Privacy Policy
Last updated: April 16, 2026
[BRACKETS] must be updated with your entity details.
Who we are
Perch is a shift-scheduling software service operated by [LEGAL ENTITY NAME], with principal place of business at [COMPANY ADDRESS]. Where Perch decides how and why personal data about our Customers’ account holders is processed, we act as a “data controller” under the EU General Data Protection Regulation (GDPR) and equivalent laws. When we process personal data of your staff (or other end-users) on your instructions, we act as a “data processor” — see our Data Processing Agreement.
For any privacy-related question, contact privacy@onperch.co.
Scope
This Privacy Policy explains what personal data we collect from visitors to onperch.co and users of the Perch Service, how we use it, with whom we share it, and your rights. It applies to personal data collected from:
- Website visitors — anyone browsing our public marketing pages
- Account holders — administrators and team members who sign in to the Service
- Staff members entered by Customers — individuals whose schedule and employment data is managed by a Customer through the Service
What we collect
From account holders:
- Account data — name, email address, profile image, password hash (managed by Clerk), and organization membership
- Billing data — company name, billing email, last four digits of payment card and card brand (full card data is held by Stripe; we do not store it). Tax/VAT identifier if applicable.
- Usage data — pages viewed, features used, mutation history, session length, referring source, approximate IP-based location, device and browser type
- Communications — support emails and messages you send us
From staff members (uploaded by Customers):
- Identity — full name, email address (optional), phone number (optional)
- Employment-related data — job position, skills/qualifications, availability windows, preferred hours, employment start date, pay-rate notes (if the Customer chooses to store them)
- Schedule data — assigned shifts, break times, swap requests, published and draft schedules, attendance records
We do not intentionally collect special-category data under GDPR Article 9 (health, religion, ethnicity, biometrics, etc.). Customers should not upload such data to Perch.
Legal basis for processing (GDPR Article 6)
- Contract performance (Art. 6(1)(b)) — to provide the Service you signed up for, handle billing, and offer support.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service against abuse, debug errors, improve functionality, and prevent fraud. We balance these interests against your rights and will stop processing if you object and your rights prevail.
- Consent (Art. 6(1)(a)) — for optional marketing emails, non-essential cookies, and any other purpose we tell you requires consent. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, anti-fraud, and similar statutory requirements.
How we use personal data
- Create and maintain your account and organization
- Generate, store, and display schedules
- Charge the appropriate subscription fees and send receipts
- Send transactional emails (account confirmations, shift notifications, billing receipts, security alerts)
- Respond to support requests
- Detect and prevent abuse, fraud, and security incidents
- Improve product quality through aggregated, non-identifying analytics
- Comply with legal obligations and enforce our Terms
We do not sell personal data. We do not use personal data to train machine-learning or AI models for third parties.
Automated decision-making
Perch offers an optional “auto-schedule” feature that generates suggested shift assignments based on Customer-configured rules (availability, qualifications, hours, breaks). This is a decision-support tool: a human administrator must review and approve every schedule before it is published. The feature does not produce legal or similarly significant effects without human involvement. If you believe an automated decision has affected you, contact the Customer (your employer) in the first instance, then us.
Sub-processors
We rely on a small set of trusted providers to operate the Service. Each is bound by contract (including standard contractual clauses where applicable) to protect personal data in line with applicable law.
| Sub-processor | Purpose | Location | Policy |
|---|---|---|---|
| Clerk, Inc. | User authentication and session management | United States | View |
| Convex, Inc. | Database, backend runtime, and data hosting | United States | View |
| Stripe, Inc. | Payment processing, invoicing, fraud prevention | United States (global) | View |
| Resend, Inc. | Transactional email delivery | United States | View |
| Vercel, Inc. | Application hosting and content delivery | United States | View |
| Cloudflare, Inc. | Domain registration, DNS, edge network | United States | View |
We notify Customers of material changes to this list at least 30 days in advance, so they may object before changes take effect.
International data transfers
Perch’s sub-processors are primarily located in the United States. When we transfer personal data from the EEA, UK, or Switzerland to the US, we rely on:
- Standard Contractual Clauses approved by the European Commission
- EU-US Data Privacy Framework where the sub-processor is certified (Clerk, Vercel, Stripe, Cloudflare — verify status at dataprivacyframework.gov)
- Supplementary technical and organizational measures (encryption in transit and at rest, access controls, audit logging)
Copies of the applicable transfer mechanisms are available on request at privacy@onperch.co.
Data retention
We keep personal data only as long as we need it, based on the following principles:
- Active account data — retained for the life of your subscription.
- Post-cancellation — Customer Data (including staff records) is retained for up to 90 days to allow recovery or export, after which it is deleted or anonymized unless retention is legally required.
- Billing and tax records — retained for up to 7 years to comply with tax and accounting laws.
- Logs and analytics — retained for up to 12 months and then deleted or anonymized.
- Support communications — retained for up to 3 years.
Your rights (GDPR and UK GDPR)
If you are in the EEA, UK, or Switzerland, you have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion (“right to be forgotten”) in certain circumstances
- Restriction — request that we limit how we use your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
- Lodge a complaint — with your local data-protection authority. A list is available at edpb.europa.eu. For the UK, this is the ICO at ico.org.uk.
To exercise these rights, email privacy@onperch.co. We’ll respond within 30 days. If your data was uploaded by a Customer (e.g. your employer), we may need to route your request through them.
California privacy rights (CCPA/CPRA)
California residents have the right to (a) know what personal information we collect, (b) request deletion, (c) correct inaccurate data, (d) limit use of sensitive personal information, and (e) opt out of “selling” or “sharing” of personal information. Perch does not sell personal information and does not share it for cross-context behavioral advertising. Submit requests to privacy@onperch.co. We will not discriminate against you for exercising these rights.
Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (where supported by sub-processors)
- Role-based access controls and least-privilege principles
- Audit logging of administrative and billing actions
- Regular review of sub-processor security practices
- Password-less and/or MFA-capable authentication via Clerk
No system is perfectly secure. If you believe your account has been compromised, contact security@onperch.co immediately.
Data breaches
In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with GDPR Article 33/34 within 72 hours of becoming aware, where required.
Children
Perch is not directed at children under 16 (or the age of digital consent in your country, whichever is higher). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it promptly.
Changes to this Policy
We may update this Policy as our practices evolve. For material changes, we will notify you by email or in-app notice at least 30 days in advance. The “Last updated” date at the top of this page always reflects the current version.
Contact
Privacy questions? Email privacy@onperch.co.
EU/UK representative. [APPOINT EU/UK REP IF REQUIRED] — if your Service has no EU establishment and you offer the Service to EU/UK data subjects, GDPR Art. 27 requires appointment of a representative in the EU and a separate UK representative. Common providers include DataRep, EDPO, and Prighter.