Legal

Privacy Policy

Effective May 13, 2026

1. What We Collect

DiffPay collects the following data when you use the Service:

  • Account information:email address, timezone, professional role (e.g., “RN,” “Paramedic”).
  • Pay structure data: employer name, base hourly rate, overtime rules, differential rules, pay period configuration.
  • Shift data: clock in/out times, break minutes, applied differentials, calculated earnings.
  • Billing data: Stripe processes all payments. We store your Stripe customer ID and subscription status but never your credit card number.
  • Analytics: page views and feature usage via PostHog (when you consent) and Vercel Web Analytics.

2. What We Do Not Collect

DiffPay does not collect any patient health information. We handle pay structure and shift timing data — not medical records, diagnoses, or patient identifiers. DiffPay is not subject to HIPAA because no protected health information (PHI) is collected, stored, or transmitted.

3. How We Use Your Data

  • Calculate and display your earnings, overtime, and differentials.
  • Process subscription payments via Stripe.
  • Send transactional emails (payment confirmations, trial reminders) via Resend.
  • Improve the Service through anonymized usage analytics.

We do not sell your data. We do not share your data with advertisers.

4. Data Storage

Your data is stored in a Supabase-managed PostgreSQL database hosted on AWS infrastructure. The application is deployed on Vercel. All connections use TLS encryption in transit. Row-level security (RLS) ensures you can only access your own data.

5. Cookies

DiffPay uses essential cookies for authentication (Supabase session tokens). Optional analytics cookies (PostHog, Vercel Analytics) are set only with your consent. You can manage your cookie preferences via the consent banner shown on your first visit.

6. Your Rights

You have the right to:

  • Access: View all data DiffPay holds about you from your account settings.
  • Export: Download a copy of all your data in JSON format from account settings.
  • Delete: Permanently delete your account and all associated data from account settings. Deletion is irreversible.
  • Opt out of analytics: Decline analytics cookies via the consent banner. Essential cookies for authentication cannot be disabled.

These rights apply regardless of your location, including under GDPR (EU), CCPA (California), and similar state privacy laws.

7. Data Retention

Your data is retained as long as your account is active. If you delete your account, all personal data is permanently removed within 30 days. Anonymized analytics data may be retained indefinitely.

8. Third-Party Services

  • Supabase — authentication and database hosting.
  • Stripe — payment processing.
  • Vercel — application hosting and web analytics.
  • PostHog — product analytics (with consent).
  • Resend — transactional email delivery.

9. Children

DiffPay is designed for working adults. We do not knowingly collect data from anyone under 16.

10. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via email. The “Effective” date at the top of this page indicates the last revision.

11. Contact

Privacy questions? Email privacy@diffpay.app.