Privacy Policy
Effective date: June 10, 2026
GorillaWorks Inc. (“GorillaWorks,” “we,” “us,” or “our”) operates the gorillaworks.io website, the FlexBackOffice staffing back-office platform, and the GorillaResume resume-building application (collectively, the “Services”). This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the rights you have over your data.
By accessing or using our Services, you agree to the practices described in this policy. If you do not agree, please discontinue use of the Services and contact us at contact@gorillaworks.io with any questions.
1. Who We Are
GorillaWorks Inc. is a software company that provides back-office automation technology for staffing agencies and temporary staffing firms. Our flagship product, FlexBackOffice, manages the full post-placement workflow: contractor onboarding, timesheet collection and approval, payroll processing and tax remittance, client invoicing, and gross-margin reporting. We operate across all 50 United States and all 13 Canadian provinces and territories.
For the purposes of applicable privacy law, GorillaWorks Inc. is the data controller for information collected through our marketing website and demo-request process. For personal data processed within the FlexBackOffice platform on behalf of a staffing agency client, GorillaWorks acts as a data processor and the staffing agency is the data controller.
2. Information We Collect
2.1 Information You Provide Directly
Demo request and contact forms. When you submit a demo request or contact form on gorillaworks.io, we collect your first name, work email address, and company name. We use this information solely to schedule and conduct your product demonstration and to follow up with information relevant to your inquiry.
FlexBackOffice platform accounts. When your organization creates an account on FlexBackOffice, we collect the name, email address, job title, and phone number of account administrators and users (typically recruiters, payroll staff, and operations managers at a staffing agency).
GorillaResume accounts. When you create a GorillaResume account, we collect the name and email address you register with, along with the resume content you choose to input, including work history, education, skills, and contact details you elect to include on your resume.
2.2 Contractor Data Processed on Behalf of Staffing Agency Clients
FlexBackOffice processes personal information about the contractors and temporary workers placed by our staffing agency clients. This data is provided to us by the staffing agency (our client) and is processed solely on their instructions. The categories of contractor data we process include:
- Identity information: full legal name, date of birth, government-issued ID details
- Tax and employment eligibility documents: Form I-9 (US employment eligibility verification), Form W-4 (US federal tax withholding), TD1 (Canadian federal personal tax credits return), and provincial TD1 equivalents
- Social Security Numbers (US) and Social Insurance Numbers (Canada) for payroll tax reporting
- Banking and direct deposit information: financial institution name, account number, routing/transit number
- Work authorization status and relevant supporting documentation
- Timesheet data: hours worked, job codes, client assignments, approval status
- Payroll data: gross earnings, statutory deductions, net pay, year-to-date summaries
- Background check results (where applicable, processed through integrated third-party providers)
- Contact information: home address, personal email address, phone number
If you are a contractor whose data is processed through FlexBackOffice, your primary point of contact for data rights requests is the staffing agency that placed you. GorillaWorks will cooperate with any such requests directed to us through the staffing agency.
2.3 Usage and Technical Data
When you use our website or platform, we automatically collect certain technical information, including your IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps. This information is used for security monitoring, debugging, and improving the performance and functionality of our Services.
3. How We Use Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve the Services
- To process payroll, generate invoices, file tax remittances, and fulfill the core functions of FlexBackOffice on behalf of staffing agency clients
- To respond to demo requests, sales inquiries, and customer support tickets
- To send transactional communications (account notifications, payroll confirmations, invoice receipts, system alerts)
- To detect, investigate, and prevent fraud, security incidents, and unauthorized access
- To comply with applicable laws, regulations, and legal process, including payroll tax reporting obligations in the US and Canada
- To enforce our Terms of Service and other agreements
- To analyze aggregate, de-identified usage patterns to inform product development
We do not sell personal information to third parties. We do not use contractor payroll or tax data for any purpose other than delivering the services contracted by the staffing agency client.
4. Legal Basis for Processing
For individuals in the European Economic Area (EEA) or the United Kingdom, we process personal data on the following legal bases under the General Data Protection Regulation (GDPR):
- Contract performance: processing necessary to deliver the Services under our agreement with a staffing agency client, or to respond to a direct request from a website visitor
- Legal obligation: processing necessary to comply with payroll tax remittance and reporting obligations under US and Canadian law
- Legitimate interests: security monitoring, fraud prevention, product analytics, and follow-up communications with demo requesters, balanced against the rights of individuals and conducted with appropriate safeguards
- Consent: where we rely on consent (e.g., optional marketing communications), you may withdraw it at any time
5. Information Sharing and Disclosure
We share personal information only in the following circumstances:
5.1 Service Providers and Sub-Processors
We engage trusted third-party service providers who process data on our behalf and are contractually bound to protect it. These include cloud infrastructure providers (for hosting and data storage), background check providers (integrated at the staffing agency's direction), payment and banking integration providers (for direct deposit processing), and security and monitoring tools. We enter into Data Processing Agreements with all sub-processors who handle personal data.
5.2 Integration Partners
FlexBackOffice integrates with Applicant Tracking Systems (ATS) including Bullhorn, Loxo, and Crelate, as well as financial systems including NetSuite, QuickBooks Online, Xero, Sage/Accpac, and Microsoft Dynamics, and payroll providers including ADP and others selected by the staffing agency client. Data is exchanged with these systems only as directed by the staffing agency client and only to the extent necessary to fulfill the integrated workflow.
5.3 Vendor Management Systems (VMS)
Where a staffing agency client uses a Vendor Management System for timesheet approval, FlexBackOffice synchronizes timesheet data with that VMS as part of the contracted service. All such data exchanges are governed by the staffing agency's agreements with both GorillaWorks and the VMS provider.
5.4 Legal and Regulatory Disclosure
We may disclose personal information when required by law, court order, or governmental authority, including for payroll tax filing purposes with the Canada Revenue Agency (CRA), the Internal Revenue Service (IRS), and applicable state and provincial tax authorities. We will notify affected parties of such disclosures to the extent permitted by law.
5.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction. We will notify affected users via email or a prominent notice on our website prior to any such transfer and any change in data controller, and will ensure the receiving party is bound by equivalent privacy obligations.
6. Data Retention
We retain personal data for as long as necessary to fulfill the purposes described in this policy, subject to the following:
- Contractor payroll and tax records (including W-4, I-9, T4, payroll summaries, and remittance records) are retained for a minimum of seven years in accordance with IRS and CRA requirements and applicable provincial record-keeping obligations
- FlexBackOffice account data for active clients is retained for the duration of the service agreement plus a standard 90-day data retrieval window following termination
- Demo request and contact form submissions are retained for up to 24 months for sales follow-up purposes, after which they are deleted or anonymized
- GorillaResume account data is retained for the duration of an active account; deleted accounts are purged within 30 days
- System logs and security event data are retained for 12 months
Upon written request from a staffing agency client following termination of their service agreement, we will provide a data export in a standard machine-readable format within 30 days and securely delete all associated data within 90 days, except where retention is required by law.
7. Security
GorillaWorks holds ISO/IEC 27001 certification for our Information Security Management System (ISMS). Our security program includes, but is not limited to:
- Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256)
- Role-based access controls and the principle of least privilege for all systems handling personal data
- Multi-factor authentication enforced for all internal staff with access to production systems
- Regular vulnerability assessments and penetration testing by qualified third parties
- 24/7 security monitoring and intrusion detection
- Annual security training for all employees
- Incident response procedures with documented escalation and notification timelines
In the event of a data breach that poses a risk to individuals' rights and freedoms, we will notify affected parties and, where required by law, relevant supervisory authorities within the timeframes mandated by applicable regulation (72 hours under GDPR; as required under applicable Canadian provincial legislation and US state breach notification laws).
8. International Data Transfers
GorillaWorks operates primarily in the United States and Canada. Personal data may be stored and processed in either country. For Canadian clients, we ensure that any transfer of personal data across the Canada-US border is conducted under contractual protections consistent with PIPEDA requirements and applicable provincial privacy legislation (including Quebec Law 25).
For individuals in the EEA or UK whose data may be processed through our platform, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism where applicable.
9. Your Privacy Rights
9.1 California Residents: CCPA / CPRA
California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties with whom it is shared
- Right to Delete: request deletion of personal information we have collected, subject to legal retention requirements
- Right to Correct: request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: we do not sell or share personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information beyond what is necessary to provide the Services
- Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights
To exercise your rights, contact us at contact@gorillaworks.io. We will verify your identity before processing requests and respond within 45 days, with one permitted 45-day extension where reasonably necessary.
9.2 Canadian Residents: PIPEDA and Provincial Laws
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including Alberta's PIPA, British Columbia's PIPA, and Quebec's Law 25 (Act respecting the protection of personal information in the private sector), Canadian residents have the right to:
- Access the personal information we hold about you and receive it in a portable format on request
- Request correction of inaccurate or incomplete personal information
- Withdraw consent to the collection, use, or disclosure of your personal information where processing is based on consent, subject to legal and contractual restrictions
- File a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the applicable provincial privacy commissioner
Requests may be submitted to contact@gorillaworks.io. We will respond within 30 days, or notify you if an extension is required.
Consistent with Quebec Law 25, we maintain a Privacy Impact Assessment (PIA) process for new projects involving personal information and publish a clear, accessible description of our privacy practices. Our designated Privacy Officer can be reached at the email address above.
9.3 EEA and UK Residents: GDPR
Individuals in the European Economic Area or the United Kingdom have the following rights under the GDPR and UK GDPR:
- Right of Access (Article 15): obtain a copy of your personal data and supplementary information about how it is processed
- Right to Rectification (Article 16): have inaccurate data corrected without undue delay
- Right to Erasure (Article 17): request deletion where data is no longer necessary, consent is withdrawn, or processing is unlawful, subject to overriding legal obligations
- Right to Restriction (Article 18): request that we restrict processing while accuracy is contested or an objection is pending
- Right to Data Portability (Article 20): receive your data in a structured, commonly used, machine-readable format
- Right to Object (Article 21): object to processing based on legitimate interests
- Rights related to automated decision-making (Article 22): we do not make solely automated decisions that produce legal or similarly significant effects
Submit requests to contact@gorillaworks.io. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
10. Cookies and Tracking Technologies
Our marketing website (gorillaworks.io) uses the following categories of cookies and similar technologies:
- Strictly necessary cookies: required for the website to function, including session management and security. These cannot be disabled.
- Analytics cookies: used to understand how visitors interact with our website (pages visited, time on site, referral source). We use aggregate, anonymized data for this purpose and do not build individual visitor profiles for advertising.
- Preference cookies: used to remember settings such as language or region preferences.
The FlexBackOffice platform uses session cookies and authentication tokens that are essential to platform operation. No third-party advertising or behavioral tracking cookies are used within the platform.
You can control cookies through your browser settings. Disabling strictly necessary cookies will impair platform functionality.
11. Children's Privacy
Our Services are directed at businesses and professionals. We do not knowingly collect personal information from individuals under the age of 16. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe a minor's information has been submitted to us, contact us at contact@gorillaworks.io.
12. Third-Party Links
Our Services may contain links to third-party websites or integrations with third-party platforms (including the ATS and financial systems listed in Section 5.2). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you use in connection with FlexBackOffice.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, provide notice by email to registered account holders or through a prominent notice on our website at least 30 days before the changes take effect. Continued use of the Services after the effective date of any changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact our Privacy Officer:
We are committed to resolving privacy concerns promptly and transparently. If you are not satisfied with our response, you have the right to escalate to the applicable supervisory authority as described in Section 9.