Privacy Policy
This policy describes what data Coordinex collects when you and your team use our iOS app and website, why we collect it, who we share it with, and how to exercise your rights over it. We wrote it to be readable. If anything is unclear, email privacy@coordinex.app.
1. Who we are
Coordinex is operated by Omar Nembhard, a sole proprietor based in the United States. For questions about this policy or to exercise your rights under it:
Email: privacy@coordinex.app
Mail: Coordinex, c/o Omar Nembhard. Postal address available on request via the email above.
2. What we collect
You give us
- Account info: name, email address, phone number, and the organization name you set up.
- Profile: job title, profile photo (optional), pay rate (set by your organization's admin).
- Schedule and time data: shifts you create or are assigned to, clock-in / clock-out times, breaks, time-off requests.
- Messages: chat messages, announcements, reactions, and read receipts you send within your organization.
- Photos: photos attached to time entries, expenses, or messages, when you choose to upload them.
- Files: documents (e.g. expense receipts, schedules) you upload.
We collect automatically
- Location: precise GPS coordinates when you clock in or out, and only if your organization requires geofencing. We do not track your location at any other time. iOS shows you a permission prompt the first time the app needs it.
- Device and usage: device model, OS version, app version, language, time zone, the screens you visit and the actions you take, app launch and crash data, network performance.
- Identifiers: a Coordinex user ID and a Firebase installation ID. We do not use the Apple advertising identifier (IDFA), and Coordinex does not show ads.
From third parties
- Authentication providers (Apple Sign In, Google Sign In) when you choose to sign in with them: name, email, and a unique sign-in identifier.
- Payment processors (Apple, Stripe, Square): a transaction reference and the subscription tier, but never your full card number, full bank account number, or government ID. Apple, Stripe, and Square handle all sensitive payment data under their own privacy policies.
3. Apple App Privacy Categories
For full transparency, here is the complete set of data categories we declare in the App Store Connect privacy questionnaire. This list is the authoritative one and is reviewed by Apple.
- Contact Info — Name, Email Address, Phone Number
- Financial Info — Other Financial Info (subscription transaction reference)
- Location — Precise Location, Coarse Location
- User Content — Photos or Videos, Audio Data, Customer Support, Other User Content
- Identifiers — User ID
- Purchases — Purchase History
- Usage Data — Product Interaction
- Diagnostics — Crash Data, Performance Data
For each category, our App Store privacy label discloses the purpose (App Functionality, Analytics, etc.) and whether the data is linked to your identity. None of it is used for tracking across other apps and websites.
4. Why we collect it
- To run the service: create accounts, build schedules, log time, process payroll exports, deliver messages, send notifications.
- To improve Coordinex: understand which features get used and which break, fix bugs surfaced in crash reports, prioritize what to build next.
- To keep accounts safe: detect suspicious sign-in attempts, prevent fraud and abuse, enforce subscription limits.
- To meet legal obligations: respond to lawful requests, comply with tax and employment record-keeping rules where applicable.
We do not sell or rent your data. We do not use your data to train AI models. We do not show you advertising, and we do not share your data with advertisers or data brokers.
5. Who we share it with
We share data only with the parties listed below and only for the purposes described.
Inside your organization
Schedules, time entries, messages, and reports are shared with the people in your Coordinex organization who have permission to see them. Your organization's owner and admins control those permissions.
Service providers we rely on
- Google Firebase (Google LLC) — Authentication, Firestore database, Cloud Functions, Cloud Storage, Crashlytics, Cloud Messaging (push notifications), App Check. Data is processed in Google's US data centers under their Privacy and Security in Firebase terms.
- Google Analytics for Firebase — anonymized product analytics. We do not enable Google Signals or cross-property identity linking.
- Stripe, Inc. — payment processing for invoiced organizations. Subject to Stripe's Privacy Policy.
- Square, Inc. — payment processing for organizations that opt into Square integration. Subject to Square's Privacy Policy.
- Apple, Inc. — App Store, Apple Sign In, StoreKit subscriptions, push notification delivery. Subject to Apple's Privacy Policy.
When required by law
We disclose data if compelled by valid legal process or to defend our rights and the safety of users. We will tell you about a request unless legally prohibited.
If Coordinex is acquired
Your data may be transferred to a buyer or successor entity. We will notify you in advance and you will have the option to delete your account before any transfer.
6. How we protect it
Coordinex uses industry-standard transport encryption (TLS 1.2+) for all network traffic and at-rest encryption on the underlying Firebase infrastructure. We do not claim end-to-end encryption: Coordinex servers can access your data because the service requires it (running queries, sending notifications, processing approvals).
- App Check protects our APIs from unauthorized client requests.
- Firestore Security Rules restrict every read and write to authenticated, authorized users.
- Sensitive operations (payroll, permission changes) require admin or owner role and are logged.
- We do not store your password — Firebase Auth holds a hashed credential we cannot read.
No system is impenetrable. If we ever suffer a breach affecting your data, we will notify affected users without undue delay and report it to the relevant data protection authorities where required.
7. How long we keep it
- Active accounts: as long as the account exists.
- Deleted accounts: profile and personal data deleted within 30 days of your request. Encrypted backups are purged within 90 days.
- Time and payroll records: may be retained for up to 7 years after deletion to comply with US wage-and-hour record-keeping requirements.
- Anonymized analytics: retained indefinitely in aggregate form that cannot be re-linked to you.
8. Your rights
You have the right to:
- Access a copy of your personal data.
- Correct inaccurate or incomplete data.
- Delete your account and personal data.
- Export your data in a portable format (JSON or CSV).
- Object to or restrict certain processing.
- Withdraw consent for optional features (e.g. push notifications, geolocation).
Email privacy@coordinex.app with your request. We respond within 30 days.
California residents (CCPA / CPRA)
You have the additional right to know what personal information we have collected, sold, or disclosed, and the right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information. California residents may also designate an authorized agent to make a request on their behalf. We do not discriminate against you for exercising any of these rights.
EU and UK residents (GDPR / UK GDPR)
The lawful bases on which we process your data are: performance of a contract (running the service for your organization), legitimate interests (security, fraud prevention, product improvement), consent (push notifications, geolocation), and legal obligation (tax and employment records).
You have the right to lodge a complaint with your supervisory authority if you believe we are processing your data unlawfully. Data is transferred to the United States under Standard Contractual Clauses where applicable. We do not have an EU representative or DPO at this time; for any GDPR-specific question, contact privacy@coordinex.app.
9. Tracking and Apple ATT
Coordinex does not track you across other apps and websites. We do not request the Apple App Tracking Transparency (ATT) prompt because we have nothing to track. We do not use the Apple advertising identifier (IDFA), do not work with ad networks, and do not embed third-party advertising SDKs.
10. Cookies on this website
The Coordinex marketing website (coordinex.app) uses only essential cookies and does not set advertising or cross-site tracking cookies. We do not use Google Analytics on the marketing site. The iOS app does not use cookies.
11. Children's privacy
Coordinex is intended for businesses with employees aged 16 or older. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it.
12. International users
Coordinex is operated from the United States and your data is processed in the US. By using Coordinex from outside the US, you consent to this transfer.
13. Changes to this policy
We may update this policy as the product evolves. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be announced in-app and by email at least 30 days before they take effect, so you have time to review them.
14. Contact
For privacy questions, deletion requests, or to report a concern:
privacy@coordinex.app