Privacy Policy
Effective date: April 8, 2026 · Last updated: April 8, 2026
Staffia ("Staffia," "we," "our," or "us") provides software that helps nurse staffing agencies match nurses to shifts, send SMS bookings, and coordinate operations. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have about it.
This policy applies to staffia.pages.dev, the Staffia application, our APIs, and any related services we offer (collectively, the "Service"). It applies to information about three categories of people: agency staff who use the dashboard, nurses whose contact information is uploaded to the platform, and facilities whose details are stored in the system.
1. Information We Collect
1.1 Information you provide directly
- Account information. When an agency administrator signs up, we collect a name, business email, and (optionally) a phone number. We use Supabase Auth to authenticate sign-ins.
- Agency information. Agency name, time zone, notification email, and commercial account metadata.
- Nurse roster information. Agencies upload information about the nurses they staff, which may include first and last name, phone number, email, license type and state, license expiration, credentials (e.g., ACLS, BLS), and ZIP code. Agencies are responsible for collecting consent from nurses before uploading this information.
- Facility information. Facility name, address, site type (clinical/home), and contact phone number.
- Shift information. Start and end times, required license type, required credentials, and dispatch metadata.
- Communications. The contents of SMS messages sent and received through the Service, voice call outcomes, and email notifications generated by the platform.
- Support and feedback. Information you give us when you contact support or provide feedback.
1.2 Information we collect automatically
- Log and usage data. Server logs include IP addresses, request timestamps, browser type, and the API endpoints that were called. We use this for security monitoring and debugging.
- Session storage. We use browser localStorage to store authentication tokens so users stay signed in. We do not use third-party tracking cookies.
- Delivery receipts. When SMS messages are delivered, our SMS provider sends us delivery confirmations and error codes, which we store against the corresponding shift record.
2. How We Use Information
We use the information described above to:
- Operate and maintain the Service, including matching nurses to shifts and sending dispatch SMS.
- Authenticate users and protect accounts from unauthorized access.
- Send transactional notifications (booking confirmations, shift alerts, and operational notices).
- Detect, investigate, and prevent abuse, fraud, and security incidents.
- Comply with legal obligations and respond to lawful requests.
- Improve and develop new product features.
We do not sell personal information, and we do not use information from one agency's roster to benefit any other agency.
3. Sub-processors and Service Providers
We rely on a small number of vetted vendors to operate the Service. Each is bound by contractual obligations to protect the data we share with them and to use it only for the purposes we specify.
- Supabase, Inc. — Postgres database hosting and authentication. Data is stored in the United States (US-West region).
- Cloudflare, Inc. — Hosting for the application, edge functions, and DDoS protection.
- Twilio Inc. — SMS message delivery and inbound webhook handling.
- Bland AI — Outbound voice calls used for shift escalation when SMS booking does not complete.
If we engage a new sub-processor that materially affects how customer data is handled, we will update this list and notify customers in advance through the Service or by email.
4. SMS and TCPA Compliance
Staffia sends SMS messages to nurses on behalf of agencies that subscribe to the Service. Agencies are responsible for obtaining nurses' express prior written consent to receive these messages, in accordance with the Telephone Consumer Protection Act ("TCPA") and any applicable state laws.
Every nurse can opt out at any time by replying STOP to any Staffia SMS. Opt-out requests are processed automatically and immediately: the nurse's record is flagged as opted-out across the entire platform and no further SMS will be sent to that number from any agency. Replying START re-enables messaging.
Standard message and data rates may apply to SMS. We do not charge nurses to receive messages; any carrier fees are the responsibility of the recipient.
5. HIPAA
Staffia is not, by default, a HIPAA Business Associate. The Service is intended to handle staffing operations data (names, phone numbers, license types, shift times) and not protected health information ("PHI"). Agencies must not upload PHI through the Service unless we have entered into a separate Business Associate Agreement ("BAA") with the agency. If you require a BAA, contact us before uploading any PHI.
6. Data Retention
We retain personal information for as long as your agency's account is active and for a reasonable period after termination to allow for account reconciliation, dispute resolution, legal compliance, and account recovery. Specifically:
- Active accounts. Roster, facility, and shift data is retained for the life of the account.
- Closed accounts. We retain account data for up to 90 days after termination, then delete or anonymize it, except where a longer retention period is required by law (e.g., invoice and tax records typically retained for several years).
- SMS records. Delivery receipts and message logs are retained for 12 months for operational and compliance purposes.
- Booking tokens. Short-lived nurse booking tokens expire automatically after 48 hours or when superseded by a newer token, whichever comes first.
7. Security
We use the following safeguards to protect personal information:
- TLS encryption in transit for all connections to the Service.
- Database access is restricted to a service-role key that is never exposed to client-side code; all queries originate from server-side Cloudflare Workers.
- Row-Level Security ("RLS") is enabled on every tenant-scoped table as a defense-in-depth measure.
- Tenant isolation enforced via composite foreign keys at the database level.
- Webhook endpoints from Twilio validate cryptographic signatures before processing; webhooks from Bland AI authenticate via a shared secret header.
- Authentication uses time-limited Bearer tokens issued by Supabase Auth.
- Browser security headers including Content Security Policy, HSTS, and X-Frame-Options are applied to every response.
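The webhook checks in the list above (Twilio signature validation and the Bland AI shared-secret header) are shown here as an added Python example; this is illustrative code, not Staffia's implementation. The Twilio scheme is the documented one: the full request URL followed by each form parameter name and value in lexicographic order of the names, HMAC-SHA1 keyed with the account auth token, base64-encoded, and compared in constant time against the X-Twilio-Signature header. The auth token, webhook URL, parameters and the Bland AI header name are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed values for the example only: not a real Twilio auth token,
# endpoint or message. Replace with the values from your own configuration.
AUTH_TOKEN = "example-auth-token-not-real"
WEBHOOK_URL = "https://example.invalid/webhooks/twilio/sms"
SAMPLE_PARAMS = {
    "MessageSid": "SM00000000000000000000000000000000",
    "From": "+15005550006",
    "To": "+15005550001",
    "Body": "STOP",
}


def twilio_signature(auth_token: str, url: str, params: Mapping[str, str]) -> str:
    """Compute the X-Twilio-Signature value Twilio would send for this request.

    Signed payload = full URL (scheme, host, path and query string exactly as
    Twilio requested it) + every POST parameter name immediately followed by
    its value, ordered lexicographically by name. The HMAC key is the account
    auth token; the digest is SHA-1 and the output is base64.
    """
    payload = url + "".join(name + params[name] for name in sorted(params))
    digest = hmac.new(
        auth_token.encode("utf-8"), payload.encode("utf-8"), hashlib.sha1
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_twilio_request(
    auth_token: str,
    url: str,
    params: Mapping[str, str],
    header_signature: Optional[str],
) -> bool:
    """Return True only if the presented header matches the recomputed signature.

    A missing header is rejected outright; the comparison uses
    hmac.compare_digest so timing does not leak how many leading bytes match.
    """
    if not header_signature:
        return False
    expected = twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected, header_signature)


def verify_shared_secret(configured_secret: str, presented: Optional[str]) -> bool:
    """Constant-time check for a shared-secret header (the Bland AI style check).

    The header name ("X-Webhook-Secret" below) is an assumption for this example.
    """
    if not presented:
        return False
    return hmac.compare_digest(
        configured_secret.encode("utf-8"), presented.encode("utf-8")
    )


def accept_inbound_sms(headers: Mapping[str, str], params: Mapping[str, str]) -> bool:
    """Gate an inbound Twilio webhook: verify first, only then act on Body."""
    return verify_twilio_request(
        AUTH_TOKEN, WEBHOOK_URL, params, headers.get("X-Twilio-Signature")
    )


if __name__ == "__main__":
    good_headers = {
        "X-Twilio-Signature": twilio_signature(AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS)
    }
    print("genuine request accepted:", accept_inbound_sms(good_headers, SAMPLE_PARAMS))
    forged = dict(SAMPLE_PARAMS, Body="YES")  # attacker flips STOP to a booking reply
    print("tampered body rejected:", not accept_inbound_sms(good_headers, forged))
    print("bland secret ok:", verify_shared_secret("s3cret", "s3cret"))
```

The URL passed to the verifier must be the one Twilio actually requested, including scheme, host, port and query string. When the Worker sits behind a proxy or a custom domain, reconstruct it from the configured public webhook URL rather than from the incoming Host header, otherwise every genuine request fails validation and the temptation is to disable the check.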
No system is completely secure. If we learn of a security incident affecting your information, we will notify you in accordance with applicable law.
8. Your Rights and Choices
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of personal information.
- Receive a portable copy of your information.
- Object to or restrict certain processing.
- Withdraw consent (where processing is based on consent).
Agency admins can download a complete JSON export of their agency's data (including nurse rosters, facilities, shifts, matches, and audit trail) directly from the Settings page. For all other rights — correction, deletion, objection, and portability beyond the JSON export — contact us at the email address below and we will respond within 30 days. If you are a nurse whose information is in the Service, please contact the agency that uploaded your data first; we act as a processor on their behalf. If you cannot reach the agency, you may contact us directly and we will help facilitate the request.
California residents have additional rights under the California Consumer Privacy Act ("CCPA"), including the right to know what categories of personal information we collect, the right to request deletion, and the right not to be discriminated against for exercising these rights. We do not sell personal information as defined by the CCPA.
9. International Transfers
Our infrastructure is hosted in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have different data protection laws than your country.
10. Children
The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of the page. If the changes are material, we will provide notice through the Service or by email before the changes take effect.
12. Contact Us
For privacy questions, requests, or to exercise any of the rights described above, contact us at:
Staffia
Email: privacy@staffia.ai