void cheque) only as a passthrough to the Customer or the Customer's third-party payroll provider for direct-deposit setup. Jombone does not access bank accounts, does not initiate transfers, and is not a payment processor, money transmitter, or financial institution.

5.3 Time-Clock Photographs

Where your sponsoring Customer has enabled the time-clock module, the Platform's time-clock application (delivered via iPad, tablet, or mobile device) captures a standard photograph at each clock-in and clock-out event. The following important points apply:

THE PLATFORM DOES NOT COLLECT, DERIVE, COMPUTE, STORE, COMPARE, OR OTHERWISE PROCESS ANY BIOMETRIC IDENTIFIER OR BIOMETRIC INFORMATION FROM THESE PHOTOGRAPHS. THE PLATFORM DOES NOT DERIVE ANY SCAN OF FACIAL GEOMETRY, FACIAL TEMPLATE, FACIAL VECTOR, EIGENFACES, FACIAL EMBEDDINGS, OR OTHER MATHEMATICAL REPRESENTATION OF FACIAL FEATURES. THE PLATFORM DOES NOT PERFORM ALGORITHMIC FACIAL RECOGNITION. THE PHOTOGRAPHS ARE NOT USED TO MAKE ANY AUTOMATED DECISION ABOUT YOU — INCLUDING NO DECISION ABOUT PAY, SCHEDULING, HIRING, DISCIPLINE, OR TERMINATION.

The photographs are stored as standard image files (JPEG or PNG) within your sponsoring Customer's Tenant. They are made available to authorized supervisors at your sponsoring Customer for visual review only — that is, to permit a human supervisor to look at the image and confirm visually that the Worker who clocked in or out is the assigned Worker. This is intended to deter buddy-punching and time theft.

Time-clock photographs are retained for the duration of your sponsoring Customer's subscription to the Platform and are deleted (along with the rest of the Customer's data) following termination of that subscription. You may request that your sponsoring Customer disable time-clock photo capture for you, subject to the Customer's operational policies. We confirm that, because the Platform does not derive biometric identifiers from these photographs, the Platform's use of time-clock photographs does not, by itself, trigger the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), the Washington biometric identifier law (RCW 19.375), or analogous law of any other jurisdiction.

5.4 Geolocation Data

Where your sponsoring Customer has enabled mobile time-clock or geo-fenced shift-management, the Platform may collect your mobile device's location at the time of clock-in and clock-out, and during shifts if so configured. You control location-sharing permissions through your mobile device's operating system. If you disable location sharing, you may not be able to clock in or out using the mobile application; in such case, please use an alternative time-capture method made available by your sponsoring Customer.

5.5 Background-Check Results, Credit-Check Results, and Drug-Screening Results

Where your sponsoring Customer requires background, credit, or drug-screening checks, those checks are conducted by third-party providers selected by Jombone or by the Customer. Results are returned to the Platform and made available to authorized Customer personnel. Use of such results is governed by the Customer's policies and by Applicable Law, including the Fair Credit Reporting Act (US), the Criminal Records Act (Canada), and applicable provincial human-rights legislation. Jombone does not use these results for any purpose other than presenting them to your sponsoring Customer.

5.6 No Protected Health Information by Default

Unless your sponsoring Customer has entered into a separate written Business Associate Agreement with Jombone under HIPAA, the Platform is not configured to receive Protected Health Information ("PHI"). Workers should not submit PHI to the Platform unless explicitly directed by their sponsoring Customer in accordance with such an agreement.

6. Information We Collect from Customers and End-Clients

6.1 Staffing Agency Customers

When a Customer subscribes to the Platform, we collect information about the Customer entity and its authorized users, including: business name, business email addresses, mailing addresses, telephone numbers, business profile information, billing contact information, payment information (encrypted credit card data or banking information for ACH/EFT, handled by our payment processor), industries served, locations, and Customer personnel names, titles, and contact information.

We collect login credentials, role and permission settings, and configuration data for each authorized user of the Customer's Tenant. We log authorized users' interactions with the Platform for security, audit, and Service-improvement purposes.

6.2 End-Clients

When a Customer invites an End-Client onto the Platform, the Customer creates an End-Client account and shares limited information with us about the End-Client business and the End-Client's authorized users (typically a worksite contact name, email, and phone). End-Clients may submit additional information into the Platform — such as timesheet approvals, comments on shifts, and worker feedback — which becomes part of the Customer's data within the Platform.

End-Clients should understand that all data accessible through their End-Client account belongs to the Customer (the staffing agency that invited the End-Client). The End-Client's access is provided as part of the Customer's commercial service to the End-Client. See our Master Services Agreement, Exhibit G (End-Client Access Terms), for more detail.

6.3 Website Visitors and Prospective Customers

When you visit www.jombone.com, request a demo, fill out a contact form, download a resource, register for a webinar, or otherwise interact with our marketing properties, we collect the information you provide (typically business name, business email, name, title, phone number, and any free-text input). We also collect device and usage information as described in Section 4.6 and Section 15.

7. How We Use Personal Information

We use personal information for the purposes set out below. Where we act as a service provider/processor on behalf of a Customer (see Section 3), we process personal information only for these purposes and only as instructed by the Customer.

7.1 Operating the Platform

Providing, maintaining, supporting, securing, and improving the Platform and its features;
Authenticating users and managing user accounts;
Hosting and storing Customer Tenant data;
Enabling communications between Workers, Customer personnel, supervisors, and End-Clients;
Processing the data inputs and outputs of the Customer's staffing operations (sourcing, applicant tracking, screening, scheduling, dispatch, time capture, payroll-data export, billing, and reporting).

7.2 Facilitating Worker Engagement with Customers

Sharing Worker profile data, qualifications, availability, references, and verification results with the sponsoring Customer (and, where the Customer directs, with End-Clients) to enable the Customer to assess, place, schedule, and engage the Worker;
Passing payroll-related data (banking deposit details, SIN/SSN, tax-form data, hours worked) to the Customer or to the Customer's third-party payroll provider, as a passthrough for the Customer's payroll processing;
Generating reports and analytics for the Customer about its staffing operations.

7.3 AI Features and the JScore

The Platform includes AI-powered features that may use Jombone's proprietary machine-learning models, third-party AI service providers (including large language model providers such as OpenAI), or a combination of both. These AI features include:

AI Matching — automated ranking or surfacing of candidates against job-order criteria submitted by a Customer;
AI Screening Agents — automated evaluation of candidate-submitted responses, qualifications, availability, or other attributes against criteria configured by a Customer through screening prompts;
AI Sourcing — automated identification and outreach to prospective candidates through multi-channel communications configured by a Customer;
JScore — an algorithmic "employability rating" generated for a candidate based on the candidate's profile data, behavioral data on the Platform, and other inputs. The JScore is shared with Customers and may be shared with End-Clients by Customers.

IMPORTANT NOTICE FOR WORKERS AND CANDIDATES REGARDING THE JSCORE AND OTHER AI FEATURES: THE JSCORE AND OTHER AI OUTPUTS MAY BE USED BY CUSTOMERS AS INPUTS TO EMPLOYMENT-RELATED DECISIONS. WHERE APPLICABLE LAW (SUCH AS NEW YORK CITY LOCAL LAW 144, THE COLORADO AI ACT, THE ILLINOIS ARTIFICIAL INTELLIGENCE VIDEO INTERVIEW ACT, OR ANALOGOUS LAW) REQUIRES NOTICE OF, CONSENT TO, OR A BIAS AUDIT FOR THE USE OF AUTOMATED EMPLOYMENT DECISION TOOLS ("AEDTS"), THE STAFFING AGENCY THAT USES THE AI FEATURE WITH RESPECT TO YOU (AND NOT JOMBONE) IS THE DEPLOYER OF THE AEDT AND IS RESPONSIBLE FOR COMPLIANCE WITH THOSE LAWS. IF YOU HAVE QUESTIONS ABOUT HOW A CUSTOMER IS USING AI FEATURES IN RELATION TO YOU, PLEASE CONTACT THE CUSTOMER DIRECTLY.

Where you wish to opt out of profiling and automated decision-making to the extent permitted by Applicable Law (including, for residents of certain US states, the right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects), please see Section 11 (Your Rights). Where you wish to limit your data being used to train AI models, please see Section 7.5.

7.4 Security, Fraud Prevention, and Compliance

Detecting, investigating, and preventing fraud, security incidents, unauthorized access, time theft, buddy-punching, and other unlawful activity;
Monitoring Platform usage for SOC 2 compliance, audit logging, and incident response;
Complying with Applicable Law, regulatory requests, court orders, subpoenas, and lawful enforcement requests.

7.5 Research, Model Training, and Service Improvement

Subject to the limitations below, we may process personal information in de-identified or aggregated form to: (a) develop, train, fine-tune, test, evaluate, and improve Jombone's proprietary AI and machine-learning models, including matching, screening, sourcing, and scoring models; (b) generate aggregate industry insights, benchmarks, and analytics that do not identify any individual; (c) detect and remediate model bias, drift, and error; and (d) improve the security, integrity, and performance of the Platform.

"De-identified" means information from which all direct identifiers, and any indirect identifiers that could reasonably be used to re-identify an individual, have been removed, obscured, hashed, or aggregated. We use commercially reasonable technical and organizational measures to prevent re-identification, we do not attempt to re-identify de-identified data, and we contractually obligate our service providers not to attempt re-identification.

Where we use third-party AI service providers to deliver AI features, we configure those providers, where the configuration is available, not to train their own models on personal information submitted via Jombone's API.

Customers, Workers, and End-Clients located in jurisdictions where applicable law provides a right to opt out of personal information being used to train AI models may exercise that right by contacting [email protected] (see Section 11).

7.6 Communications and Marketing

Sending operational notifications about your account, shifts, timesheets, payroll-related notices issued by your sponsoring Customer, document-signing requests, security alerts, and changes to the Platform or to this Privacy Policy;
Providing customer support and responding to your inquiries;
For Customers and prospective Customers — sending marketing communications about our services, in accordance with Section 16 and Applicable Law (including CASL for Canadian recipients). You can opt out of marketing communications at any time.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We share personal information only as described below.

8.1 With the Customer (Staffing Agency)

If you are a Worker or candidate, the personal information you submit to the Platform is shared with the staffing agency Customer or Customers that invited you onto the Platform. This includes your profile, work history, verification results, JScore, time and attendance data, communications, and other data necessary for the Customer to consider you for engagements and to manage your engagement if you are placed.

8.2 With End-Clients (When the Customer Directs)

If a Customer has invited an End-Client onto the Platform, the Customer determines what data is visible to the End-Client. Depending on the Customer's configuration, an End-Client may be able to see Worker profiles (including the JScore), shift schedules, time and attendance data, and timesheet approvals. End-Clients' access is governed by the Master Services Agreement, Exhibit G.

8.3 With Subprocessors and Service Providers

We share personal information with carefully selected third-party service providers ("Subprocessors") who help us deliver and operate the Platform. Our current Subprocessors, including the categories of services they provide and the categories of personal information they receive, are listed at www.jombone.com/subprocessors. Categories include:

Cloud hosting and infrastructure providers (storage, compute, content delivery);
Third-party AI service providers and large language model providers (for AI features);
Background-check, identity-verification, and credit-check providers;
E-signature providers;
Communications providers (SMS, email, push notifications);
Mapping and geolocation providers;
Payroll-data integration partners (note: these partners receive payroll-related data from Jombone as a passthrough; they are the Customer's third-party payroll providers, not Jombone's);
Customer support and ticketing platforms;
Analytics, error-monitoring, and security providers;
Payment processors (for Customer subscription billing).

All Subprocessors are bound by contractual obligations requiring them to handle personal information consistent with this Privacy Policy and Applicable Law, and to use the personal information only for the purposes for which they were engaged.

8.4 With Legal, Regulatory, and Law Enforcement Authorities

We may disclose personal information to government authorities, regulators, courts, and law enforcement: (a) where required by Applicable Law, court order, subpoena, or other lawful process; (b) to protect the rights, property, or safety of Jombone, our users, or others; (c) to investigate, prevent, or take action regarding suspected unlawful or harmful activity; or (d) to enforce our Master Services Agreement, this Privacy Policy, or other applicable terms. Where lawful and practicable, we will notify the affected Customer before disclosing the Customer's data.

8.5 In Business Transactions

If Jombone is involved in a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, personal information may be transferred to the successor entity. We will require the successor to handle personal information consistent with this Privacy Policy or to give affected users notice before materially changing its practices.

We may share personal information for other purposes with your consent or at your direction.

8.7 Aggregated and De-Identified Information

We may share aggregated and de-identified information — that does not identify any individual — for industry research, benchmarks, marketing, and other lawful purposes.

8.8 No Sale, No Cross-Context Behavioral Advertising

We confirm: (a) we do not "sell" personal information as that term is defined under the California Consumer Privacy Act (CCPA/CPRA) or analogous US state privacy laws; (b) we do not "share" personal information for cross-context behavioral advertising; (c) we do not use Sensitive Personal Information for purposes other than those permitted under Section 7027 of the California CCPA Regulations. A "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link are provided in the footer of www.jombone.com for ease of access notwithstanding our current practices.

9. International Data Transfers and Storage Locations

Jombone is headquartered in the United States and operates infrastructure in the United States and Canada. Depending on your sponsoring Customer's location and configuration:

For US Customers, personal information is processed and stored in the United States and Canada;
For Canadian Customers (excluding Quebec), we use commercially reasonable efforts to process and store Canadian personal information within Canada or the United States;
Subprocessors may process personal information in additional jurisdictions; the categories of Subprocessors and their processing locations are listed at www.jombone.com/subprocessors.

When personal information is transferred outside the country in which it was collected, that information may be accessed by governmental and law-enforcement authorities of the receiving country under that country's laws, including without notice to you. We use standard contractual protections, technical safeguards, and contractual restrictions with Subprocessors to provide a comparable level of protection regardless of the location of processing.

10. How We Protect Your Information

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. These safeguards include:

Encryption of personal information at rest (AES-256) and in transit (TLS 1.2 or higher);
Role-based access controls, the principle of least privilege, and segregation of duties;
Multi-factor authentication for administrative access;
Logging, monitoring, and alerting for security events;
Vulnerability scanning, periodic penetration testing, and secure software-development practices;
Vendor risk management, including security and privacy assessments of Subprocessors;
Documented incident-response procedures and regular tabletop exercises;
Employee security awareness training and confidentiality obligations.

Jombone maintains technical and organizational controls aligned with the SOC 2 Type II framework and is undergoing a third-party SOC 2 Type II audit, with the audit report anticipated to be available in Q2 2026. Upon completion of the audit, the SOC 2 Type II report will be made available to Customers under a customary mutual non-disclosure agreement upon written request.

No security measures are perfect or impenetrable, and no method of data transmission or storage can be guaranteed against interception or misuse. You play an important role in keeping your account secure: please choose a strong, unique password, enable multi-factor authentication where offered, do not share your credentials, and notify us immediately at [email protected] if you suspect any unauthorized access to your account.

11. How Long We Keep Personal Information

We retain personal information only for as long as necessary for the purposes set out in this Privacy Policy, to comply with our legal, regulatory, accounting, and reporting obligations, and to resolve disputes and enforce our agreements.

11.1 Customer Tenant Data

Personal information held within a Customer's Tenant (including Worker, candidate, End-Client, and Customer-personnel data) is retained for the duration of the Customer's subscription to the Platform. Following termination or expiration of the Customer's subscription, Customer Tenant data is deleted or anonymized within thirty (30) days, subject to: (a) legal-retention requirements; (b) de-identified or aggregated data, which may be retained indefinitely; and (c) routine backup overwrite cycles. Customers are responsible for exporting any data they wish to retain prior to termination of their subscription — see the Master Services Agreement, Section 5.2.

11.2 Time-Clock Photographs

Time-clock photographs are retained for the duration of the sponsoring Customer's subscription to the Platform and are deleted on subscription termination as part of Customer Tenant data deletion.

11.3 Marketing and Prospect Data

Where we hold business contact information for B2B marketing purposes (see Section 16), we retain that information for as long as it remains accurate and useful for marketing, or until you ask us to remove you from our marketing list. We honor opt-out requests within ten (10) business days for CASL recipients and as promptly as feasible for all others.

11.4 Website Visitor Data

Cookies and similar tracking data are retained for the periods set out in our Cookie Notice (see Section 15). Web-server logs are retained for security and audit purposes for up to twelve (12) months.

11.5 De-Identified Data

De-identified and aggregated data is not subject to the deletion timelines above and may be retained indefinitely for the purposes set out in Section 7.5.

11.6 Legal Hold

We may retain personal information beyond the periods above where required by Applicable Law, a court order, or a legal hold in connection with actual or threatened litigation, regulatory investigation, or government inquiry.

12. Your Privacy Rights

This Section 12 describes the privacy rights available to you. The specific rights you have depend on the laws of the jurisdiction in which you live. To exercise any of these rights, please contact us at [email protected] — see Section 19 for contact details and how we verify and process requests.

Where you are a Worker, candidate, or End-Client of a sponsoring Customer, much of your personal information is held by Jombone on behalf of that Customer. In those cases, the Customer is the controller of the information and you may need to direct your request to the Customer directly. If you contact us with a request that relates to a Customer's Tenant, we will work with the Customer to respond.

12.1 California Residents — Your Rights Under the CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"):

Right to Know. You may request that we disclose: (i) the categories of Personal Information we have collected about you; (ii) the categories of sources of that Personal Information; (iii) the business or commercial purpose for collecting, selling, or sharing Personal Information; (iv) the categories of third parties to whom we disclose Personal Information; and (v) the specific pieces of Personal Information we have collected about you.

Right to Delete. You may request that we delete Personal Information we have collected from you, subject to exceptions permitted by the CCPA (for example, where the information is needed to complete a transaction, detect security incidents, comply with a legal obligation, or for our internal lawful uses).

Right to Correct. You may request that we correct inaccurate Personal Information we maintain about you.

Right to Opt Out of Sale or Sharing. You may direct us not to sell or share your Personal Information. As stated in Section 8.8, Jombone does not sell or share Personal Information; however, a "Do Not Sell or Share My Personal Information" link is available in the footer of www.jombone.com.

Right to Limit the Use of Sensitive Personal Information. You may direct us to use Sensitive Personal Information only for purposes permitted under Section 7027 of the CCPA Regulations. Jombone uses Sensitive Personal Information (such as government identifiers and account credentials) only for the purposes set out in Sections 5 and 7 of this Privacy Policy, which are within the permitted categories. A "Limit the Use of My Sensitive Personal Information" link is available in the footer of www.jombone.com.

Right to Opt Out of Automated Decision-Making and Profiling (where in effect). Where regulations issued by the California Privacy Protection Agency providing the right to opt out of profiling and automated decision-making come into effect, you will have the right to opt out of profiling and automated decision-making that produces legal or similarly significant effects concerning you, including with respect to the AI features described in Section 7.3.

Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights, including by denying services, charging different prices, providing a different level or quality of service, or suggesting that you will receive a different price or service.

To exercise these rights, contact us at [email protected], call us at +1 (888) 400-9896, or submit a request through the form at www.jombone.com/privacy-request. You may also designate an authorized agent to make a request on your behalf, provided we are able to verify the agent's authority and your identity. We respond to verified CCPA requests within forty-five (45) days, with one optional forty-five (45)-day extension where reasonably necessary and we notify you of the extension within the initial period.

Categories of Personal Information We Collect — California Disclosure. In the preceding twelve (12) months, we have collected the following categories of Personal Information under California Civil Code § 1798.140: (a) identifiers (e.g., name, IP address, email, account credentials, SSN/SIN); (b) information described in California Civil Code § 1798.80(e) (e.g., employment information, bank account information collected as passthrough); (c) characteristics of protected classifications under California or federal law (where Customers configure them); (d) commercial information (subscription and billing data); (e) internet or other electronic network activity (usage logs, device identifiers, cookies); (f) geolocation data (where time-clock geo-fencing is enabled); (g) audio, electronic, visual, or similar information (time-clock photographs, introductory videos); (h) professional or employment-related information (resumes, work history); (i) inferences drawn from the foregoing (e.g., JScore and AI feature outputs); and (j) Sensitive Personal Information including government identifiers, account credentials, and precise geolocation (where geo-fencing is enabled). We collect this Personal Information from the sources, for the purposes, and disclose it to the categories of third parties described elsewhere in this Privacy Policy.

12.2 Residents of Virginia, Colorado, Connecticut, Texas, Utah, Oregon, Montana, and Other States with Comprehensive Privacy Laws

Depending on your state of residence, you may have some or all of the following rights under your state's comprehensive privacy law (such as the Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Utah UCPA, Oregon OCPA, Montana MTCDPA, and similar laws):

The right to confirm whether we process your Personal Data and to access that data;
The right to correct inaccurate Personal Data;
The right to delete Personal Data, subject to lawful exceptions;
The right to obtain a portable copy of your Personal Data in a structured, commonly used, machine-readable format;
The right to opt out of (i) the sale of Personal Data, (ii) targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects;
The right to limit the use of Sensitive Data (e.g., government identifiers, precise geolocation, financial account numbers);
The right to appeal a decision regarding a privacy request, in accordance with the appeal procedure in Section 12.6.

As stated above, Jombone does not sell Personal Data and does not engage in targeted advertising. Where we use AI features in a manner that may constitute profiling in furtherance of decisions producing legal or similarly significant effects, you may opt out by contacting [email protected]. Note that opt-out of AI-feature use by a sponsoring Customer may also require direct communication with that Customer.

12.3 Canadian Residents — Rights Under PIPEDA, Alberta PIPA, and BC PIPA

If you are a resident of Canada outside the Province of Quebec, you have the following rights under the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and where applicable the Personal Information Protection Act of Alberta ("PIPA Alberta") or the Personal Information Protection Act of British Columbia ("PIPA BC"):

The right to be informed of the existence, use, and disclosure of your Personal Information and the right to access that information;
The right to request correction of inaccurate or incomplete Personal Information;
The right to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice (withdrawal of consent may affect the services we are able to provide);
The right to challenge our compliance with PIPEDA and the applicable provincial law by contacting our Privacy Officer (see Section 19) and, if unresolved, by filing a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) or with the applicable provincial commissioner.

We will respond to verified Canadian access and correction requests within thirty (30) days of receipt or, where additional time is necessary, will notify you within thirty (30) days of the reason for the extension and provide our response no later than sixty (60) days from receipt.

Jombone has designated a Privacy Officer responsible for PIPEDA compliance, reachable at [email protected].

12.4 Rights Available to All Users (Regardless of Jurisdiction)

Access to and correction of your account profile through the Platform's profile-management features;
Opt-out of marketing communications via the "unsubscribe" link in any marketing email or by emailing [email protected];
Withdrawal of consent to time-clock photo capture (request through your sponsoring Customer);
Closure of your account by contacting your sponsoring Customer (for Workers/End-Clients) or your account manager (for Customer admin users).

12.5 How We Verify and Process Requests

To protect your information, we will verify your identity before responding to any privacy rights request that involves disclosure, correction, or deletion of Personal Information. Verification may include confirming information we already hold (such as account credentials, recent activity, or contact details). Where the information we hold about you is not sufficient to verify your identity to a level commensurate with the risk of the request, we may decline the request, in which case we will inform you of the reason. We do not charge a fee for processing requests except in cases of repetitive or excessive requests, as permitted by Applicable Law.

12.6 Appeals

If we decline a request, you may appeal the decision by replying in writing to our response within forty-five (45) days. We will review the appeal and inform you in writing of our appeal decision within sixty (60) days. If your appeal is denied, you may submit a complaint to your state attorney general, the Federal Trade Commission, the Office of the Privacy Commissioner of Canada, or the applicable provincial commissioner, as appropriate.

13. Children's Privacy

The Platform is not intended for, and is not directed to, individuals under the age of eighteen (18). We do not knowingly collect Personal Information from individuals under 18. If you are under 18, please do not use the Platform or submit any Personal Information to us. If we learn that we have collected Personal Information from an individual under 18, we will promptly delete that information.

Customers are responsible for ensuring they do not invite individuals under 18 onto the Platform.

Jombone does not knowingly collect Personal Information from children under 13 in the United States in violation of the Children's Online Privacy Protection Act (COPPA), nor does Jombone target children under 13 with the Service.

14. Automated Decision-Making and AI — Additional Detail

This Section 14 provides additional detail about the AI features described in Section 7.3, including the JScore.

14.1 Logic and Significance

The JScore is a numerical or categorical "employability rating" generated for a Worker based on a combination of factors which may include: completeness of profile data, work history, certifications and credentials, geographic availability, schedule availability, prior shifts completed through the Platform, no-show or cancellation history, supervisor ratings, and similar behavioral signals. The JScore is intended to assist Customers in identifying suitable candidates and is not a determination of suitability. Customers using the JScore may give it different weight in their hiring processes.

AI Matching, AI Screening, and AI Sourcing features use machine-learning models — including, in some cases, third-party large language models — to compare candidate attributes against job-order criteria configured by Customers. The specific features in use may change from time to time as Jombone updates the Platform.

14.2 Significance of AI Outputs in Employment Decisions

AI outputs (including the JScore) may influence whether a Customer offers a Worker a shift, places a Worker on a particular assignment, or considers a candidate for a particular role. AI outputs do not, however, make these decisions automatically; the sponsoring Customer reviews AI outputs and makes the final decision.

Where Applicable Law (such as NYC Local Law 144, the Colorado AI Act, or the Illinois Artificial Intelligence Video Interview Act) requires bias audits, candidate notices, or opt-out mechanisms in connection with the use of AEDTs, the sponsoring Customer is the deployer of the AEDT and is responsible for compliance, as further described in our Master Services Agreement (Section 4.6 and Exhibit D, Acceptable Use Policy).

14.3 Your Rights Regarding AI Features

Request explanation: You may request from your sponsoring Customer (or, where Jombone is the controller, from us) an explanation of how the JScore or other AI feature has been used in relation to you;
Request human review: You may request that a human review any consequential decision the Customer has made about you based on an AI output, in addition to or in lieu of the AI output;
Opt out of profiling: To the extent provided by Applicable Law (see Sections 12.1, 12.2), you may opt out of profiling and automated decision-making by contacting [email protected];
Opt out of training: You may request that your Personal Information not be used in de-identified or aggregated form to train AI models by contacting [email protected] (this option does not affect AI features applied to your data while you use the Platform).

15. Cookies and Tracking Technologies

Our websites and the Platform use cookies and similar tracking technologies (such as web beacons, pixels, local storage, and software development kits) to operate the Service, remember your preferences, analyze usage, and (with your consent where required) deliver marketing communications.

15.1 Categories of Cookies We Use

Strictly Necessary — required for the Platform to function (authentication, session management, security); cannot be disabled;
Functional — remember your preferences and enhance Platform features (e.g., language selection);
Analytics — measure how visitors and users interact with the Platform so we can improve it (e.g., Google Analytics, Mixpanel);
Marketing — measure the effectiveness of our marketing campaigns and, with your consent where required, deliver marketing communications relevant to you (e.g., LinkedIn Insight Tag).

15.2 Managing Cookies

You can control cookies through your browser settings or, on visiting jombone.com, through our cookie banner (where displayed in your jurisdiction). Disabling cookies may affect Platform functionality. We honor Global Privacy Control (GPC) signals as a valid opt-out request from California residents (and from residents of other US states whose laws recognize GPC) where we process Personal Information that would be subject to the opt-out right.

15.3 Mobile Applications

Our mobile applications do not rely on browser cookies. When you install one of our mobile applications, we may assign a random installation identifier and may collect device identifiers, push-notification tokens, mobile advertising identifiers (where applicable), and similar device-level data. You can manage these through your mobile device's operating system settings (e.g., resetting your advertising identifier).

16. Anti-Spam and Marketing Communications

16.1 CASL (Canada)

Where we send Commercial Electronic Messages ("CEMs") to recipients in Canada — for example, marketing emails to prospective Customer personnel — we comply with Canada's Anti-Spam Legislation (S.C. 2010, c. 23) ("CASL"):

We obtain express or implied consent before sending CEMs;
We clearly identify Jombone as the sender;
We provide a functioning unsubscribe mechanism in every CEM, active for a minimum of sixty (60) days, and we honor unsubscribe requests within ten (10) business days;
We do not use false or misleading content, headers, or sender information.

Customers using the Platform's communication features to send CEMs are responsible for their own CASL compliance, including obtaining required consents from their recipients. See our Master Services Agreement.

16.2 CAN-SPAM (United States)

Where we send commercial email messages to recipients in the United States, we comply with the CAN-SPAM Act, including by identifying messages as advertisements where required, providing a valid physical postal address, and providing a clear unsubscribe mechanism that we honor within ten (10) business days.

16.3 B2B Marketing — Source of Information

Where we collect and process business contact information for B2B marketing purposes from individuals with whom we have not previously interacted, we may receive that information from publicly accessible sources (such as company websites and professional networks) and from licensed third-party data providers, including (without limitation) Apollo.io, Clay, ZoomInfo, Clearbit, Lusha, and Cognism. We process this business contact information only to send marketing communications relevant to the recipient's professional role and only in compliance with Applicable Law (including CASL, CAN-SPAM, and US state privacy laws). We do not collect sensitive personal information in this context. You may opt out at any time by replying "unsubscribe" to any marketing email or by emailing [email protected].

17. Geographic Scope and the Quebec Exclusion

The Platform is offered to Customers and their authorized users in the United States and Canada outside the Province of Quebec. Jombone does not operate in Quebec, does not market to Quebec residents, and does not accept subscriptions from Customers organized in or primarily doing business in Quebec. Quebec Law 25 (formerly Bill 64) obligations are therefore not addressed in this Privacy Policy.

If you are a resident of Quebec, please do not provide Personal Information to Jombone. The Platform is not intended for use by Quebec residents.

Jombone does not offer the Platform to residents of the United Kingdom, the European Union, the European Economic Area, or other jurisdictions outside of the United States and Canada (excluding Quebec). The UK GDPR and EU GDPR are not applicable to Jombone's services as offered under this Privacy Policy. If you are located outside the United States or Canada, please do not use the Platform or submit Personal Information to us.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, Applicable Law, or our infrastructure. When we make material changes, we will: (a) update the "Effective Date" at the top of this Privacy Policy; (b) post the updated Privacy Policy at www.jombone.com/privacy-policy; and (c) where required by Applicable Law or appropriate to the circumstances, notify you directly (for example, by email or by in-Platform notice) and obtain any required consent.

Your continued use of the Platform following the posting of any updated Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with an update, please discontinue use of the Platform and contact us at [email protected] to close your account.

We maintain a version history of this Privacy Policy and will make prior versions available on written request.

19. How to Contact Us

19.1 Privacy Officer

For privacy questions, requests, complaints, or to exercise any of your privacy rights, please contact our Privacy Officer:

Email: [email protected]

Phone: +1 (888) 400-9896

Mail (United States): Jombone Inc., Attn: Privacy Officer, 3300 Dallas Pkwy, Suite 200, Plano, TX 75093, USA

Mail (Canada): Jombone Inc., Attn: Privacy Officer, 2233 Argentia Road, Suite 302A, East Tower, Mississauga, ON L5N 2X7, Canada

19.2 Other Inquiries

For general support: [email protected]. For legal and contractual matters: [email protected]. For accessibility issues: [email protected].

19.3 Regulatory Authorities

If you are not satisfied with our response to a privacy concern, you have the right to contact the applicable privacy or data-protection authority:

United States — California: California Privacy Protection Agency (cppa.ca.gov);
United States — Other States: your state attorney general's office;
United States — Federal: Federal Trade Commission (ftc.gov);
Canada — Federal: Office of the Privacy Commissioner of Canada (priv.gc.ca);
Canada — Alberta: Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca);
Canada — British Columbia: Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca);
Canada — Other Provinces (excluding Quebec): the Office of the Privacy Commissioner of Canada.

20. Additional Information

20.1 Relationship to Other Agreements

This Privacy Policy is incorporated by reference into the Jombone Master Services Agreement (the "MSA"), available at www.jombone.com/terms-of-use, and forms part of the agreement between you and Jombone. In the event of a conflict between this Privacy Policy and the MSA on a privacy or data-handling matter, this Privacy Policy controls.

20.2 Subprocessor List

A current list of Jombone's Subprocessors is maintained at www.jombone.com/subprocessors. We update this page at least fourteen (14) days before engaging any new Subprocessor.

20.3 Language

This Privacy Policy is written in English. As Jombone does not serve Quebec residents, the requirements of the Charter of the French Language (RLRQ c. C-11) do not apply.

20.4 Accessibility

We aim to make this Privacy Policy accessible to all users, including those who use assistive technologies. If you require this Privacy Policy in an alternative format, please contact [email protected].

Privacy Officer: [email protected] | +1 (888) 400-9896

↑ Back to top

Featured Resource

Guide

Key Resources