Legal

Security & Privacy Policy

Last updated: March 2026

1. What we collect and why

Wageform collects worker information solely to help contractors prepare and submit certified payroll reports as required by federal and state law. This includes:

  • Name, middle initial, and address — required on WH-347, NY PW-12, and CA DIR eCPR forms
  • Last four digits of Social Security Number — required on federal WH-347 per DOL guidance
  • Date of birth — collected for NY NYSDOL portal identity validation
  • Date hired, gender, and ethnicity — required for CA DIR eCPR and EEO workforce reporting
  • Trade classification and wage rates — required on all certified payroll forms

We do not collect full Social Security Numbers. We do not collect financial account information. We do not use worker data for advertising or marketing.

2. How we store and protect your data

All data is stored on Supabase's managed database infrastructure, which encrypts data at rest and in transit. We do not operate our own database servers.

Encryption at rest

Worker records, including sensitive identifiers like date of birth and SSN last four, are encrypted at rest on Supabase's infrastructure.

Encryption in transit

All data transmitted between your browser and Wageform is encrypted via TLS. We do not send worker data over unencrypted connections.

Access controls

Your worker data is isolated to your contractor account using row-level security (RLS). No other Wageform user can access your workers or projects.

No third-party sharing

We do not sell, rent, or share worker personally identifiable information (PII) with third parties for any purpose other than statutory compliance reporting.

3. Statutory compliance data (NY & CA)

To support mandatory state reporting requirements, Wageform collects certain identifiers beyond what federal WH-347 requires:

New York — NYSDOL

The NY portal requires date of birth for electronic worker identity validation. This field is used solely to facilitate Portal-Sync with the NYSDOL eCertified Payroll system. It is not displayed publicly or used for any other purpose.

California — DIR eCPR

The CA DIR eCPR iForm requires gender, ethnicity, date hired, and full worker address. These fields are used to pre-fill the CA Portal-Sync view and are not shared with any party other than the CA DIR when you submit your certified payroll report.

4. Data retention

Worker records are retained for as long as your account is active. Prevailing wage law generally requires contractors to maintain certified payroll records for a minimum of three years (federal) to five years (CA and NY). Wageform retains your data to support this requirement. You may request deletion of your data at any time by contacting us — subject to any legal hold obligations your jurisdiction may require.

5. Your rights

You have the right to access, correct, or delete the worker data you have entered into Wageform. To exercise these rights or to ask questions about this policy, contact us at:

Wageform
privacy@wageform.com
We will respond to all data requests within 30 days.

6. Changes to this policy

We will update this policy as our data practices change or as new regulatory requirements take effect. Material changes will be communicated to active users via email before they take effect.

← Back to Wageform
© 2026 Wageform