Privacy Policy

Effective date: 1 June 2025 · Last updated: 21 May 2026

What matters most

We collect only what we need to run the platform. We never sell your data. Patient information (PHI) is anonymised in public views and encrypted everywhere. You can request access, correction, or deletion of your data at any time by emailing privacy@trabajohub.com.

HIPAA Business Associate — Trabajo Hub operates as a Business Associate under HIPAA. All Protected Health Information (PHI) handled through the Platform is subject to the additional protections described in Section 5.

01 Overview

Trabajo Hub Inc. ("we", "us", "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, share, and safeguard your data when you use the Trabajo Hub platform ("Platform"), including our web dashboard, mobile application, and associated APIs.

This policy applies to all users of the Platform: Facilities, Trabajo Hub Professionals (nurses and caregivers), and any authorised administrators. By using the Platform you acknowledge that you have read and understood this policy.

We review and update this policy periodically. When we make material changes we will notify you by email and by a prominent notice on the Platform at least 14 days before the changes take effect.

02 Information We Collect

Account & identity information: when you register, we collect your full name, email address, phone number, date of birth, and government-issued ID details required for identity verification.

Professional credentials: nursing licences, CPR certifications, TB results, background-check reports, OIG/SAM exclusion check results, immunisation records, and any other documents required by the Platform or a Facility.

Location data: when you perform an EVV (Electronic Visit Verification) check-in or check-out, we capture GPS coordinates to verify your physical presence at a patient's address. Location data is collected only during active shift events and is not tracked continuously.

Usage data: log files, IP addresses, browser or device type, pages visited, features used, and timestamps. This data is used for security monitoring, debugging, and improving the Platform.

Communications: messages you send through the Platform's in-app messaging system, support ticket content, and any correspondence with our team.

Financial data: bank account details collected during Stripe Connect onboarding for payout processing. We do not store full bank account numbers; these are held by Stripe under their own security and compliance frameworks.

03 How We Use Your Information

Operating the Platform: to create and manage your account, verify your identity and credentials, match you with available shifts, process payouts, and provide all core Platform features.

Compliance and safety: to conduct OIG/SAM exclusion checks, verify licence validity, fulfill our obligations as a HIPAA Business Associate, and detect fraudulent or unsafe activity.

Communications: to send shift confirmations, credential-expiry alerts, payment notifications, security alerts, and Platform updates. You may opt out of non-essential communications at any time.

Analytics and improvement: to understand how the Platform is used, identify bugs, optimise performance, and develop new features. Analytics data is aggregated and de-identified wherever possible.

Legal and regulatory: to comply with applicable laws, respond to lawful requests from government authorities, enforce our Terms of Service, and protect our legal rights.

We do not sell your personal information to third parties, and we do not use your data for targeted advertising.

04 How We Share Your Information

With Facilities: when you accept a shift, the Facility receives your professional profile, verified credentials relevant to the assignment, and contact information necessary for the engagement. Patient PHI flows in the opposite direction — from Facility to you — and is subject to the HIPAA protections described in Section 5.

With service providers: we share data with trusted third-party vendors (Stripe for payments, DigitalOcean for cloud storage, SendGrid for email, Firebase for push notifications, Twilio for SMS) solely to provide the services we have engaged them for. All vendors are contractually bound to protect your data.

For legal reasons: we may disclose information to comply with a legal obligation, court order, or valid government request, or to protect the rights, property, or safety of Trabajo Hub, our users, or the public.

Business transfers: if Trabajo Hub is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We do not share your information with any other parties without your explicit consent.

05 HIPAA & Protected Health Information

Trabajo Hub operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We handle Protected Health Information (PHI) only on behalf of Covered Entity Facilities and in accordance with executed Business Associate Agreements (BAAs).

PHI is never displayed in public marketplace listings. Patient identifiers are replaced with anonymised codes (e.g. Case-PT-7701) until a Trabajo Hub Professional has been confirmed for a shift, at which point limited PHI is disclosed for care-delivery purposes only.

All PHI is encrypted using AES-256 at rest and TLS 1.3 in transit. Access to PHI is restricted on a strict need-to-know basis. Audit logs record every access event.

If you suspect or discover a PHI breach, you must report it immediately to privacy@trabajohub.com. We will investigate and, where required by HIPAA, notify affected individuals and the U.S. Department of Health & Human Services within the required timeframes.

06 Data Security

We implement a layered security programme including: AES-256 encryption at rest for all sensitive data; TLS 1.3 in transit; role-based access controls; JWT-based authentication with short-lived access tokens and rotating refresh tokens; multi-factor authentication for all administrator accounts; and continuous security monitoring.

Credential documents and PHI are stored in private, non-publicly-accessible DigitalOcean Spaces buckets. Pre-signed URLs with short expiry windows are used whenever a document needs to be displayed to an authorised user.

We conduct periodic security reviews and penetration tests. Employees with access to personal data undergo mandatory privacy and security training.

While we take extensive precautions, no system is perfectly secure. If you believe your account has been compromised, contact security@trabajohub.com immediately.

07 Data Retention

We retain your personal data for as long as your account is active and for a reasonable period thereafter to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Credential documents are retained for a minimum of 7 years following account closure, in accordance with applicable healthcare record-keeping requirements.

EVV location records are retained for 5 years to satisfy state EVV compliance audit requirements.

You may request deletion of your account and associated non-regulated data at any time by contacting privacy@trabajohub.com. We will process deletion requests within 30 days, subject to legal retention obligations.

08 Your Privacy Rights

Access: you may request a copy of the personal data we hold about you at any time.

Correction: you may request that we correct any inaccurate or incomplete personal data.

Deletion: subject to legal retention requirements, you may request deletion of your personal data.

Portability: you may request an export of your data in a structured, machine-readable format.

Objection and restriction: you may object to certain processing activities or request that we restrict how we process your data in specific circumstances.

To exercise any of these rights, email privacy@trabajohub.com. We will respond within 30 days. We may need to verify your identity before processing your request.

09 Cookies & Tracking

The Platform uses essential cookies required for authentication session management and security. These cannot be disabled without breaking core functionality.

We use analytics cookies (via an anonymised, self-hosted analytics service) to understand Platform usage patterns. These do not contain personal identifiers.

We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies.

You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect your ability to use the Platform.

10 Children's Privacy

The Platform is intended for use by adults who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18.

If we become aware that we have inadvertently collected personal information from a minor, we will delete it promptly. If you believe we have collected data from a minor, please contact privacy@trabajohub.com.

11 Contact & Data Controller

Trabajo Hub Inc. is the data controller for personal information processed on the Platform. If you have questions about this Privacy Policy or our data practices, please contact our Privacy Officer at privacy@trabajohub.com.

For HIPAA-specific matters, email privacy@trabajohub.com and reference 'HIPAA Enquiry' in the subject line.

Trabajo Hub Inc. · 500 Congress Ave, Suite 200 · Austin, TX 78701 · United States

Privacy questions or requests?

Our Privacy Officer responds within 30 days for all data rights requests.
