Privacy Notice
Effective 2026-05-28.
Who we are
Midslate Inc. ("we") operates the Midslate service. We are the data controller for your account/registration data and the data processor for the workforce data you upload via the Service.
What we collect
- Registration data: the email + display name you supply at signup, plus a bcrypt-hashed password.
- Usage telemetry: request counts, error rates, and coarse latency metrics for service health and capacity planning. No request body content.
- Audit log: who-did-what records for security and compliance. Retained per your tenant's configured audit-retention window (default 5 years; configurable on /admin/retention).
- Workforce data: employee records, attendance events, schedules, messages — all uploaded by your tenant admins. We process this only on your tenant's instructions; see the DPA.
How we use it
Registration + usage data: to operate the Service, send transactional emails (verification, billing, security alerts), and bill correctly. We do not sell personal data to third parties; we do not use your data to train AI models outside your own tenant.
Sub-processors
We rely on a cloud infrastructure provider, an email vendor (Resend or equivalent), Stripe for payment processing, and a monitoring vendor. See the DPA for the current list.
Your rights
You can:
- Export your data at any time via /admin/export (GDPR Art. 20).
- Request deletion of your tenant via /admin/danger (GDPR Art. 17). A 7-day grace period applies before permanent deletion.
- Request a per-user erasure via /admin/erasure.
- Email privacy@example.test for any rights request we don't already self-serve.
Retention
Workforce data retention windows are configurable per tenant on /admin/retention within the bounds we enforce for compliance (e.g. audit log min 365 days). Billing records and tax-relevant data may be retained beyond your tenant's retention window to comply with our own legal obligations.
Cookies
We use a single session cookie (session_id, HttpOnly, SameSite=Lax) for authentication. We do not set analytics or advertising cookies.
Security
See the DPA section 3 for our technical and organizational measures. For vulnerability disclosure, see /.well-known/security.txt.
Contact
Privacy questions: privacy@example.test.